Failed - Why Security Fails And What To Do v08.1204a
Security programs and efforts (particularly in web application security) more often than not... fail. You can do something about it: this presentation gives an overview, from our point of view, of how to start to understand the problem and succeed.

Published in: Technology
  1. HP Application Security Center
     ViViT – Madison, WI (Dec. 4, 2009)
     12 March 2009

  2. Your Security Will Fail
     … you just don’t know it yet.
     Rafal M. Los, Sr. Security Solutions Specialist
     © 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

  3. Today’s Agenda
     • Quick Scan of Headliners
       − Incidents & data theft
     • 5 Reasons Security Is Failing
       − Security not user-friendly
       − Decentralized data storage
       − Consumerization
       − Passing the buck (aka – liability)
       − Consumer apathy
     • How You Will Succeed
       − Magic pixie dust

  4. (no slide text)

  5. (no slide text)

  6. Quick Scan of Recent Headlines
     • India vs. Pakistan in “cyber-war”
       − India hacked Pakistan’s websites, Pakistan retaliates (A1)
     • US Pentagon web sites “penetrated” by Chinese
       − “No sites are safe” say the Chinese hackers (A2)
     • Corporate sites hacked
       − Hackers attacking corporate sites (A3–A5)
       − Hacking your way into Harvard (A6)
     • Santa’s Gmail account hacked!
       − Is no one safe? Not even Santa!? (A7)

  7. Security Fails Because…

  8. Security Fails Because…
     • Security is not user-friendly
       − Secure is not second nature
         • Seat belts, dead-bolt locks, locking your car
       − Secure is possible, but requires a PhD
         • Configuring your computer to be “secure”
         • Using minimal browser capabilities (NoScript?)
       − Security measures are complex
         • Tokens, digital certificates, “widgets” and “gadgets”
         • Anti-virus, anti-malware, SPAM, trojans, ClickJacking
       − Usability is the arch enemy of security
         • Why?

  9. Security Fails Because…
     • Data storage is de-centralized
       − How many devices carry “data”?
         • iPod, USB memory stick, cell phone
         • Many, many other devices store information
       − Castle theory is impossible
         • No “centralized” data store to build defenses around
       − Data in all formats
         • Spreadsheets, databases, txt files, PSTs, PDFs, PPTs, DOCs, et al.
       − No one knows where data lives
         • Is *your* corporate data centralized?
         • Can anyone identify data/types/locations for all data?

  10. Security Fails Because…
      • Consumerization drives non-securable technologies
        − Vendors build for “wow factor”
          • Cool sells
          • Secure does not
        − Viral marketing works
          • iPhone, iPod vs. Windows Mobile, Zune
        − Corporations cannot deal with all the gadgets
          • Gadgets don’t include enterprise features
          • No way to secure this stuff!
        − It just shows up one day
          • New devices show up on the corp. network every day

  11. Security Fails Because…
      • Businesses pass the [risk] buck
        − “Not my problem” mentality
          • Contracts write liability down the chain
          • Customers responsible for own security
        − Contracts are brutal
          • Corporations pass liability to vendors
        − Corporations don’t understand impact
          • Liability is one thing, public opinion… another
          • Customers don’t care for liability write-offs
        − The pen is mightier (so is the blog)
          • Bloggers, digital media expose breaches

  12. Security Fails Because…
      • End-users still don’t get it
        − End-users still apathetic about security
          • Who cares if my computer is hacked?
          • What would hackers want with my information?
        − Wait until your identity is stolen…
          • Costs are huge in dollars and time
        − End-users think corporations protect them
          • … but companies don’t do enough
          • … but no one can protect you from yourself
        − Apathy to outrage
          • “Why didn’t someone tell me”… when it’s too late

  13. Security Has No End-Game
      • Live to fight another day
        − Mitigate immediate risks
        − Secure what you can
        − Educate and empower end-users
        − Make it simple, stupid
      • People, Process, Tools are the foundation
        − People: educate, empower, assist
        − Process: easier to do the right thing, not the wrong
        − Tools: don’t replace people, make them efficient

  14. You Can Succeed

  15. You Can Succeed
      People: Providing guidance on secure application development
        • Educate and empower
        • HP ASC Security Team can help!
      Process: Security cannot be an afterthought
        • Repeatable processes
        • Secure coding practices
        • Web Security Policies and Standards
      Tools: Coverage for the entire SDLC
        • WebInspect
        • QAInspect
        • DevInspect
        • AMP platform

  16. Are You Ready? Take the First Step.

  17. “The journey of a thousand miles must begin with a single step” -- Chinese proverb
      Rafal “Raf” M. Los
      Sr. Security Solutions Consultant - HP Application Security Center
      Direct - (404) 606-6056 - email: Rafal@hp.com
      http://www.communities.hp.com/securitysoftware/blogs/rafal/

  18. Appendix – References
      A.
        1. http://www.arsalanonline.com/2008/11/indian-website-hacked-pakistani-hackers-response-to-ogra-website-hacking/
        2. http://www.cnn.com/2008/TECH/03/07/china.hackers/index.html
        3. http://www.engadgethd.com/tag/Tweeter/
        4. http://www.pcworld.com/printable/article/id,148007/printable.html
        5. http://cyberinsecure.com/businessweek-online-content-hit-by-sql-injection/
        6. http://www.accessmylibrary.com/coms2/summary_0286-8459030_ITM
        7. http://preachsecurity.blogspot.com/2008/12/santas-gmail-hacked-is-nothing-sacred.html