15 Years of Web Security: The Rebellious Teenage Years
© 2015 WhiteHat Security, Inc.
Jeremiah Grossman
Founder, WhiteHat Security, Inc.
Twitter: @jeremiahg
Jeremiah Grossman
Hacker
OWASP WebAppSec Person of the Year (2015)
Brazilian Jiu-Jitsu Black Belt
WhiteHat Security
Active Customers: ~1000
Fortune 500: 63
Commercial Banks: 7 of the Top 18
Largest Banks: 10 of the Top 50
Software: 6 of the Top 16
Consumer Financial Services: 4 of the Top 8
We help secure the Web by finding application vulnerabilities, in the source code all the way through to production, and help companies get them fixed before the bad guys exploit them.
Founded: 2001
Headquarters: Santa Clara, CA
Employees: 300+
My Areas of Focus
• Threat Actors: Innovating, scaling, or both?
• Intersection of security guarantees and cyber-insurance
• Vulnerability Remediation: Lowering costs, easing the burden, and prioritization.
• SDLC processes that measurably improve software security
• Addressing the application security skill shortage
Threat Actors
• Hacktivists
• Organized Crime
• Nation-State
• Terrorists(?)
WebApp Attacks Adversaries Use
“This year, organized crime became the most frequently seen threat actor for Web App Attacks.”
Verizon 2015 Data Breach Investigations Report
Security Industry Spends Billions
“2015 Global spending on information security is set to grow by close to 5% this year to top $75bn, according to the latest figures from Gartner.”
Vulnerability Likelihood
Average Time-to-Fix (Days)
Windows of Exposure
• A large % of websites are always vulnerable
• 60% of all Retail websites are always vulnerable
• 52% of all Healthcare and Social Assistance websites are always vulnerable
• 38% of all Information Technology websites are always vulnerable
• 39% of all Finance and Insurance websites are always vulnerable
Categories, by the number of days per year a website is vulnerable:
Rarely Vulnerable: 30 days or less a year
Occasionally Vulnerable: 31-150 days a year
Regularly Vulnerable: 151-270 days a year
Frequently Vulnerable: 271-364 days a year
Always Vulnerable: every day of the year
[Chart: share of websites in each category for Finance and Insurance, Health Care and Social Assistance, Information, and Retail Trade; the Always Vulnerable shares are the ones listed above]
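The three measurements the deck reports (average time-to-fix, remediation rate and window of exposure) computed from a scan history, as an added example that is not WhiteHat's Sentinel code and not part of the original slides. The vulnerability records are constructed sample data; the metric definitions (time-to-fix averaged over closed findings only, remediation rate as the closed fraction, window of exposure as the number of distinct days in the year on which at least one finding was open) are the plain reading of the slides and are assumptions of this example. The exposure buckets are the ones defined above.

```python
"""Website-security metrics: average time-to-fix, remediation rate and
window of exposure. Added example with constructed sample data; the
metric definitions are assumptions, not WhiteHat's published method."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Vuln:
    site: str
    vuln_class: str
    opened: date
    closed: Optional[date]  # None: still open at the end of the period


# Constructed scan history for two hypothetical sites (not real data).
SAMPLE_VULNS = [
    Vuln("shop.example", "SQL Injection", date(2014, 1, 10), date(2014, 2, 9)),
    Vuln("shop.example", "XSS", date(2014, 1, 20), date(2014, 4, 30)),
    Vuln("shop.example", "XSS", date(2014, 9, 1), None),
    Vuln("bank.example", "Information Leakage", date(2014, 3, 1), date(2014, 3, 11)),
    Vuln("bank.example", "CSRF", date(2014, 6, 1), date(2014, 6, 21)),
]

PERIOD_START = date(2014, 1, 1)
PERIOD_END = date(2014, 12, 31)  # inclusive

# Upper bounds (days per year) of the buckets from the Windows of Exposure slide.
EXPOSURE_BUCKETS = [
    (30, "Rarely Vulnerable"),
    (150, "Occasionally Vulnerable"),
    (270, "Regularly Vulnerable"),
    (364, "Frequently Vulnerable"),
]


def average_time_to_fix(vulns):
    """Mean days from discovery to closure over closed findings only
    (assumption: still-open findings are excluded, not censored)."""
    fixed = [(v.closed - v.opened).days for v in vulns if v.closed is not None]
    return sum(fixed) / len(fixed) if fixed else 0.0


def remediation_rate(vulns):
    """Fraction of reported findings that have been closed."""
    if not vulns:
        return 0.0
    return sum(1 for v in vulns if v.closed is not None) / len(vulns)


def days_vulnerable(vulns, start=PERIOD_START, end=PERIOD_END):
    """Distinct days in [start, end] with at least one finding open.
    Open intervals are clipped to the period and merged, so overlapping
    findings on the same site are not double-counted."""
    intervals = []
    for v in vulns:
        lo = max(v.opened, start)
        last_open = v.closed - timedelta(days=1) if v.closed else end
        hi = min(last_open, end)
        if lo <= hi:
            intervals.append((lo, hi))
    intervals.sort()
    total = 0
    cur_lo = cur_hi = None
    for lo, hi in intervals:
        if cur_hi is None or lo > cur_hi + timedelta(days=1):
            if cur_hi is not None:
                total += (cur_hi - cur_lo).days + 1
            cur_lo, cur_hi = lo, hi
        else:
            cur_hi = max(cur_hi, hi)
    if cur_hi is not None:
        total += (cur_hi - cur_lo).days + 1
    return total


def exposure_bucket(days):
    """Map days vulnerable per year onto the slide's five categories."""
    for limit, label in EXPOSURE_BUCKETS:
        if days <= limit:
            return label
    return "Always Vulnerable"


def site_report(vulns):
    """Per-site metrics for the period, keyed by site name."""
    report = {}
    for site in sorted({v.site for v in vulns}):
        mine = [v for v in vulns if v.site == site]
        exposed = days_vulnerable(mine)
        report[site] = {
            "avg_time_to_fix": average_time_to_fix(mine),
            "remediation_rate": remediation_rate(mine),
            "days_vulnerable": exposed,
            "window_of_exposure": exposure_bucket(exposed),
        }
    return report


if __name__ == "__main__":
    for site, metrics in site_report(SAMPLE_VULNS).items():
        print(site, metrics)
```

The interval merge is the part that matters: counting each finding's open days separately would push shop.example past a full year once its two overlapping early findings and its still-open one are summed, whereas the merged count (232 days) puts it in the Regularly Vulnerable band, which is what the slide's categories are meant to capture.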
[Chart: Ranges of Expected Loss by # of Records, from the Verizon 2015 Data Breach Investigations Report]
“In 2014, 71% of security professionals said their networks were breached. 22% of them were victimized 6 or more times. This increased from 62% and 16%, respectively, from 2013. 52% said their organizations will likely be successfully hacked in the next 12 months. This is up from 39% in 2013.”
Survey of security professionals by CyberEdge
Result: Every Year is the Year of the Hack
Downside protection
As of 2014, American businesses were expected to pay up to $2 billion on cyber-insurance premiums, a 67% spike from $1.2 billion spent in 2013.
Current expectations by one industry watcher suggest 100% growth in insurance premium activity, possibly 130% growth.
It’s usually the firms that are best prepared for cyber attacks that wind up buying insurance.
“Target spent $248 million after hackers stole 40 million payment card accounts and the personal information of up to 70 million customers. The insurance payout, according to Target, will be $90 million.”
“Home Depot reported $43 million in expenses related to its September 2014 hack, which affected 56 million credit and debit card holders. Insurance covered only $15 million.”
“Anthem has $150 million to $200 million in cyber coverage, including excess layers, sources say.”
“Insurers providing excess layers of cyber coverage include: Lloyd's of London syndicates; operating units of Liberty Mutual Holding Co.; Zurich Insurance Group; and CNA Financial Corp., sources say.”
2014 – 2015: New Security Investment vs. Cyber-Insurance
Cyber-Security Insurance: ~$3.2 billion in new spending (+67%) (Gartner: Oct, 2015)
Information Security Spending (Global): ~$3.8 billion in new spending (+4.7%)
No Guarantees
No Warranties
No Return Policies
Ever notice how everything in the information security industry is sold “as is”?
No More Snake Oil
“The only two products not covered by product liability are religion
and software, and software shall not escape much longer.”
Dan Geer (CISO, In-Q-Tel)
Software Security Maturity Metrics Analysis
• The analysis is based on 118 responses to a survey sent to security professionals to measure the maturity of application security programs at various organizations.
• The survey responses are correlated with the data available in Sentinel to get deeper insights. Statistics pulled from Sentinel are for the 2014 timeframe.
If an organization experiences a website(s) data or system breach, which part of the organization is held accountable and what is its performance?
56% of all respondents did not have any part of the organization held accountable in case of a data or system breach.
[Chart: % of respondents by accountable part of the organization; bar values 9%, 29%, 28%, 30%]
If an organization experiences a website(s) data or system breach, which part of the organization is held accountable and what is its performance?
Values read from the three bar charts, by accountable part of the organization:

Accountable part        Average # of vulns open   Average time to fix (days)   Remediation rate
Board of Directors      10                        129                          44%
Executive Management    10                        119                          43%
Software Development    17                        108                          37%
Security Department     25                        114                          43%
Please rank your organization’s drivers for resolving website vulnerabilities. 1 lowest priority, 5 highest.
Primary driver for resolving website vulnerabilities (% of respondents):
• Compliance: 15%
• Corporate Policy: 6%
• Risk Reduction: 35%
• Customer or Partner Demand: 19%
• Other reasons: 25%
Please rank your organization’s drivers for resolving website vulnerabilities. 1 the lowest priority, 5 the highest.
Values read from the three bar charts, by primary reason for resolving website vulnerabilities:

Primary reason               Average # of vulns   Average time to fix (days)   Average remediation rate
Compliance                   14                   132                          55%
Corporate Policy             21                   86                           21%
Risk Reduction               28                   78                           40%
Customer or Partner Demand   28                   163                          50%
Other                        10                   150                          33%
Security Controls (compared on # of open vulns, time-to-fix, and remediation rate):
• Automated static analysis during the code review process
• QA performs basic adversarial tests
• Defects identified through operations monitoring fed back to development
• Share results from security reviews with the QA
There Are No Best-Practices
Questions?
Jeremiah Grossman
Founder
WhiteHat Security, Inc.
Twitter: @jeremiahg
Thank you!

Contenu connexe

Tendances

Cover and CyberSecurity Essay
Cover and CyberSecurity EssayCover and CyberSecurity Essay
Cover and CyberSecurity Essay
Michael Solomon
 
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
Sarah Jarvis
 
FTSE350 Cyber Governance - An insight into the issues of today and tomorrow
FTSE350 Cyber Governance - An insight into the issues of today and tomorrowFTSE350 Cyber Governance - An insight into the issues of today and tomorrow
FTSE350 Cyber Governance - An insight into the issues of today and tomorrow
Leona Markham
 
Improve your security, minister tells major firms
Improve your security, minister tells major firmsImprove your security, minister tells major firms
Improve your security, minister tells major firms
John Davis
 

Tendances (20)

SVB Cybersecurity Impact on Innovation Report - Overview
SVB Cybersecurity Impact on Innovation Report - OverviewSVB Cybersecurity Impact on Innovation Report - Overview
SVB Cybersecurity Impact on Innovation Report - Overview
 
The Digital Multiplier: Five Steps To Digital Success In The Insurance Sector
The Digital Multiplier: Five Steps To Digital Success In The Insurance SectorThe Digital Multiplier: Five Steps To Digital Success In The Insurance Sector
The Digital Multiplier: Five Steps To Digital Success In The Insurance Sector
 
2014-15 Cybersecurity Venture Funding and M&A
2014-15 Cybersecurity Venture Funding and M&A2014-15 Cybersecurity Venture Funding and M&A
2014-15 Cybersecurity Venture Funding and M&A
 
Cover and CyberSecurity Essay
Cover and CyberSecurity EssayCover and CyberSecurity Essay
Cover and CyberSecurity Essay
 
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
 
Cost of Cybercrime Study in Financial Services: 2019 Report
Cost of Cybercrime Study in Financial Services: 2019 ReportCost of Cybercrime Study in Financial Services: 2019 Report
Cost of Cybercrime Study in Financial Services: 2019 Report
 
6º Resseguro - A Evolução do Risco Cibernético e seu Impacto no Seguro - Kara...
6º Resseguro - A Evolução do Risco Cibernético e seu Impacto no Seguro - Kara...6º Resseguro - A Evolução do Risco Cibernético e seu Impacto no Seguro - Kara...
6º Resseguro - A Evolução do Risco Cibernético e seu Impacto no Seguro - Kara...
 
Convince your board - cyber attack prevention is better than cure
Convince your board - cyber attack prevention is better than cureConvince your board - cyber attack prevention is better than cure
Convince your board - cyber attack prevention is better than cure
 
New Requirements of Fraud Prevention
New Requirements of Fraud PreventionNew Requirements of Fraud Prevention
New Requirements of Fraud Prevention
 
Digital Resilience flipbook
Digital Resilience flipbookDigital Resilience flipbook
Digital Resilience flipbook
 
Accounting for Cyber Risks - How much does Cyber actually cost the Industry?
Accounting for Cyber Risks - How much does Cyber actually cost the Industry?Accounting for Cyber Risks - How much does Cyber actually cost the Industry?
Accounting for Cyber Risks - How much does Cyber actually cost the Industry?
 
2018 U.S State of Cybercrime
2018 U.S State of Cybercrime2018 U.S State of Cybercrime
2018 U.S State of Cybercrime
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks
 
Innovate for Cyber Resilience
Innovate for Cyber ResilienceInnovate for Cyber Resilience
Innovate for Cyber Resilience
 
2018 State of Cyber Resilience for Insurance
2018 State of Cyber Resilience for Insurance2018 State of Cyber Resilience for Insurance
2018 State of Cyber Resilience for Insurance
 
Website Security Statistics Report 2013
Website Security Statistics Report 2013Website Security Statistics Report 2013
Website Security Statistics Report 2013
 
FTSE350 Cyber Governance - An insight into the issues of today and tomorrow
FTSE350 Cyber Governance - An insight into the issues of today and tomorrowFTSE350 Cyber Governance - An insight into the issues of today and tomorrow
FTSE350 Cyber Governance - An insight into the issues of today and tomorrow
 
The Imitation Game: Detecting and Thwarting Automated Bot Attacks
The Imitation Game: Detecting and Thwarting Automated Bot AttacksThe Imitation Game: Detecting and Thwarting Automated Bot Attacks
The Imitation Game: Detecting and Thwarting Automated Bot Attacks
 
DATA PROTECTION & BREACH READINESS GUIDE 2014
DATA PROTECTION & BREACH READINESS GUIDE 2014DATA PROTECTION & BREACH READINESS GUIDE 2014
DATA PROTECTION & BREACH READINESS GUIDE 2014
 
Improve your security, minister tells major firms
Improve your security, minister tells major firmsImprove your security, minister tells major firms
Improve your security, minister tells major firms
 

En vedette

Web Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok ChernWeb Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok Chern
Quek Lilian
 
Statistics - Top Website Vulnerabilities
Statistics - Top Website VulnerabilitiesStatistics - Top Website Vulnerabilities
Statistics - Top Website Vulnerabilities
Jeremiah Grossman
 
Secure development automatic identification and mitigation of application v...
Secure development   automatic identification and mitigation of application v...Secure development   automatic identification and mitigation of application v...
Secure development automatic identification and mitigation of application v...
peihsin1980
 

En vedette (13)

Dealing with Your Teenager's Rebellion
Dealing with Your Teenager's RebellionDealing with Your Teenager's Rebellion
Dealing with Your Teenager's Rebellion
 
STUDY: Website Vulnerability Assessment
STUDY: Website Vulnerability AssessmentSTUDY: Website Vulnerability Assessment
STUDY: Website Vulnerability Assessment
 
Web Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok ChernWeb Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok Chern
 
Cyber Security Predictions 2016
Cyber Security Predictions 2016Cyber Security Predictions 2016
Cyber Security Predictions 2016
 
06 asp.net session08
06 asp.net session0806 asp.net session08
06 asp.net session08
 
Introduction to Hacking
Introduction to HackingIntroduction to Hacking
Introduction to Hacking
 
Inetsecurity.in Ethical Hacking presentation
Inetsecurity.in Ethical Hacking presentationInetsecurity.in Ethical Hacking presentation
Inetsecurity.in Ethical Hacking presentation
 
JavaScript Security
JavaScript SecurityJavaScript Security
JavaScript Security
 
Statistics - Top Website Vulnerabilities
Statistics - Top Website VulnerabilitiesStatistics - Top Website Vulnerabilities
Statistics - Top Website Vulnerabilities
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Information security & ethical hacking
Information security & ethical hackingInformation security & ethical hacking
Information security & ethical hacking
 
Secure development automatic identification and mitigation of application v...
Secure development   automatic identification and mitigation of application v...Secure development   automatic identification and mitigation of application v...
Secure development automatic identification and mitigation of application v...
 
Slideshare.Com Powerpoint
Slideshare.Com PowerpointSlideshare.Com Powerpoint
Slideshare.Com Powerpoint
 

Similaire à 15 Years of Web Security: The Rebellious Teenage Years

Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the BoardroomSecuring the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
IBM Security
 
What trends will 2018 bring for Business Continuity Professionals?
What trends will 2018 bring for Business Continuity Professionals?What trends will 2018 bring for Business Continuity Professionals?
What trends will 2018 bring for Business Continuity Professionals?
PECB
 
EndpointSecurityConcerns2014
EndpointSecurityConcerns2014EndpointSecurityConcerns2014
EndpointSecurityConcerns2014
Peggy Lawless
 
Take Insurance Loyalty to Next Level Epsilon_Forrester
Take Insurance Loyalty to Next Level Epsilon_ForresterTake Insurance Loyalty to Next Level Epsilon_Forrester
Take Insurance Loyalty to Next Level Epsilon_Forrester
Dave Edington
 

Similaire à 15 Years of Web Security: The Rebellious Teenage Years (20)

15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years
 
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the BoardroomSecuring the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
 
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
 
The Insurance Digital Revolution Has a Fraud Problem
The Insurance Digital Revolution Has a Fraud ProblemThe Insurance Digital Revolution Has a Fraud Problem
The Insurance Digital Revolution Has a Fraud Problem
 
What trends will 2018 bring for Business Continuity Professionals?
What trends will 2018 bring for Business Continuity Professionals?What trends will 2018 bring for Business Continuity Professionals?
What trends will 2018 bring for Business Continuity Professionals?
 
La Seguridad en la Economía de las Aplicaciones
La Seguridad en la Economía de las AplicacionesLa Seguridad en la Economía de las Aplicaciones
La Seguridad en la Economía de las Aplicaciones
 
Government and Education Webinar: Public Sector Cybersecurity Survey - What I...
Government and Education Webinar: Public Sector Cybersecurity Survey - What I...Government and Education Webinar: Public Sector Cybersecurity Survey - What I...
Government and Education Webinar: Public Sector Cybersecurity Survey - What I...
 
2016 trustwave global security report
2016 trustwave global security report2016 trustwave global security report
2016 trustwave global security report
 
OneTrust: Securing the Supply Chain: What Does Compliance Look Like?
OneTrust: Securing the Supply Chain: What Does Compliance Look Like?OneTrust: Securing the Supply Chain: What Does Compliance Look Like?
OneTrust: Securing the Supply Chain: What Does Compliance Look Like?
 
Breaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gapsBreaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gaps
 
Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise
 
EndpointSecurityConcerns2014
EndpointSecurityConcerns2014EndpointSecurityConcerns2014
EndpointSecurityConcerns2014
 
2015 Energy Industry Cybersecurity Research Update
2015 Energy Industry Cybersecurity Research Update2015 Energy Industry Cybersecurity Research Update
2015 Energy Industry Cybersecurity Research Update
 
Preventing P2P Fraud with Aite Group
Preventing P2P Fraud with Aite GroupPreventing P2P Fraud with Aite Group
Preventing P2P Fraud with Aite Group
 
Take Insurance Loyalty to Next Level Epsilon_Forrester
Take Insurance Loyalty to Next Level Epsilon_ForresterTake Insurance Loyalty to Next Level Epsilon_Forrester
Take Insurance Loyalty to Next Level Epsilon_Forrester
 
New fraud protection solutions
New fraud protection solutionsNew fraud protection solutions
New fraud protection solutions
 
Check Point SMB Proposition
Check Point SMB PropositionCheck Point SMB Proposition
Check Point SMB Proposition
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe Security
 
Security Incident Response Readiness Survey
Security Incident Response Readiness Survey  Security Incident Response Readiness Survey
Security Incident Response Readiness Survey
 
The Rise of Data Breaches in Small Businesses
The Rise of Data Breaches in Small Businesses The Rise of Data Breaches in Small Businesses
The Rise of Data Breaches in Small Businesses
 

Plus de Jeremiah Grossman

Ransomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowRansomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to Know
Jeremiah Grossman
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
Jeremiah Grossman
 
11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)
Jeremiah Grossman
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
Jeremiah Grossman
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"
Jeremiah Grossman
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Jeremiah Grossman
 

Plus de Jeremiah Grossman (20)

All these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterAll these vulnerabilities, rarely matter
All these vulnerabilities, rarely matter
 
How to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorHow to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare Sector
 
The Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryThe Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare Industry
 
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensExploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers Guide
 
Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?
 
Ransomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowRansomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to Know
 
WhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedWhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report Explained
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics Report
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
 
WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]
 
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
 
11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
 

Dernier

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 

Dernier (20)

presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

15 Years of Web Security: The Rebellious Teenage Years

  • 1. 15 years of Web Security © 2015 WhiteHat Security, Inc. Jeremiah Grossman Founder WhiteHat Security, Inc. Twitter: @jeremiahg The Rebellious Teenage Years
  • 2. © 2015 WhiteHat Security, Inc. Jeremiah Grossman Hacker OWASP WebAppSec Person of the Year (2015) Brazilian Jiu-Jitsu Black Belt
  • 3. WhiteHat Security Active Customers: ~1000 Fortune 500: 63 Commercial Banks 7 of the Top 18 Largest Banks 10 of the Top 50 Software 6 of the Top 16 Consumer Financial Services 4 of the Top 8 © 2015 WhiteHat Security, Inc. We help secure the Web by finding application vulnerabilities, in the source code all the way through to production, and help companies get them fixed, before the bad guys exploit them. Founded: 2001 Headquarters: Santa Clara, CA Employees: 300+
  • 4. © 2015 WhiteHat Security, Inc. My Areas of Focus • Threat Actors: Innovating, scaling, or both? • Intersection of security guarantees and cyber-insurance • Vulnerability Remediation: Lowering costs, easing the burden, and prioritization. • SDLC processes that measurably improve software security • Addressing the application security skill shortage
  • 5. Threat Actors © 2015 WhiteHat Security, Inc. • Hacktivists • Organized Crime • Nation-State • Terrorists(?)
  • 6. © 2015 WhiteHat Security, Inc. 6
  • 7. © 2015 WhiteHat Security, Inc. 7 “This year, organized crime became the most frequently seen threat actor for Web App Attacks.” Verizon 2015 Data Breach Investigations Report WebApp Attacks Adversaries Use
  • 8. © 2015 WhiteHat Security, Inc. 8 Security Industry Spends Billions “2015 Global spending on information security is set to grow by close to 5% this year to top $75bn, according to the latest figures from Gartner.”
  • 9. © 2015 WhiteHat Security, Inc. Vulnerability Likelihood
  • 10. © 2015 WhiteHat Security, Inc. Average Time-to-Fix (Days)
  • 11. © 2015 WhiteHat Security, Inc. Windows of Exposure
    • A large % of websites are always vulnerable
    • 60% of all Retail are always vulnerable
    • 52% of all Healthcare and Social Assistance sites are always vulnerable
    • 38% of all Information Technology websites are always vulnerable
    • 39% of all Finance and Insurance websites are always vulnerable
    Chart: Windows of Exposure by industry (Finance and Insurance, Health Care and Social Assistance, Information, Retail Trade). Exposure bands: Rarely Vulnerable (30 days or less a year), Occasionally Vulnerable (31-150 days a year), Regularly Vulnerable (151-270 days a year), Frequently Vulnerable (271-364 days a year), Always Vulnerable.
  • 12. © 2015 WhiteHat Security, Inc. 12 Ranges of Expected Loss by # of Records Verizon 2015 Data Breach Investigations Report
  • 13. “In 2014, 71% of security professionals said their networks were breached. 22% of them victimized 6 or more times. This increased from 62% and 16% respectively from 2013. 52% said their organizations will likely be successfully hacked in the next 12 months. This is up from 39% in 2013.” Survey of security professionals by CyberEdge © 2015 WhiteHat Security, Inc. 13 Result: Every Year is the Year of the Hack
  • 14. © 2015 WhiteHat Security, Inc. 14 As of 2014, American businesses were expected to pay up to $2 billion on cyber-insurance premiums, a 67% spike from $1.2 billion spent in 2013. Current expectations by one industry watcher suggest 100% growth in insurance premium activity, possibly 130% growth. It’s usually the firms that are best prepared for cyber attacks that wind up buying insurance. Downside protection
  • 15. © 2015 WhiteHat Security, Inc. 15 “Target spent $248 million after hackers stole 40 million payment card accounts and the personal information of up to 70 million customers. The insurance payout, according to Target, will be $90 million.” “Home Depot reported $43 million in expenses related to its September 2014 hack, which affected 56 million credit and debit card holders. Insurance covered only $15 million.” Downside protection
  • 16. © 2015 WhiteHat Security, Inc. 16 “Anthem has $150 million to $200 million in cyber coverage, including excess layers, sources say. Insurers providing excess layers of cyber coverage include: Lloyd's of London syndicates; operating units of Liberty Mutual Holding Co.; Zurich Insurance Group; and CNA Financial Corp., sources say.” Downside protection
  • 17. © 2015 WhiteHat Security, Inc. 2014 – 2015 New Security Investment vs. Cyber-Insurance. Cyber-Security Insurance: ~$3.2 Billion in new spending (+67%) (Gartner: Oct, 2015). Information Security Spending (Global): ~$3.8 billion in new spending (+4.7%)
  • 18. © 2015 WhiteHat Security, Inc. No Guarantees No Warrantees No Return Policies Ever notice how everything in the information security industry is sold “as is”?
  • 19. © 2015 WhiteHat Security, Inc. No More Snake Oil
  • 20. © 2015 WhiteHat Security, Inc.
  • 21. © 2015 WhiteHat Security, Inc. 21 “The only two products not covered by product liability are religion and software, and software shall not escape much longer.” Dan Geer (CISO, In-Q-Tel)
  • 22. Software Security Maturity Metrics Analysis © 2015 WhiteHat Security, Inc. • The analysis is based on 118 responses to a survey sent to security professionals to measure the maturity of application security programs at various organizations. • The responses obtained in the survey are correlated with the data available in Sentinel to get deeper insights. Statistics pulled from Sentinel are for the 2014 timeframe.
  • 23. © 2015 WhiteHat Security, Inc. 56% of all respondents did not have any part of the organization held accountable in case of a data or system breach. If an organization experiences a website(s) data or system breach, which part of the organization is held accountable and what is its performance? Chart values: 9%, 29%, 28%, 30%
  • 24. © 2015 WhiteHat Security, Inc. If an organization experiences a website(s) data or system breach, which part of the organization is held accountable and what is its performance?
    Part held accountable     Average Number of Vulns Open   Average Time to Fix (Days)   Remediation Rate
    Board of Directors        10                             129                          44%
    Executive Management      10                             119                          43%
    Software Development      17                             108                          37%
    Security Department       25                             114                          43%
  • 25. © 2015 WhiteHat Security, Inc. Please rank your organization’s drivers for resolving website vulnerabilities. 1 lowest priority, 5 highest. Primary driver for resolving website vulnerabilities (% of respondents):
    • 15% of the respondents cite Compliance as the primary reason for resolving website vulnerabilities
    • 6% of the respondents cite Corporate Policy as the primary reason for resolving website vulnerabilities
    • 35% of the respondents cite Risk Reduction as the primary reason for resolving website vulnerabilities
    • 19% of the respondents cite Customer or Partner Demand as the primary reason for resolving website vulnerabilities
    • 25% of the respondents cite other reasons for resolving website vulnerabilities
  • 26. © 2015 WhiteHat Security, Inc. Please rank your organization’s drivers for resolving website vulnerabilities. 1 the lowest priority, 5 the highest. Primary reasons for resolving web site vulnerabilities:
    Primary reason               Average # of vulnerabilities   Average Time to Fix (Days)   Average Remediation Rate
    Compliance                   14                             132                          55%
    Corporate Policy             21                             86                           21%
    Risk Reduction               28                             78                           40%
    Customer or Partner Demand   28                             163                          50%
    Other                        10                             150                          33%
  • 27. © 2015 WhiteHat Security, Inc. Security Controls (compared on # of Open Vulns, Time-to-Fix, Remediation Rate): • Automated static analysis during the code review process • QA performs basic adversarial tests • Defects identified through operations monitoring fed back to development • Share results from security reviews with the QA
  • 28. © 2015 WhiteHat Security, Inc. There Are No Best-Practices
  • 29. Questions? © 2015 WhiteHat Security, Inc. Jeremiah Grossman Founder WhiteHat Security, Inc. Twitter: @jeremiahg Thank you!

Editor's notes

  1. http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report-2015-insider_en_xg.pdf
  2. http://www.infosecurity-magazine.com/news/global-security-spend-set-to-top/ http://www.securityweek.com/global-cybersecurity-spending-reach-769-billion-2015-gartner http://www.gartner.com/newsroom/id/2828722 http://www.wsj.com/articles/financial-firms-bolster-cybersecurity-budgets-1416182536 http://mspmentor.net/managed-security-services/100314/pwc-cybersecurity-costs-rise-budgets-decrease
  3. http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report-2015-insider_en_xg.pdf
  4. http://www.darkreading.com/attacks-breaches/most-companies-expect-to-be-hacked-in-the-next-12-months/d/d-id/1319497?
  5. http://fortune.com/2015/01/23/cyber-attack-insurance-lloyds/ http://www.techtimes.com/articles/27454/20150120/cyber-insurance-forefront-companies-minds.htm http://www.latimes.com/business/la-fi-hacking-insurance-20150210-story.html http://www.cnbc.com/id/101804150 http://www.darkreading.com/risk/the-problem-with-cyber-insurance/a/d-id/1269682?#ftag=YHF87e0214
  6. http://www.insurancejournal.com/news/national/2014/02/26/321638.htm http://www.latimes.com/business/la-fi-hacking-insurance-20150210-story.html
  7. http://www.businessinsurance.com/article/20150206/NEWS06/150209857/aig-unit-leads-anthems-cyber-coverage?tags=%7C83%7C299%7C302%7C329
  8. https://www.youtube.com/watch?v=nT-TGvYOBpI&list=UUJ6q9Ie29ajGqKApbLqfBOg