Web Application Security For Small and Medium Businesses



  1. Web Application Security For Small and Medium Businesses
     Will Bechtel, Director, Product Management, Qualys, Inc.
     May 24, 2012
     Qualys, Inc. Confidential
  2. Why Web App Security Matters (figures from the 2012 Verizon Data Breach Investigations Report)
     How do breaches occur?
       • 81% utilized some form of hacking (+31% against the previous report)
     How are web apps involved?
       • Web applications were associated with over a third of total data loss
     What can you do to help your organization?
       • 92% of incidents were discovered by a third party
       • 97% of breaches were avoidable through simple or intermediate controls
  3. Why Web App Security Matters
     Compromised assets by percent of breaches and percent of records* (2012 Verizon Data Breach Investigations Report)

     Type                                Category       All orgs             Larger orgs
                                                        breaches  records    breaches  records
     POS server (store controller)       Servers          50%       1%         2%      <1%
     POS terminal                        User devices     35%      <1%         2%      <1%
     Desktop/Workstation                 User devices     18%      34%        12%      36%
     Automated Teller Machine (ATM)      User devices      8%      21%        13%      21%
     Web/application server              Servers           6%      80%        33%      82%
     Database server                     Servers           6%      96%        33%      98%
     Regular employee/end-user           People            3%       1%         5%      <1%
     Mail server                         Servers           3%       2%        10%       2%
     Payment card (credit, debit, etc.)  Offline data      3%      <1%         0%      <1%
     Cashier/Teller/Waiter               People            2%      <1%         2%      <1%
     Pay at the Pump terminal            User devices      2%      <1%         0%      <1%
     File server                         Servers           1%      <1%         5%      <1%
     Laptop/Netbook                      User devices      1%      <1%         5%      <1%
     Remote access server                Servers           1%      <1%         7%      <1%
     Call Center Staff                   People            1%      <1%         7%      <1%

     *Assets involved in less than 1% of breaches are not shown

     The point of the table: web/application servers and database servers appear in only 6% of breaches across all organizations, yet account for 80% and 96% of the compromised records; among larger organizations they appear in a third of breaches. Few incidents, but the ones that lose the data.
  4. Web Application Security Overview for SMB
     Part of an overall security program
       • Should be founded in governance and policy
       • Should be based on standards and best practices
       • Must be supported by management to be effective
     Third-party applications
       • Purchased to support the business
       • Could be commercial off-the-shelf (COTS)
       • May be developed, customized or supported by a third party
     Internally developed applications
       • For many small and medium businesses, the web app IS the business
       • You have access to the developers
       • May need to support customers
  5. Web Application Security Drivers
     Compliance
       • Payment Card Industry (PCI)
       • Privacy regulations
       • GLBA, SB1386, FCC
     Partnerships
       • Must demonstrate current and ongoing security
       • Usually confirmed by a third party
     Revenue and brand reputation
       • Loss of revenue while you stop to address issues or are taken down by attackers
       • Loss of reputation that may be documented forever
       • Breach notification costs
  6. Web Application Security: Conventional web application security program (diagram slide)
  7. Web Application Security: Conventional web application security program
     Secure Development
       • Secure SDLC
       • Static analysis
       • Dynamic analysis
     Secure Deployment
       • Vulnerability scanning
       • Penetration testing
     Secure Operation
       • Web Application Firewall (WAF)
       • Penetration testing
       • Vulnerability assessment
       • Activity monitoring
  8. Web Application Security: SMB focus
     Secure Development
       • Secure SDLC
         − Internal development: security requirements, secure design
         − Third party: review the vendor's secure development process
       • Dynamic analysis
         − Automated scanning / interactive testing
     Secure Deployment
       • Vulnerability scanning
         − Automated scanning
     Secure Operation
       • Vulnerability assessment
       • Activity monitoring
  9. Web Application Security: Dynamic Analysis / Vulnerability Scanning
     Detect web application security flaws
       • Cost effective
       • Covers the OWASP Top 10 (SQL injection, XSS, etc.)
       • Authenticate, crawl the web application, test each input
       • Create a report of the security flaws found
       • Validate issues, then remediate
       • Reports are used by compliance and by partners
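The authenticate, crawl, test, report loop of slide 9, as an added example that is not part of the presentation and not Qualys code. It is a toy scanner in Python driving a constructed in-memory WSGI application directly (no network), so it runs offline. The application, its routes, the demo credentials admin/s3cret, the payloads and the detection strings are all invented for illustration; the app deliberately carries one reflected-XSS flaw and one SQL-injection flaw, and two keyword flags switch them off so the same scan can be run against the hardened version.

```python
# Added illustration, not Qualys code: a toy dynamic-scan loop (authenticate, crawl, test, report).
import html
import io
import re
import sqlite3
from urllib.parse import parse_qs, urlencode, urlsplit


def make_app(escape_output=False, parameterize_sql=False):
    """Constructed target: login wall, index, search page, item page. Flags turn each flaw off."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items(id INTEGER, name TEXT)")
    db.execute("INSERT INTO items VALUES (1, 'widget'), (2, 'gadget')")

    def page(start_response, body, status="200 OK"):
        start_response(status, [("Content-Type", "text/html")])
        return [f"<html><body>{body}</body></html>".encode()]

    def app(environ, start_response):
        path, qs = environ["PATH_INFO"], parse_qs(environ.get("QUERY_STRING", ""))
        if path == "/login":
            if environ["REQUEST_METHOD"] == "POST":
                form = parse_qs(environ["wsgi.input"].read().decode())
                if form.get("user") == ["admin"] and form.get("pw") == ["s3cret"]:  # assumed demo credentials
                    start_response("302 Found", [("Location", "/"), ("Set-Cookie", "session=ok; HttpOnly")])
                    return [b""]
            return page(start_response, '<form method="post"><input name="user"><input name="pw"></form>')
        if "session=ok" not in environ.get("HTTP_COOKIE", ""):  # everything below requires a session
            start_response("302 Found", [("Location", "/login")])
            return [b""]
        if path == "/":
            return page(start_response, '<a href="/search?q=widget">search</a> <a href="/item?id=1">item</a>')
        if path == "/search":
            q = qs.get("q", [""])[0]
            return page(start_response, "Results for " + (html.escape(q) if escape_output else q))  # raw echo = XSS
        if path == "/item":
            item_id = qs.get("id", [""])[0]
            try:
                if parameterize_sql:
                    row = db.execute("SELECT name FROM items WHERE id = ?", (item_id,)).fetchone()
                else:  # string-built SQL: the injection flaw
                    row = db.execute(f"SELECT name FROM items WHERE id = {item_id}").fetchone()
            except sqlite3.Error as exc:  # verbose error page: exactly what an error-based check looks for
                return page(start_response, f"Database error: {exc}", "500 Internal Server Error")
            return page(start_response, row[0] if row else "No such item")
        return page(start_response, "Not found", "404 Not Found")

    return app


# (payload, detector, finding name); the XSS marker is a tag no legitimate page emits on its own.
TESTS = [
    ("<zz7>", lambda body: "<zz7>" in body, "Reflected XSS"),
    ("1'", lambda body: "Database error" in body, "SQL injection (error-based)"),
]


class Scanner:
    """Drives the app in-process with a cookie jar, like a scanner's authenticated session."""
    def __init__(self, app):
        self.app, self.cookies, self.findings = app, {}, []

    def request(self, method, url, form=None):
        parts, body = urlsplit(url), (urlencode(form).encode() if form else b"")
        environ = {"REQUEST_METHOD": method, "PATH_INFO": parts.path, "QUERY_STRING": parts.query,
                   "HTTP_COOKIE": "; ".join(f"{k}={v}" for k, v in self.cookies.items()),
                   "wsgi.input": io.BytesIO(body), "CONTENT_LENGTH": str(len(body))}
        captured = {}

        def start_response(status, headers):
            captured["status"], captured["headers"] = status, headers
        text = b"".join(self.app(environ, start_response)).decode()
        for name, value in captured["headers"]:
            if name == "Set-Cookie":  # remember the session cookie for every later request
                self.cookies.update([value.split(";")[0].split("=", 1)])
        return captured["status"], text

    def login(self, user, password):
        return self.request("POST", "/login", {"user": user, "pw": password})[0].startswith("302")

    def crawl(self, start="/"):
        seen, queue = set(), [start]
        while queue:
            url = queue.pop()
            if url not in seen:
                seen.add(url)
                queue.extend(re.findall(r'href="([^"]+)"', self.request("GET", url)[1]))  # toy link extraction
        return sorted(seen)

    def test(self, urls):
        for url in urls:
            parts = urlsplit(url)
            params = parse_qs(parts.query)
            for name in params:  # mutate one parameter at a time, keep the others intact
                for payload, hit, kind in TESTS:
                    probe = parts.path + "?" + urlencode(dict(params, **{name: [payload]}), doseq=True)
                    if hit(self.request("GET", probe)[1]):
                        self.findings.append((kind, parts.path, name))
        return self.findings


def scan(app, user="admin", password="s3cret"):
    """Authenticate, crawl, test; returns (finding, path, parameter) tuples for the report."""
    scanner = Scanner(app)
    if not scanner.login(user, password):
        raise RuntimeError("login failed: an unauthenticated crawl never reaches the app behind the login")
    return scanner.test(scanner.crawl())
```

`scan(make_app())` reports the SQL injection on `/item?id` and the reflected XSS on `/search?q`; `scan(make_app(escape_output=True, parameterize_sql=True))` reports nothing, and `scan(make_app(escape_output=True))` shows that fixing the output encoding alone leaves the injection. Two caveats a practitioner should keep in mind: the scan is only as complete as its crawl (this one ignores forms, POST bodies and JavaScript-built links, which is why scanners need working credentials and a maintained crawl scope), and the SQL check is purely error-based, so an application that hides database errors would need boolean- or time-based tests to be detected.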
 10. Web Application Security: Dynamic Analysis / Vulnerability Scanning delivery options
     Installed software scanners
       • Interactive use, targeted at trained appsec staff
       • Installed on a workstation or server
       • Data management (storing and tracking results) not included
     Cloud SaaS services
       • Highly automated
       • No installation, easy to set up, annual subscription
       • Data management included
 11. Web Application Security: Summary
     Part of an overall security program
       • Should be founded in governance and policy
       • Should be based on standards and best practices
       • Must be supported by management to be effective
     Security in three phases
       • Development
       • Deployment
       • Operation
     Determine the mix of cost-effective controls
       • Ensure a secure SDLC
       • Test for security flaws (scan / pen test)
       • Monitor
 12. Web Application Security: More information
       • Open Web Application Security Project (OWASP): http://www.owasp.org/
       • Web Application Security: How to Minimize the Risk of Attacks: http://www.qualys.com/forms/guides/was_minimize_risk/
       • Building a Web Application Security Program: http://www.qualys.com/forms/whitepapers/building_was_program/
       • Web Application Security for Dummies: http://www.qualys.com/forms/ebook/wasfordummies/
 13. Thank You
     Will Bechtel, wbechtel@qualys.com
