15 years of Web Security
The Rebellious Teenage Years
Jeremiah Grossman
Founder: WhiteHat Security, Inc.
Twitter: @jeremiahg
Jeremiah Grossman
Hacker
2015 OWASP WebAppSec Person of the Year
Brazilian Jiu-Jitsu Black Belt
WhiteHat Security
We help secure the Web by finding application vulnerabilities, in the source code all the way through to production, and help companies get them fixed, before the bad guys exploit them.
Founded: 2001
Headquarters: Santa Clara
Employees: 300+
WhiteHat Security
7 of 18 Top Commercial Banks
10 of 50 Top Largest Banks
6 of 16 Top Software Companies
4 of 8 Top Consumer Financial Services
1000+ Active Customers
#63 Fortune 500
My Areas of Focus
- Threat Actors: Innovating, scaling, or both?
- Intersection of security guarantees and cyber-insurance
- Easing the burden of vulnerability remediation
- Measuring the impact of SDLC security controls
- Addressing the application security skill shortage
Threat Actors
Hacktivists, Organized Crime, Nation State, Terrorists?

WebApp Attacks Adversaries Use
“This year, organized crime became the most frequently seen threat actor for Web App Attacks” (Verizon 2015 Data Breach Investigations Report)
Web application attack techniques, share of incidents (chart values in the order they appear on the slide):
  OS Commanding                 1.5%
  Forced Browsing               2.0%
  Path Traversal                3.4%
  XSS                           6.3%
  Brute Force                   6.8%
  Abuse of Functionality        8.3%
  RFI                           8.3%
  SQLI                         19.0%
  Use of Backdoor or C2        40.5%
  Use of Stolen Credit Cards   50.7%
Security Industry Spends Billions
“2015 Global spending on information security is set to grow by close to 5% this year to top $75BN, according to the latest figures from Gartner”
Vulnerability Likelihood (1 or more)
[chart: likelihood that a website has one or more vulnerabilities of a given class; the bars read 70%, 56%, 47%, 29%, 26%, 24%, 16%, 15%, 11%, 11%, 8%, 6%, 6%, 6%, 5%; the vulnerability class labels are not present on this page]
Average Time-to-Fix (Days)
[chart: average days to fix by vulnerability class; the bars read 73, 97, 99, 108, 111, 130, 132, 136, 158, 160, 191, 192, 227; the vulnerability class labels are not present on this page]
Windows of Exposure
- A large percentage of websites are always vulnerable
- 60% of all Retail are always vulnerable
- 52% of all Healthcare and Social Assistance sites are always vulnerable
- 38% of all Information Technology websites are always vulnerable
- 39% of all Finance and Insurance websites are always vulnerable

Share of websites per industry by window of exposure:

                                               Retail   Information   Health Care &       Finance &
                                               Trade                  Social Assistance   Insurance
Always Vulnerable                                60%        38%             52%               39%
Frequently Vulnerable (271-364 days a year)       9%        11%             11%               14%
Regularly Vulnerable (151-270 days a year)       10%        14%             12%               11%
Occasionally Vulnerable (31-150 days a year)     11%        16%             11%               18%
Rarely Vulnerable (30 days or less a year)       11%        22%             14%               17%
Ranges of Expected Loss by Number of Records (Verizon 2015 Data Breach Investigations Report)

Records        Prediction    Average       Expected      Average       Prediction
               (lower)       (lower)                     (upper)       (upper)
100            $1,170        $18,120       $25,450       $35,730       $555,660
1,000          $3,110        $52,260       $67,480       $87,140       $1,461,730
10,000         $8,280        $143,360      $178,960      $223,400      $3,866,400
100,000        $21,900       $366,500      $474,600      $614,600      $10,283,200
1,000,000      $57,600       $892,400      $1,258,670    $1,775,350    $27,500,090
10,000,000     $150,700      $2,125,900    $3,338,020    $5,241,300    $73,943,950
100,000,000    $392,000      $5,016,200    $8,852,540    $15,622,700   $199,895,100
Result: Every Year is the Year of the Hack
“In 2014, 71% of security professionals said their networks were breached. 22% of them victimized 6 or more times. This increased from 62% and 16% respectively from 2013. 52% said their organizations will likely be successfully hacked in the next 12 months. This is up from 39% in 2013.”
Survey of Security professionals by CyberEdge
Downside Protection
As of 2014, American businesses were expected to pay up to $2 billion on cyber-insurance premiums, a 67% spike from $1.2 billion spent in 2013. Current expectations by one industry watcher suggest 100% growth in insurance premium activity, possibly 130% growth.
It’s usually the firms that are best prepared for cyber attacks that wind up buying insurance.

“Target spent $248 million after hackers stole 40 million payment card accounts and the personal information of up to 70 million customers. The insurance payout, according to Target, will be $90 million.”

“Home Depot reported $43 million in expenses related to its September 2014 hack, which affected 56 million credit and debit card holders. Insurance covered only $15 million.”

“Anthem has $150 million to $200 million in cyber coverage, including excess layers, sources say.”

“Insurers providing excess layers of cyber coverage include: Lloyd’s of London syndicates; operating units of Liberty Mutual Holding Co.; Zurich Insurance Group; and CNA Financial Corp., sources say.”
2014 – 2015 New Security Investment vs. Cyber-Insurance
Information Security Spending (Global): $3,800,000,000, ~$3.8 billion in new spending (+4.7%)
Cyber-Security Insurance: $3,200,000,000, ~$3.2 billion in spending (+67%)
Application Security Market: $1,000,000,000 (+15%)
Ever notice how everything in the information security industry is sold “as is”?
No Guarantees
No Warranties
No Return Policies

InfoSec is a $75 Billion Garage Sale

“The only two products not covered by product liability are religion and software, and software shall not escape much longer”
Dan Geer, CISO, In-Q-Tel
Software Security Maturity Metrics Analysis
- The analysis is based on 118 responses on a survey sent to security professionals to measure maturity models in application security programs at various organizations.
- The responses obtained in the survey are correlated with the data available in Sentinel to get deeper insights. Statistics pulled from Sentinel are for the 2014 timeframe.
If an organization experiences a website(s) data or system breach, which part of the organization is held accountable and what is its performance?

56% of all respondents did not have any part of the organization held accountable in case of data or system breach.
[chart: share of respondents per accountable party; the bars read 9%, 29%, 28%, 30%; the party labels are not present on this page]

Performance by accountable party:

                        Average Time     Remediation    Average Number
                        to Fix (Days)    Rate           of Vulns Open
Board of Directors           129            44%              10
Executive Management         119            43%              10
Software Development         108            37%              17
Security Department          114            43%              25
Please rank your organization’s drivers for resolving website vulnerabilities. “1” being your lowest priority, “5” being your highest.

Primary reason cited for resolving website vulnerabilities (% of respondents):
  Compliance                  15%
  Corporate Policy             6%
  Risk Reduction              35%
  Customer or Partner Demand  19%
  Other                       25%
Performance by primary driver for resolving website vulnerabilities:

                             Average Time     Average            Average Number
                             to Fix (Days)    Remediation Rate   of Vulnerabilities
Compliance                        132              55%                 14
Corporate Policy                   86              21%                 21
Risk Reduction                     78              40%                 28
Customer or Partner Demand        163              50%                 28
Other                             150              33%                 10
SECURITY CONTROLS                                                  # OF OPEN VULNS   TIME-TO-FIX   REMEDIATION RATE
Automated static analysis during the code review process                  +               +               -
QA performs basic adversarial tests                                       +               -               +
Defects identified through operations monitoring fed back to development  -               +               -
Share results from security reviews with the QA                           +               -               +
There are No Best-Practices
Thank You
Jeremiah Grossman
Founder: WhiteHat Security, Inc.
Twitter: @jeremiahg
All these vulnerabilities, rarely matterAll these vulnerabilities, rarely matter
All these vulnerabilities, rarely matter
 
How to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorHow to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare Sector
 
The Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryThe Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare Industry
 
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensExploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers Guide
 
Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?
 
Ransomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowRansomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to Know
 
Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015
 
WhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedWhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report Explained
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics Report
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
 
WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]
 
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
 
11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)
 

Recently uploaded

Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Fact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMsFact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMsZilliz
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Fact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMsFact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMs
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 

15 Years of Web Security: The Rebellious Teenage Years

  • 1. 15 years of Web Security The Rebellious Teenage Years Jeremiah Grossman Founder: WhiteHat Security, Inc. Twitter: @jeremiahg
  • 2. Jeremiah Grossman Hacker 2015 OWASP WebAppSec Person of the Year Brazilian Jiu-Jitsu Black Belt
  • 3. WhiteHat Security We help secure the Web by finding application vulnerabilities, in the source code all the way through to production, and help companies get them fixed, before the bad guys exploit them. Founded 2001 Headquarters Santa Clara Employees 300+
  • 4. WhiteHat Security We help secure the Web by finding application vulnerabilities, in the source code all the way through to production, and help companies get them fixed, before the bad guys exploit them. 7 of 18 Top Commercial Banks 10 of 50 Top Largest Banks 6 of 16 Top Software Companies 4 of 8 Top Consumer Financial Services 1000+ Active Customers #63 Fortune 500
  • 5. My Areas of Focus: Threat Actors: innovating, scaling, or both? / Intersection of security guarantees and cyber-insurance / Easing the burden of vulnerability remediation / Measuring the impact of SDLC security controls / Addressing the application security skill shortage
  • 6. Threat Actors Hacktivists Organized Crime Nation State Terrorists?
  • 7.
  • 8. WebApp Attacks Adversaries Use. “This year, organized crime became the most frequently seen threat actor for Web App Attacks” (Verizon 2015 Data Breach Investigations Report). Attack varieties seen in web app attack breaches: Use of Stolen Credentials 50.7%; Use of Backdoor or C2 40.5%; SQLi 19.0%; RFI 8.3%; Abuse of Functionality 8.3%; Brute Force 6.8%; XSS 6.3%; Path Traversal 3.4%; Forced Browsing 2.0%; OS Commanding 1.5%
  • 9. Security Industry Spends Billions “2015 Global spending on information security is set to grow by close to 5% this year to top $75BN, according to the latest figures from Gartner”
  • 10. Vulnerability Likelihood (1 or more), per vulnerability class (chart values): 70%, 56%, 47%, 29%, 26%, 24%, 16%, 15%, 11%, 11%, 8%, 6%, 6%, 6%, 5%
  • 11. Average Time-to-Fix (Days), per vulnerability class (chart values): 73, 97, 99, 108, 111, 130, 132, 136, 158, 160, 191, 192, 227
  • 12. Windows of Exposure. A large percentage of websites are always vulnerable: 60% of all Retail sites, 52% of all Healthcare and Social Assistance sites, 38% of all Information Technology websites and 39% of all Finance and Insurance websites are always vulnerable.
      Share of sites per industry, by number of days per year the site is vulnerable:
      Band                                    Retail Trade   Information   Health Care & Social Assistance   Finance & Insurance
      Always Vulnerable                       60%            38%           52%                               39%
      Frequently Vulnerable (271-364 days)     9%            11%           11%                               14%
      Regularly Vulnerable (151-270 days)     10%            14%           12%                               11%
      Occasionally Vulnerable (31-150 days)   11%            16%           11%                               18%
      Rarely Vulnerable (30 days or less)     11%            22%           14%                               17%
  • 13. Ranges of Expected Loss by Number of Records (Verizon 2015 Data Breach Investigations Report)
      Records       Prediction (lower)   Average (lower)   Expected      Average (upper)   Prediction (upper)
      100           $1,170               $18,120           $25,450       $35,730           $555,660
      1,000         $3,110               $52,260           $67,480       $87,140           $1,461,730
      10,000        $8,280               $143,360          $178,960      $223,400          $3,866,400
      100,000       $21,900              $366,500          $474,600      $614,600          $10,283,200
      1,000,000     $57,600              $892,400          $1,258,670    $1,775,350        $27,500,090
      10,000,000    $150,700             $2,125,900        $3,338,020    $5,241,300        $73,943,950
      100,000,000   $392,000             $5,016,200        $8,852,540    $15,622,700       $199,895,100
  • 14. Result: Every Year is the Year of the Hack “In 2014, 71% of security professionals said their networks were breached. 22% of them victimized 6 or more times. This increased from 62% and 16% respectively from 2013. 52% said their organizations will likely be successfully hacked in the next 12 months. This is up from 39% in 2013.” Survey of Security professionals by CyberEdge
  • 15. Downside Protection As of 2014, American businesses were expected to pay up to $2 billion on cyber-insurance premiums, a 67% spike from $1.2 billion spent in 2013. Current expectations by one industry watcher suggest 100% growth in insurance premium activity, possibly 130% growth. It’s usually the firms that are best prepared for cyber attacks that wind up buying insurance.
  • 16. Downside Protection “Target spent $248 million after hackers stole 40 million payment card accounts and the personal information of up to 70 million customers. The insurance payout, according to Target, will be $90 million.” “Home Depot reported $43 million in expenses related to its September 2014 hack, which affected 56 million credit and debit card holders. Insurance covered only $15 million.”
  • 17. Downside Protection “Anthem has $150 million to $200 million in cyber coverage, including excess layers, sources say.” “Insurers providing excess layers of cyber coverage include: Lloyd’s of London syndicates: operating units of Liberty Mutual Holding Co.; Zurich Insurance Group; and CNA Financial Corp., sources say.”
  • 18. 2014 – 2015 New Security Investment vs. Cyber-Insurance: Information Security Spending (Global) ~$3.8 billion in new spending (+4.7%); Cyber-Security Insurance ~$3.2 billion in spending (+67%); Application Security Market ~$1.0 billion (+15%)
  • 19. Ever notice how everything in the information security industry is sold “as is”? No Guarantees No Warranties No Return Policies
  • 20. InfoSec is a $75 Billion Garage Sale
  • 21.
  • 22. “The only two products not covered by product liability are religion and software, and software shall not escape much longer” Dan Geer CISO, In-Q-Tel
  • 23. Software Security Maturity Metrics Analysis  The analysis is based on 118 responses on a survey sent to security professionals to measure maturity models in application security programs at various organizations.  The responses obtained in the survey are correlated with the data available in Sentinel to get deeper insights. Statistics pulled from Sentinel are for 2014 timeframe.
  • 24. If an organization experiences a website(s) data or system breach, which part of the organization is held accountable and what is its performance? 56% of all respondents did not have any part of the organization held accountable in case of a data or system breach. (Chart values: 9%, 29%, 28%, 30%.)
  • 25. If an organization experiences a website(s) data or system breach, which part of the organization is held accountable and what is its performance?
      Part held accountable    Average Time to Fix (Days)   Remediation Rate   Average Number of Vulns Open
      Board of Directors       129                          44%                10
      Executive Management     119                          43%                10
      Software Development     108                          37%                17
      Security Department      114                          43%                25
  • 26. Please rank your organization’s drivers for resolving website vulnerabilities, “1” being your lowest priority, “5” being your highest. 15% of the respondents cite Compliance as the primary reason for resolving website vulnerabilities; 6% cite Corporate Policy; 35% cite Risk Reduction; 19% cite Customer or Partner Demand; 25% cite other reasons.
  • 27. Please rank your organization’s drivers for resolving website vulnerabilities, “1” being your lowest priority, “5” being your highest.
      Primary driver               Average Time to Fix (Days)   Average Remediation Rate   Average Number of Vulnerabilities
      Compliance                   132                          55%                        14
      Corporate Policy              86                          21%                        21
      Risk Reduction                78                          40%                        28
      Customer or Partner Demand   163                          50%                        28
      Other                        150                          33%                        10
  • 28. Security controls and their observed effect on the three metrics (+ / - as shown on the slide):
      Security control                                                             # of Open Vulns   Time-to-Fix   Remediation Rate
      Automated static analysis during the code review process                     +                 +             -
      QA performs basic adversarial tests                                          +                 -             +
      Defects identified through operations monitoring fed back to development    -                 +             -
      Share results from security reviews with the QA                              +                 -             +
  • 30. Thank You Jeremiah Grossman Founder: WhiteHat Security, Inc. Twitter: @jeremiahg
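Slide 12 buckets sites by how many days a year they are exposed (Always, 271-364, 151-270, 31-150, 30 or fewer). The transcript gives the bands but not how a site's number is computed, so here is an added worked example, not code from the talk or from WhiteHat Sentinel. It assumes the usual definition of a window of exposure: a site counts as vulnerable on a day if at least one serious vulnerability was open that day, so overlapping findings are counted once. The vulnerability names, dates and the site lists are constructed sample data.

```python
from datetime import date

# Exposure bands from slide 12, keyed by the minimum number of exposed days.
# "Always Vulnerable" is handled separately as "every day of the year"
# (an assumption; the slide does not define it beyond the label).
BANDS = [
    (271, "Frequently Vulnerable (271-364 days a year)"),
    (151, "Regularly Vulnerable (151-270 days a year)"),
    (31, "Occasionally Vulnerable (31-150 days a year)"),
    (0, "Rarely Vulnerable (30 days or less a year)"),
]


def exposure_days(vulns, year):
    """Days in `year` on which at least one vulnerability was open.

    `vulns` is an iterable of (name, opened, closed); `closed` is None for a
    finding that is still open. A finding is open on day d when
    opened <= d < closed. Overlapping findings are merged so a day with
    several open vulnerabilities is counted only once.
    """
    year_start = date(year, 1, 1)
    year_end = date(year + 1, 1, 1)  # exclusive upper bound
    spans = []
    for _name, opened, closed in vulns:
        lo = max(opened, year_start)
        hi = year_end if closed is None else min(closed, year_end)
        if lo < hi:  # ignore findings closed before, or opened after, the year
            spans.append((lo, hi))
    spans.sort()
    total = 0
    cur = None  # the merged [lo, hi) span being extended
    for lo, hi in spans:
        if cur is None or lo > cur[1]:
            if cur is not None:
                total += (cur[1] - cur[0]).days
            cur = [lo, hi]
        else:  # overlaps or touches the current span: extend it
            cur[1] = max(cur[1], hi)
    if cur is not None:
        total += (cur[1] - cur[0]).days
    return total


def exposure_band(days, year):
    """Map a day count onto the slide-12 bands (leap years handled)."""
    days_in_year = (date(year + 1, 1, 1) - date(year, 1, 1)).days
    if days >= days_in_year:
        return "Always Vulnerable"
    for threshold, label in BANDS:
        if days >= threshold:
            return label
    raise ValueError("negative day count")


def portfolio_breakdown(sites, year):
    """Percent of sites in each band, like one industry column on slide 12."""
    counts = {}
    for vulns in sites:
        band = exposure_band(exposure_days(vulns, year), year)
        counts[band] = counts.get(band, 0) + 1
    return {band: round(100 * n / len(sites)) for band, n in counts.items()}


# Constructed sample findings for three hypothetical sites.
SITE_A = [
    ("SQL Injection", date(2014, 1, 10), date(2014, 3, 1)),
    ("Cross-Site Scripting", date(2014, 2, 15), date(2014, 2, 20)),  # inside the SQLi window
    ("Authentication Bypass", date(2014, 6, 1), None),  # still open at year end
]
SITE_B = [("Information Leakage", date(2013, 11, 3), None)]  # open the whole year
SITE_C = [("Cross-Site Scripting", date(2014, 4, 1), date(2014, 4, 11))]  # 10 days

if __name__ == "__main__":
    for label, site in (("site A", SITE_A), ("site B", SITE_B), ("site C", SITE_C)):
        d = exposure_days(site, 2014)
        print(f"{label}: {d} days exposed -> {exposure_band(d, 2014)}")
    print(portfolio_breakdown([SITE_A, SITE_B, SITE_C], 2014))
```

The merge step is what makes the metric honest: a site with twenty XSS findings open during the same fortnight is exposed for a fortnight, not for 280 days, so time-to-fix (slide 11) and window of exposure answer different questions and should be reported side by side rather than substituted for each other.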

Editor's Notes

  1. http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report-2015-insider_en_xg.pdf
  2. http://www.infosecurity-magazine.com/news/global-security-spend-set-to-top/ ; http://www.forbes.com/sites/stevemorgan/2015/12/20/cybersecurity%E2%80%8B-%E2%80%8Bmarket-reaches-75-billion-in-2015%E2%80%8B%E2%80%8B-%E2%80%8Bexpected-to-reach-170-billion-by-2020/ ; http://www.securityweek.com/global-cybersecurity-spending-reach-769-billion-2015-gartner ; http://www.gartner.com/newsroom/id/2828722 ; http://www.wsj.com/articles/financial-firms-bolster-cybersecurity-budgets-1416182536 ; http://mspmentor.net/managed-security-services/100314/pwc-cybersecurity-costs-rise-budgets-decrease ; http://techcrunch.com/2016/01/06/cockroaches-vs-unicorns-the-golden-age-of-cybersecurity-startups/
  3. http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report-2015-insider_en_xg.pdf
  4. http://www.darkreading.com/attacks-breaches/most-companies-expect-to-be-hacked-in-the-next-12-months/d/d-id/1319497
  5. http://fortune.com/2015/01/23/cyber-attack-insurance-lloyds/ ; http://www.bna.com/cybersecurity-insurance-explosion-n57982065668/ ; http://www.techtimes.com/articles/27454/20150120/cyber-insurance-forefront-companies-minds.htm ; http://www.latimes.com/business/la-fi-hacking-insurance-20150210-story.html ; http://www.cnbc.com/id/101804150 ; http://www.darkreading.com/risk/the-problem-with-cyber-insurance/a/d-id/1269682
  6. http://www.insurancejournal.com/news/national/2014/02/26/321638.htm ; http://www.latimes.com/business/la-fi-hacking-insurance-20150210-story.html
  7. http://www.businessinsurance.com/article/20150206/NEWS06/150209857/aig-unit-leads-anthems-cyber-coverage
  8. http://www.forbes.com/sites/stevemorgan/2015/12/20/cybersecurity%E2%80%8B-%E2%80%8Bmarket-reaches-75-billion-in-2015%E2%80%8B%E2%80%8B-%E2%80%8Bexpected-to-reach-170-billion-by-2020/
  9. https://www.youtube.com/watch?v=nT-TGvYOBpI&list=UUJ6q9Ie29ajGqKApbLqfBOg