Application Security — Tier 1
The first thing you should do to make sure that your site is secure is to check it against the OWASP Top 10 Flaws:
- Injection flaws (such as SQL, OS, and LDAP injection)
- Broken authentication and session management
- Cross-site scripting (XSS)
- Insecure object references
- Security misconfiguration
- Sensitive data exposure
- Missing function level access control
- Cross-site request forgery (CSRF)
- Using components with known vulnerabilities
- Unvalidated redirects and forwards
Source: XKCD #327 "Exploits of a Mom"
To test your site for the OWASP Top 10 flaws, you can use an online security scanning service such as Qualys.
Now for Tier 2
Here's where it gets interesting. Braintree also collects a ton of information about all their traffic (both to their website and to their payment gateway), and uses Repsheet to collect the data, mine it, and identify anomalies.
This is really important to anyone who sells things online, because online credit card fraud costs retailers $3.5 billion per year. And most e-retailers are relatively unsophisticated in their anti-fraud techniques.
ModSecurity is a web application layer firewall that supplies an array of request filtering and other security features to Apache, IIS, and NGINX.
It has the following features:
- HTTP traffic logging
- Real-time monitoring and attack detection
- Attack prevention and just-in-time patching
- Flexible rule engine
- Embedded deployment
- Network-based deployment
You will also want to install GeoIP in order to take advantage of IP geolocation information. For example, fraudulent activity often originates from Cyprus, Nigeria, and Argentina. In general, a sudden spike in activity from a particular country is cause for investigation.
Here's where Repsheet comes into play. Repsheet will record all traffic and all parameters — HTTP header information, IP information, IP geolocation, ModSecurity alerts, and any custom rules you have set up. It stores all the traffic data in a Redis database. And it can block traffic, raise warnings in the Repsheet visualizer for a human to investigate, and even send updated rules to ModSecurity.
If you've had attacks or fraud in the past, you can also build your own machine-learning fraud model and supply that to Repsheet.
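As an added illustration of the per-country spike check described above (this is example code, not Repsheet's, ModSecurity's or Aaron's own), the following Python sketch buckets constructed log lines by 10-minute window and flags any country whose request count jumps well above its average over earlier windows; the "timestamp ip country path" log layout and the thresholds are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample lines in a hypothetical "timestamp ip country path" layout
# (not the real Repsheet or ModSecurity log format). Country comes from GeoIP.
SAMPLE_LOG = """\
2024-01-01T10:00:05Z 198.51.100.7 US /checkout
2024-01-01T10:00:12Z 203.0.113.9 DE /checkout
2024-01-01T10:05:40Z 198.51.100.8 US /checkout
2024-01-01T10:06:01Z 192.0.2.3 CY /checkout
2024-01-01T10:12:10Z 198.51.100.9 US /checkout
2024-01-01T10:14:22Z 203.0.113.4 DE /login
2024-01-01T10:22:07Z 192.0.2.10 CY /checkout
2024-01-01T10:22:08Z 192.0.2.11 CY /checkout
2024-01-01T10:22:09Z 192.0.2.12 CY /checkout
2024-01-01T10:22:11Z 192.0.2.13 CY /checkout
2024-01-01T10:22:15Z 192.0.2.14 CY /checkout
2024-01-01T10:22:19Z 198.51.100.2 US /checkout
"""


def detect_country_spikes(log_text, window_minutes=10, factor=3.0, min_requests=5):
    """Return windows in which a country's request count exceeds `factor` times
    its mean count over all earlier observed windows (and at least min_requests)."""
    counts = defaultdict(Counter)  # window bucket -> Counter(country -> requests)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _ip, country, _path = line.split()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        counts[int(t.timestamp()) // (window_minutes * 60)][country] += 1

    spikes = []
    windows = sorted(counts)
    for i, w in enumerate(windows):
        if i == 0:
            continue  # no history yet to compare against
        prev = windows[:i]  # only windows with traffic; empty windows are ignored
        for country, n in counts[w].items():
            baseline = sum(counts[p][country] for p in prev) / len(prev)
            if n >= min_requests and n > factor * baseline:
                start = datetime.fromtimestamp(w * window_minutes * 60, timezone.utc)
                spikes.append({"window": start.strftime("%Y-%m-%dT%H:%MZ"),
                               "country": country, "count": n, "baseline": baseline})
    return spikes


if __name__ == "__main__":
    for s in detect_country_spikes(SAMPLE_LOG):
        print(f"{s['window']} {s['country']}: {s['count']} requests (baseline {s['baseline']:.1f})")
```

In practice the flagged window would become a warning for a human to review rather than an automatic block, since a legitimate campaign or a new market can produce the same shape.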
You can also find Aaron's slides here.