Conference Talk
Thursday, October 3
 

11:00am PDT

Securing the digital certificate issuing process
Public Key Cryptography is a reality in Brazil. Over the past three years, more than five million digital certificates were issued under the Brazilian Public Key Infrastructure (Infraestrutura de Chaves Públicas Brasileira – ICP-Brasil). This number is expected to keep growing as new applications that use digital certificates enter Brazilians' everyday life.
A digital certificate is a digital file that binds a public key to a specific subject. It is usually issued by Certificate Authorities (CA), entities that are trusted by the public. The public key is mathematically related to a private key, which is supposed to be kept by (and only by) the subject.
The process of issuing digital certificates is crucial to the Certificate Authority's operation. Through it, the certificate requesters generate the key pair and create a formal request (a Certificate Signing Request), which is sent to the CA for validation and generation of the certificate file (formatted according to the X.509 standard).
Important parts of this process take place in the requester's (end user's) environment: the key pair generation, the creation of the formal request, and the final installation of the digital certificate into the cryptographic repository. Security is obviously a critical issue in this scenario, mostly because we are dealing with an environment that is not controlled by the certificate authority: the end user's.
The purpose of this talk is to describe the path followed by Certisign Certificadora Digital S.A. through the years, seeking to improve the digital certificate issuing operations that take place in the end user's environment, with a focus on usability and security. We are going to show the software components adopted, their evolution, the problems faced and the solutions applied. We are also going to take the opportunity to discuss trends, standards and projects under development in the field.
Emphasis will be placed on the web application security issues related to the digital certificate issuing process, since most existing Certificate Authorities use this kind of application to deliver services to their stakeholders and customers. This remains a challenge for application developers, since web browsers and operating systems impose a great number of restrictions on the interactions between the web page and the cryptographic key repositories. In addition, the currently known web application vulnerabilities represent an important threat to the end user and to the whole Public Key Infrastructure.

Speakers

Bruno Ribeiro, M.Sc., CSSLP

Software Development Coordinator, Certisign Certificadora Digital SA
Software Development Coordinator at Certisign Certificadora Digital SA with focus on business solutions. Expert in secure software engineering with 15 years of experience in analysis, development and requirement specification of security software. Master's Degree in Software Engineering...

Andre Ortiz

Software Development Coordinator, Certisign Certificadora Digital SA
Software Development Coordinator at Certisign Certificadora Digital SA with focus on services solutions. Expert in software development with more than 10 years of experience in system administration, object oriented programming, software architecture and e-commerce applications. Bachelor...


Thursday October 3, 2013 11:00am - 11:50am PDT
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru

11:50am PDT

Secure Development Training: A Real Case of Success
The talk presents a project run in a multinational company with over 500,000 employees: security training in software development following the guidelines and projects developed by OWASP.
The speaker is responsible for the project, which began in 2012, has trained hundreds of developers, and will continue through 2013 and 2014. The data presented cover the level of compliance of the applications developed by the company, the developers' use of the content presented, and the positive impact on the quality of the software developed.
Some of the training material is shown and the methodology used is explained.

Speakers

Luiz Vieira

Volunteer, HackProofing
Rio de Janeiro/Brazil OWASP Chapter Leader. Security specialist who works with audit, penetration testing and computer forensics. Currently developing projects in the area of information security at an oil and gas company in Brazil, and is an instructor of courses about information...


Thursday October 3, 2013 11:50am - 12:40pm PDT
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru

2:00pm PDT

The CSO's Myopia
Before reading this article, imagine what it would be like to manage your company without your customers' data, or if that data were in your competitors' hands.
The value of data is an established fact and almost doesn't bear mentioning. The experience your customers accumulate over the years, as well as the customer database itself, is fundamental and represents a great competitive edge in this new corporate era.
Keeping this in mind, we realize the importance of implementing specific policies in order to build a base that guarantees the security of this data.
Recently, security-related incidents have increased to the point that IT management has become more and more complex and, as a consequence, the need for a new kind of professional has emerged: the Chief Security Officer (CSO).
The CSO has become the person responsible for all risk areas and data security, and also for the definition and implementation of the security strategies and policies that a company will adopt.
Such policies are developed to reduce risks and negative impacts and also to limit exposure to liability in all areas.
However, the main issue dealt with here doesn't question the need for good professionals, secured information or better security policies. It deals with the constructive process every company goes through when creating and structuring such policies.
The limited vision commonly applied when creating these policies isn't enough to cover the company's full range of existing vulnerabilities.

So, I will demonstrate many of the security issues that this limited vision brings, such as human faults in web servers, and other vulnerabilities such as SQL injection and others related to the OWASP Top 10.

Speakers

Jordan M. Bonagura

Information Security Researcher, Bonagura
Jordan M. Bonagura is a computer scientist with postgraduate qualifications in the areas of strategic business management, innovation and teaching (methodology of teaching and research). Acts as a business consultant and researcher in the field of information security with emphasis...


Thursday October 3, 2013 2:00pm - 2:50pm PDT
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru