infoShare 2011 - Paweł Krawczyk - Why care about application security (open)
  • 1. Why care about application security?
    Paweł Krawczyk (IPSec.pl)
    pawel.krawczyk@hush.com
  • 2. Sony PSN
    April 2011
    PSN & Qriosity outage
    80m records lost
    May 3
    Another 25m records
    Sony Online Entertainment outage
  • 3. Small issues are important
    Sony 2011
    Challenger 1986
  • 4. Top hack (2009)
    130 million personal records
    Credit card numbers
  • 5. Fast & furious...
    Source: datalossdb.org
  • 6. $$$
    Settlements
    Visa = $60.0m
    AmEx = $3.5m
    Consumer = $4.8m
    Ponemon Institute estimate
    At $60 cost per record, 130 million records = $7.8b
    The 2010 estimate is $140 per record
    Plus indirect costs (e.g. lost business)
    Source: datalossdb.org
  • 7. NYSE
    Source: datalossdb.org
  • 8. Side effect
    Stolen credit card prices drop on the "black market"
    2008: $10-20
    2009: $2-6
    Numbers from: Finjan, Kaspersky
  • 9. Grace period for startups?
  • 10.
  • 11. Source: dereknewton.com
  • 12. Farming
    Source: historyforkids.org
  • 13. Malware farming
    Mass infections of 500k websites: LizaMoon (2011), and another wave in 2008
    Result for website owners:
    Blacklisted in Google Safe Browsing, Microsoft Phishing Filter, OpenDNS etc.
  • 14.
  • 15.
  • 16.
  • 17.
  • 18. Your website
    Blacklisted
    Google Safe Browsing, Microsoft Phishing Filter, OpenDNS etc.
  • 19. Best ways to get hacked
    Guaranteed:
    Use an ancient WordPress, Joomla, phpBB...
    Use trivial passwords for FTP, SSH...
    Likely:
    Write your own application...
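The two "guaranteed" items above are cheap to check for before an attacker does. The script below is an added example, not code from the talk or from IPSec.pl: it reads the `$wp_version` string from a WordPress `wp-includes/version.php` and compares it against a cut-off, and it parses an `sshd_config` to flag password logins and root logins. The cut-off version `MIN_SUPPORTED_WP` and the sample file contents are assumptions constructed for illustration; only the file name, the `$wp_version` variable and the OpenSSH keyword semantics (first occurrence wins, `Match` starts a conditional block, `PasswordAuthentication` defaults to yes) are real.

```python
import re

# Assumption for illustration: anything older than this counts as "ancient".
MIN_SUPPORTED_WP = (3, 1)

# Constructed sample inputs (not taken from any real server).
WP_VERSION_PHP_OLD = "<?php\n$wp_version = '2.9.2';\n$wp_db_version = 12329;\n"
WP_VERSION_PHP_OK = "<?php\n$wp_version = '3.1.2';\n"
SSHD_CONFIG_WEAK = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes  # for convenience\n"
SSHD_CONFIG_HARDENED = (
    "PasswordAuthentication no\nPermitRootLogin no\n"
    "Match User backup\n    PasswordAuthentication yes\n"   # conditional, not global
)


def parse_wp_version(version_php: str):
    """Extract $wp_version from wp-includes/version.php as a tuple, e.g. (3, 1, 2)."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", version_php)
    if m is None:
        return None
    return tuple(int(p) for p in re.findall(r"\d+", m.group(1)))


def wp_is_ancient(version_php: str, minimum=MIN_SUPPORTED_WP) -> bool:
    """True if the install is older than `minimum`. An unreadable version file
    is treated as a finding rather than a pass."""
    v = parse_wp_version(version_php)
    return v is None or v < minimum


def sshd_effective_settings(sshd_config: str) -> dict:
    """Global sshd settings, lower-cased. OpenSSH rules: the first occurrence of a
    keyword wins, keywords are case-insensitive, 'Key value' and 'Key=value' are
    both accepted, and everything after the first Match block is conditional,
    so parsing stops there."""
    settings = {}
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        settings.setdefault(key, value)              # first occurrence wins
    return settings


def sshd_findings(sshd_config: str) -> list:
    """Settings that make password guessing against SSH worthwhile."""
    s = sshd_effective_settings(sshd_config)
    findings = []
    # OpenSSH defaults to PasswordAuthentication yes when the keyword is absent.
    if s.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication enabled: trivial passwords are one brute force away")
    if s.get("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root is reachable with a password")
    return findings


def audit(version_php: str, sshd_config: str) -> list:
    """Combine both checks into one list of findings."""
    findings = []
    if wp_is_ancient(version_php):
        v = parse_wp_version(version_php)
        findings.append("WordPress %s is older than %s" %
                        (".".join(map(str, v)) if v else "(unknown)",
                         ".".join(map(str, MIN_SUPPORTED_WP))))
    findings.extend(sshd_findings(sshd_config))
    return findings


if __name__ == "__main__":
    for f in audit(WP_VERSION_PHP_OLD, SSHD_CONFIG_WEAK):
        print("FINDING:", f)
    print("hardened host findings:", audit(WP_VERSION_PHP_OK, SSHD_CONFIG_HARDENED))
```

Note that an empty `sshd_config` still yields a finding, because OpenSSH's compiled-in default for `PasswordAuthentication` is yes; absence of a keyword is not the same as a hardened setting.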
  • 20. Tumblr
    Source: niebezpiecznik.pl, Reddit
  • 21. Bad news live long
    Source: niebezpiecznik.pl
  • 22. .pl
    As seen on 23 March 2011
  • 23. Wyższa Szkoła Policji (the Police Academy)
    Source: prawo.vagla.pl
  • 24. Sąd Okręgowy w Częstochowie (the District Court in Częstochowa)
    Source: prawo.vagla.pl
  • 25. Data protection laws
    Poland: fines of up to 50,000 PLN
    The regulator may order you to stop processing data
    Audit reports are public
    Would your customers trust you afterwards?
  • 26. Going international?
    GBP 5.6m
    GBP 17.5m
    GBP 3m
  • 27. How to fix stuff?
    Source: NASA, Wikipedia (Apollo 13 - 1970)
  • 28. Is security the enemy of the economy?
  • 29. Security is economy
  • 30. Eliminate bugs early
    Early code audit
    Applied Software Measurement, Capers Jones, 1996
    Building Security Into The Software Life Cycle, Marco M. Morana, 2006
  • 31. It's cheaper than...
    Pentest
    Late code audit
    (same sources)
  • 32. And way cheaper than...
    Getting hacked!
    (same sources)
  • 33. How?
    Douglas Hubbard, "The Failure of Risk Management"
    Security Assurance Maturity Model (OpenSAMM)
    Security Development Lifecycle (SDL)
  • 34. Outsourcing?
    Tell them precisely what you need
    UML, BPMN
    Specify the assurance level
    OWASP ASVS
    Trust but verify
    Supplier due diligence, audit, pentest
  • 35. Ask peers
    OWASP
    Open Web Application Security Project
    www.owasp.org
    ISSA
    Information Systems Security Association
    www.issa.org.pl
  • 36. Questions, comments?
    pawel.krawczyk@hush.com