Why care about application security
This is a security awareness presentation on impact of developing and using insecure applications in organisations. Number of case studies of data leaks, defacements and regulatory fines are presented as example.
  1. Why care about application security?
     - Paweł Krawczyk (IPSec.pl)
     - pawel.krawczyk@hush.com
     - Presentation licensed under CC BY-NC: http://creativecommons.org/licenses/by-nc/3.0/
  2. Sony PSN
     - April 2011: PSN & Qriocity outage, 80m records lost
     - May 3: another 25m records, Sony Online Entertainment outage
  3. Small issues are important
     - Sony 2011
     - Challenger 1986
  4. Top hack (2009)
     - 130 million personal records
     - Credit card numbers
  5. Fast & furious...
     - Source: datalossdb.org
  6. $$$
     - Settlements: Visa = $60.0m, AmEx = $3.5m, Consumer = $4.8m
     - Ponemon Institute estimate: at $60 cost per record = $7.8b; now $140 per record (2010)
     - Indirect costs (e.g. lost business)
     - Source: datalossdb.org
  7. NYSE
     - Source: datalossdb.org
  8. Side effect
     - Credit card prices drop on the "black market": 2008 $10-20, 2009 $2-6
     - Numbers from: Finjan, Kaspersky
  9. Grace period for startups?
  10. (image slide, no text)
  11. Source: dereknewton.com
  12. Farming
     - Source: historyforkids.org
  13. Malware farming
     - Mass infections of 500k websites: 2011 (LizaMoon), 2008
     - Result for website owners: blacklisted in Google Safe Browsing, Microsoft Phishing Filter, OpenDNS etc.
  14. (image slide, no text)
  15. (image slide, no text)
  16. (image slide, no text)
  17. (image slide, no text)
  18. Your website
     - Blacklisted: Google Safe Browsing, Microsoft Phishing Filter, OpenDNS etc.
  19. Best ways to get hacked
     - Guaranteed: use ancient WordPress, Joomla, phpBB...; use trivial passwords for FTP, SSH...
     - Likely: write your own application...
  20. Tumblr
     - Source: niebezpiecznik.pl, Reddit
  21. Bad news live long
     - Source: niebezpiecznik.pl
  22. .pl
     - As seen on 23 March 2011
  23. Wyższa Szkoła Policji
     - Source: prawo.vagla.pl
  24. Sąd Okręgowy w Częstochowie
     - Source: prawo.vagla.pl
  25. Data protection laws
     - Poland: up to 50'000 PLN fines
     - Regulator may issue an order to stop processing data
     - Audit reports are public; would you trust them in future?
  26. Going international?
     - GBP 5.6m
     - GBP 17.5m
     - GBP 3m
  27. How to fix stuff?
     - Source: NASA, Wikipedia (Apollo 13 - 1970)
  28. Is security the enemy of economy?
  29. Security is economy
  30. Eliminate bugs early
     - Early code audit
     - Applied Software Measurement, Capers Jones, 1996
     - Building Security Into The Software Life Cycle, Marco M. Morana, 2006
  31. It's cheaper than...
     - Pentest
     - Late code audit
     - Applied Software Measurement, Capers Jones, 1996
     - Building Security Into The Software Life Cycle, Marco M. Morana, 2006
  32. And way cheaper than...
     - Hack!
     - Applied Software Measurement, Capers Jones, 1996
     - Building Security Into The Software Life Cycle, Marco M. Morana, 2006
  33. How?
     - Doug Hubbard, "The Failure of Risk Management"
     - Security Assurance Maturity Model (OpenSAMM)
     - Security Development Lifecycle (SDL)
  34. Outsourcing?
     - Tell them what you need (precisely): UML, BPMN
     - Specify the assurance level: OWASP ASVS
     - Trust but verify: supplier due diligence, audit, pentest
  35. Ask peers
     - OWASP, Open Web Application Security Project: www.owasp.org
     - ISSA, Information Systems Security Association: www.issa.org.pl
  36. Questions, comments?
     - pawel.krawczyk@hush.com