infoShare 2011 - Paweł Krawczyk - Why care about application security (open)
Transcript of "infoShare 2011 - Paweł Krawczyk - Why care about application security (open)"

  1. Why care about application security?
     Paweł Krawczyk (IPSec.pl)
     pawel.krawczyk@hush.com
  2. Sony PSN
     April 2011: PSN & Qriosity outage, 80m records lost
     May 3: another 25m records, Sony Online Entertainment outage
  3. Small issues are important
     Sony 2011
     Challenger 1986
  4. Top hack (2009)
     130 million personal records
     Credit card numbers
  5. Fast & furious...
     Source: datalossdb.org
  6. $$$
     Settlements:
     Visa = $60.0m
     AmEx = $3.5m
     Consumer = $4.8m
     Ponemon Institute estimate: at $60 cost per record = $7.8b; now $140 (2010)
     Indirect costs (e.g. lost business)
     Source: datalossdb.org
  7. NYSE
     Source: datalossdb.org
  8. Side effect
     Credit card prices drop on the "black market":
     2008: $10-20
     2009: $2-6
     Numbers from: Finjan, Kaspersky
  9. Grace period for startups?
  10.
  11. Source: dereknewton.com
  12. Farming
     Source: historyforkids.org
  13. Malware farming
     Mass infections of 500k websites: 2011 (LizaMoon), 2008
     Results for website owners: blacklisted in Google Safe Browsing, Microsoft Phishing Filter, OpenDNS etc.
  14.
  15.
  16.
  17.
  18. Your website
     Blacklisted: Google Safe Browsing, Microsoft Phishing Filter, OpenDNS etc.
  19. Best ways to get hacked
     Guaranteed:
     Use ancient WordPress, Joomla, phpBB...
     Use trivial passwords for FTP, SSH...
     Likely:
     Write your own application...
  20. Tumblr
     Source: niebezpiecznik.pl, Reddit
  21. Bad news lives long
     Source: niebezpiecznik.pl
  22. .pl
     As seen on 23 March 2011
  23. Wyższa Szkoła Policji
     Source: prawo.vagla.pl
  24. Sąd Okręgowy w Częstochowie
     Source: prawo.vagla.pl
  25. Data protection laws
     Poland: up to 50,000 PLN fines
     May issue order to stop processing data
     Audit reports are public
     Would you trust them in future?
  26. Going international?
     GBP 5.6m
     GBP 17.5m
     GBP 3m
  27. How to fix stuff?
     Source: NASA, Wikipedia (Apollo 13 - 1970)
  28. Is security the enemy of economy?
  29. Security is economy
  30. Eliminate bugs early
     Early code audit
     Applied Software Measurement, Capers Jones, 1996
     Building Security Into The Software Life Cycle, Marco M. Morana, 2006
  31. It's cheaper than...
     Pentest
     Late code audit
     Applied Software Measurement, Capers Jones, 1996
     Building Security Into The Software Life Cycle, Marco M. Morana, 2006
  32. And way cheaper than...
     Hack!
     Applied Software Measurement, Capers Jones, 1996
     Building Security Into The Software Life Cycle, Marco M. Morana, 2006
  33. How?
     Douglas Hubbard, "The Failure of Risk Management"
     Security Assurance Maturity Model (OpenSAMM)
     Security Development Lifecycle (SDL)
  34. Outsourcing?
     Tell them what you need (precisely): UML, BPMN
     Specify assurance level: OWASP ASVS
     Trust but verify: supplier due diligence, audit, pentest
  35. Ask peers
     OWASP, Open Web Application Security Project, www.owasp.org
     ISSA, Information Systems Security Association, www.issa.org.pl
  36. Questions, comments?
     pawel.krawczyk@hush.com