15 Years of Web Security: The Rebellious Teenage Years

From Application Security California 2016



  1. 15 Years of Web Security: The Rebellious Teenage Years
     Jeremiah Grossman, Founder: WhiteHat Security, Inc. Twitter: @jeremiahg
  2. Jeremiah Grossman: Hacker; 2015 OWASP WebAppSec Person of the Year; Brazilian Jiu-Jitsu Black Belt
  3. WhiteHat Security: We help secure the Web by finding application vulnerabilities, from the source code all the way through to production, and help companies get them fixed before the bad guys exploit them. Founded 2001; Headquarters: Santa Clara; Employees: 300+
  4. WhiteHat Security customers: 7 of 18 Top Commercial Banks; 10 of 50 Top Largest Banks; 6 of 16 Top Software Companies; 4 of 8 Top Consumer Financial Services; 1000+ Active Customers; #63 Fortune 500
  5. My Areas of Focus
     - Threat Actors: Innovating, scaling, or both?
     - Intersection of security guarantees and cyber-insurance
     - Easing the burden of vulnerability remediation
     - Measuring the impact of SDLC security controls
     - Addressing the application security skill shortage
  6. Threat Actors: Hacktivists; Organized Crime; Nation State; Terrorists?
  7. Web App Attacks Adversaries Use. "This year, organized crime became the most frequently seen threat actor for Web App Attacks" (Verizon 2015 Data Breach Investigations Report). Share of web app attack incidents by action:
     Use of Stolen Credit Cards  50.7%
     Use of Backdoor or C2       40.5%
     SQLi                        19.0%
     RFI                          8.3%
     Abuse of Functionality       8.3%
     Brute Force                  6.8%
     XSS                          6.3%
     Path Traversal               3.4%
     Forced Browsing              2.0%
     OS Commanding                1.5%
  8. Security Industry Spends Billions. "2015 Global spending on information security is set to grow by close to 5% this year to top $75BN, according to the latest figures from Gartner"
  9. Vulnerability Likelihood (1 or more). Bar chart of the likelihood that a website has at least one vulnerability of a given class, from 70% for the most common class down to 5% for the least common (70%, 56%, 47%, 29%, 26%, 24%, 16%, 15%, 11%, 11%, 8%, 6%, 6%, 6%, 5%); the class labels did not survive extraction.
  10. Average Time-to-Fix (Days). Bar chart of average time-to-fix per vulnerability class, ranging from 73 to 227 days (73, 97, 99, 108, 111, 130, 132, 136, 158, 160, 191, 192, 227); the class labels did not survive extraction.
  11. Windows of Exposure
     - A large percentage of websites are always vulnerable
     - 60% of all Retail sites are always vulnerable
     - 52% of all Healthcare and Social Assistance sites are always vulnerable
     - 38% of all Information Technology websites are always vulnerable
     - 39% of all Finance and Insurance websites are always vulnerable
     Share of sites per industry by days vulnerable per year:
     Industry                          Always  Frequently  Regularly  Occasionally  Rarely
     Retail Trade                      60%     9%          10%        11%           11%
     Information                       38%     11%         14%        16%           22%
     Health Care & Social Assistance   52%     11%         12%        11%           14%
     Finance & Insurance               39%     14%         11%        18%           17%
     Bands: Always Vulnerable; Frequently Vulnerable (271-364 days a year); Regularly Vulnerable (151-270 days a year); Occasionally Vulnerable (31-150 days a year); Rarely Vulnerable (30 days or less a year)
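The metrics on slides 10 and 11 (average time-to-fix and window of exposure), together with the remediation rate and open-vulnerability counts the later maturity slides report, are easy to compute from a site's finding records, but the window of exposure needs overlapping open intervals merged so that two concurrent findings are not counted twice. The following is an added example, not code from the deck, from WhiteHat or from Sentinel: the Vuln records, the two sample sites and the 2014 observation year are constructed, and the band thresholds are taken from the slide's categories, with Always Vulnerable assumed to mean every day of the year.

```python
"""Window-of-exposure, time-to-fix and remediation-rate metrics computed from
constructed per-site vulnerability records (not WhiteHat Sentinel data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Vuln:
    """One finding on one site. `closed` is the day the fix was verified; None means still open."""
    name: str
    opened: date
    closed: Optional[date] = None


def days_exposed(vulns: List[Vuln], year_start: date, year_end: date) -> int:
    """Number of distinct days in [year_start, year_end] on which at least one vuln was open.

    A vuln counts as open on every day from `opened` up to, but not including, `closed`.
    Overlapping or touching intervals are merged so concurrent vulns do not double count.
    """
    intervals = []
    for v in vulns:
        start = max(v.opened, year_start)
        last = year_end if v.closed is None else min(v.closed - timedelta(days=1), year_end)
        if start <= last:
            intervals.append((start, last))
    intervals.sort()

    total = 0
    cur_start = cur_last = None
    for start, last in intervals:
        if cur_last is not None and start <= cur_last + timedelta(days=1):
            cur_last = max(cur_last, last)      # overlaps or touches the current run: extend it
        else:
            if cur_last is not None:
                total += (cur_last - cur_start).days + 1
            cur_start, cur_last = start, last
    if cur_last is not None:
        total += (cur_last - cur_start).days + 1
    return total


def exposure_band(days: int, year_length: int = 365) -> str:
    """Map days exposed per year onto the bands used on the Windows of Exposure slide
    (assumption: Always Vulnerable means exposed on every day of the year)."""
    if days >= year_length:
        return "Always Vulnerable"
    if days >= 271:
        return "Frequently Vulnerable"
    if days >= 151:
        return "Regularly Vulnerable"
    if days >= 31:
        return "Occasionally Vulnerable"
    return "Rarely Vulnerable"


def average_time_to_fix(vulns: List[Vuln]) -> Optional[float]:
    """Mean days from opened to closed over the vulns that were actually fixed."""
    fixed = [(v.closed - v.opened).days for v in vulns if v.closed is not None]
    return sum(fixed) / len(fixed) if fixed else None


def remediation_rate(vulns: List[Vuln]) -> float:
    """Share of reported vulns that were closed (0.0 if nothing was reported)."""
    return sum(1 for v in vulns if v.closed is not None) / len(vulns) if vulns else 0.0


def open_vuln_count(vulns: List[Vuln], as_of: date) -> int:
    """Vulns still open at the end of the day `as_of`."""
    return sum(1 for v in vulns if v.opened <= as_of and (v.closed is None or v.closed > as_of))


# Constructed sample data for the 2014 observation year (the deck's statistics are for 2014).
YEAR_START, YEAR_END = date(2014, 1, 1), date(2014, 12, 31)

SITE_A = [
    Vuln("reflected XSS in search", date(2014, 1, 10), date(2014, 2, 9)),   # fixed in 30 days
    Vuln("SQL injection in login", date(2014, 2, 1), date(2014, 5, 1)),     # fixed in 89 days
    Vuln("path traversal in export", date(2014, 9, 15)),                    # still open at year end
]
SITE_B = [
    Vuln("RFI in theme loader", date(2013, 12, 1)),                         # open the whole year
]


def site_report(vulns: List[Vuln]) -> dict:
    """The per-site numbers the deck reports: exposure, time-to-fix, remediation rate, open count."""
    days = days_exposed(vulns, YEAR_START, YEAR_END)
    return {
        "days_exposed": days,
        "band": exposure_band(days),
        "avg_time_to_fix": average_time_to_fix(vulns),
        "remediation_rate": remediation_rate(vulns),
        "open_at_year_end": open_vuln_count(vulns, YEAR_END),
    }


if __name__ == "__main__":
    for label, site in (("site A", SITE_A), ("site B", SITE_B)):
        print(label, site_report(site))
```

Site A's XSS and SQLi overlap in February, so its exposure is 219 days (Regularly Vulnerable), not the 227 a naive sum of the three intervals would give; site B carries a single finding opened before the year began and lands in Always Vulnerable with no time-to-fix at all, which is the pattern behind the 60% Retail figure on the slide.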
  12. Ranges of Expected Loss by Number of Records (Verizon 2015 Data Breach Investigations Report)
     RECORDS       PREDICTION (LOWER)  AVERAGE (LOWER)  EXPECTED     AVERAGE (UPPER)  PREDICTION (UPPER)
     100           $1,170              $18,120          $25,450      $35,730          $555,660
     1,000         $3,110              $52,260          $67,480      $87,140          $1,461,730
     10,000        $8,280              $143,360         $178,960     $223,400         $3,866,400
     100,000       $21,900             $366,500         $474,600     $614,600         $10,283,200
     1,000,000     $57,600             $892,400         $1,258,670   $1,775,350       $27,500,090
     10,000,000    $150,700            $2,125,900       $3,338,020   $5,241,300       $73,943,950
     100,000,000   $392,000            $5,016,200       $8,852,540   $15,622,700      $199,895,100
  13. Result: Every Year is the Year of the Hack. "In 2014, 71% of security professionals said their networks were breached. 22% of them victimized 6 or more times. This increased from 62% and 16% respectively from 2013. 52% said their organizations will likely be successfully hacked in the next 12 months. This is up from 39% in 2013." (Survey of security professionals by CyberEdge)
  14. Downside Protection. As of 2014, American businesses were expected to pay up to $2 billion on cyber-insurance premiums, a 67% spike from $1.2 billion spent in 2013. Current expectations by one industry watcher suggest 100% growth in insurance premium activity, possibly 130% growth. It's usually the firms that are best prepared for cyber attacks that wind up buying insurance.
  15. Downside Protection. "Target spent $248 million after hackers stole 40 million payment card accounts and the personal information of up to 70 million customers. The insurance payout, according to Target, will be $90 million." "Home Depot reported $43 million in expenses related to its September 2014 hack, which affected 56 million credit and debit card holders. Insurance covered only $15 million."
  16. Downside Protection. "Anthem has $150 million to $200 million in cyber coverage, including excess layers, sources say." "Insurers providing excess layers of cyber coverage include: Lloyd's of London syndicates; operating units of Liberty Mutual Holding Co.; Zurich Insurance Group; and CNA Financial Corp., sources say."
  17. 2014 – 2015 New Security Investment vs. Cyber-Insurance
     - Information Security Spending (Global): ~$3.8 billion in new spending (+4.7%)
     - Cyber-Security Insurance: ~$3.2 billion in spending (+67%)
     - Application Security Market: ~$1.0 billion (+15%)
  18. Ever notice how everything in the information security industry is sold "as is"? No Guarantees. No Warranties. No Return Policies.
  19. InfoSec is a $75 Billion Garage Sale
  20. "The only two products not covered by product liability are religion and software, and software shall not escape much longer" (Dan Geer, CISO, In-Q-Tel)
  21. Software Security Maturity Metrics Analysis
     - The analysis is based on 118 responses to a survey sent to security professionals to measure maturity models in application security programs at various organizations.
     - The responses obtained in the survey are correlated with the data available in Sentinel to get deeper insights. Statistics pulled from Sentinel are for the 2014 timeframe.
  22. If an organization experiences a website(s) data or system breach, which part of the organization is held accountable and what is its performance? 56% of all respondents did not have any part of the organization held accountable in case of a data or system breach. Share of respondents naming each party (same four parties as the next slide, in the same order): Board of Directors 9%; Executive Management 29%; Software Development 28%; Security Department 30%.
  23. If an organization experiences a website(s) data or system breach, which part of the organization is held accountable and what is its performance? Sentinel metrics by accountable party:
     Accountable party      Average Time to Fix (Days)  Remediation Rate  Average Number of Vulns Open
     Board of Directors     129                         44%               10
     Executive Management   119                         43%               10
     Software Development   108                         37%               17
     Security Department    114                         43%               25
  24. Please rank your organization's drivers for resolving website vulnerabilities, "1" being your lowest priority, "5" being your highest. Primary reason cited for resolving website vulnerabilities (% of respondents):
     - Compliance: 15%
     - Corporate Policy: 6%
     - Risk Reduction: 35%
     - Customer or Partner Demand: 19%
     - Other reasons: 25%
  25. Please rank your organization's drivers for resolving website vulnerabilities, "1" being your lowest priority, "5" being your highest. Sentinel metrics by primary driver:
     Primary driver              Average Time to Fix (Days)  Average Remediation Rate  Average Number of Vulnerabilities
     Compliance                  132                         55%                       14
     Corporate Policy            86                          21%                       21
     Risk Reduction              78                          40%                       28
     Customer or Partner Demand  163                         50%                       28
     Other                       150                         33%                       10
  26. Effect of SDLC security controls on the three metrics (+ = better, - = worse, per the deck's chart):
     SECURITY CONTROL                                                          # OF OPEN VULNS  TIME-TO-FIX  REMEDIATION RATE
     Automated static analysis during the code review process                  +                +            -
     QA performs basic adversarial tests                                       +                -            +
     Defects identified through operations monitoring fed back to development  -                +            -
     Share results from security reviews with the QA                           +                -            +
  27. There are No Best-Practices
  28. Thank You. Jeremiah Grossman, Founder: WhiteHat Security, Inc. Twitter: @jeremiahg
