infoShare 2011 - Paweł Krawczyk - Why care about application security (open)
•Download as PPTX, PDF•
2 likes•864 views
Recommended
Recommended
More Related Content
Similar to infoShare 2011 - Paweł Krawczyk - Why care about application security (open)
Similar to infoShare 2011 - Paweł Krawczyk - Why care about application security (open) (20)
More from Infoshare
More from Infoshare (20)
infoShare 2011 - Paweł Krawczyk - Why care about application security (open)
- 1. Why care about application security? Paweł Krawczyk (IPSec.pl) pawel.krawczyk@hush.com
- 2. Sony PSN April 2011 PSN & Qriosity outage 80m records lost May 3 Another 25m records Sony Online Entertainment outage
- 3. Small issues are important Sony 2011 Challenger 1986
- 4. Top hack (2009) 130 million personal records Credit card numbers
- 5. Fast & furious... Source: datalossdb.org
- 6. $$$ Settlements Visa = $60.0m AmEx = $ 3.5m Consumer = $ 4.8m Ponemon Institute estimate At $60 cost per record = $7.8b Now $140 (2010) Indirect costs (e.g. lost business) Source: datalossdb.org
- 8. Side effect CC’s prices drop on „black market” 2008 $10-20 2009 $2-6 Numbers from: Finjan, Kaspersky
- 13. Malware farming Mass 500k websites infections 2011 (LizaMoon), 2008 Results for website owners Blacklisted in: Google Safe Browsing, Microsoft Phishing Filter, OpenDNS etc.
- 18. Your website Blacklisted Google Safe Browsing, Microsoft Phishing Filter, OpenDNS etc.
- 19. Bestwaystogethacked Guaranteed Use ancient Wordpress, Joomla, PHPbb... Use trivial passwords for FTP, SSH... Likely Write your own application...
- 20. Tumblr Source: niebezpiecznik.pl, Reddit
- 21. Bad news live long Source: niebezpiecznik.pl
- 22. .pl As seen on 23 March 2011
- 23. Wyższa Szkoła Policji Source: prawo.vagla.pl
- 24. Sąd Okręgowy w Częstochowie Source: prawo.vagla.pl
- 25. Data protection laws Poland - up to 50’000 PLN fines May issue order to stop processing data Audit reports are public Would you trust them in future?
- 26. Going international? GBP 5,6m GBP 17,5m GBP 3m
- 27. How to fix stuff? Source: NASA, Wikipedia (Apollo 13 - 1970)
- 30. Eliminate bugs early Early code audit Applied Software Measurement, Capers Jones, 1996 Building Security Into The Software Life Cycle, Marco M. Morana, 2006
- 31. It’s cheaper than... Pentest Late code audit Applied Software Measurement, Capers Jones, 1996 Building Security Into The Software Life Cycle, Marco M. Morana, 2006
- 32. And way cheaper than... Hack! Applied Software Measurement, Capers Jones, 1996 Building Security Into The Software Life Cycle, Marco M. Morana, 2006
- 33. How? Dough Hubbard „The Failure of Risk Management” Security Assurance Maturity Model (OpenSAMM) Security Development Lifecycle (SDL)
- 34. Outsourcing? Tell them what you need (precisely) UML, BPMN Specify assurance level OWASP ASVS Trust but verify Supplier due dilligence, audit, pentest
- 35. Ask peers OWASP Open Web Application Security Project www.owasp.org ISSA Information Systems Security Association www.issa.org.pl