SlideShare a Scribd company logo
1 of 29
15 years of Web Security
© 2015 WhiteHat Security, Inc.
Jeremiah Grossman
Founder
WhiteHat Security, Inc.
Twitter: @jeremiahg
The Rebellious Teenage Years
© 2015 WhiteHat Security, Inc.
Jeremiah Grossman
Hacker
OWASP WebAppSec Person of the Year (2015)
Brazilian Jiu-Jitsu Black Belt
WhiteHat Security
Active Customers: ~1000
Fortune 500: 63
Commercial Banks
7 of the Top 18
Largest Banks
10 of the Top 50
Software
6 of the Top 16
Consumer Financial Services
4 of the Top 8
© 2015 WhiteHat Security, Inc.
We help secure the
Web by finding
application
vulnerabilities, in the
source code all the
way through to
production, and help
companies get them
fixed, before the bad
guys exploit them.
Founded: 2001
Headquarters: Santa Clara, CA
Employees: 300+
© 2015 WhiteHat Security, Inc.
• Threat Actors: Innovating, scaling, or both?
• Intersection of security guarantees and cyber-
insurance
• Vulnerability Remediation: Lowering costs,
easing the burden, and prioritization.
• SDLC processes that measurably improve
software security
• Addressing the application security skill shortage
My Areas of Focus
Threat Actors
© 2015 WhiteHat Security, Inc.
• Hacktivists
• Organized Crime
• Nation-State
• Terrorists(?)
© 2015 WhiteHat Security, Inc. 6
© 2015 WhiteHat Security, Inc. 7
“This year, organized
crime became the most
frequently seen threat
actor for Web App
Attacks.”
Verizon 2015 Data Breach
Investigations Report
WebApp Attacks Adversaries Use
© 2015 WhiteHat Security, Inc. 8
Security Industry Spends
Billions
“2015 Global spending
on information security
is set to grow by close
to 5% this year to top
$75bn, according to the
latest figures from
Gartner.”
© 2015 WhiteHat Security, Inc.
Vulnerability Likelihood
© 2015 WhiteHat Security, Inc.
Average Time-to-Fix (Days)
Average'Time'to'Fix'
© 2015 WhiteHat Security, Inc.
• A large % of websites
are always vulnerable
• 60% of all Retail are
always vulnerable
• 52% of all Healthcare
and Social Assistance
sites are always
vulnerable
• 38% of all Information
Technology websites
are always vulnerable
• 39% of all Finance
and Insurance
websites are always
vulnerable
Windows of Exposure
39%
52%
38%
60%
14%
10%
11%
9%
11%
12%
14%
10%18%
11%
16%
11%
17% 14%
22%
11%
Finance and
Insurance
Health Care
and Social
Assistance
Information Retail Trade
Rarely Vulnerable 30 days or less a year
Occasionally Vulnerable 31-150 days a year
Regularly Vulnerable 151-270 days a year
Frequently Vulnerable 271-364 days a year
Always Vulnerable
© 2015 WhiteHat Security, Inc. 12
Ranges of Expected Loss by # of Records
Verizon 2015 Data Breach Investigations Report
“In 2014, 71% of security professionals
said their networks were breached.
22% of them victimized 6 or more times.
This increased from 62% and 16%
respectively from 2013. 52% said their
organizations will likely be successfully
hacked in the next 12 months.
This is up from 39% in 2013.”
Survey of security professionals by CyberEdge
© 2015 WhiteHat Security, Inc. 13
Result: Every Year is the Year of the
Hack
© 2015 WhiteHat Security, Inc. 14
As of 2014, American businesses
were expected to pay up to $2 billion
on cyber-insurance premiums, a
67% spike from $1.2 billion spent in
2013.
Current expectations by one industry
watcher suggest 100% growth in
insurance premium activity,
possibly 130% growth.
It’s usually the firms that are best
prepared for cyber attacks that wind
up buying insurance.
Downside protection
© 2015 WhiteHat Security, Inc. 15
“Target spent $248 million after
hackers stole 40 million payment
card accounts and the personal
information of up to 70 million
customers. The insurance payout,
according to Target, will be $90
million.”
“Home Depot reported $43 million
in expenses related to its
September 2014 hack, which
affected 56 million credit and debit
card holders. Insurance covered
only $15 million.”
Downside protection
© 2015 WhiteHat Security, Inc. 16
“Anthem has $150 million to $200
million in cyber coverage, including
excess layers, sources say.”
Insurers providing excess layers of
cyber coverage include: Lloyd's of
London syndicates; operating units of
Liberty Mutual Holding Co.; Zurich
Insurance Group; and CNA Financial
Corp., sources say.”
Downside protection
© 2015 WhiteHat Security, Inc.
2014 – 2015
New Security Investment vs. Cyber-
Insurance
Cyber-Security Insurance
~$3.2 Billion in new spending (+67%)
(Gartner: Oct, 2015)
Information Security Spending
(Global)
~$3.8 billion in new spending (+4.7%)
© 2015 WhiteHat Security, Inc.
No Guarantees
No Warrantees
No Return Policies
Ever notice how everything in
the information security
industry is sold “as is”?
© 2015 WhiteHat Security, Inc.
No More Snake Oil
© 2015 WhiteHat Security, Inc.
© 2015 WhiteHat Security, Inc. 21
“The only two products not covered by product liability are religion
and software, and software shall not escape much longer.”
Dan Geer (CISO, In-Q-Tel)
Software Security
Maturity Metrics Analysis
© 2015 WhiteHat Security, Inc.
• The analysis is based on 118 responses on a survey
sent to security professionals to measure maturity
models of application security programs at various
organizations.
• The responses obtained in the survey are correlated with
the data available in Sentinel to get deeper insights.
Statistics pulled from Sentinel are for 2014 timeframe.
© 2015 WhiteHat Security, Inc.
56% of all respondents
did not have any part of
the organization held
accountable in case of
data or system breach.
If an organization experiences a website(s) data or system
breach, which part of the organization is held accountable
and what is it’s performance?
9%
29% 28% 30%
0%
5%
10%
15%
20%
25%
30%
35%
© 2015 WhiteHat Security, Inc.
If an organization experiences a website(s) data or system
breach, which part of the organization is held accountable
and what is it’s performance?
10 10
17
25
0
10
20
30
Board of
Directors
Executive
Management
Software
Development
Security
Department
Average Number of Vulns
Open
129
119
108
114
95
100
105
110
115
120
125
130
135
Board of
Directors
Executive
Management
Software
Development
Security
Department
Average Time to Fix (Days)
44% 43%
37%
43%
34%
36%
38%
40%
42%
44%
46%
Board of
Directors
Executive
Management
Software
Development
Security
Department
Remediation Rate
© 2015 WhiteHat Security, Inc.
15% of the respondents cite
Compliance as the primary reason
for resolving website vulnerabilities
6% of the respondents cite
Corporate Policy as the primary
reason for resolving website
vulnerabilities
35% of the respondents cite Risk
Reduction as the primary reason for
resolving website vulnerabilities
19% of the respondents cite
Customer or Partner Demand as the
primary reason for resolving website
vulnerabilities
25% of the respondents cite other
reasons for resolving website
vulnerabilities
Please rank your organization’s drivers for resolving
website vulnerabilities. 1 lowest priority, 5 highest.
15%
6%
35%
19%
25%
%ofrespondents
Primary driver for resolving website
vulnerabilities
© 2015 WhiteHat Security, Inc.
Please rank your organization’s drivers for resolving
website vulnerabilities. 1 the lowest priority, 5 the highest.
14
21
28 28
10
0
5
10
15
20
25
30
Compliance Corporate
Policy
Risk
Reduction
Customer or
Partner
Demand
Other
Primary reasons for resolving web site vulnerabilities
Average # of vulnerabilities
132
86 78
163 150
0
50
100
150
200
Compliance Corporate
Policy
Risk
Reduction
Customer or
Partner
Demand
Other
Primary reasons for resolving web site vulnerabilities
Average Time to Fix (Days)
55%
21%
40%
50%
33%
0%
10%
20%
30%
40%
50%
60%
Compliance Corporate
Policy
Risk
Reduction
Customer or
Partner
Demand
Other
Primary reasons for resolving web site vulnerabilities
Average Remediation Rate
© 2015 WhiteHat Security, Inc.
Security Controls # of Open Vulns Time-to-Fix
Remediation
Rate
Automated static analysis
during the code review
process
QA performs basic adversarial
tests
Defects identified through
operations monitoring fed
back to development
Share results from security
reviews with the QA
© 2015 WhiteHat Security, Inc.
There Are No
Best-Practices
Questions?
© 2015 WhiteHat Security, Inc.
Jeremiah Grossman
Founder
WhiteHat Security, Inc.
Twitter: @jeremiahg
Thank you!

More Related Content

What's hot

SVB Cybersecurity Impact on Innovation Report - Overview
SVB Cybersecurity Impact on Innovation Report - OverviewSVB Cybersecurity Impact on Innovation Report - Overview
SVB Cybersecurity Impact on Innovation Report - OverviewSilicon Valley Bank
 
The Digital Multiplier: Five Steps To Digital Success In The Insurance Sector
The Digital Multiplier: Five Steps To Digital Success In The Insurance SectorThe Digital Multiplier: Five Steps To Digital Success In The Insurance Sector
The Digital Multiplier: Five Steps To Digital Success In The Insurance SectorAccenture Insurance
 
2014-15 Cybersecurity Venture Funding and M&A
2014-15 Cybersecurity Venture Funding and M&A2014-15 Cybersecurity Venture Funding and M&A
2014-15 Cybersecurity Venture Funding and M&ANick Normile
 
Cover and CyberSecurity Essay
Cover and CyberSecurity EssayCover and CyberSecurity Essay
Cover and CyberSecurity EssayMichael Solomon
 
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)Sarah Jarvis
 
Cost of Cybercrime Study in Financial Services: 2019 Report
Cost of Cybercrime Study in Financial Services: 2019 ReportCost of Cybercrime Study in Financial Services: 2019 Report
Cost of Cybercrime Study in Financial Services: 2019 Reportaccenture
 
6º Resseguro - A Evolução do Risco Cibernético e seu Impacto no Seguro - Kara...
6º Resseguro - A Evolução do Risco Cibernético e seu Impacto no Seguro - Kara...6º Resseguro - A Evolução do Risco Cibernético e seu Impacto no Seguro - Kara...
6º Resseguro - A Evolução do Risco Cibernético e seu Impacto no Seguro - Kara...CNseg
 
Convince your board - cyber attack prevention is better than cure
Convince your board - cyber attack prevention is better than cureConvince your board - cyber attack prevention is better than cure
Convince your board - cyber attack prevention is better than cureDave James
 
New Requirements of Fraud Prevention
New Requirements of Fraud PreventionNew Requirements of Fraud Prevention
New Requirements of Fraud PreventionGuardian Analytics
 
Accounting for Cyber Risks - How much does Cyber actually cost the Industry?
Accounting for Cyber Risks - How much does Cyber actually cost the Industry?Accounting for Cyber Risks - How much does Cyber actually cost the Industry?
Accounting for Cyber Risks - How much does Cyber actually cost the Industry?Jef Lacson
 
2018 U.S State of Cybercrime
2018 U.S State of Cybercrime2018 U.S State of Cybercrime
2018 U.S State of CybercrimeIDG
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks- Mark - Fullbright
 
Innovate for Cyber Resilience
Innovate for Cyber ResilienceInnovate for Cyber Resilience
Innovate for Cyber Resilienceaccenture
 
2018 State of Cyber Resilience for Insurance
2018 State of Cyber Resilience for Insurance2018 State of Cyber Resilience for Insurance
2018 State of Cyber Resilience for InsuranceAccenture Insurance
 
Website Security Statistics Report 2013
Website Security Statistics Report 2013Website Security Statistics Report 2013
Website Security Statistics Report 2013Bee_Ware
 
FTSE350 Cyber Governance - An insight into the issues of today and tomorrow
FTSE350 Cyber Governance - An insight into the issues of today and tomorrowFTSE350 Cyber Governance - An insight into the issues of today and tomorrow
FTSE350 Cyber Governance - An insight into the issues of today and tomorrowLeona Markham
 
The Imitation Game: Detecting and Thwarting Automated Bot Attacks
The Imitation Game: Detecting and Thwarting Automated Bot AttacksThe Imitation Game: Detecting and Thwarting Automated Bot Attacks
The Imitation Game: Detecting and Thwarting Automated Bot AttacksEnterprise Management Associates
 
DATA PROTECTION & BREACH READINESS GUIDE 2014
DATA PROTECTION & BREACH READINESS GUIDE 2014DATA PROTECTION & BREACH READINESS GUIDE 2014
DATA PROTECTION & BREACH READINESS GUIDE 2014- Mark - Fullbright
 
Improve your security, minister tells major firms
Improve your security, minister tells major firmsImprove your security, minister tells major firms
Improve your security, minister tells major firmsJohn Davis
 

What's hot (20)

SVB Cybersecurity Impact on Innovation Report - Overview
SVB Cybersecurity Impact on Innovation Report - OverviewSVB Cybersecurity Impact on Innovation Report - Overview
SVB Cybersecurity Impact on Innovation Report - Overview
 
The Digital Multiplier: Five Steps To Digital Success In The Insurance Sector
The Digital Multiplier: Five Steps To Digital Success In The Insurance SectorThe Digital Multiplier: Five Steps To Digital Success In The Insurance Sector
The Digital Multiplier: Five Steps To Digital Success In The Insurance Sector
 
2014-15 Cybersecurity Venture Funding and M&A
2014-15 Cybersecurity Venture Funding and M&A2014-15 Cybersecurity Venture Funding and M&A
2014-15 Cybersecurity Venture Funding and M&A
 
Cover and CyberSecurity Essay
Cover and CyberSecurity EssayCover and CyberSecurity Essay
Cover and CyberSecurity Essay
 
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
 
Cost of Cybercrime Study in Financial Services: 2019 Report
Cost of Cybercrime Study in Financial Services: 2019 ReportCost of Cybercrime Study in Financial Services: 2019 Report
Cost of Cybercrime Study in Financial Services: 2019 Report
 
6º Resseguro - A Evolução do Risco Cibernético e seu Impacto no Seguro - Kara...
6º Resseguro - A Evolução do Risco Cibernético e seu Impacto no Seguro - Kara...6º Resseguro - A Evolução do Risco Cibernético e seu Impacto no Seguro - Kara...
6º Resseguro - A Evolução do Risco Cibernético e seu Impacto no Seguro - Kara...
 
Convince your board - cyber attack prevention is better than cure
Convince your board - cyber attack prevention is better than cureConvince your board - cyber attack prevention is better than cure
Convince your board - cyber attack prevention is better than cure
 
New Requirements of Fraud Prevention
New Requirements of Fraud PreventionNew Requirements of Fraud Prevention
New Requirements of Fraud Prevention
 
Digital Resilience flipbook
Digital Resilience flipbookDigital Resilience flipbook
Digital Resilience flipbook
 
Accounting for Cyber Risks - How much does Cyber actually cost the Industry?
Accounting for Cyber Risks - How much does Cyber actually cost the Industry?Accounting for Cyber Risks - How much does Cyber actually cost the Industry?
Accounting for Cyber Risks - How much does Cyber actually cost the Industry?
 
2018 U.S State of Cybercrime
2018 U.S State of Cybercrime2018 U.S State of Cybercrime
2018 U.S State of Cybercrime
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks
 
Innovate for Cyber Resilience
Innovate for Cyber ResilienceInnovate for Cyber Resilience
Innovate for Cyber Resilience
 
2018 State of Cyber Resilience for Insurance
2018 State of Cyber Resilience for Insurance2018 State of Cyber Resilience for Insurance
2018 State of Cyber Resilience for Insurance
 
Website Security Statistics Report 2013
Website Security Statistics Report 2013Website Security Statistics Report 2013
Website Security Statistics Report 2013
 
FTSE350 Cyber Governance - An insight into the issues of today and tomorrow
FTSE350 Cyber Governance - An insight into the issues of today and tomorrowFTSE350 Cyber Governance - An insight into the issues of today and tomorrow
FTSE350 Cyber Governance - An insight into the issues of today and tomorrow
 
The Imitation Game: Detecting and Thwarting Automated Bot Attacks
The Imitation Game: Detecting and Thwarting Automated Bot AttacksThe Imitation Game: Detecting and Thwarting Automated Bot Attacks
The Imitation Game: Detecting and Thwarting Automated Bot Attacks
 
DATA PROTECTION & BREACH READINESS GUIDE 2014
DATA PROTECTION & BREACH READINESS GUIDE 2014DATA PROTECTION & BREACH READINESS GUIDE 2014
DATA PROTECTION & BREACH READINESS GUIDE 2014
 
Improve your security, minister tells major firms
Improve your security, minister tells major firmsImprove your security, minister tells major firms
Improve your security, minister tells major firms
 

Viewers also liked

Dealing with Your Teenager's Rebellion
Dealing with Your Teenager's RebellionDealing with Your Teenager's Rebellion
Dealing with Your Teenager's RebellionCompound Wisdom
 
STUDY: Website Vulnerability Assessment
STUDY: Website Vulnerability AssessmentSTUDY: Website Vulnerability Assessment
STUDY: Website Vulnerability AssessmentSymantec
 
Web Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok ChernWeb Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok ChernQuek Lilian
 
06 asp.net session08
06 asp.net session0806 asp.net session08
06 asp.net session08Vivek chan
 
Introduction to Hacking
Introduction to HackingIntroduction to Hacking
Introduction to HackingRishabha Garg
 
Inetsecurity.in Ethical Hacking presentation
Inetsecurity.in Ethical Hacking presentationInetsecurity.in Ethical Hacking presentation
Inetsecurity.in Ethical Hacking presentationJoshua Prince
 
JavaScript Security
JavaScript SecurityJavaScript Security
JavaScript SecurityJason Harwig
 
Statistics - Top Website Vulnerabilities
Statistics - Top Website VulnerabilitiesStatistics - Top Website Vulnerabilities
Statistics - Top Website VulnerabilitiesJeremiah Grossman
 
Information security & ethical hacking
Information security & ethical hackingInformation security & ethical hacking
Information security & ethical hackingeiti panchkula
 
Secure development automatic identification and mitigation of application v...
Secure development   automatic identification and mitigation of application v...Secure development   automatic identification and mitigation of application v...
Secure development automatic identification and mitigation of application v...peihsin1980
 
Slideshare.Com Powerpoint
Slideshare.Com PowerpointSlideshare.Com Powerpoint
Slideshare.Com Powerpointguested929b
 

Viewers also liked (13)

Dealing with Your Teenager's Rebellion
Dealing with Your Teenager's RebellionDealing with Your Teenager's Rebellion
Dealing with Your Teenager's Rebellion
 
STUDY: Website Vulnerability Assessment
STUDY: Website Vulnerability AssessmentSTUDY: Website Vulnerability Assessment
STUDY: Website Vulnerability Assessment
 
Web Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok ChernWeb Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok Chern
 
Cyber Security Predictions 2016
Cyber Security Predictions 2016Cyber Security Predictions 2016
Cyber Security Predictions 2016
 
06 asp.net session08
06 asp.net session0806 asp.net session08
06 asp.net session08
 
Introduction to Hacking
Introduction to HackingIntroduction to Hacking
Introduction to Hacking
 
Inetsecurity.in Ethical Hacking presentation
Inetsecurity.in Ethical Hacking presentationInetsecurity.in Ethical Hacking presentation
Inetsecurity.in Ethical Hacking presentation
 
JavaScript Security
JavaScript SecurityJavaScript Security
JavaScript Security
 
Statistics - Top Website Vulnerabilities
Statistics - Top Website VulnerabilitiesStatistics - Top Website Vulnerabilities
Statistics - Top Website Vulnerabilities
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Information security & ethical hacking
Information security & ethical hackingInformation security & ethical hacking
Information security & ethical hacking
 
Secure development automatic identification and mitigation of application v...
Secure development   automatic identification and mitigation of application v...Secure development   automatic identification and mitigation of application v...
Secure development automatic identification and mitigation of application v...
 
Slideshare.Com Powerpoint
Slideshare.Com PowerpointSlideshare.Com Powerpoint
Slideshare.Com Powerpoint
 

Similar to 15 Years of Web Security: The Rebellious Teenage Years

15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage YearsJeremiah Grossman
 
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the BoardroomSecuring the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the BoardroomIBM Security
 
The Insurance Digital Revolution Has a Fraud Problem
The Insurance Digital Revolution Has a Fraud ProblemThe Insurance Digital Revolution Has a Fraud Problem
The Insurance Digital Revolution Has a Fraud ProblemTransUnion
 
What trends will 2018 bring for Business Continuity Professionals?
What trends will 2018 bring for Business Continuity Professionals?What trends will 2018 bring for Business Continuity Professionals?
What trends will 2018 bring for Business Continuity Professionals?PECB
 
Government and Education Webinar: Public Sector Cybersecurity Survey - What I...
Government and Education Webinar: Public Sector Cybersecurity Survey - What I...Government and Education Webinar: Public Sector Cybersecurity Survey - What I...
Government and Education Webinar: Public Sector Cybersecurity Survey - What I...SolarWinds
 
2016 trustwave global security report
2016 trustwave global security report2016 trustwave global security report
2016 trustwave global security reportMarco Antonio Agnese
 
OneTrust: Securing the Supply Chain: What Does Compliance Look Like?
OneTrust: Securing the Supply Chain: What Does Compliance Look Like?OneTrust: Securing the Supply Chain: What Does Compliance Look Like?
OneTrust: Securing the Supply Chain: What Does Compliance Look Like?Executive Leaders Network
 
Breaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gapsBreaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gapsIBM Security
 
Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise The Economist Media Businesses
 
EndpointSecurityConcerns2014
EndpointSecurityConcerns2014EndpointSecurityConcerns2014
EndpointSecurityConcerns2014Peggy Lawless
 
2015 Energy Industry Cybersecurity Research Update
2015 Energy Industry Cybersecurity Research Update2015 Energy Industry Cybersecurity Research Update
2015 Energy Industry Cybersecurity Research UpdateGridCyberSec
 
Preventing P2P Fraud with Aite Group
Preventing P2P Fraud with Aite GroupPreventing P2P Fraud with Aite Group
Preventing P2P Fraud with Aite GroupLaurent Pacalin
 
Take Insurance Loyalty to Next Level Epsilon_Forrester
Take Insurance Loyalty to Next Level Epsilon_ForresterTake Insurance Loyalty to Next Level Epsilon_Forrester
Take Insurance Loyalty to Next Level Epsilon_ForresterDave Edington
 
New fraud protection solutions
New fraud protection solutionsNew fraud protection solutions
New fraud protection solutionsLaurent Pacalin
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityRahul Tyagi
 
Security Incident Response Readiness Survey
Security Incident Response Readiness Survey  Security Incident Response Readiness Survey
Security Incident Response Readiness Survey Rahul Neel Mani
 

Similar to 15 Years of Web Security: The Rebellious Teenage Years (20)

15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years
 
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the BoardroomSecuring the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
 
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
 
The Insurance Digital Revolution Has a Fraud Problem
The Insurance Digital Revolution Has a Fraud ProblemThe Insurance Digital Revolution Has a Fraud Problem
The Insurance Digital Revolution Has a Fraud Problem
 
What trends will 2018 bring for Business Continuity Professionals?
What trends will 2018 bring for Business Continuity Professionals?What trends will 2018 bring for Business Continuity Professionals?
What trends will 2018 bring for Business Continuity Professionals?
 
La Seguridad en la Economía de las Aplicaciones
La Seguridad en la Economía de las AplicacionesLa Seguridad en la Economía de las Aplicaciones
La Seguridad en la Economía de las Aplicaciones
 
Government and Education Webinar: Public Sector Cybersecurity Survey - What I...
Government and Education Webinar: Public Sector Cybersecurity Survey - What I...Government and Education Webinar: Public Sector Cybersecurity Survey - What I...
Government and Education Webinar: Public Sector Cybersecurity Survey - What I...
 
2016 trustwave global security report
2016 trustwave global security report2016 trustwave global security report
2016 trustwave global security report
 
OneTrust: Securing the Supply Chain: What Does Compliance Look Like?
OneTrust: Securing the Supply Chain: What Does Compliance Look Like?OneTrust: Securing the Supply Chain: What Does Compliance Look Like?
OneTrust: Securing the Supply Chain: What Does Compliance Look Like?
 
Breaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gapsBreaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gaps
 
Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise
 
EndpointSecurityConcerns2014
EndpointSecurityConcerns2014EndpointSecurityConcerns2014
EndpointSecurityConcerns2014
 
2015 Energy Industry Cybersecurity Research Update
2015 Energy Industry Cybersecurity Research Update2015 Energy Industry Cybersecurity Research Update
2015 Energy Industry Cybersecurity Research Update
 
Preventing P2P Fraud with Aite Group
Preventing P2P Fraud with Aite GroupPreventing P2P Fraud with Aite Group
Preventing P2P Fraud with Aite Group
 
Take Insurance Loyalty to Next Level Epsilon_Forrester
Take Insurance Loyalty to Next Level Epsilon_ForresterTake Insurance Loyalty to Next Level Epsilon_Forrester
Take Insurance Loyalty to Next Level Epsilon_Forrester
 
New fraud protection solutions
New fraud protection solutionsNew fraud protection solutions
New fraud protection solutions
 
Check Point SMB Proposition
Check Point SMB PropositionCheck Point SMB Proposition
Check Point SMB Proposition
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe Security
 
Security Incident Response Readiness Survey
Security Incident Response Readiness Survey  Security Incident Response Readiness Survey
Security Incident Response Readiness Survey
 
The Rise of Data Breaches in Small Businesses
The Rise of Data Breaches in Small Businesses The Rise of Data Breaches in Small Businesses
The Rise of Data Breaches in Small Businesses
 

More from Jeremiah Grossman

All these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterAll these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterJeremiah Grossman
 
How to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorHow to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorJeremiah Grossman
 
The Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryThe Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryJeremiah Grossman
 
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensExploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensJeremiah Grossman
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareJeremiah Grossman
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareJeremiah Grossman
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideJeremiah Grossman
 
Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Jeremiah Grossman
 
Ransomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowRansomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowJeremiah Grossman
 
WhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedWhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedJeremiah Grossman
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportJeremiah Grossman
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Jeremiah Grossman
 
WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]Jeremiah Grossman
 
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Jeremiah Grossman
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Jeremiah Grossman
 
11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)Jeremiah Grossman
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Jeremiah Grossman
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Jeremiah Grossman
 

More from Jeremiah Grossman (20)

All these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterAll these vulnerabilities, rarely matter
All these vulnerabilities, rarely matter
 
How to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorHow to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare Sector
 
The Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryThe Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare Industry
 
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensExploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers Guide
 
Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?
 
Ransomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowRansomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to Know
 
WhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedWhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report Explained
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics Report
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
 
WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]
 
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
 
11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
 

Recently uploaded

Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dashnarutouzumaki53779
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 

Recently uploaded (20)

Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dash
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 

15 Years of Web Security: The Rebellious Teenage Years

  • 1. 15 years of Web Security © 2015 WhiteHat Security, Inc. Jeremiah Grossman Founder WhiteHat Security, Inc. Twitter: @jeremiahg The Rebellious Teenage Years
  • 2. © 2015 WhiteHat Security, Inc. Jeremiah Grossman Hacker OWASP WebAppSec Person of the Year (2015) Brazilian Jiu-Jitsu Black Belt
  • 3. WhiteHat Security Active Customers: ~1000 Fortune 500: 63 Commercial Banks 7 of the Top 18 Largest Banks 10 of the Top 50 Software 6 of the Top 16 Consumer Financial Services 4 of the Top 8 © 2015 WhiteHat Security, Inc. We help secure the Web by finding application vulnerabilities, in the source code all the way through to production, and help companies get them fixed, before the bad guys exploit them. Founded: 2001 Headquarters: Santa Clara, CA Employees: 300+
  • 4. © 2015 WhiteHat Security, Inc. • Threat Actors: Innovating, scaling, or both? • Intersection of security guarantees and cyber- insurance • Vulnerability Remediation: Lowering costs, easing the burden, and prioritization. • SDLC processes that measurably improve software security • Addressing the application security skill shortage My Areas of Focus
  • 5. Threat Actors © 2015 WhiteHat Security, Inc. • Hacktivists • Organized Crime • Nation-State • Terrorists(?)
  • 6. © 2015 WhiteHat Security, Inc. 6
  • 7. © 2015 WhiteHat Security, Inc. 7 “This year, organized crime became the most frequently seen threat actor for Web App Attacks.” Verizon 2015 Data Breach Investigations Report WebApp Attacks Adversaries Use
  • 8. © 2015 WhiteHat Security, Inc. 8 Security Industry Spends Billions “2015 Global spending on information security is set to grow by close to 5% this year to top $75bn, according to the latest figures from Gartner.”
  • 9. © 2015 WhiteHat Security, Inc. Vulnerability Likelihood
  • 10. © 2015 WhiteHat Security, Inc. Average Time-to-Fix (Days) Average'Time'to'Fix'
  • 11. © 2015 WhiteHat Security, Inc. • A large % of websites are always vulnerable • 60% of all Retail are always vulnerable • 52% of all Healthcare and Social Assistance sites are always vulnerable • 38% of all Information Technology websites are always vulnerable • 39% of all Finance and Insurance websites are always vulnerable Windows of Exposure 39% 52% 38% 60% 14% 10% 11% 9% 11% 12% 14% 10%18% 11% 16% 11% 17% 14% 22% 11% Finance and Insurance Health Care and Social Assistance Information Retail Trade Rarely Vulnerable 30 days or less a year Occasionally Vulnerable 31-150 days a year Regularly Vulnerable 151-270 days a year Frequently Vulnerable 271-364 days a year Always Vulnerable
  • 12. © 2015 WhiteHat Security, Inc. 12 Ranges of Expected Loss by # of Records Verizon 2015 Data Breach Investigations Report
  • 13. “In 2014, 71% of security professionals said their networks were breached. 22% of them victimized 6 or more times. This increased from 62% and 16% respectively from 2013. 52% said their organizations will likely be successfully hacked in the next 12 months. This is up from 39% in 2013.” Survey of security professionals by CyberEdge © 2015 WhiteHat Security, Inc. 13 Result: Every Year is the Year of the Hack
  • 14. © 2015 WhiteHat Security, Inc. 14 As of 2014, American businesses were expected to pay up to $2 billion on cyber-insurance premiums, a 67% spike from $1.2 billion spent in 2013. Current expectations by one industry watcher suggest 100% growth in insurance premium activity, possibly 130% growth. It’s usually the firms that are best prepared for cyber attacks that wind up buying insurance. Downside protection
  • 15. © 2015 WhiteHat Security, Inc. 15 “Target spent $248 million after hackers stole 40 million payment card accounts and the personal information of up to 70 million customers. The insurance payout, according to Target, will be $90 million.” “Home Depot reported $43 million in expenses related to its September 2014 hack, which affected 56 million credit and debit card holders. Insurance covered only $15 million.” Downside protection
  • 16. © 2015 WhiteHat Security, Inc. 16 “Anthem has $150 million to $200 million in cyber coverage, including excess layers, sources say.” Insurers providing excess layers of cyber coverage include: Lloyd's of London syndicates; operating units of Liberty Mutual Holding Co.; Zurich Insurance Group; and CNA Financial Corp., sources say.” Downside protection
  • 17. © 2015 WhiteHat Security, Inc. 2014 – 2015 New Security Investment vs. Cyber- Insurance Cyber-Security Insurance ~$3.2 Billion in new spending (+67%) (Gartner: Oct, 2015) Information Security Spending (Global) ~$3.8 billion in new spending (+4.7%)
  • 18. © 2015 WhiteHat Security, Inc. No Guarantees No Warrantees No Return Policies Ever notice how everything in the information security industry is sold “as is”?
  • 19. © 2015 WhiteHat Security, Inc. No More Snake Oil
  • 20. © 2015 WhiteHat Security, Inc.
  • 21. © 2015 WhiteHat Security, Inc. 21 “The only two products not covered by product liability are religion and software, and software shall not escape much longer.” Dan Geer (CISO, In-Q-Tel)
  • 22. Software Security Maturity Metrics Analysis © 2015 WhiteHat Security, Inc. • The analysis is based on 118 responses on a survey sent to security professionals to measure maturity models of application security programs at various organizations. • The responses obtained in the survey are correlated with the data available in Sentinel to get deeper insights. Statistics pulled from Sentinel are for 2014 timeframe.
  • 23. © 2015 WhiteHat Security, Inc. 56% of all respondents did not have any part of the organization held accountable in case of data or system breach. If an organization experiences a website(s) data or system breach, which part of the organization is held accountable and what is it’s performance? 9% 29% 28% 30% 0% 5% 10% 15% 20% 25% 30% 35%
  • 24. © 2015 WhiteHat Security, Inc. If an organization experiences a website(s) data or system breach, which part of the organization is held accountable and what is it’s performance? 10 10 17 25 0 10 20 30 Board of Directors Executive Management Software Development Security Department Average Number of Vulns Open 129 119 108 114 95 100 105 110 115 120 125 130 135 Board of Directors Executive Management Software Development Security Department Average Time to Fix (Days) 44% 43% 37% 43% 34% 36% 38% 40% 42% 44% 46% Board of Directors Executive Management Software Development Security Department Remediation Rate
  • 25. © 2015 WhiteHat Security, Inc. 15% of the respondents cite Compliance as the primary reason for resolving website vulnerabilities 6% of the respondents cite Corporate Policy as the primary reason for resolving website vulnerabilities 35% of the respondents cite Risk Reduction as the primary reason for resolving website vulnerabilities 19% of the respondents cite Customer or Partner Demand as the primary reason for resolving website vulnerabilities 25% of the respondents cite other reasons for resolving website vulnerabilities Please rank your organization’s drivers for resolving website vulnerabilities. 1 lowest priority, 5 highest. 15% 6% 35% 19% 25% %ofrespondents Primary driver for resolving website vulnerabilities
  • 26. © 2015 WhiteHat Security, Inc. Please rank your organization’s drivers for resolving website vulnerabilities. 1 the lowest priority, 5 the highest. 14 21 28 28 10 0 5 10 15 20 25 30 Compliance Corporate Policy Risk Reduction Customer or Partner Demand Other Primary reasons for resolving web site vulnerabilities Average # of vulnerabilities 132 86 78 163 150 0 50 100 150 200 Compliance Corporate Policy Risk Reduction Customer or Partner Demand Other Primary reasons for resolving web site vulnerabilities Average Time to Fix (Days) 55% 21% 40% 50% 33% 0% 10% 20% 30% 40% 50% 60% Compliance Corporate Policy Risk Reduction Customer or Partner Demand Other Primary reasons for resolving web site vulnerabilities Average Remediation Rate
  • 27. © 2015 WhiteHat Security, Inc. Security Controls # of Open Vulns Time-to-Fix Remediation Rate Automated static analysis during the code review process QA performs basic adversarial tests Defects identified through operations monitoring fed back to development Share results from security reviews with the QA
  • 28. © 2015 WhiteHat Security, Inc. There Are No Best-Practices
  • 29. Questions? © 2015 WhiteHat Security, Inc. Jeremiah Grossman Founder WhiteHat Security, Inc. Twitter: @jeremiahg Thank you!

Editor's Notes

  1. http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report-2015-insider_en_xg.pdf
  2. http://www.infosecurity-magazine.com/news/global-security-spend-set-to-top/ http://www.securityweek.com/global-cybersecurity-spending-reach-769-billion-2015-gartner http://www.gartner.com/newsroom/id/2828722 http://www.wsj.com/articles/financial-firms-bolster-cybersecurity-budgets-1416182536 http://mspmentor.net/managed-security-services/100314/pwc-cybersecurity-costs-rise-budgets-decrease
  3. http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report-2015-insider_en_xg.pdf
  4. http://www.darkreading.com/attacks-breaches/most-companies-expect-to-be-hacked-in-the-next-12-months/d/d-id/1319497?
  5. http://fortune.com/2015/01/23/cyber-attack-insurance-lloyds/ http://www.techtimes.com/articles/27454/20150120/cyber-insurance-forefront-companies-minds.htm http://www.latimes.com/business/la-fi-hacking-insurance-20150210-story.html http://www.cnbc.com/id/101804150 http://www.darkreading.com/risk/the-problem-with-cyber-insurance/a/d-id/1269682?#ftag=YHF87e0214
  6. http://www.insurancejournal.com/news/national/2014/02/26/321638.htm http://www.latimes.com/business/la-fi-hacking-insurance-20150210-story.html
  7. http://www.businessinsurance.com/article/20150206/NEWS06/150209857/aig-unit-leads-anthems-cyber-coverage?tags=%7C83%7C299%7C302%7C329
  8. https://www.youtube.com/watch?v=nT-TGvYOBpI&list=UUJ6q9Ie29ajGqKApbLqfBOg