2. What is Web 2.0? Dictionary.com entry for web 2.0 (n.): the second generation of the World Wide Web, in which content is user-generated and dynamic, and software is offered that mimics desktop programs. Example: Web 2.0 encourages collaboration and communication between users. Etymology: 2004.
5. Gilt is a Web 2.0 site for luxury fashion at discounted prices. Gilt combines published content with user-generated content: users can shop, blog about Gilt products, post comments about fashion products to Twitter and Facebook, and share deals on Gilt City via Facebook, Twitter and email.
6. Evolution of Threats in Web 2.0. Every insider is a threat, even a CISO. To a trojan, you are just an IP address. Malware has new propagation methods (PDFs, videos, social networks, pop-up ads, etc.). The network perimeter is no longer clearly defined, because employees use social media (Twitter, Facebook) and external cloud providers.
17. None of the “new” attacks appear on OWASP top 10 list of security bugs.
18. In fact, the Verizon 2009 Data Breach Investigations Report lists the top data breach causes as:
- weak or default passwords
- SQL injection attacks
- improper access rights
- XSS attacks
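Two of the four causes in that list, SQL injection and XSS, are code-level bugs, and the fix for each is the same in every web stack. The block below is an added example, not material from the slides or from Gilt's code base: it puts a vulnerable lookup and comment renderer beside their hardened forms and runs both against constructed attacker input. The users table and the attack strings are made up for the demonstration.

```python
"""Added example: SQL injection and XSS, vulnerable form beside hardened form.

Not from the original slides; the database contents and attack strings are
constructed here so the example runs offline.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Attacker-controlled text is spliced into the SQL statement itself,
    so the input can rewrite the WHERE clause."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    """Bound parameter: the value travels separately from the statement
    and is compared literally, whatever characters it contains."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_comment_vulnerable(comment: str) -> str:
    """User text dropped straight into HTML: a <script> tag executes."""
    return f"<p>{comment}</p>"


def render_comment_hardened(comment: str) -> str:
    """Escape for the HTML text context so markup in the comment is
    shown as text instead of being parsed."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


# Constructed attacker inputs.
SQLI_PAYLOAD = "' OR '1'='1"
XSS_PAYLOAD = "<script>alert(1)</script>"


def demo() -> dict:
    """Run both pairs and return the results for inspection."""
    conn = make_db()
    return {
        # The tautology makes the vulnerable query return every row.
        "sqli_vulnerable_rows": len(lookup_vulnerable(conn, SQLI_PAYLOAD)),
        # The bound parameter looks for a user literally named ' OR '1'='1.
        "sqli_hardened_rows": len(lookup_hardened(conn, SQLI_PAYLOAD)),
        "legit_lookup": lookup_hardened(conn, "alice"),
        "xss_vulnerable": render_comment_vulnerable(XSS_PAYLOAD),
        "xss_hardened": render_comment_hardened(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable lookup returns both rows for a name nobody has, which is the whole attack; the hardened one returns none. Static scanners such as the one recommended later in the deck flag exactly the string-formatting pattern in `lookup_vulnerable` and `render_comment_vulnerable`.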
19. Our Approach
- Security decisions are based on risk, not just on threats and vulnerabilities (risk = threat * vulnerability * cost).
- Don't chase the hot vulnerability of the day; mitigate the top risks instead.
- AAA (authentication, authorization, accounting) and the least-privilege principle.
- Heavily based on policy and user education.
- "Onion security": multiple protections at each layer.
- Achieve "essential" first, then worry about "excellent".
- Be a "how team" instead of a "no team".
- Build security into the software development lifecycle.
24. Recommendations (cont.)
- Build security into the SDLC (software development lifecycle).
- Secure coding training and books for all developers.
- Fortify static code scanner, plus dynamic scans using Burp Suite.
- Jira security-category approval workflow.
25. Recommendations (cont.)
- Standardized configuration manager for firewall rules.
- Bandwidth analysis.
- Standard laptop and server images (disk encryption, A/V, LanRev).
- Evaluate third parties' security before sending them your data.
- Monitor your good name (actually go to hacker forums, Google for it, watch the press, etc.).