The Security Mindset

by Süleyman Petek 17. July 2015 21:00

Everyone in your organisation should keep security in mind at all times. Remember that you are only as secure as the weakest link in the chain. Whatever the latest technology you use (firewalls, IDS, IPS, antivirus, etc.), your level of protection is only as high as your weakest link.

Not everyone will have the same level of mindset, but developers and IT staff in particular should be careful about this. Of course, building a company-wide mindset is not easy and it requires continuous education. Education comes at a cost in money and time, so top management should also share the mindset in order to approve these expenses.

Consider a project manager, a business analyst or a scrum master. While planning a project, almost none of them allocates time and people for security issues. Being aware of these issues means planning time for fixing security issues and for aligning with secure coding standards. The majority of developers concentrate on learning new technologies, but unfortunately they are not keen on security or are not aware of the seriousness of the topic.

In general there are some principles that should be kept in mind:

Least Privilege
Sometimes abbreviated POLP (Principle of Least Privilege): limit access to the minimum level necessary to complete the job.

Simple is More Secure
Remove unnecessary functions and unused features wherever possible; less code means less attack surface.

Do Not Trust Users
When it comes to user actions, being paranoid is good security behaviour. Even your administrators are not 100% reliable (an unhappy employee can be very harmful). Sometimes offline actions such as phone calls should be treated as an attack (social hacking).

The Unexpected Always Happens
Preventing an attack before it happens is vital. People generally only see the "happy path" in projects, but the edge cases must be considered as well.

Defense in Depth
Slow down the attacker with layered defenses. "If an attack causes one security mechanism to fail, other mechanisms may still provide the necessary security to protect the system." - OWASP

If you read the CEH preparation book, hacking starts with the reconnaissance process. The more information you give away, the more attackers benefit. Limit the information you expose to the minimum.

Blacklisting & Whitelisting
"A Blacklist is testing a desired input against a list of negative inputs. Basically you would compile a listing of all the negative or bad conditions, then verify that the input received is not one of the bad or negative conditions.

A Whitelist is testing a desired input against a list of possible correct inputs. To do this you would compile a list of all the good input values/conditions, then verify that the input received is one of these correct conditions."
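The difference between the two approaches, as an added example that is not part of the original post: a request parameter chooses which column a user listing is sorted by. The column names, the deny list and the request values are all constructed for illustration.

```python
"""Blacklist vs whitelist validation of a user-supplied sort field.

Added example (not from the original post). The column names and the
request values below are constructed for illustration only.
"""
import re

# Whitelist: the only columns a caller may legitimately sort by.
ALLOWED_SORT_FIELDS = frozenset({"name", "email", "created_at"})

# Blacklist: an attempt to enumerate what is bad, i.e. columns that must
# never be exposed through sorting.
DENIED_SORT_FIELDS = {"password", "api_key", "ssn"}


def blacklist_check(field: str) -> bool:
    """Return True if the field is NOT on the deny list.

    Anything the list's author did not think of passes: a column added
    later, a different spelling, or a different case.
    """
    return field not in DENIED_SORT_FIELDS


def whitelist_check(field: str) -> bool:
    """Return True only if the field is a known-good column.

    Unknown values fail closed, so new columns are protected by default
    until someone deliberately adds them to the allow list.
    """
    return field in ALLOWED_SORT_FIELDS


def validate_username(name: str) -> bool:
    """Whitelist by pattern instead of by enumeration: accept only 3 to 16
    characters drawn from a fixed alphabet, rejecting everything else."""
    return re.fullmatch(r"[A-Za-z0-9_]{3,16}", name) is not None


if __name__ == "__main__":
    # Constructed request values: the first is legitimate, the rest were
    # never anticipated by the deny list and slip past it.
    for value in ("name", "password_hash", "PASSWORD", "api_key_v2"):
        print(f"{value!r:16} blacklist={blacklist_check(value)!s:5} "
              f"whitelist={whitelist_check(value)}")
```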


IT Security | Awareness | Web Security | Web Attack

Secure Software Development Lifecycle

by Süleyman Petek 13. July 2015 23:00

Security should be part of your DNA while building a software system. Below is a short list of terms and acronyms.

Information Security Risks: The probability that a particular threat-source will exercise a particular information system vulnerability and the resulting impact if this should occur.

Software Security: A way to defend against software exploits by building software to be secure.

Application Security: A way to defend against software exploits after deployment is complete.

Return on Security Investment (ROSI): The total amount of money that an organization is expected to save in a year by implementing a security control.

The core components of Secure SDLC process are:

  • Clear and detailed requirements of business
  • Security requirements
  • Threat modelling (Early in the security design phase, threat modelling should be done in order to identify the potential threats that exist specific to the application.)
  • Design
  • A policy for secure coding
  • A framework for secure coding (OWASP may be a resource here)
  • Segregation of environments (Dev/Test/Staging/PreProd/Prod)
  • Static and Dynamic Analysis of the code
  • Change management
  • Release management

To reduce the probability of writing insecure code, a few steps should be included in the SDLC. Since writing secure code is vital for minimizing the occurrence of vulnerabilities, it is worth elaborating on this topic for the benefit of executives. This step in development is too often misunderstood or deemed of secondary importance compared with production deadlines. It is worth reviewing the basic steps of writing secure code; at some point it may look like an attractive return on investment.

Secure coding needs some key factors:

  • Top level management buy-in
  • Security architect engagement
  • Segregation of duties
  • Backups
  • Monitoring and logging of events
  • Patch management
  • Password management (authentication-authorization)
  • Session management
  • Input validation
  • Output encoding
  • Exception management (Fail safely)
  • Developer training (Create awareness, educate)

As the cost of fixing a bug rises at each later stage of the SDLC, security issues should be considered and fixed as early as possible.

What can you lose if you don't?
  • Reputation
  • Data
  • Money
  • Time

And never forget that risks are for managers, not for developers!


IT Security | Awareness | Secure Coding | Web Security | Web Attack | Web Defense

What is PCI DSS?

by Süleyman Petek 3. July 2015 21:46

The Payment Card Industry Data Security Standard, a.k.a. PCI DSS, is a set of policies and procedures intended to secure the payment cards that you use instead of cash.

As they define it on their website: "The PCI Security Standards Council offers robust and comprehensive standards and supporting materials to enhance payment card data security. These materials include a framework of specifications, tools, measurements and support resources to help organizations ensure the safe handling of cardholder information at every step. The keystone is the PCI Data Security Standard (PCI DSS), which provides an actionable framework for developing a robust payment card data security process including prevention, detection and appropriate reaction to security incidents."

When you think of your daily life:

  • you work for a month
  • at the end of the month you earn your salary and it is transferred to your account
  • you pay your bills online
  • you use a credit card or debit card at a cafe, bar, restaurant, etc.
  • you use a credit card while you shop online
  • and so on

Did you notice that you never actually see the money physically? You just see numbers on a screen, whether on your mobile phone or on your bank's website. As a customer of your bank, you should be confident about your privacy and security.

Compared with the old days, the way thieves work has changed a lot. When I was a child, Lucky Luke was protecting the bank from the Daltons.


Now life is easier, but somehow it is easier for the thieves too. So you need proven security guidance. When you comply with PCI DSS:

  1. Your customers will believe they are secure when they do money-related business with you
  2. This trust will feed back positively into your business
  3. Your partners will also feel trusted
  4. A good reputation among business partners will bring new partners and new customers

In order to comply with PCI DSS you need the items below; there are 6 main goals and 12 requirements:

Say that you have done all of the above; what is next? The answer is an audit. You will be audited by a QSA (Qualified Security Assessor) and an ASV (Approved Scanning Vendor) authorized by the PCI Council. In some cases the company does not have to be audited on site and can prove its compliance via an SAQ (Self-Assessment Questionnaire).

Major payment card brands have created their own security guidelines based on PCI DSS; for instance, Visa's is shown below.

For further information you can check this out.

According to the document, the PCI DSS applies to "all entities involved in payment card processing - including merchants, processors, financial institutions and service providers, as well as all other entities that store, process, or transmit cardholder data and/or sensitive authentication data."

The standard defines cardholder data (CHD) and sensitive authentication data (SAD) as follows:

Cardholder Data

  • Primary Account Number (PAN)
  • Cardholder Name
  • Expiration Date
  • Service Code

Sensitive Authentication Data

  • Full track data (magnetic stripe data, or its equivalent on a chip)
  • CAV2/CVC2/CVV2/CID numbers
  • PINs/PIN blocks

If you're confused about how to get started with this process, then contracting a qualified assessment firm can help you to pinpoint any areas of improvement in your existing security policies.


IT Security

Check your "Short URLs"

by Süleyman Petek 22. June 2015 11:56
Very popular recently: for long URL addresses we use URL shorteners like, etc. We can also create short URLs via APIs, but that is not our topic for now. Sometimes these URLs are compromised by bad guys, who use them to hide links to infected sites. So I advise you to check a short link before you click; think twice! But how? Go to and keep yourself secure.


Awareness | Web Security
