Enviar búsqueda
Cargar
Web Application Security: Connecting the Dots
•
1 recomendación
•
1,258 vistas
InnoTech
Seguir
Presented on May 3, 2012 for InnoTech Oregon. All rights reserved.
Leer menos
Leer más
Tecnología
Denunciar
Compartir
Denunciar
Compartir
1 de 34
Descargar ahora
Descargar para leer sin conexión
Recomendados
When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...
When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...
GFI Software
VIPRE Business Takes a Bite out of Bloatware
VIPRE Business Takes a Bite out of Bloatware
GFI Software
Hybrid Technology
Hybrid Technology
GFI Software
Avoiding Data Breaches in 2016: What You Need to Know
Avoiding Data Breaches in 2016: What You Need to Know
Enterprise Management Associates
Avoiding Data Breaches in 2016: What You Need to Kow
Avoiding Data Breaches in 2016: What You Need to Kow
Enterprise Management Associates
Key Resources - z/Assure Sales Presentation
Key Resources - z/Assure Sales Presentation
rfragola
11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)
Jeremiah Grossman
Cybersecurity through the Deloitte lens
Cybersecurity through the Deloitte lens
aakash malhotra
Más contenido relacionado
La actualidad más candente
DATA PROTECTION & BREACH READINESS GUIDE 2014
DATA PROTECTION & BREACH READINESS GUIDE 2014
- Mark - Fullbright
Security Threats for SMBs
Security Threats for SMBs
GFI Software
December ISSA Meeting Executive Security Presentation
December ISSA Meeting Executive Security Presentation
whmillerjr
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
EnterpriseGRC Solutions, Inc.
Four mistakes to avoid when hiring your next security chief (print version ...
Four mistakes to avoid when hiring your next security chief (print version ...
Niren Thanky
DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...
DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...
Andris Soroka
Business Continuity And Disaster Recovery Are Top IT Priorities For 2010 And ...
Business Continuity And Disaster Recovery Are Top IT Priorities For 2010 And ...
Citrix Online
Comodo SOC service provider
Comodo SOC service provider
paulharry03
SecurityBSides London - Jedi mind tricks for building application security pr...
SecurityBSides London - Jedi mind tricks for building application security pr...
Security Ninja
Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...
Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...
Skybox Security
BCP Expo Presentation and company overview final ver. 1.0
BCP Expo Presentation and company overview final ver. 1.0
Julian Samuels
BCP Expo Presentation and company overview final ver. 1.0
BCP Expo Presentation and company overview final ver. 1.0
Julian Samuels
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Mighty Guides, Inc.
X-Force Threat Intelligence: Fight Insider Threats & Protect Your Sensitive Data
X-Force Threat Intelligence: Fight Insider Threats & Protect Your Sensitive Data
IBM Security
5 Questions Executives Should Be Asking Their Security Teams
5 Questions Executives Should Be Asking Their Security Teams
Arun Chinnaraju MBA, PMP, CSM, CSPO, SA
Building Bridges: Security Metrics to Narrow the Chasm Between Perception and...
Building Bridges: Security Metrics to Narrow the Chasm Between Perception and...
InnoTech
The value of our data
The value of our data
EnterpriseGRC Solutions, Inc.
How to tell if that pop-up window is offering you a rogue anti-malware product
How to tell if that pop-up window is offering you a rogue anti-malware product
GFI Software
College Presentation
College Presentation
scottfrost
Security Feature Cover Story
Security Feature Cover Story
Torrid Networks Private Limited
La actualidad más candente
(20)
DATA PROTECTION & BREACH READINESS GUIDE 2014
DATA PROTECTION & BREACH READINESS GUIDE 2014
Security Threats for SMBs
Security Threats for SMBs
December ISSA Meeting Executive Security Presentation
December ISSA Meeting Executive Security Presentation
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Four mistakes to avoid when hiring your next security chief (print version ...
Four mistakes to avoid when hiring your next security chief (print version ...
DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...
DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...
Business Continuity And Disaster Recovery Are Top IT Priorities For 2010 And ...
Business Continuity And Disaster Recovery Are Top IT Priorities For 2010 And ...
Comodo SOC service provider
Comodo SOC service provider
SecurityBSides London - Jedi mind tricks for building application security pr...
SecurityBSides London - Jedi mind tricks for building application security pr...
Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...
Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...
BCP Expo Presentation and company overview final ver. 1.0
BCP Expo Presentation and company overview final ver. 1.0
BCP Expo Presentation and company overview final ver. 1.0
BCP Expo Presentation and company overview final ver. 1.0
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
X-Force Threat Intelligence: Fight Insider Threats & Protect Your Sensitive Data
X-Force Threat Intelligence: Fight Insider Threats & Protect Your Sensitive Data
5 Questions Executives Should Be Asking Their Security Teams
5 Questions Executives Should Be Asking Their Security Teams
Building Bridges: Security Metrics to Narrow the Chasm Between Perception and...
Building Bridges: Security Metrics to Narrow the Chasm Between Perception and...
The value of our data
The value of our data
How to tell if that pop-up window is offering you a rogue anti-malware product
How to tell if that pop-up window is offering you a rogue anti-malware product
College Presentation
College Presentation
Security Feature Cover Story
Security Feature Cover Story
Destacado
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...
Cenzic
Why You Need A Web Application Firewall
Why You Need A Web Application Firewall
Port80 Software
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or Succeed
Prathan Phongthiproek
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall Eng
Dmitry Evteev
IDS and IPS
IDS and IPS
Santosh Khadsare
Cyber Security - IDS/IPS is not enough
Cyber Security - IDS/IPS is not enough
Savvius, Inc
Destacado
(6)
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...
Why You Need A Web Application Firewall
Why You Need A Web Application Firewall
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or Succeed
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall Eng
IDS and IPS
IDS and IPS
Cyber Security - IDS/IPS is not enough
Cyber Security - IDS/IPS is not enough
Similar a Web Application Security: Connecting the Dots
How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
SecPod Technologies
Breaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gaps
IBM Security
WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]
Jeremiah Grossman
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)
Gabriel Dusil
Government and Education Webinar: How the New Normal Could Improve your IT Op...
Government and Education Webinar: How the New Normal Could Improve your IT Op...
SolarWinds
Presentation security build for v mware
Presentation security build for v mware
solarisyourep
WhiteHat Security 8th Website Security Statistics Report
WhiteHat Security 8th Website Security Statistics Report
Jeremiah Grossman
Advanced Web Security Deployment
Advanced Web Security Deployment
Cisco Canada
Stopping the Adobe, Apple and Java Software Updater Insanity
Stopping the Adobe, Apple and Java Software Updater Insanity
Lumension
kill-chain-presentation-v3
kill-chain-presentation-v3
Shawn Croswell
Presentation gdl
Presentation gdl
Juan Carlos Carrillo
Security Trends and Risk Mitigation for the Public Sector
Security Trends and Risk Mitigation for the Public Sector
IBMGovernmentCA
Cybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond Compliance
EnergySec
Rochester Security Event
Rochester Security Event
calebbarlow
Developing Your Security Foundation: A Guide for Nonprofits During the Pandem...
Developing Your Security Foundation: A Guide for Nonprofits During the Pandem...
TechSoup
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for Applications
Denim Group
Info sec for startups
Info sec for startups
Kesava Reddy
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
IBM Security
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
Cloudflare
Check Point Consolidation
Check Point Consolidation
Group of company MUK
Similar a Web Application Security: Connecting the Dots
(20)
How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
Breaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gaps
WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)
Government and Education Webinar: How the New Normal Could Improve your IT Op...
Government and Education Webinar: How the New Normal Could Improve your IT Op...
Presentation security build for v mware
Presentation security build for v mware
WhiteHat Security 8th Website Security Statistics Report
WhiteHat Security 8th Website Security Statistics Report
Advanced Web Security Deployment
Advanced Web Security Deployment
Stopping the Adobe, Apple and Java Software Updater Insanity
Stopping the Adobe, Apple and Java Software Updater Insanity
kill-chain-presentation-v3
kill-chain-presentation-v3
Presentation gdl
Presentation gdl
Security Trends and Risk Mitigation for the Public Sector
Security Trends and Risk Mitigation for the Public Sector
Cybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond Compliance
Rochester Security Event
Rochester Security Event
Developing Your Security Foundation: A Guide for Nonprofits During the Pandem...
Developing Your Security Foundation: A Guide for Nonprofits During the Pandem...
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for Applications
Info sec for startups
Info sec for startups
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
Check Point Consolidation
Check Point Consolidation
Más de InnoTech
"So you want to raise funding and build a team?"
"So you want to raise funding and build a team?"
InnoTech
Artificial Intelligence is Maturing
Artificial Intelligence is Maturing
InnoTech
What is AI without Data?
What is AI without Data?
InnoTech
Courageous Leadership - When it Matters Most
Courageous Leadership - When it Matters Most
InnoTech
The Gathering Storm
The Gathering Storm
InnoTech
Sql Server tips from the field
Sql Server tips from the field
InnoTech
Quantum Computing and its security implications
Quantum Computing and its security implications
InnoTech
Converged Infrastructure
Converged Infrastructure
InnoTech
Making the most out of collaboration with Office 365
Making the most out of collaboration with Office 365
InnoTech
Blockchain use cases and case studies
Blockchain use cases and case studies
InnoTech
Blockchain: Exploring the Fundamentals and Promising Potential
Blockchain: Exploring the Fundamentals and Promising Potential
InnoTech
Business leaders are engaging labor differently - Is your IT ready?
Business leaders are engaging labor differently - Is your IT ready?
InnoTech
AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...
AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...
InnoTech
Using Business Intelligence to Bring Your Data to Life
Using Business Intelligence to Bring Your Data to Life
InnoTech
User requirements is a fallacy
User requirements is a fallacy
InnoTech
What I Wish I Knew Before I Signed that Contract - San Antonio
What I Wish I Knew Before I Signed that Contract - San Antonio
InnoTech
Disaster Recovery Plan - Quorum
Disaster Recovery Plan - Quorum
InnoTech
Share point saturday access services 2015 final 2
Share point saturday access services 2015 final 2
InnoTech
Sp tech festdallas - office 365 groups - planner session
Sp tech festdallas - office 365 groups - planner session
InnoTech
Power apps presentation
Power apps presentation
InnoTech
Más de InnoTech
(20)
"So you want to raise funding and build a team?"
"So you want to raise funding and build a team?"
Artificial Intelligence is Maturing
Artificial Intelligence is Maturing
What is AI without Data?
What is AI without Data?
Courageous Leadership - When it Matters Most
Courageous Leadership - When it Matters Most
The Gathering Storm
The Gathering Storm
Sql Server tips from the field
Sql Server tips from the field
Quantum Computing and its security implications
Quantum Computing and its security implications
Converged Infrastructure
Converged Infrastructure
Making the most out of collaboration with Office 365
Making the most out of collaboration with Office 365
Blockchain use cases and case studies
Blockchain use cases and case studies
Blockchain: Exploring the Fundamentals and Promising Potential
Blockchain: Exploring the Fundamentals and Promising Potential
Business leaders are engaging labor differently - Is your IT ready?
Business leaders are engaging labor differently - Is your IT ready?
AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...
AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...
Using Business Intelligence to Bring Your Data to Life
Using Business Intelligence to Bring Your Data to Life
User requirements is a fallacy
User requirements is a fallacy
What I Wish I Knew Before I Signed that Contract - San Antonio
What I Wish I Knew Before I Signed that Contract - San Antonio
Disaster Recovery Plan - Quorum
Disaster Recovery Plan - Quorum
Share point saturday access services 2015 final 2
Share point saturday access services 2015 final 2
Sp tech festdallas - office 365 groups - planner session
Sp tech festdallas - office 365 groups - planner session
Power apps presentation
Power apps presentation
Último
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
DianaGray10
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
DianaGray10
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
Bachir Benyammi
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
Jamie (Taka) Wang
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
Daniel Santiago Silva Capera
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
DianaGray10
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Will Schroeder
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
David Newbury
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
DianaGray10
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
Adam Moalla
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
IES VE
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Commit University
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
Eric D. Schabell
20150722 - AGV
20150722 - AGV
Jamie (Taka) Wang
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
Christian Posta
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
DianaGray10
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
Mahmoud Rabie
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
Aggregage
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
Seth Reyes
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
dgelyza
Último
(20)
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
20150722 - AGV
20150722 - AGV
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
Web Application Security: Connecting the Dots
1.
Web Application Security: Connecting
the Dots Jeremiah Grossman Founder & Chief Technology Officer Innotech 2012 (Portland, Oregon) 05.20.2012 © 2012 WhiteHat Security, Inc. 1
2.
Jeremiah Grossman ØFounder &
CTO of WhiteHat Security Ø6-Continent Public Speaker ØTED Alumni ØAn InfoWorld Top 25 CTO ØCo-founder of the Web Application Security Consortium ØCo-author: Cross-Site Scripting Attacks ØFormer Yahoo! information security officer ØBrazilian Jiu-Jitsu Black Belt © 2012 WhiteHat Security, Inc. 2
3.
WhiteHat Security :
Company Overview ØHeadquartered in Santa Clara, CA ØWhiteHat Sentinel – SaaS end-to-end website risk management platform ØEmployees: 170+ ØCustomers: 500+ Cool Vendor The FutureNow List © 2012 WhiteHat Security, Inc.
4.
We shop, bank,
pay bills, file taxes, share photos, keep in touch with friends & family, watch movies, play games, and more. Cyber-war Cyber-crime Hacktivism PwC Survey: “Cybercrime is now the second biggest cause of economic crime experienced by the Financial Services sector.” © 2012 WhiteHat Security, Inc. 4
5.
8 out of
10 websites have serious* vulnerabilities Average annual amount of new serious* vulnerabilities introduced per website by year 1111 795 480 230 79 2007 2008 2009 2010 2011 * Serious Vulnerability: A security weakness that if exploited may lead to breach or data loss of a system, its data, or users. (PCI-‐DSS severity HIGH, CRITICAL, or URGENT) Vulnerabili*es are counted by unique Web applica*on and vulnerability class. If three of the five parameters of a single Web applica*on (/foo/webapp.cgi) are vulnerable to SQL Injec*on, this is counted as 3 individual vulnerabili*es (e.g. aGack vectors). © 2012 WhiteHat Security, Inc. 5
6.
Website Hacked
© 2012 WhiteHat Security, Inc. 6
7.
Verizon Data Breach
Investigations Report: 2010 DBIR: “The majority of breaches and almost all of the data stolen in 2009 (95%) were perpetrated by remote organized criminal groups hacking "servers and applications." 2011 DBIR: “The number of Web application breaches increased last year and made up nearly 40% of the overall attacks.“ “Web applications abound in many larger companies, and remain a popular (54% of breaches) and successful (39% of records) attack vector.” © 2012 WhiteHat Security, Inc. 7
8.
855 incidents, 174
million compromised records © 2012 WhiteHat Security, Inc. 8
9.
© 2012 WhiteHat
Security, Inc. 9
10.
Attacker Profiles Random
Opportunistic • Fully automated scripts • Unauthenticated scans • Targets chosen indiscriminately Directed Opportunistic • Commercial and Open Source Tools • Authentication scans • Multi-step processes (forms) Fully Targeted • Customize their own tools • Focused on business logic • Clever and profit driven ($$$) © 2012 WhiteHat Security, Inc. 10
11.
WhiteHat Sentinel –
Assessment Platform • SaaS (Annual Subscription) - Unlimited Assessments / Users • Unique Methodology - Proprietary scanning technology - Expert website security analysis (TRC) - Satisfies PCI 6.6 requirements • Vulnerability Verification and prioritization – virtually eliminating false positives • XML API links other security solutions • Easy to get started – - Need URL and Credentials - No Management of Hardware or Software - No Additional Training
12.
WhiteHat Sentinel
500+ enterprises from start-ups to fortune 500 1,000,000 vulnerabilities processed per day 6 Terabytes data stored per day 7,000+ websites receiving ~weekly assessments 940,000,000 http(s) requests per month © 2012 WhiteHat Security, Inc. 12
13.
© 2012 WhiteHat
Security, Inc. 13
14.
WhiteHat Security Top
Ten (2011) Percentage likelihood of a website having at least one vulnerability sorted by class © 2012 WhiteHat Security, Inc. 14
15.
Top Seven by
Industry (2011) Percentage likelihood of a website having at least one vulnerability sorted by class © 2012 WhiteHat Security, Inc. 15
16.
Top Seven by
Industry (2011) Percentage likelihood of a website having at least one vulnerability sorted by class © 2012 WhiteHat Security, Inc. 16
17.
Window of Exposure
(2011) Number of days [in a year] a website is exposed to at least one serious* reported vulnerability. © 2012 WhiteHat Security, Inc. 17
18.
© 2012 WhiteHat
Security, Inc. 18
19.
Time-to-Fix in Days Cumulative
Website Percentage Average Time-to-Fix (Days) © 2012 WhiteHat Security, Inc. 19
20.
Remediation Rates by
Industry (Trend) A steady improvement in the percentage of reported vulnerabilities that have been resolved during each of the last three years, which now resides at 53%. Progress! © 2012 WhiteHat Security, Inc. 20
21.
Publish Scorecards Internally
& Regularly -- For All To See Avg. High Severity RemediaAon Window of Exposure Group Time-‐to-‐Fix VulnerabiliAes Rate (Days) (Days) 2012 Corporate Goal 20 30 75% 100 Industry Average 55 32 63% 223 Business Unit 1 17 45 74% 195 Business Unit 2 53 30 46% 161 Business Unit 3 67 66 63% 237 Business Unit 4 48 35 69% 232 © 2012 WhiteHat Security, Inc. 21
22.
Overall Vulnerability Population
(2011) Percentage breakdown of all the serious* vulnerabilities discovered Web Application Firewalls are best at mitigating vulnerabilities such as Cross-Site Scripting, Content Spoofing, SQL Injection, Response Splitting, etc. By summing all these percentages up we might safely say: A WAF could feasible help mitigate the risk of at least 71% of all custom Web application vulnerabilities. © 2012 WhiteHat Security, Inc. 22
23.
Why do vulnerabilities
go unfixed? • No one at the organization understands or is responsible for maintaining the code. • Development group does not understand or respect the vulnerability. • Lack of budget to fix the issues. • Affected code is owned by an unresponsive third-party vendor. • Website will be decommissioned or replaced “soon.” • Risk of exploitation is accepted. • Solution conflicts with business use case. • Compliance does not require fixing the issue. • Feature enhancements are prioritized ahead of security fixes. © 2012 WhiteHat Security, Inc. 23
24.
Testing Speed &
Frequency Matters © 2012 WhiteHat Security, Inc. 24
25.
Why Do Breaches (and
vulnerabilities) Continue to Happen? © 2012 WhiteHat Security, Inc. 25
26.
Typical IT Budget
Allocation Applications Host Network Software, development, Servers, desktops, laptops, Routers, switches, network CRM, ERP, etc. etc. admins, etc. © 2012 WhiteHat Security, Inc. 26
27.
Typical IT Security
Budget Applications Host Network Vulnerability management, Firewalls, Network IDS, SSL, Software architecture, system config,patching, monitoring, etc. trainings,testing, etc. etc. © 2012 WhiteHat Security, Inc. 27
28.
Budget Prioritization The biggest
line item in [non-security] spending SHOULD match the biggest line item in security. IT IT Security 1 3 Applications 2 2 Host 3 1 Network © 2012 WhiteHat Security, Inc. 28
29.
Survey [2010] of
IT pros and C-level executives from 450 Fortune 1000 companies (FishNet Security)... “Nearly 70% [of those surveyed] say mobile computing is the biggest threat to security today, closely followed by social networks (68%), and cloud computing platforms (35%). Around 65% rank mobile computing the top threat in the next two years, and 62% say cloud computing will be the biggest threat, bumping social networks." The report goes on to say... “45% say firewalls are their priority security purchase, followed by antivirus (39%), and authentication (31%) and anti-malware tools (31%)." http://www.darkreading.com/security-services/167801101/security/perimeter-security/227300116/index.html © 2012 WhiteHat Security, Inc. 29
30.
Big Picture “Market-sizing estimates
for network security range anywhere from $5-8bn, whereas our calculation for the aggregate application security market is about $444m. Despite the spending boost on application security mandated by the Payment Card Industry Data Security Standards (PCI-DSS), it’s still not commensurate with the demonstrated level of risk.” The Application Security Spectrum (The 451 Group) “...we expect this revenue will grow at a CAGR of 23% to reach $1bn by 2014.” © 2012 WhiteHat Security, Inc. 30
31.
How to develop secure-(enough)
software? © 2012 WhiteHat Security, Inc. 31
32.
Little-to-No Supporting Data.
© 2012 WhiteHat Security, Inc. 32
33.
Connect the Dots...
(SDL) Production Attack Security Breaches Vulnerabilities Traffic Controls BSIMM WhiteHat Security Akamai Verizon DBIR IBM Trustwave Then we’ll start getting some real answers about how to product secure-enough. © 2012 WhiteHat Security, Inc. 33
34.
Thank You! Blog: http://blog.whitehatsec.com/ Twitter:
http://twitter.com/jeremiahg Email: jeremiah@whitehatsec.com © 2012 WhiteHat Security, Inc. 34
Descargar ahora