SlideShare una empresa de Scribd logo
1 de 34
Descargar para leer sin conexión
Web Application Security:
Connecting the Dots
Jeremiah Grossman
Founder & Chief Technology Officer

Innotech 2012
(Portland, Oregon)
05.20.2012




                                     © 2012 WhiteHat Security, Inc.   1
Jeremiah Grossman
ØFounder & CTO of WhiteHat Security
Ø6-Continent Public Speaker
ØTED Alumni
ØAn InfoWorld Top 25 CTO
ØCo-founder of the Web Application Security Consortium
ØCo-author: Cross-Site Scripting Attacks
ØFormer Yahoo! information security officer
ØBrazilian Jiu-Jitsu Black Belt




                                               © 2012 WhiteHat Security, Inc.   2
WhiteHat Security : Company Overview
ØHeadquartered in Santa Clara, CA
ØWhiteHat Sentinel – SaaS end-to-end website risk
  management platform
ØEmployees: 170+
ØCustomers: 500+


     Cool Vendor




                   The FutureNow List




                                            © 2012 WhiteHat Security, Inc.
We shop, bank, pay bills, file taxes,
       share photos, keep in touch with
       friends & family, watch movies, play
       games, and more.


    Cyber-war        Cyber-crime        Hacktivism

PwC Survey:
“Cybercrime is now the second biggest cause of economic
crime experienced by the Financial Services sector.”
                                          © 2012 WhiteHat Security, Inc.   4
8 out of 10 websites have
                                             serious* vulnerabilities

       Average annual amount of new serious*
     vulnerabilities introduced per website by year

     1111                                      795                                     480                                     230                                      79

       2007                                    2008                                    2009                                   2010                                   2011

*	
  Serious	
  Vulnerability:	
  A	
  security	
  weakness	
  that	
  if	
  exploited	
  may	
  lead	
  to	
  breach	
  or	
  data	
  loss	
  of	
  a	
  
system,	
  its	
  data,	
  or	
  users.	
  (PCI-­‐DSS	
  severity	
  HIGH,	
  CRITICAL,	
  or	
  URGENT)

Vulnerabili*es	
  are	
  counted	
  by	
  unique	
  Web	
  applica*on	
  and	
  vulnerability	
  class.	
  If	
  three	
  of	
  the	
  five	
  parameters	
  of	
  a	
  single	
  Web	
  
applica*on	
  (/foo/webapp.cgi)	
  are	
  vulnerable	
  to	
  SQL	
  Injec*on,	
  this	
  is	
  counted	
  as	
  3	
  individual	
  vulnerabili*es	
  (e.g.	
  aGack	
  vectors).
                                                                                                                                         © 2012 WhiteHat Security, Inc.                    5
Website Hacked




            © 2012 WhiteHat Security, Inc.   6
Verizon Data Breach Investigations Report:
2010 DBIR:
“The majority of breaches and almost all of the data stolen
in 2009 (95%) were perpetrated by remote organized
criminal groups hacking "servers and applications."

2011 DBIR:
“The number of Web application breaches increased last year
and made up nearly 40% of the overall attacks.“




“Web applications abound in many larger companies, and
remain a popular (54% of breaches) and successful (39% of
records) attack vector.”

                                               © 2012 WhiteHat Security, Inc.   7
855 incidents, 174 million compromised records




                                        © 2012 WhiteHat Security, Inc.   8
© 2012 WhiteHat Security, Inc.   9
Attacker Profiles
 Random Opportunistic
 • Fully automated scripts
 • Unauthenticated scans
 • Targets chosen indiscriminately

 Directed Opportunistic
 • Commercial and Open Source Tools
 • Authentication scans
 • Multi-step processes (forms)

 Fully Targeted
 • Customize their own tools
 • Focused on business logic
 • Clever and profit driven ($$$)



                                      © 2012 WhiteHat Security, Inc.   10
WhiteHat Sentinel – Assessment Platform
• SaaS (Annual Subscription)
    - Unlimited Assessments / Users

• Unique Methodology
    - Proprietary scanning technology
    - Expert website security analysis (TRC)
    - Satisfies PCI 6.6 requirements

• Vulnerability Verification and
  prioritization – virtually eliminating false
  positives

• XML API links other security solutions

• Easy to get started –
    - Need URL and Credentials
    - No Management of Hardware or Software
    - No Additional Training
WhiteHat Sentinel
                 500+
enterprises from start-ups to fortune 500
              1,000,000
   vulnerabilities processed per day
            6 Terabytes
          data stored per day
                7,000+
websites receiving ~weekly assessments
            940,000,000
       http(s) requests per month

                                    © 2012 WhiteHat Security, Inc.   12
© 2012 WhiteHat Security, Inc.   13
WhiteHat Security Top Ten (2011)




     Percentage likelihood of a website having at least one
                  vulnerability sorted by class

                                                    © 2012 WhiteHat Security, Inc.   14
Top Seven by Industry (2011)




     Percentage likelihood of a website having at least one
                  vulnerability sorted by class



                                                    © 2012 WhiteHat Security, Inc.   15
Top Seven by Industry (2011)




     Percentage likelihood of a website having at least one
                  vulnerability sorted by class



                                                    © 2012 WhiteHat Security, Inc.   16
Window of Exposure (2011)
Number of days [in a year] a website is exposed to at least one
               serious* reported vulnerability.




                                                        © 2012 WhiteHat Security, Inc.   17
© 2012 WhiteHat Security, Inc.   18
Time-to-Fix in Days
Cumulative Website Percentage




                                Average Time-to-Fix (Days)

                                                             © 2012 WhiteHat Security, Inc.   19
Remediation Rates by Industry (Trend)




  A steady improvement in the percentage of reported vulnerabilities
that have been resolved during each of the last three years, which now
                      resides at 53%. Progress!
                                                           © 2012 WhiteHat Security, Inc.   20
Publish Scorecards Internally &
Regularly -- For All To See
                                                      Avg.	
  
                            High	
  Severity	
                           RemediaAon	
       Window	
  of	
  Exposure	
  
          Group                                    Time-­‐to-­‐Fix	
  
                            VulnerabiliAes                                  Rate                 (Days)
                                                     (Days)

2012	
  Corporate	
  Goal           20                    30                 75%                         100

Industry	
  Average                 55                    32                 63%                         223

Business	
  Unit	
  1               17                    45                 74%                         195

Business	
  Unit	
  2               53                    30                 46%                         161

Business	
  Unit	
  3               67                    66                 63%                         237

Business	
  Unit	
  4               48                    35                 69%                         232

                                                                                    © 2012 WhiteHat Security, Inc.         21
Overall Vulnerability Population (2011)
      Percentage breakdown of all the serious* vulnerabilities discovered




Web Application Firewalls are best
at mitigating vulnerabilities such as
Cross-Site Scripting, Content
Spoofing, SQL Injection, Response
Splitting, etc. By summing all these
percentages up we might safely say:

A WAF could feasible help mitigate
the risk of at least 71% of all custom
Web application vulnerabilities.




                                                         © 2012 WhiteHat Security, Inc.   22
Why do vulnerabilities go unfixed?
• No one at the organization understands or is responsible for
 maintaining the code.
• Development group does not understand or respect the vulnerability.
• Lack of budget to fix the issues.
• Affected code is owned by an unresponsive third-party vendor.
• Website will be decommissioned or replaced “soon.”
• Risk of exploitation is accepted.
• Solution conflicts with business use case.
• Compliance does not require fixing the issue.
• Feature enhancements are prioritized ahead of security fixes.




                                                            © 2012 WhiteHat Security, Inc.   23
Testing Speed & Frequency Matters




                         © 2012 WhiteHat Security, Inc.   24
Why Do Breaches

(and vulnerabilities)

Continue to Happen?




                        © 2012 WhiteHat Security, Inc.   25
Typical IT Budget Allocation




      Applications                   Host                       Network
  Software, development,   Servers, desktops, laptops,   Routers, switches, network
  CRM, ERP, etc.           etc.                          admins, etc.


                                                              © 2012 WhiteHat Security, Inc.   26
Typical IT Security Budget




       Applications                  Host                    Network
                            Vulnerability management,   Firewalls, Network IDS, SSL,
  Software architecture,
                            system config,patching,     monitoring, etc.
  trainings,testing, etc.
                             etc.

                                                           © 2012 WhiteHat Security, Inc.   27
Budget Prioritization
The biggest line item in [non-security] spending
SHOULD match the biggest line item in security.
                    IT                 IT Security



                    1                      3
Applications



                    2                      2
   Host



                    3                      1
  Network
                                               © 2012 WhiteHat Security, Inc.   28
Survey [2010] of IT pros and C-level executives from 450
   Fortune 1000 companies (FishNet Security)...
   “Nearly 70% [of those surveyed] say mobile computing is the
   biggest threat to security today, closely followed by social
   networks (68%), and cloud computing platforms (35%). Around
   65% rank mobile computing the top threat in the next two
   years, and 62% say cloud computing will be the biggest threat,
   bumping social networks."


   The report goes on to say...
   “45% say firewalls are their priority security purchase,
   followed by antivirus (39%), and authentication (31%) and
   anti-malware tools (31%)."



http://www.darkreading.com/security-services/167801101/security/perimeter-security/227300116/index.html   © 2012 WhiteHat Security, Inc.   29
Big Picture
“Market-sizing estimates for network security range
anywhere from $5-8bn, whereas our calculation for the
aggregate application security market is about $444m.
Despite the spending boost on application security
mandated by the Payment Card Industry Data Security
Standards (PCI-DSS), it’s still not commensurate with the
demonstrated level of risk.”
The Application Security Spectrum (The 451 Group)




  “...we expect this revenue will grow at a CAGR of 23%
  to reach $1bn by 2014.”

                                                    © 2012 WhiteHat Security, Inc.   30
How to develop
secure-(enough) software?




                  © 2012 WhiteHat Security, Inc.   31
Little-to-No
Supporting Data.


            © 2012 WhiteHat Security, Inc.   32
Connect the Dots...


  (SDL)
                Production        Attack
 Security                                                   Breaches
               Vulnerabilities    Traffic
 Controls



  BSIMM       WhiteHat Security   Akamai                   Verizon DBIR
                                  IBM                      Trustwave



Then we’ll start getting some real answers
about how to product secure-enough.

                                            © 2012 WhiteHat Security, Inc.   33
Thank You!
Blog: http://blog.whitehatsec.com/
Twitter: http://twitter.com/jeremiahg
Email: jeremiah@whitehatsec.com




                                        © 2012 WhiteHat Security, Inc.   34

Más contenido relacionado

La actualidad más candente

DATA PROTECTION & BREACH READINESS GUIDE 2014
DATA PROTECTION & BREACH READINESS GUIDE 2014DATA PROTECTION & BREACH READINESS GUIDE 2014
DATA PROTECTION & BREACH READINESS GUIDE 2014- Mark - Fullbright
 
Security Threats for SMBs
Security Threats for SMBsSecurity Threats for SMBs
Security Threats for SMBsGFI Software
 
December ISSA Meeting Executive Security Presentation
December ISSA Meeting   Executive Security PresentationDecember ISSA Meeting   Executive Security Presentation
December ISSA Meeting Executive Security Presentationwhmillerjr
 
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin   enterprise gr-cv3Virtualization and cloud impact overview auditor spin   enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3EnterpriseGRC Solutions, Inc.
 
Four mistakes to avoid when hiring your next security chief (print version ...
Four mistakes to avoid when hiring your next security chief (print version   ...Four mistakes to avoid when hiring your next security chief (print version   ...
Four mistakes to avoid when hiring your next security chief (print version ...Niren Thanky
 
DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...
DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...
DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...Andris Soroka
 
Business Continuity And Disaster Recovery Are Top IT Priorities For 2010 And ...
Business Continuity And Disaster Recovery Are Top IT Priorities For 2010 And ...Business Continuity And Disaster Recovery Are Top IT Priorities For 2010 And ...
Business Continuity And Disaster Recovery Are Top IT Priorities For 2010 And ...Citrix Online
 
Comodo SOC service provider
Comodo SOC service providerComodo SOC service provider
Comodo SOC service providerpaulharry03
 
SecurityBSides London - Jedi mind tricks for building application security pr...
SecurityBSides London - Jedi mind tricks for building application security pr...SecurityBSides London - Jedi mind tricks for building application security pr...
SecurityBSides London - Jedi mind tricks for building application security pr...Security Ninja
 
Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...
Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...
Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...Skybox Security
 
BCP Expo Presentation and company overview final ver. 1.0
BCP Expo Presentation and company overview final ver. 1.0BCP Expo Presentation and company overview final ver. 1.0
BCP Expo Presentation and company overview final ver. 1.0Julian Samuels
 
BCP Expo Presentation and company overview final ver. 1.0
BCP Expo Presentation and company overview final ver. 1.0BCP Expo Presentation and company overview final ver. 1.0
BCP Expo Presentation and company overview final ver. 1.0Julian Samuels
 
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Trustwave: 7 Experts on Transforming Your Threat Detection & Response StrategyTrustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Trustwave: 7 Experts on Transforming Your Threat Detection & Response StrategyMighty Guides, Inc.
 
X-Force Threat Intelligence: Fight Insider Threats & Protect Your Sensitive Data
X-Force Threat Intelligence: Fight Insider Threats & Protect Your Sensitive DataX-Force Threat Intelligence: Fight Insider Threats & Protect Your Sensitive Data
X-Force Threat Intelligence: Fight Insider Threats & Protect Your Sensitive DataIBM Security
 
Building Bridges: Security Metrics to Narrow the Chasm Between Perception and...
Building Bridges: Security Metrics to Narrow the Chasm Between Perception and...Building Bridges: Security Metrics to Narrow the Chasm Between Perception and...
Building Bridges: Security Metrics to Narrow the Chasm Between Perception and...InnoTech
 
How to tell if that pop-up window is offering you a rogue anti-malware product
How to tell if that pop-up window is offering you a rogue anti-malware productHow to tell if that pop-up window is offering you a rogue anti-malware product
How to tell if that pop-up window is offering you a rogue anti-malware productGFI Software
 
College Presentation
College PresentationCollege Presentation
College Presentationscottfrost
 

La actualidad más candente (20)

DATA PROTECTION & BREACH READINESS GUIDE 2014
DATA PROTECTION & BREACH READINESS GUIDE 2014DATA PROTECTION & BREACH READINESS GUIDE 2014
DATA PROTECTION & BREACH READINESS GUIDE 2014
 
Security Threats for SMBs
Security Threats for SMBsSecurity Threats for SMBs
Security Threats for SMBs
 
December ISSA Meeting Executive Security Presentation
December ISSA Meeting   Executive Security PresentationDecember ISSA Meeting   Executive Security Presentation
December ISSA Meeting Executive Security Presentation
 
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin   enterprise gr-cv3Virtualization and cloud impact overview auditor spin   enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
 
Four mistakes to avoid when hiring your next security chief (print version ...
Four mistakes to avoid when hiring your next security chief (print version   ...Four mistakes to avoid when hiring your next security chief (print version   ...
Four mistakes to avoid when hiring your next security chief (print version ...
 
DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...
DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...
DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...
 
Business Continuity And Disaster Recovery Are Top IT Priorities For 2010 And ...
Business Continuity And Disaster Recovery Are Top IT Priorities For 2010 And ...Business Continuity And Disaster Recovery Are Top IT Priorities For 2010 And ...
Business Continuity And Disaster Recovery Are Top IT Priorities For 2010 And ...
 
Comodo SOC service provider
Comodo SOC service providerComodo SOC service provider
Comodo SOC service provider
 
SecurityBSides London - Jedi mind tricks for building application security pr...
SecurityBSides London - Jedi mind tricks for building application security pr...SecurityBSides London - Jedi mind tricks for building application security pr...
SecurityBSides London - Jedi mind tricks for building application security pr...
 
Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...
Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...
Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...
 
BCP Expo Presentation and company overview final ver. 1.0
BCP Expo Presentation and company overview final ver. 1.0BCP Expo Presentation and company overview final ver. 1.0
BCP Expo Presentation and company overview final ver. 1.0
 
BCP Expo Presentation and company overview final ver. 1.0
BCP Expo Presentation and company overview final ver. 1.0BCP Expo Presentation and company overview final ver. 1.0
BCP Expo Presentation and company overview final ver. 1.0
 
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Trustwave: 7 Experts on Transforming Your Threat Detection & Response StrategyTrustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
 
X-Force Threat Intelligence: Fight Insider Threats & Protect Your Sensitive Data
X-Force Threat Intelligence: Fight Insider Threats & Protect Your Sensitive DataX-Force Threat Intelligence: Fight Insider Threats & Protect Your Sensitive Data
X-Force Threat Intelligence: Fight Insider Threats & Protect Your Sensitive Data
 
5 Questions Executives Should Be Asking Their Security Teams
5 Questions Executives Should Be Asking Their Security Teams 5 Questions Executives Should Be Asking Their Security Teams
5 Questions Executives Should Be Asking Their Security Teams
 
Building Bridges: Security Metrics to Narrow the Chasm Between Perception and...
Building Bridges: Security Metrics to Narrow the Chasm Between Perception and...Building Bridges: Security Metrics to Narrow the Chasm Between Perception and...
Building Bridges: Security Metrics to Narrow the Chasm Between Perception and...
 
The value of our data
The value of our dataThe value of our data
The value of our data
 
How to tell if that pop-up window is offering you a rogue anti-malware product
How to tell if that pop-up window is offering you a rogue anti-malware productHow to tell if that pop-up window is offering you a rogue anti-malware product
How to tell if that pop-up window is offering you a rogue anti-malware product
 
College Presentation
College PresentationCollege Presentation
College Presentation
 
Security Feature Cover Story
Security Feature Cover StorySecurity Feature Cover Story
Security Feature Cover Story
 

Destacado

Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Cenzic
 
Why You Need A Web Application Firewall
Why You Need A Web Application FirewallWhy You Need A Web Application Firewall
Why You Need A Web Application FirewallPort80 Software
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedPrathan Phongthiproek
 
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngDmitry Evteev
 
Cyber Security - IDS/IPS is not enough
Cyber Security - IDS/IPS is not enoughCyber Security - IDS/IPS is not enough
Cyber Security - IDS/IPS is not enoughSavvius, Inc
 

Destacado (6)

Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...
 
Why You Need A Web Application Firewall
Why You Need A Web Application FirewallWhy You Need A Web Application Firewall
Why You Need A Web Application Firewall
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or Succeed
 
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall Eng
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
 
Cyber Security - IDS/IPS is not enough
Cyber Security - IDS/IPS is not enoughCyber Security - IDS/IPS is not enough
Cyber Security - IDS/IPS is not enough
 

Similar a Web Application Security: Connecting the Dots

How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and BeyondHow BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and BeyondSecPod Technologies
 
Breaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gapsBreaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gapsIBM Security
 
WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]Jeremiah Grossman
 
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)Cognitive Security - Anatomy of Advanced Persistent Threats ('12)
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)Gabriel Dusil
 
Government and Education Webinar: How the New Normal Could Improve your IT Op...
Government and Education Webinar: How the New Normal Could Improve your IT Op...Government and Education Webinar: How the New Normal Could Improve your IT Op...
Government and Education Webinar: How the New Normal Could Improve your IT Op...SolarWinds
 
Presentation security build for v mware
Presentation   security build for v mwarePresentation   security build for v mware
Presentation security build for v mwaresolarisyourep
 
WhiteHat Security 8th Website Security Statistics Report
WhiteHat Security 8th Website Security Statistics ReportWhiteHat Security 8th Website Security Statistics Report
WhiteHat Security 8th Website Security Statistics ReportJeremiah Grossman
 
Advanced Web Security Deployment
Advanced Web Security DeploymentAdvanced Web Security Deployment
Advanced Web Security DeploymentCisco Canada
 
Stopping the Adobe, Apple and Java Software Updater Insanity
Stopping the Adobe, Apple and Java Software Updater InsanityStopping the Adobe, Apple and Java Software Updater Insanity
Stopping the Adobe, Apple and Java Software Updater InsanityLumension
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3Shawn Croswell
 
Security Trends and Risk Mitigation for the Public Sector
Security Trends and Risk Mitigation for the Public SectorSecurity Trends and Risk Mitigation for the Public Sector
Security Trends and Risk Mitigation for the Public SectorIBMGovernmentCA
 
Cybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond ComplianceCybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond ComplianceEnergySec
 
Rochester Security Event
Rochester Security EventRochester Security Event
Rochester Security Eventcalebbarlow
 
Developing Your Security Foundation: A Guide for Nonprofits During the Pandem...
Developing Your Security Foundation: A Guide for Nonprofits During the Pandem...Developing Your Security Foundation: A Guide for Nonprofits During the Pandem...
Developing Your Security Foundation: A Guide for Nonprofits During the Pandem...TechSoup
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsDenim Group
 
Info sec for startups
Info sec for startupsInfo sec for startups
Info sec for startupsKesava Reddy
 
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the BoardroomSecuring the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the BoardroomIBM Security
 
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDCDefending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDCCloudflare
 

Similar a Web Application Security: Connecting the Dots (20)

How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and BeyondHow BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
 
Breaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gapsBreaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gaps
 
WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]
 
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)Cognitive Security - Anatomy of Advanced Persistent Threats ('12)
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)
 
Government and Education Webinar: How the New Normal Could Improve your IT Op...
Government and Education Webinar: How the New Normal Could Improve your IT Op...Government and Education Webinar: How the New Normal Could Improve your IT Op...
Government and Education Webinar: How the New Normal Could Improve your IT Op...
 
Presentation security build for v mware
Presentation   security build for v mwarePresentation   security build for v mware
Presentation security build for v mware
 
WhiteHat Security 8th Website Security Statistics Report
WhiteHat Security 8th Website Security Statistics ReportWhiteHat Security 8th Website Security Statistics Report
WhiteHat Security 8th Website Security Statistics Report
 
Advanced Web Security Deployment
Advanced Web Security DeploymentAdvanced Web Security Deployment
Advanced Web Security Deployment
 
Stopping the Adobe, Apple and Java Software Updater Insanity
Stopping the Adobe, Apple and Java Software Updater InsanityStopping the Adobe, Apple and Java Software Updater Insanity
Stopping the Adobe, Apple and Java Software Updater Insanity
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3
 
Presentation gdl
Presentation gdlPresentation gdl
Presentation gdl
 
Security Trends and Risk Mitigation for the Public Sector
Security Trends and Risk Mitigation for the Public SectorSecurity Trends and Risk Mitigation for the Public Sector
Security Trends and Risk Mitigation for the Public Sector
 
Cybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond ComplianceCybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond Compliance
 
Rochester Security Event
Rochester Security EventRochester Security Event
Rochester Security Event
 
Developing Your Security Foundation: A Guide for Nonprofits During the Pandem...
Developing Your Security Foundation: A Guide for Nonprofits During the Pandem...Developing Your Security Foundation: A Guide for Nonprofits During the Pandem...
Developing Your Security Foundation: A Guide for Nonprofits During the Pandem...
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for Applications
 
Info sec for startups
Info sec for startupsInfo sec for startups
Info sec for startups
 
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the BoardroomSecuring the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
 
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDCDefending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
 
Check Point Consolidation
Check Point ConsolidationCheck Point Consolidation
Check Point Consolidation
 

Más de InnoTech

"So you want to raise funding and build a team?"
"So you want to raise funding and build a team?""So you want to raise funding and build a team?"
"So you want to raise funding and build a team?"InnoTech
 
Artificial Intelligence is Maturing
Artificial Intelligence is MaturingArtificial Intelligence is Maturing
Artificial Intelligence is MaturingInnoTech
 
What is AI without Data?
What is AI without Data?What is AI without Data?
What is AI without Data?InnoTech
 
Courageous Leadership - When it Matters Most
Courageous Leadership - When it Matters MostCourageous Leadership - When it Matters Most
Courageous Leadership - When it Matters MostInnoTech
 
The Gathering Storm
The Gathering StormThe Gathering Storm
The Gathering StormInnoTech
 
Sql Server tips from the field
Sql Server tips from the fieldSql Server tips from the field
Sql Server tips from the fieldInnoTech
 
Quantum Computing and its security implications
Quantum Computing and its security implicationsQuantum Computing and its security implications
Quantum Computing and its security implicationsInnoTech
 
Converged Infrastructure
Converged InfrastructureConverged Infrastructure
Converged InfrastructureInnoTech
 
Making the most out of collaboration with Office 365
Making the most out of collaboration with Office 365Making the most out of collaboration with Office 365
Making the most out of collaboration with Office 365InnoTech
 
Blockchain use cases and case studies
Blockchain use cases and case studiesBlockchain use cases and case studies
Blockchain use cases and case studiesInnoTech
 
Blockchain: Exploring the Fundamentals and Promising Potential
Blockchain: Exploring the Fundamentals and Promising Potential Blockchain: Exploring the Fundamentals and Promising Potential
Blockchain: Exploring the Fundamentals and Promising Potential InnoTech
 
Business leaders are engaging labor differently - Is your IT ready?
Business leaders are engaging labor differently - Is your IT ready?Business leaders are engaging labor differently - Is your IT ready?
Business leaders are engaging labor differently - Is your IT ready?InnoTech
 
AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...
AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...
AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...InnoTech
 
Using Business Intelligence to Bring Your Data to Life
Using Business Intelligence to Bring Your Data to LifeUsing Business Intelligence to Bring Your Data to Life
Using Business Intelligence to Bring Your Data to LifeInnoTech
 
User requirements is a fallacy
User requirements is a fallacyUser requirements is a fallacy
User requirements is a fallacyInnoTech
 
What I Wish I Knew Before I Signed that Contract - San Antonio
What I Wish I Knew Before I Signed that Contract - San Antonio What I Wish I Knew Before I Signed that Contract - San Antonio
What I Wish I Knew Before I Signed that Contract - San Antonio InnoTech
 
Disaster Recovery Plan - Quorum
Disaster Recovery Plan - QuorumDisaster Recovery Plan - Quorum
Disaster Recovery Plan - QuorumInnoTech
 
Share point saturday access services 2015 final 2
Share point saturday access services 2015 final 2Share point saturday access services 2015 final 2
Share point saturday access services 2015 final 2InnoTech
 
Sp tech festdallas - office 365 groups - planner session
Sp tech festdallas - office 365 groups - planner sessionSp tech festdallas - office 365 groups - planner session
Sp tech festdallas - office 365 groups - planner sessionInnoTech
 
Power apps presentation
Power apps presentationPower apps presentation
Power apps presentationInnoTech
 

Más de InnoTech (20)

"So you want to raise funding and build a team?"
"So you want to raise funding and build a team?""So you want to raise funding and build a team?"
"So you want to raise funding and build a team?"
 
Artificial Intelligence is Maturing
Artificial Intelligence is MaturingArtificial Intelligence is Maturing
Artificial Intelligence is Maturing
 
What is AI without Data?
What is AI without Data?What is AI without Data?
What is AI without Data?
 
Courageous Leadership - When it Matters Most
Courageous Leadership - When it Matters MostCourageous Leadership - When it Matters Most
Courageous Leadership - When it Matters Most
 
The Gathering Storm
The Gathering StormThe Gathering Storm
The Gathering Storm
 
Sql Server tips from the field
Sql Server tips from the fieldSql Server tips from the field
Sql Server tips from the field
 
Quantum Computing and its security implications
Quantum Computing and its security implicationsQuantum Computing and its security implications
Quantum Computing and its security implications
 
Converged Infrastructure
Converged InfrastructureConverged Infrastructure
Converged Infrastructure
 
Making the most out of collaboration with Office 365
Making the most out of collaboration with Office 365Making the most out of collaboration with Office 365
Making the most out of collaboration with Office 365
 
Blockchain use cases and case studies
Blockchain use cases and case studiesBlockchain use cases and case studies
Blockchain use cases and case studies
 
Blockchain: Exploring the Fundamentals and Promising Potential
Blockchain: Exploring the Fundamentals and Promising Potential Blockchain: Exploring the Fundamentals and Promising Potential
Blockchain: Exploring the Fundamentals and Promising Potential
 
Business leaders are engaging labor differently - Is your IT ready?
Business leaders are engaging labor differently - Is your IT ready?Business leaders are engaging labor differently - Is your IT ready?
Business leaders are engaging labor differently - Is your IT ready?
 
AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...
AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...
AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...
 
Using Business Intelligence to Bring Your Data to Life
Using Business Intelligence to Bring Your Data to LifeUsing Business Intelligence to Bring Your Data to Life
Using Business Intelligence to Bring Your Data to Life
 
User requirements is a fallacy
User requirements is a fallacyUser requirements is a fallacy
User requirements is a fallacy
 
What I Wish I Knew Before I Signed that Contract - San Antonio
What I Wish I Knew Before I Signed that Contract - San Antonio What I Wish I Knew Before I Signed that Contract - San Antonio
What I Wish I Knew Before I Signed that Contract - San Antonio
 
Disaster Recovery Plan - Quorum
Disaster Recovery Plan - QuorumDisaster Recovery Plan - Quorum
Disaster Recovery Plan - Quorum
 
Share point saturday access services 2015 final 2
Share point saturday access services 2015 final 2Share point saturday access services 2015 final 2
Share point saturday access services 2015 final 2
 
Sp tech festdallas - office 365 groups - planner session
Sp tech festdallas - office 365 groups - planner sessionSp tech festdallas - office 365 groups - planner session
Sp tech festdallas - office 365 groups - planner session
 
Power apps presentation
Power apps presentationPower apps presentation
Power apps presentation
 

Último

UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 

Último (20)

UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 

Web Application Security: Connecting the Dots

  • 1. Web Application Security: Connecting the Dots Jeremiah Grossman Founder & Chief Technology Officer Innotech 2012 (Portland, Oregon) 05.20.2012 © 2012 WhiteHat Security, Inc. 1
  • 2. Jeremiah Grossman ØFounder & CTO of WhiteHat Security Ø6-Continent Public Speaker ØTED Alumni ØAn InfoWorld Top 25 CTO ØCo-founder of the Web Application Security Consortium ØCo-author: Cross-Site Scripting Attacks ØFormer Yahoo! information security officer ØBrazilian Jiu-Jitsu Black Belt © 2012 WhiteHat Security, Inc. 2
  • 3. WhiteHat Security : Company Overview ØHeadquartered in Santa Clara, CA ØWhiteHat Sentinel – SaaS end-to-end website risk management platform ØEmployees: 170+ ØCustomers: 500+ Cool Vendor The FutureNow List © 2012 WhiteHat Security, Inc.
  • 4. We shop, bank, pay bills, file taxes, share photos, keep in touch with friends & family, watch movies, play games, and more. Cyber-war Cyber-crime Hacktivism PwC Survey: “Cybercrime is now the second biggest cause of economic crime experienced by the Financial Services sector.” © 2012 WhiteHat Security, Inc. 4
  • 5. 8 out of 10 websites have serious* vulnerabilities Average annual amount of new serious* vulnerabilities introduced per website by year 1111 795 480 230 79 2007 2008 2009 2010 2011 *  Serious  Vulnerability:  A  security  weakness  that  if  exploited  may  lead  to  breach  or  data  loss  of  a   system,  its  data,  or  users.  (PCI-­‐DSS  severity  HIGH,  CRITICAL,  or  URGENT) Vulnerabili*es  are  counted  by  unique  Web  applica*on  and  vulnerability  class.  If  three  of  the  five  parameters  of  a  single  Web   applica*on  (/foo/webapp.cgi)  are  vulnerable  to  SQL  Injec*on,  this  is  counted  as  3  individual  vulnerabili*es  (e.g.  aGack  vectors). © 2012 WhiteHat Security, Inc. 5
  • 6. Website Hacked © 2012 WhiteHat Security, Inc. 6
  • 7. Verizon Data Breach Investigations Report: 2010 DBIR: “The majority of breaches and almost all of the data stolen in 2009 (95%) were perpetrated by remote organized criminal groups hacking "servers and applications." 2011 DBIR: “The number of Web application breaches increased last year and made up nearly 40% of the overall attacks.“ “Web applications abound in many larger companies, and remain a popular (54% of breaches) and successful (39% of records) attack vector.” © 2012 WhiteHat Security, Inc. 7
  • 8. 855 incidents, 174 million compromised records © 2012 WhiteHat Security, Inc. 8
  • 9. © 2012 WhiteHat Security, Inc. 9
  • 10. Attacker Profiles Random Opportunistic • Fully automated scripts • Unauthenticated scans • Targets chosen indiscriminately Directed Opportunistic • Commercial and Open Source Tools • Authentication scans • Multi-step processes (forms) Fully Targeted • Customize their own tools • Focused on business logic • Clever and profit driven ($$$) © 2012 WhiteHat Security, Inc. 10
  • 11. WhiteHat Sentinel – Assessment Platform • SaaS (Annual Subscription) - Unlimited Assessments / Users • Unique Methodology - Proprietary scanning technology - Expert website security analysis (TRC) - Satisfies PCI 6.6 requirements • Vulnerability Verification and prioritization – virtually eliminating false positives • XML API links other security solutions • Easy to get started – - Need URL and Credentials - No Management of Hardware or Software - No Additional Training
  • 12. WhiteHat Sentinel 500+ enterprises from start-ups to fortune 500 1,000,000 vulnerabilities processed per day 6 Terabytes data stored per day 7,000+ websites receiving ~weekly assessments 940,000,000 http(s) requests per month © 2012 WhiteHat Security, Inc. 12
  • 13. © 2012 WhiteHat Security, Inc. 13
  • 14. WhiteHat Security Top Ten (2011) Percentage likelihood of a website having at least one vulnerability sorted by class © 2012 WhiteHat Security, Inc. 14
  • 15. Top Seven by Industry (2011) Percentage likelihood of a website having at least one vulnerability sorted by class © 2012 WhiteHat Security, Inc. 15
  • 16. Top Seven by Industry (2011) Percentage likelihood of a website having at least one vulnerability sorted by class © 2012 WhiteHat Security, Inc. 16
  • 17. Window of Exposure (2011) Number of days [in a year] a website is exposed to at least one serious* reported vulnerability. © 2012 WhiteHat Security, Inc. 17
  • 18. © 2012 WhiteHat Security, Inc. 18
  • 19. Time-to-Fix in Days Cumulative Website Percentage Average Time-to-Fix (Days) © 2012 WhiteHat Security, Inc. 19
  • 20. Remediation Rates by Industry (Trend) A steady improvement in the percentage of reported vulnerabilities that have been resolved during each of the last three years, which now resides at 53%. Progress! © 2012 WhiteHat Security, Inc. 20
  • 21. Publish Scorecards Internally & Regularly -- For All To See Avg.   High  Severity   RemediaAon   Window  of  Exposure   Group Time-­‐to-­‐Fix   VulnerabiliAes Rate (Days) (Days) 2012  Corporate  Goal 20 30 75% 100 Industry  Average 55 32 63% 223 Business  Unit  1 17 45 74% 195 Business  Unit  2 53 30 46% 161 Business  Unit  3 67 66 63% 237 Business  Unit  4 48 35 69% 232 © 2012 WhiteHat Security, Inc. 21
  • 22. Overall Vulnerability Population (2011) Percentage breakdown of all the serious* vulnerabilities discovered Web Application Firewalls are best at mitigating vulnerabilities such as Cross-Site Scripting, Content Spoofing, SQL Injection, Response Splitting, etc. By summing all these percentages up we might safely say: A WAF could feasible help mitigate the risk of at least 71% of all custom Web application vulnerabilities. © 2012 WhiteHat Security, Inc. 22
  • 23. Why do vulnerabilities go unfixed? • No one at the organization understands or is responsible for maintaining the code. • Development group does not understand or respect the vulnerability. • Lack of budget to fix the issues. • Affected code is owned by an unresponsive third-party vendor. • Website will be decommissioned or replaced “soon.” • Risk of exploitation is accepted. • Solution conflicts with business use case. • Compliance does not require fixing the issue. • Feature enhancements are prioritized ahead of security fixes. © 2012 WhiteHat Security, Inc. 23
  • 24. Testing Speed & Frequency Matters © 2012 WhiteHat Security, Inc. 24
  • 25. Why Do Breaches (and vulnerabilities) Continue to Happen? © 2012 WhiteHat Security, Inc. 25
  • 26. Typical IT Budget Allocation Applications Host Network Software, development, Servers, desktops, laptops, Routers, switches, network CRM, ERP, etc. etc. admins, etc. © 2012 WhiteHat Security, Inc. 26
  • 27. Typical IT Security Budget Applications Host Network Vulnerability management, Firewalls, Network IDS, SSL, Software architecture, system config,patching, monitoring, etc. trainings,testing, etc. etc. © 2012 WhiteHat Security, Inc. 27
  • 28. Budget Prioritization The biggest line item in [non-security] spending SHOULD match the biggest line item in security. IT IT Security 1 3 Applications 2 2 Host 3 1 Network © 2012 WhiteHat Security, Inc. 28
  • 29. Survey [2010] of IT pros and C-level executives from 450 Fortune 1000 companies (FishNet Security)... “Nearly 70% [of those surveyed] say mobile computing is the biggest threat to security today, closely followed by social networks (68%), and cloud computing platforms (35%). Around 65% rank mobile computing the top threat in the next two years, and 62% say cloud computing will be the biggest threat, bumping social networks." The report goes on to say... “45% say firewalls are their priority security purchase, followed by antivirus (39%), and authentication (31%) and anti-malware tools (31%)." http://www.darkreading.com/security-services/167801101/security/perimeter-security/227300116/index.html © 2012 WhiteHat Security, Inc. 29
  • 30. Big Picture “Market-sizing estimates for network security range anywhere from $5-8bn, whereas our calculation for the aggregate application security market is about $444m. Despite the spending boost on application security mandated by the Payment Card Industry Data Security Standards (PCI-DSS), it’s still not commensurate with the demonstrated level of risk.” The Application Security Spectrum (The 451 Group) “...we expect this revenue will grow at a CAGR of 23% to reach $1bn by 2014.” © 2012 WhiteHat Security, Inc. 30
  • 31. How to develop secure-(enough) software? © 2012 WhiteHat Security, Inc. 31
  • 32. Little-to-No Supporting Data. © 2012 WhiteHat Security, Inc. 32
  • 33. Connect the Dots... (SDL) Production Attack Security Breaches Vulnerabilities Traffic Controls BSIMM WhiteHat Security Akamai Verizon DBIR IBM Trustwave Then we’ll start getting some real answers about how to product secure-enough. © 2012 WhiteHat Security, Inc. 33
  • 34. Thank You! Blog: http://blog.whitehatsec.com/ Twitter: http://twitter.com/jeremiahg Email: jeremiah@whitehatsec.com © 2012 WhiteHat Security, Inc. 34