The document provides an agenda for a presentation on application security and incident response best practices. It introduces Ted Julian from Co3 Systems and Chris Wysopal from Veracode as the speakers. It summarizes Co3's automated breach management platform and Veracode's application security testing platform. The presentation covers application vulnerabilities, real-world breaches from vulnerabilities like SQL injection, and techniques for testing application security. It also outlines best practices for preparing for, reporting on, assessing, and managing application security incidents.
2. Page 2
Agenda
• Introductions
• Application Security 101
• How To Improve Application Security
• Application Security IR Best Practices
• Q&A
3. Page 3
Introductions: Today’s Speakers
• Ted Julian, Chief Marketing Officer, Co3 Systems
• Ted is a serial entrepreneur who has launched four companies
during his ~20 years in the security / compliance industry.
• Chris Wysopal, Co-Founder, CTO & CISO,
Veracode
• Director of Development, Symantec; VP Research & Development,
@stake
4. Page 4
Co3 Automates Breach Management
PREPARE
Improve Organizational
Readiness
• Assign response team
• Describe environment
• Simulate events and incidents
• Focus on organizational gaps
REPORT
Document Results and
Track Performance
• Document incident results
• Track historical performance
• Demonstrate organizational
preparedness
• Generate audit/compliance reports
ASSESS
Quantify Potential Impact,
Support Privacy Impact
Assessments
• Track events
• Scope regulatory requirements
• See $ exposure
• Send notice to team
• Generate Impact Assessments
MANAGE
Easily Generate Detailed
Incident Response Plans
• Escalate to complete IR plan
• Oversee the complete plan
• Assign tasks: who/what/when
• Notify regulators and clients
• Monitor progress to completion
5. Page 5
About Veracode
• Founded in 2006 by a world class team of
application security experts from @stake,
Guardent, Symantec, and VeriSign, Veracode
provides the world’s leading Application Risk
Management Platform. Veracode's patented and
proven cloud-based capabilities allow customers to
govern and mitigate software security risk across a
single application or an enterprise portfolio with
unmatched simplicity.
• Veracode has received considerable recognition
and awards in the industry including being named
a Gartner “Cool Vendor,” The Wall Street Journal’s
“Technology Innovation Award,” and was listed as
#20 on Forbes’ “America’s Most Promising
Companies”
6. Page 6
Your Apps, In The Crosshairs
Corporations are targeted for their IP and other
valuables which sit behind a porous security perimeter
7. Page 7
Your Apps, In The Crosshairs
It is porous because of the way businesses interact with
their customers, suppliers, and partners via email and
web applications. Mobile apps coming soon!
8. Page 8
But I Already Have Security!
• Firewalls – Don’t block data moving to and from trusted
computers. You trust your web servers. You trust your
employees’ desktops. Won’t stop spear phishing or web app
attacks.
• Encryption – You encrypt data so it can’t be snooped over the
network or read from a stolen hard drive. Attackers access
encrypted data through applications, posing as legitimate
users.
• Antivirus – Can only stop known malware. Attackers make
brand-new custom malware to attack you.
Spear phishing and web app vulnerabilities bypass all 3!
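The point of this slide, shown in working code as an added example (not code from the deck or from either speaker): a SQL injection request travels over the same HTTPS path as a legitimate user's request, so the firewall passes it and transport encryption wraps it, and the application dutifully decrypts and returns whatever the query selects. The table, rows and the `lookup_vulnerable` / `lookup_safe` function names are constructed for this illustration; SQLite stands in for whatever backing store the app uses.

```python
import sqlite3

# Constructed sample data: a tiny user table standing in for a web app's
# backing store. In production this sits behind the firewall on an
# encrypted disk; neither control matters, because the app itself reads
# the rows on behalf of anyone who sends a request.
SEED_USERS = [
    ("alice", "alice@example.com", "4111-1111-1111-1111"),
    ("bob", "bob@example.com", "5500-0000-0000-0004"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, card TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Deliberately vulnerable lookup: user input is spliced straight into
    the SQL text, so the input can change the query's logic."""
    query = "SELECT name, email, card FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Same lookup with a bound parameter: the input is data, never SQL."""
    query = "SELECT name, email, card FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


# A classic tautology payload. It arrives from the "trusted" web server
# over an encrypted connection, so perimeter controls never see anything
# unusual; only the application can refuse it.
PAYLOAD = "' OR '1'='1"


def demo() -> dict:
    """Run one legitimate and one hostile lookup against both versions and
    report how many rows each returned."""
    conn = make_db()
    return {
        "legit_vulnerable": len(lookup_vulnerable(conn, "alice")),
        "attack_vulnerable": len(lookup_vulnerable(conn, PAYLOAD)),
        "legit_safe": len(lookup_safe(conn, "alice")),
        "attack_safe": len(lookup_safe(conn, PAYLOAD)),
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(f"{key}: {rows} row(s)")
```

With the vulnerable version the payload turns the predicate into `name = '' OR '1'='1'` and every card number comes back; the parameterized version treats the same bytes as a literal name and matches nothing. Antivirus never enters the picture: no malware was needed.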
12. Page 12
Case Study: Night Dragon
• Impacted the Energy Sector from
Nov 2009 – Feb 2011
• Information targeted:
• Energy field production
information
• Financial information
• Industrial Control System
information
18. Page 18
Techniques To Test Application Security
• Universe of application security
vulnerabilities is extensive
• There is no “silver bullet” – each technique
has strengths and weaknesses
• A complete analysis includes:
• Static analysis (i.e. White Box)
• Dynamic analysis (i.e. Black Box)
• Penetration testing
• Design review
• Threat modeling
• Automation allows manual penetration
testers to focus on vulnerabilities only
humans can find
[Diagram: Automated Static / Automated Dynamic / Penetration Testing]
20. Page 20
Application Security Incident Response (IR)
PREPARE
Minimize Risk
• Inventory your apps
• Remove vulnerabilities in
advance
• Simulate application security
incidents
• Verify data collection for key
apps
• ID organizational / skill-set gaps
REPORT
Document Results and
Track Performance
• Document incident results
• Short and Long-Term fix
• Track historical performance
• Lots of App Sec incidents?
• Update app inventory and re-scan
• Annual IR report / infographic
ASSESS
Characterize Impact
• Gather forensics
• Any PII?
• Send notice to IR team
• App you didn't know about? How
crucial is it to the business?
MANAGE
Tune The Incident Response
Plan
• Triage the app
• Pull it? Patch it? Monitor it?
• Assign tasks: who/what/when
• Time to fix?
• Monitor progress to completion
21. Page 21
Application Security IR - Prepare
• Inventory applications
• Web apps, Mobile apps, 3rd Party apps
• Rank by importance / severity / difficulty to fix
• Quadrant or other metaphor to prioritize the critical apps that
are easy to fix?
• Verify data collection on key apps
• Simulate an App Sec breach
• Anything they are likely to learn from the simulation / fire
drill other than that they may need skills they don’t have?
It is cheapest to fix these issues in advance
22. Page 22
Application Security IR - Report
• Post-mortem
• What went well? What didn’t?
• People, Process, and Technology remediation
• Report to management in business impact terms
• Technology remediation plan
• Quick fixes? Compensating controls?
• Update application inventory
• Web apps, Mobile apps, 3rd Party apps
• Report by incident type and business unit
• What incident types and business units are the main
problems?
24. Page 24
One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
“Co3 Systems makes the process of
planning for a nightmare scenario as
painless as possible, making it an Editors’
Choice.”
PC MAGAZINE, EDITOR’S CHOICE
“Co3…defines what software packages
for privacy look like.”
GARTNER
“Platform is comprehensive, user
friendly, and very well designed.”
PONEMON INSTITUTE
www.veracode.com
25. Page 25
About Chris Wysopal
Co-Founder, CTO & CISO, Veracode
• Chris is responsible for the security analysis capabilities of
Veracode technology. Mr. Wysopal is recognized as an expert
and a well known speaker in the information security field
and was recently named one of InfoWorld’s Top 25 CTO’s
and one of the 100 most influential people in IT by the
editorial staffs of eWeek, CIO Insight and Baseline Magazine.
Chris has testified on Capitol Hill on the subjects of
government computer security and how vulnerabilities are
discovered in software. He also has spoken as the keynote at
West Point, to the Defense Information Systems Agency
(DISA) and before the International Financial Futures and
Options Exchange in London. His opinions on Internet
security are highly sought after and most major print and
media outlets have featured stories on Mr. Wysopal and his
work.