SlideShare a Scribd company logo

Data security in online commerce

Download as PPTX, PDF
A
Anand Nair

This document summarizes a presentation about data security in online commerce. It discusses: 1) An introduction about the presenter's experience in secure web services and open source contributions. 2) The main topics that will be covered, including data security discussions and tools to test security risks. 3) The most common web application security weakness is failing to validate input from clients, which can lead to vulnerabilities like cross-site scripting and SQL injection. 4) It emphasizes that external data should never be trusted and validations are important with many data input points in complex applications.

Technology
1 of 10
Download to read offline
1
2
3
4
5
6
7
8
9
10
Data security in Online Commerce PRESENTATION BY ANAND NAIR FOR DATA SECURITY MEET UP. 03/2008
Introduction  About me:  More than a decade experience as a researcher and developer of secure web services for online infrastructure  Contributor to open source projects  Speaker in various meet ups for technology and approach for highly scalable secure architecture.  Recognized as technologist in gaming industry in research and development of online infrastructure.  What’s in presentation  Data security discussion  Tools to test security risk
Data vulnerability The most common web application security weakness is the failure to properly validate input coming from the client or environment before using it. This weakness leads to almost all of the major vulnerabilities in web applications, such as cross site scripting, SQL injection, interpreter injection, locale/Unicode attacks, file system attacks and buffer overflows.
Data Security : Watch the input data  Data from an external entity or client should never be trusted, since it can be arbitrarily tampered with by an attacker.  Unfortunately, complex applications like often have a large number of data input points, which makes it difficult for a developer to enforce this rule.
Data Security : Types of Attack  A MitM attack can be performed in two different ways:  The attacker is in control of a router along the normal point of traffic communication between the victim and the server the victim is communicating with.  The attacker is located on the same broadcast domain (e.g. subnet) as the victim.  The attacker is located on the same broadcast domain (e.g. subnet) as any of the routing devices used by the victim to route traffic.
Data Security: Transport Protocol  Attacker has the ability to view and modify any TCP traffic sent to or from the victim machine.  HTTP traffic is unencrypted and contains no authentication. Therefore, all HTTP traffic can be trivially monitored/modified by the attacker.
Data Security: Secure transport protocol  Man in the middle enables the attacker to view most exchanged data, but does not enable the attacker to intercept data exchanged of protocols that implement their own authentication and encryption (e.g. SSH, SSL/TLS).  The purpose of HTTPS is to create a secure communication over top of HTTP by the use of SSL or TLS. On its own SSL/TLS can be very effective and secure. However, there are significant problems  The browsers handling of SSL/TLS can lead to issues when both HTTPS and HTTP sites are visited by the user.  Man in middle would present a certificate warning message in the user’s browser and likely alert the user to the attack that most users would ignore the warning and continue – thus exposing all of their data.  Alternatively, the attacker could try and use tools such as SSLstrip to leverage poor application design with regards to SSL/TLS.
Using Tools  Toolkit:  Platform to run the application  Network switch to create a closed network environment  Wireshark (www.wireshark.org)  Burp Suite (www.portswigger.net/burp/download.html)
Using Tools: Wireshark
Using Tools: Burp Wire

More Related Content

PPTX
Wireless Intrusion Techniques
Cadis1
 
PPTX
Attack lecture #2 ppt
vasanthimuniasamy
 
PDF
Cyber security slideshare_oct_2020
Arun Velayudhan
 
PPTX
WEB APPLICATION SECURITY
yashwanthlavu
 
PPTX
Client server network threat
Raj vardhan
 
PPTX
network security
nandita0798
 
PPTX
Security
chian417
 
PPTX
Types of attack
RajuPrasad33
 
Wireless Intrusion Techniques
Cadis1
 
Attack lecture #2 ppt
vasanthimuniasamy
 
Cyber security slideshare_oct_2020
Arun Velayudhan
 
WEB APPLICATION SECURITY
yashwanthlavu
 
Client server network threat
Raj vardhan
 
network security
nandita0798
 
Security
chian417
 
Types of attack
RajuPrasad33
 

What's hot (20)

PPTX
Security Mechanisms
priya_trehan
 
PPTX
webinos Security privacy
webinos project
 
PPT
Types of attack -Part3 (Malware Part -2)
SHUBHA CHATURVEDI
 
PDF
Chapter 1 Introduction of Cryptography and Network security
Dr. Kapil Gupta
 
PPT
What are various types of cyber attacks
kanika sharma
 
PPTX
Computer security 7.pptx
Khappiyo
 
PPTX
Chapter- I introduction
Dr.Florence Dayana
 
PPTX
Network security
Ashish Gaurkhede
 
PPTX
Network attacks
Manjushree Mashal
 
PPTX
Konica Arora
Konica Arora
 
PDF
cisco security training
qosnetworking
 
PDF
8 palo alto security policy concepts
Mostafa El Lathy
 
PPTX
Web server security challenges
Martins Chibuike Onuoha
 
PPTX
WEB APPLICATION SECURITY
yashwanthlavu
 
PPTX
Web security
Iqbal Shaikh
 
PPT
Chapter 01
nathanurag
 
PPTX
System Security enviroment in operating system
Kushagr sharma
 
PPT
Security communication
Say Shyong
 
PPTX
Formal and Practical Aspects of Security of Operating System
Meghaj Mallick
 
PDF
3 palo alto ngfw architecture overview
Mostafa El Lathy
 
Security Mechanisms
priya_trehan
 
webinos Security privacy
webinos project
 
Types of attack -Part3 (Malware Part -2)
SHUBHA CHATURVEDI
 
Chapter 1 Introduction of Cryptography and Network security
Dr. Kapil Gupta
 
What are various types of cyber attacks
kanika sharma
 
Computer security 7.pptx
Khappiyo
 
Chapter- I introduction
Dr.Florence Dayana
 
Network security
Ashish Gaurkhede
 
Network attacks
Manjushree Mashal
 
Konica Arora
Konica Arora
 
cisco security training
qosnetworking
 
8 palo alto security policy concepts
Mostafa El Lathy
 
Web server security challenges
Martins Chibuike Onuoha
 
WEB APPLICATION SECURITY
yashwanthlavu
 
Web security
Iqbal Shaikh
 
Chapter 01
nathanurag
 
System Security enviroment in operating system
Kushagr sharma
 
Security communication
Say Shyong
 
Formal and Practical Aspects of Security of Operating System
Meghaj Mallick
 
3 palo alto ngfw architecture overview
Mostafa El Lathy
 
Ad

Viewers also liked (13)

PPTX
Vgjyhf
Gabriel Stancu
 
PDF
Computing Science Dissertation
rmc1987
 
PDF
Face to-face
Plastic Surgery Services
 
PPTX
Leadership academy power point
lshores
 
PDF
Social media landscape 2013 Geraud Montigny
Géraud Montigny
 
PDF
Breve histórico da pedologia
Linuxterra Eudes
 
DOCX
Doc1
Maria Jose Caro
 
PPTX
The businessman app
mdivt13
 
PPTX
The businessman app
mdivt13
 
PPTX
Prototype
mdivt13
 
PDF
The History of Injectables
Plastic Surgery Services
 
PPTX
Community development
Joseph Berry
 
PPTX
Community development
Joseph Berry
 
Vgjyhf
Gabriel Stancu
 
Computing Science Dissertation
rmc1987
 
Face to-face
Plastic Surgery Services
 
Leadership academy power point
lshores
 
Social media landscape 2013 Geraud Montigny
Géraud Montigny
 
Breve histórico da pedologia
Linuxterra Eudes
 
Doc1
Maria Jose Caro
 
The businessman app
mdivt13
 
The businessman app
mdivt13
 
Prototype
mdivt13
 
The History of Injectables
Plastic Surgery Services
 
Community development
Joseph Berry
 
Community development
Joseph Berry
 
Ad

Similar to Data security in online commerce (20)

PDF
Secure Coding BSSN Semarang Material.pdf
nanangAris1
 
PPT
E commerce security
Shakti Singh
 
PPT
1 network securityIntroduction - MSC.ppt
bilqesahmed608
 
PPTX
State of the information security nation
SensePost
 
PPT
E-COMMERCE SECURITY (2).ppt
Hemlata Gangwar
 
PPT
Electronic commerce security seventh annual edition
pathanaazim
 
PPT
E-COMMERCE SECURITY (1).ppt VI6R7UTGT6T5FRKDLKUTY
subhamkumar56644
 
PPT
E-COMMERCE SECURITY , e bussines nvjfffbjurgrujgkmdgnfblguisrljkfbbjsreio[q3g...
subhamkumar56644
 
PPTX
How to Test for The OWASP Top Ten
Security Innovation
 
PPT
Web Application Security
Abdul Wahid
 
PPTX
Computer Network Case Study - bajju.pptx
ShivamBajaj36
 
PPTX
Top web apps security vulnerabilities
Aleksandar Bozinovski
 
PPTX
ASP.NET security vulnerabilities
Aleksandar Bozinovski
 
PPT
Securing E-Commerce Networks Presentation.ppt
anshikagoel52
 
PPTX
Week 7 Basics of Web Security, a course in cyber security.pptx
AkachiOkoro1
 
PPTX
Cyber Attacks and Defences - JNTUH,Cyber Attacks and Defences
NiharikaGuptas
 
PDF
Ch7-Computer Security
Attaporn Ninsuwan
 
PPSX
Secure electronic transaction
Nishant Pahad
 
PDF
CNIT 129S: Securing Web Applications Ch 1-2
Sam Bowne
 
PPT
MOBILE & WIRELESS SECURITY And MOBILE & WIRELESS SECURITY
DEEPAK948083
 
Secure Coding BSSN Semarang Material.pdf
nanangAris1
 
E commerce security
Shakti Singh
 
1 network securityIntroduction - MSC.ppt
bilqesahmed608
 
State of the information security nation
SensePost
 
E-COMMERCE SECURITY (2).ppt
Hemlata Gangwar
 
Electronic commerce security seventh annual edition
pathanaazim
 
E-COMMERCE SECURITY (1).ppt VI6R7UTGT6T5FRKDLKUTY
subhamkumar56644
 
E-COMMERCE SECURITY , e bussines nvjfffbjurgrujgkmdgnfblguisrljkfbbjsreio[q3g...
subhamkumar56644
 
How to Test for The OWASP Top Ten
Security Innovation
 
Web Application Security
Abdul Wahid
 
Computer Network Case Study - bajju.pptx
ShivamBajaj36
 
Top web apps security vulnerabilities
Aleksandar Bozinovski
 
ASP.NET security vulnerabilities
Aleksandar Bozinovski
 
Securing E-Commerce Networks Presentation.ppt
anshikagoel52
 
Week 7 Basics of Web Security, a course in cyber security.pptx
AkachiOkoro1
 
Cyber Attacks and Defences - JNTUH,Cyber Attacks and Defences
NiharikaGuptas
 
Ch7-Computer Security
Attaporn Ninsuwan
 
Secure electronic transaction
Nishant Pahad
 
CNIT 129S: Securing Web Applications Ch 1-2
Sam Bowne
 
MOBILE & WIRELESS SECURITY And MOBILE & WIRELESS SECURITY
DEEPAK948083
 

Recently uploaded (20)

PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Encapsulation theory and applications.pdf
gurumoop
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Teaching material agriculture food technology
LiaRayya
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 

Data security in online commerce

  • 1. Data security in Online Commerce PRESENTATION BY ANAND NAIR FOR DATA SECURITY MEET UP. 03/2008
  • 2. Introduction  About me:  More than a decade experience as a researcher and developer of secure web services for online infrastructure  Contributor to open source projects  Speaker in various meet ups for technology and approach for highly scalable secure architecture.  Recognized as technologist in gaming industry in research and development of online infrastructure.  What’s in presentation  Data security discussion  Tools to test security risk
  • 3. Data vulnerability The most common web application security weakness is the failure to properly validate input coming from the client or environment before using it. This weakness leads to almost all of the major vulnerabilities in web applications, such as cross site scripting, SQL injection, interpreter injection, locale/Unicode attacks, file system attacks and buffer overflows.
  • 4. Data Security : Watch the input data  Data from an external entity or client should never be trusted, since it can be arbitrarily tampered with by an attacker.  Unfortunately, complex applications like often have a large number of data input points, which makes it difficult for a developer to enforce this rule.
  • 5. Data Security : Types of Attack  A MitM attack can be performed in two different ways:  The attacker is in control of a router along the normal point of traffic communication between the victim and the server the victim is communicating with.  The attacker is located on the same broadcast domain (e.g. subnet) as the victim.  The attacker is located on the same broadcast domain (e.g. subnet) as any of the routing devices used by the victim to route traffic.
  • 6. Data Security: Transport Protocol  Attacker has the ability to view and modify any TCP traffic sent to or from the victim machine.  HTTP traffic is unencrypted and contains no authentication. Therefore, all HTTP traffic can be trivially monitored/modified by the attacker.
  • 7. Data Security: Secure transport protocol  Man in the middle enables the attacker to view most exchanged data, but does not enable the attacker to intercept data exchanged of protocols that implement their own authentication and encryption (e.g. SSH, SSL/TLS).  The purpose of HTTPS is to create a secure communication over top of HTTP by the use of SSL or TLS. On its own SSL/TLS can be very effective and secure. However, there are significant problems  The browsers handling of SSL/TLS can lead to issues when both HTTPS and HTTP sites are visited by the user.  Man in middle would present a certificate warning message in the user’s browser and likely alert the user to the attack that most users would ignore the warning and continue – thus exposing all of their data.  Alternatively, the attacker could try and use tools such as SSLstrip to leverage poor application design with regards to SSL/TLS.
  • 8. Using Tools  Toolkit:  Platform to run the application  Network switch to create a closed network environment  Wireshark (www.wireshark.org)  Burp Suite (www.portswigger.net/burp/download.html)