websecurity@lists.webappsec.org

The Web Security Mailing List

[Web Security] Can a PADSS certified system be hacked

sarvesh shete
Tue, May 21, 2013 3:16 AM

Hi,

Can a system which is PA DSS certified be hacked?
Hacked means not in case of getting sensitive data(data is stored with
AES256 and strong cryptography mechanism) but hacked means getting vertical
privilege escalation, XSS, Sql injection in the application.
Is it possible that the application is developed by secure coding
techniques and includes the code for handling XSS, sql injections etc and
is PADSS certified but still can it be hacked?

Regards,
Sarvesh
India

Ryan Dewhurst
Wed, May 22, 2013 10:19 PM

Quoting Michael Howard of Microsoft:

"You'll Never Reach Zero Security Vulnerabilities

It's sad but true, but you'll never get to zero security vulnerabilities. I
remember when we issued one of the first security updates for Windows
Vista. Some users were surprised because they thought Microsoft claimed to
have solved the security problem with Windows Vista. First, I don't know of
anyone who made the claim and second, zero security vulnerabilities just
isn't achievable.
While zero security vulnerabilities would be nice, thinking you can reach
such a state is folly. The fact is the technology landscape is always in
flux, threats are a moving target, and security research is ongoing. I said
earlier security is an arms race. We add defenses to our products and the
attackers adapt.
Your code might seem utterly vulnerability-free today, but that could all
change tomorrow when a new type of vulnerability is discovered. For
instance, on October 15, 2003, Microsoft issued a security bulletin that
fixed a cross-site scripting (XSS) vulnerability in Outlook® Web Access
included with Microsoft Exchange 5.5. On March 4th the following year,
Sanctum (since purchased by Watchfire and now IBM) released a paper that
outlined a new vulnerability akin to cross-site scripting called HTTP
response splitting. Six months later, Microsoft issued another security
update for Outlook Web Access in Microsoft Exchange 5.5 to fix an HTTP
response splitting vulnerability. So what happened? Simply put, at the time
the first bulletin was issued, response splitting issues were unheard of,
but the landscape changed."

The rest of the article is also worth a read -
http://msdn.microsoft.com/en-us/magazine/cc163310.aspx

On Tue, May 21, 2013 at 5:16 AM, sarvesh shete <sarvesh.sse@gmail.com> wrote:

Hi,

Can a system which is PA DSS certified be hacked?
Hacked means not in case of getting sensitive data(data is stored with
AES256 and strong cryptography mechanism) but hacked means getting vertical
privilege escalation, XSS, Sql injection in the application.
Is it possible that the application is developed by secure coding
techniques and includes the code for handling XSS, sql injections etc and
is PADSS certified but still can it be hacked?

Regards,
Sarvesh
India


The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

maanav
Thu, May 23, 2013 6:53 PM

My 2 cents:-

Any system of processes (like PCI / PA DSS) has a set of activities that are
certified based on checks done at a point in time. However, as it is a
system of processes executed by humans, there is every chance of an error
creeping in because of some step either getting missed out or not being
followed to the letter (e.g., maybe because of a not-an-expert hand behind
it) ..

Hence, any system can be hacked, it is just a matter of time. A certificate
is not a guarantee.

Regards

Maanav

From: websecurity [mailto:websecurity-bounces@lists.webappsec.org] On Behalf
Of Ryan Dewhurst
Sent: Thursday, May 23, 2013 3:50 AM
To: sarvesh shete
Cc:
Subject: Re: [WEB SECURITY] [Web Security] Can a PADSS certified system be
hacked

Quoting Michael Howard of Microsoft:

"You'll Never Reach Zero Security Vulnerabilities

It's sad but true, but you'll never get to zero security vulnerabilities. I
remember when we issued one of the first security updates for Windows Vista.
Some users were surprised because they thought Microsoft claimed to have
solved the security problem with Windows Vista. First, I don't know of
anyone who made the claim and second, zero security vulnerabilities just
isn't achievable.

While zero security vulnerabilities would be nice, thinking you can reach
such a state is folly. The fact is the technology landscape is always in
flux, threats are a moving target, and security research is ongoing. I said
earlier security is an arms race. We add defenses to our products and the
attackers adapt.

Your code might seem utterly vulnerability-free today, but that could all
change tomorrow when a new type of vulnerability is discovered. For
instance, on October 15, 2003, Microsoft issued a security bulletin that
fixed a cross-site scripting (XSS) vulnerability in Outlook® Web Access
included with Microsoft Exchange 5.5. On March 4th the following year,
Sanctum (since purchased by Watchfire and now IBM) released a paper that
outlined a new vulnerability akin to cross-site scripting called HTTP
response splitting. Six months later, Microsoft issued another security
update for Outlook Web Access in Microsoft Exchange 5.5 to fix an HTTP
response splitting vulnerability. So what happened? Simply put, at the time
the first bulletin was issued, response splitting issues were unheard of,
but the landscape changed."

The rest of the article is also worth a read -
http://msdn.microsoft.com/en-us/magazine/cc163310.aspx

On Tue, May 21, 2013 at 5:16 AM, sarvesh shete <sarvesh.sse@gmail.com> wrote:

Hi,

Can a system which is PA DSS certified be hacked?
Hacked means not in case of getting sensitive data(data is stored with
AES256 and strong cryptography mechanism) but hacked means getting vertical
privilege escalation, XSS, Sql injection in the application.
Is it possible that the application is developed by secure coding techniques
and includes the code for handling XSS, sql injections etc and is PADSS
certified but still can it be hacked?

Regards,
Sarvesh
India



Christian Heinrich
Fri, May 24, 2013 3:26 AM

Sarvesh,

I provided an overview of the political and technical deficiencies
within http://www.slideshare.net/cmlh/padss back in 2010.

On Tue, May 21, 2013 at 1:16 PM, sarvesh shete sarvesh.sse@gmail.com wrote:

Can a system which is PA DSS certified be hacked?
Hacked means not in case of getting sensitive data(data is stored with
AES256 and strong cryptography mechanism) but hacked means getting vertical
privilege escalation, XSS, Sql injection in the application.
Is it possible that the application is developed by secure coding techniques
and includes the code for handling XSS, sql injections etc and is PADSS
certified but still can it be hacked?

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

sarvesh shete
Fri, May 24, 2013 6:24 AM

Thanx Maanav, Thanx Christian!

Actually why I asked this question is because same case happened in my
organization.
I work for a company who develops banking products. We have a product PADSS
certified and while delivering it to a bank who is our new client; the
product 'go live' has been put on hold because bank carried out penetration
testing from other company who is specialized in penetration testing based
on pure hacking stuff. Though the pen testers could not break encryption or
hashing done on stored card numbers but were able to find flaws in few
screens of application like XSS, SQL injection etc because in some screens
developers missed out server side validations. Now the client bank says if
your product is PADSS certified then why such issues? It must be completely
secure. We have no answer! Surely we can fix the same but we have got no
explanation why such issues still exist even though product is PADSS
certified.
On May 24, 2013 8:56 AM, "Christian Heinrich" christian.heinrich@cmlh.id.au
wrote:

Sarvesh,

I provided an overview of the political and technical deficiencies
within http://www.slideshare.net/cmlh/padss back in 2010.

On Tue, May 21, 2013 at 1:16 PM, sarvesh shete sarvesh.sse@gmail.com
wrote:

Can a system which is PA DSS certified be hacked?
Hacked means not in case of getting sensitive data(data is stored with
AES256 and strong cryptography mechanism) but hacked means getting vertical
privilege escalation, XSS, Sql injection in the application.
Is it possible that the application is developed by secure coding techniques
and includes the code for handling XSS, sql injections etc and is PADSS
certified but still can it be hacked?

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

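The situation Sarvesh describes (a screen whose input was checked only in the browser, so the server splices it into SQL and echoes database content unencoded) next to the hardened form of the same lookup. This is an added example, not code from the thread or from any PA-DSS product; the table, the account-number format and the sample rows are constructed for the demo.

```python
import html
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for an account table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (account_no TEXT, holder TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("1001", "Alice"), ("1002", "Bob <bob@example.test>")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, account_no: str) -> str:
    """'Before' version: the form's JavaScript checked the field, the server
    does not. The value is concatenated into SQL and every result is written
    into HTML without encoding (SQL injection and stored XSS in one handler)."""
    rows = conn.execute(
        "SELECT holder FROM accounts WHERE account_no = '" + account_no + "'"
    ).fetchall()
    return "<ul>" + "".join(f"<li>{h}</li>" for (h,) in rows) + "</ul>"


# Server-side allow-list: account numbers in this constructed schema are
# exactly four digits, so anything else is rejected before it reaches SQL.
ACCOUNT_RE = re.compile(r"[0-9]{4}")


class ValidationError(ValueError):
    """Raised when input fails server-side validation."""


def lookup_hardened(conn: sqlite3.Connection, account_no: str) -> str:
    """'After' version: validate on the server, bind the parameter instead of
    concatenating it, and HTML-encode everything that came from the database."""
    if not ACCOUNT_RE.fullmatch(account_no):
        raise ValidationError("account_no must be exactly four digits")
    rows = conn.execute(
        "SELECT holder FROM accounts WHERE account_no = ?", (account_no,)
    ).fetchall()
    return "<ul>" + "".join(f"<li>{html.escape(h)}</li>" for (h,) in rows) + "</ul>"


def count_rows_returned(page: str) -> int:
    """Number of result rows rendered into the page."""
    return page.count("<li>")
```

The same tautology that gives the vulnerable handler every row is rejected by the hardened one before a query is built, and the holder containing angle brackets is rendered as text rather than markup.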
Christoph Gruber
Fri, May 24, 2013 11:21 AM

On 21.05.2013 um 05:16 sarvesh shete sarvesh.sse@gmail.com wrote:

Hi,

Can a system which is PA DSS certified be hacked?
Hacked means not in case of getting sensitive data(data is stored with
AES256 and strong cryptography mechanism)

Even when you store data with AES256 or any other secure encryption, the data still has to be accessed. On every transition, the data has to be loaded, decrypted and modified.
So EVERY data can be accessed by attackers.
All other things about zero vulns and so on are already said by the others in this thread.

[snip]

Regards,
Sarvesh
India

--
Christoph Gruber

Albert Lunde
Fri, May 24, 2013 12:11 PM

At a more abstract level, there are proofs relating malware detection to
the Turing halting problem, saying in effect that one can't look at code
with a perfect algorithm to say "this is a virus" or "this is not a
virus".

So the state of the art in that area isn't going to rise too far above
imperfect heuristics, and signatures based on a known virus "zoo".

http://en.wikipedia.org/wiki/Malware_research

http://en.wikipedia.org/wiki/Fred_Cohen

http://en.wikipedia.org/wiki/Leonard_Adleman

The same ideas are probably applicable to other general questions about
the properties of computer software. "Does this program work?" may be
answered in specific cases, but not in the general unconstrained case.

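A concrete version of the argument Albert refers to, added here and not part of the original post: whatever verdict function a scanner uses, a program can consult that scanner about itself and do the opposite, so no scanner classifies every program correctly. The "programs" are Python callables that merely return a constructed label ("replicate" or "benign") describing what they would do; nothing is executed beyond returning a string.

```python
import inspect
from typing import Callable

Program = Callable[[], str]            # returns "replicate" or "benign"
Detector = Callable[[Program], bool]   # True means "this is a virus"


def signature_detector(prog: Program) -> bool:
    """A signature scanner: flags any program whose source mentions the
    replicate behaviour, the way a 'zoo' of known samples would."""
    try:
        return '"replicate"' in inspect.getsource(prog)
    except OSError:
        # No source available (e.g. defined interactively): treat as clean.
        return False


def always_clean(prog: Program) -> bool:
    """Degenerate scanner that never raises an alarm."""
    return False


def always_virus(prog: Program) -> bool:
    """Degenerate scanner that flags everything."""
    return True


def build_counterexample(detector: Detector) -> Program:
    """Cohen-style construction: the program asks the detector about itself
    and then behaves contrary to the verdict it receives."""
    def contrary() -> str:
        if detector(contrary):        # verdict "virus"  -> stay benign
            return "benign"
        return "replicate"            # verdict "clean"  -> replicate
    return contrary


def detector_is_fooled(detector: Detector) -> bool:
    """True when the detector's verdict on its own counterexample disagrees
    with what that program actually does. Holds for every detector."""
    prog = build_counterexample(detector)
    verdict_is_virus = detector(prog)
    actual_is_virus = prog() == "replicate"
    return verdict_is_virus != actual_is_virus
```

The construction does not need to know how the detector works, only that it can be called; that is why heuristics and signature zoos are the ceiling rather than a stepping stone to a perfect classifier.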
Lal kumar
Fri, May 24, 2013 4:36 PM

Hi Sarvesh,

Your organization is not following secure SDLC while developing
applications.
Choose testers wisely.

Regards,
Lal kumar
On 24 May 2013 21:54, "sarvesh shete" sarvesh.sse@gmail.com wrote:

Thanx Maanav, Thanx Christian!

Actually why I asked this question is because same case happened in my
organization.
I work for a company who develops banking products. We have a product
PADSS certified and while delivering it to a bank who is our new client;
the product 'go live' has been put on hold because bank carried out
penetration testing from other company who is specialized in penetration
testing based on pure hacking stuff. Though the pen testers could not break
encryption or hashing done on stored card numbers but were able to find
flaws in few screens of application like XSS, SQL injection etc because in
some screens developers missed out server side validations. Now the client
bank says if your product is PADSS certified then why such issues? It must
be completely secure. We have no answer! Surely we can fix the same but we
have got no explanation why such issues still exist even though product is
PADSS certified.
On May 24, 2013 8:56 AM, "Christian Heinrich" <
christian.heinrich@cmlh.id.au> wrote:

Sarvesh,

I provided an overview of the political and technical deficiencies
within http://www.slideshare.net/cmlh/padss back in 2010.

On Tue, May 21, 2013 at 1:16 PM, sarvesh shete sarvesh.sse@gmail.com
wrote:

Can a system which is PA DSS certified be hacked?
Hacked means not in case of getting sensitive data(data is stored with
AES256 and strong cryptography mechanism) but hacked means getting vertical
privilege escalation, XSS, Sql injection in the application.
Is it possible that the application is developed by secure coding techniques
and includes the code for handling XSS, sql injections etc and is PADSS
certified but still can it be hacked?

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

Colin Watson
Fri, May 24, 2013 6:22 PM

Sarvesh

It perhaps sounds like you ought to be discussing this with your PA-QSA, and the PCISSC who certify PA-QSA companies and assessors:

https://www.pcisecuritystandards.org/approved_companies_providers/payment_application_qsas.php

https://www.pcisecuritystandards.org/approved_companies_providers/pa-qsaclientfeedbackform.php

Merchants using the product might be at risk.

Colin

----- Original Message -----
From: sarvesh shete [mailto:sarvesh.sse@gmail.com]
To: Christian Heinrich [mailto:christian.heinrich@cmlh.id.au]
Cc: websecurity@lists.webappsec.org
Sent: Fri, 24 May 2013 07:24:38 +0100
Subject: Re: [WEB SECURITY] [Web Security] Can a PADSS certified system be hacked

Thanx Maanav, Thanx Christian!

Actually why I asked this question is because same case happened in my
organization.
I work for a company who develops banking products. We have a product PADSS
certified and while delivering it to a bank who is our new client; the
product 'go live' has been put on hold because bank carried out penetration
testing from other company who is specialized in penetration testing based
on pure hacking stuff. Though the pen testers could not break encryption or
hashing done on stored card numbers but were able to find flaws in few
screens of application like XSS, SQL injection etc because in some screens
developers missed out server side validations. Now the client bank says if
your product is PADSS certified then why such issues? It must be completely
secure. We have no answer! Surely we can fix the same but we have got no
explanation why such issues still exist even though product is PADSS
certified.
On May 24, 2013 8:56 AM, "Christian Heinrich"
christian.heinrich@cmlh.id.au
wrote:

Sarvesh,

I provided an overview of the political and technical deficiencies
within http://www.slideshare.net/cmlh/padss back in 2010.

On Tue, May 21, 2013 at 1:16 PM, sarvesh shete sarvesh.sse@gmail.com
wrote:

Can a system which is PA DSS certified be hacked?
Hacked means not in case of getting sensitive data(data is stored with
AES256 and strong cryptography mechanism) but hacked means getting vertical
privilege escalation, XSS, Sql injection in the application.
Is it possible that the application is developed by secure coding techniques
and includes the code for handling XSS, sql injections etc and is PADSS
certified but still can it be hacked?

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

Steve Kerns
Tue, May 28, 2013 2:18 PM

Can an application be hacked even if it is PA-DSS validated? The answer is yes? Have you made any changes to the application since the validation? If so, are you performing code reviews and your penetration testing against the application? Are you doing these internally or do you have them performed by a third party?

These should have been caught before the validation process during your testing/QA phase. The auditor should have also caught them, but depending on their skills, they may have not performed the right tests or used the right tools.

I am curious, what company did the PA-DSS validation?

Steve Kerns

From: websecurity [mailto:websecurity-bounces@lists.webappsec.org] On Behalf Of sarvesh shete
Sent: Friday, May 24, 2013 1:25 AM
To: Christian Heinrich
Cc: websecurity@lists.webappsec.org
Subject: Re: [WEB SECURITY] [Web Security] Can a PADSS certified system be hacked

Thanx Maanav, Thanx Christian!

Actually why I asked this question is because same case happened in my organization.
I work for a company who develops banking products. We have a product PADSS certified and while delivering it to a bank who is our new client; the product 'go live' has been put on hold because bank carried out penetration testing from other company who is specialized in penetration testing based on pure hacking stuff. Though the pen testers could not break encryption or hashing done on stored card numbers but were able to find flaws in few screens of application like XSS, SQL injection etc because in some screens developers missed out server side validations. Now the client bank says if your product is PADSS certified then why such issues? It must be completely secure. We have no answer! Surely we can fix the same but we have got no explanation why such issues still exist even though product is PADSS certified.
On May 24, 2013 8:56 AM, "Christian Heinrich" <christian.heinrich@cmlh.id.au> wrote:
Sarvesh,

I provided an overview of the political and technical deficiencies
within http://www.slideshare.net/cmlh/padss back in 2010.

On Tue, May 21, 2013 at 1:16 PM, sarvesh shete <sarvesh.sse@gmail.com> wrote:

Can a system which is PA DSS certified be hacked?
Hacked means not in case of getting sensitive data(data is stored with
AES256 and strong cryptography mechanism) but hacked means getting vertical
privilege escalation, XSS, Sql injection in the application.
Is it possible that the application is developed by secure coding techniques
and includes the code for handling XSS, sql injections etc and is PADSS
certified but still can it be hacked?

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

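An added example (not code from this thread or from Sarvesh's product) of the gap described above: the same card-holder lookup screen written once without server-side validation and once with it, run against a constructed in-memory SQLite table. The table, column and function names are assumptions.

```python
"""Added example, not from the mailing list: one card-holder lookup screen
with and without the server-side validation the thread says was missed."""
import html
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the product's holder store.
    The second name deliberately contains markup to show output encoding."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE holders (last4 TEXT, name TEXT)")
    con.executemany("INSERT INTO holders VALUES (?, ?)",
                    [("4242", "A. Holder"), ("1111", "B. <b>Holder</b>")])
    return con


def lookup_unvalidated(con: sqlite3.Connection, last4: str) -> str:
    """The missed-validation screen: the query is built by string
    concatenation and the result is rendered without HTML encoding,
    so any client-side check is the only check."""
    sql = "SELECT name FROM holders WHERE last4 = '" + last4 + "'"
    rows = con.execute(sql).fetchall()
    return "<p>Holder: " + ", ".join(r[0] for r in rows) + "</p>"


# Exactly four ASCII digits; anything else is rejected on the server.
LAST4 = re.compile(r"[0-9]{4}")


def lookup_validated(con: sqlite3.Connection, last4: str) -> str:
    """Hardened screen: validate the field on the server regardless of what
    the browser did, bind the value as a query parameter, and HTML-encode
    whatever is rendered back to the page."""
    if not LAST4.fullmatch(last4):
        raise ValueError("last4 must be exactly four digits")
    rows = con.execute(
        "SELECT name FROM holders WHERE last4 = ?", (last4,)).fetchall()
    return "<p>Holder: " + html.escape(", ".join(r[0] for r in rows)) + "</p>"
```

The validated handler rejects any non-digit input before it reaches the database, which is the check a pen tester will look for on every screen, not just the ones the developers remembered.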