6. $$$ Settlements: Visa = $60.0m, AmEx = $3.5m, consumer = $4.8m. Ponemon Institute estimate: at $60 cost per record = $7.8b; the per-record cost is now $140 (2010). Plus indirect costs (e.g. lost business). Source: datalossdb.org
13. Malware farming: mass infections of ~500k websites in 2011 (LizaMoon) and in 2008. Result for the website owners: blacklisted in Google Safe Browsing, Microsoft Phishing Filter, OpenDNS, etc.
25. Data protection laws: Poland, fines up to 50,000 PLN; the regulator may issue an order to stop processing data; audit reports are public. Would you trust them in the future?
30. Eliminate bugs early: early code audit. Sources: Applied Software Measurement, Capers Jones, 1996; Building Security Into The Software Life Cycle, Marco M. Morana, 2006.
31. It's cheaper than... a pentest or a late code audit (same sources as slide 30).
32. And way cheaper than... a hack! (same sources as slide 30)
33. How? Doug Hubbard, "The Failure of Risk Management"; Software Assurance Maturity Model (OpenSAMM); Security Development Lifecycle (SDL).
34. Outsourcing? Tell them what you need (precisely): UML, BPMN. Specify the assurance level: OWASP ASVS. Trust but verify: supplier due diligence, audit, pentest.
35. Ask peers: OWASP, Open Web Application Security Project, www.owasp.org; ISSA, Information Systems Security Association, www.issa.org.pl