Laura Diane Hamilton

Technical Product Manager at Groupon


How to Secure Your Web Application and Fight Fraud with Repsheet

Braintree hosted a fantastic Security workshop yesterday.

Aaron Bedra gave a great talk about web application security — including a run-down of Braintree's open-source anti-fraud tool repsheet.


Application Security — Tier 1

The first thing you should do to make sure that your site is secure is to check it against the OWASP Top 10 Flaws:

  1. Injection flaws (such as SQL, OS, and LDAP injection)
  2. Broken authentication and session management
  3. Cross-site scripting (XSS)
  4. Insecure object references
  5. Security misconfiguration
  6. Sensitive data exposure
  7. Missing function level access control
  8. Cross-site request forgery (CSRF)
  9. Using components with known vulnerabilities
  10. Unvalidated redirects and forwards
Of course, there's a relevant XKCD: XKCD #327, "Exploits of a Mom" (xkcd.com).
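The first item on that list, injection, is the one the XKCD strip is about. As an added illustration (my own code, not from the talk, the page, or Repsheet), here is a login check written the vulnerable way next to its parameterised form, run with Python's built-in sqlite3 module against a constructed in-memory table. The table, the user name and the password are made-up sample data.

```python
import sqlite3


def make_db():
    # Constructed in-memory table for the demonstration (not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    # String concatenation: the user's input becomes part of the SQL text,
    # so quotes and operators in it are parsed as SQL, not treated as data.
    query = ("SELECT name FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, name, password):
    # Parameterised query: the driver binds the values separately from the
    # statement, so the same input is compared literally and never parsed.
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone() is not None


def demo():
    """Run both versions with a valid password and with a classic tautology
    payload, returning what each one decides."""
    conn = make_db()
    tautology = "' OR '1'='1"
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_bypass": login_vulnerable(conn, "alice", tautology),
        "safe_valid": login_safe(conn, "alice", "s3cret"),
        "safe_bypass": login_safe(conn, "alice", tautology),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'login accepted' if accepted else 'login rejected'}")
```

The vulnerable version accepts the tautology input because the concatenated WHERE clause becomes `name = 'alice' AND password = '' OR '1'='1'`, which is always true; the parameterised version rejects it because the whole string is compared against the stored password as plain data. A scanner such as the one mentioned below looks for exactly this class of behaviour.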

In order to test your site for OWASP top 10 flaws, you can use an online security scanning service such as Qualys.


Now for Tier 2

Here's where it gets interesting. Braintree also collects a ton of information about all their traffic (both to their website and to their payment gateway), and uses repsheet to collect the data, mine the data, and identify anomalies.

This is really important to anyone who sells things online, because online credit card fraud costs retailers $3.5 billion per year. And most e-retailers are relatively unsophisticated in their anti-fraud techniques.

First, you'll want to install ModSecurity. Aaron has a great article on how to install ModSecurity if you're looking for a tutorial.

ModSecurity is a web application firewall (WAF) that supplies request filtering and other security features to Apache, IIS, and NGINX.

It has the following features:

  1. HTTP traffic logging
  2. Real-time monitoring and attack detection
  3. Attack prevention and just-in-time patching
  4. Flexible rule engine
  5. Embedded deployment
  6. Network-based deployment
(You can read more about the features here.)

You will also want to install GeoIP in order to take advantage of IP geolocation information. For example, fraudulent activity often originates from Cyprus, Nigeria, and Argentina. In general, a sudden spike in activity from a particular country is cause for investigation.

Here's where repsheet comes into play. Repsheet will record all traffic and all parameters — HTTP header information, IP information, IP geolocation, ModSecurity alerts, and any custom rules you have set up. It stores all the traffic data in a Redis database. And it can block traffic, set up warnings in the repsheet visualizer for a human to investigate, and even send updated rules to ModSecurity.
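To make the two ideas above concrete (a per-country spike as a trigger for investigation, and per-IP alerts turning into a warn-or-block decision), here is an added example in Python. It is my own code, not Repsheet's, and it does not use Repsheet's real Redis schema: the request records, their field layout, the country codes, the IPs and the thresholds are all constructed assumptions for the demonstration. The input is a small sample of request records of the kind Repsheet would collect, with the GeoIP country and a flag for whether ModSecurity raised an alert on that request.

```python
from collections import defaultdict

# Constructed sample of request records (hypothetical layout, not Repsheet's
# storage format): (minute, client_ip, geoip_country, modsecurity_alert_fired)
SAMPLE_REQUESTS = [
    # minutes 0-4: normal baseline, mostly traffic from one country
    (0, "198.51.100.4", "US", False), (0, "198.51.100.5", "US", False),
    (1, "198.51.100.4", "US", False), (1, "203.0.113.9", "NG", False),
    (2, "198.51.100.6", "US", False), (2, "198.51.100.4", "US", False),
    (3, "198.51.100.5", "US", False), (3, "203.0.113.9", "NG", False),
    (4, "198.51.100.4", "US", False), (4, "198.51.100.7", "US", False),
    # minute 5: a burst from a second country, one host tripping ModSecurity
    # repeatedly and another tripping it once
    (5, "203.0.113.20", "NG", False), (5, "203.0.113.21", "NG", False),
    (5, "203.0.113.22", "NG", False), (5, "203.0.113.23", "NG", False),
    (5, "203.0.113.24", "NG", True),  (5, "203.0.113.25", "NG", True),
    (5, "203.0.113.25", "NG", True),  (5, "203.0.113.25", "NG", True),
    (5, "198.51.100.4", "US", False),
]

SPIKE_FACTOR = 3.0   # flag a country at more than 3x its per-minute baseline
SPIKE_MIN_HITS = 5   # ...but only once the minute has at least this many hits
BLOCK_ALERTS = 3     # an IP with this many ModSecurity alerts gets "block"


def country_spikes(requests, window_minute):
    """Return {country: (hits, baseline)} for countries whose request count in
    window_minute exceeds SPIKE_FACTOR times their average per-minute count
    over all earlier minutes. A minimum hit count keeps a single request from
    a previously unseen country from counting as a 'spike'."""
    per_minute = defaultdict(lambda: defaultdict(int))  # minute -> country -> hits
    for minute, _ip, country, _alert in requests:
        per_minute[minute][country] += 1
    earlier = [m for m in per_minute if m < window_minute]
    flagged = {}
    for country, hits in per_minute[window_minute].items():
        total_before = sum(per_minute[m].get(country, 0) for m in earlier)
        baseline = total_before / max(len(earlier), 1)
        if hits >= SPIKE_MIN_HITS and hits > SPIKE_FACTOR * baseline:
            flagged[country] = (hits, baseline)
    return flagged


def ip_reputation(requests):
    """Classify each IP as 'block', 'warn' or 'ok' from how many of its
    requests raised a ModSecurity alert: repeated offenders are blocked,
    single alerts are queued for a human to look at."""
    alerts = defaultdict(int)
    for _minute, ip, _country, alert in requests:
        alerts[ip] += int(alert)       # also registers IPs with no alerts
    verdicts = {}
    for ip, count in alerts.items():
        if count >= BLOCK_ALERTS:
            verdicts[ip] = "block"
        elif count > 0:
            verdicts[ip] = "warn"
        else:
            verdicts[ip] = "ok"
    return verdicts


if __name__ == "__main__":
    for country, (hits, baseline) in country_spikes(SAMPLE_REQUESTS, 5).items():
        print(f"investigate {country}: {hits} hits this minute, baseline {baseline:.1f}/min")
    for ip, verdict in sorted(ip_reputation(SAMPLE_REQUESTS).items()):
        if verdict != "ok":
            print(f"{ip}: {verdict}")
```

In a real deployment the counters would live in Redis, as the post describes, so that every web node sees the same reputation, and the "block" verdict would become a rule pushed back to ModSecurity; the thresholds here are deliberately simple placeholders that a fraud model trained on your own history would replace.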

If you've had attacks/fraud in the past, you can also build your own machine-learning fraud model and supply that to repsheet.

You can also find Aaron's slides here.
