Craig Spiezle - How Does Your Site Rank? Audit of the Top 500 Ecommerce Sites

•Download as PPTX, PDF•

0 likes•921 views

Presentation by Craig Spiezle at the 2014 DigiCert Security Summit. Video recording: https://vimeo.com/112416916 About Craig Spiezle President and Executive Director of the Online Trust Alliance Mr. Spiezle is a recognized thought leader and pioneer on the convergence of interactive marketing, society, and digital commerce. Leveraging his deep understanding of privacy, security, and data stewardship, Spiezle is a champion of best practices to help protect consumer trust and the importance of promoting the vitality and innovation of the internet. Spiezle frequently briefs members of Congress representing the roles and shared responsibility of members of the ecosystem and the importance of meaningful self-regulation. Prior to OTA, Spiezle spent over a decade at Microsoft in several management roles. Most recently he was the Director of Security & Privacy Product Management, driving development of anti-spam, anti-phishing, anti-malware, and privacy-enabling technologies. During his tenure, Spiezle championed digital inclusiveness and the societal impact of internet literacy and access. Spiezle holds a Bachelor of Science from the Rochester Institute of Technology and an MBA from Seattle University. https://www.digicert.com/events/summit-2014/

Technology

2014 Online Trust Audit
How Does Your Site Rank?
Audit of the Top 500 Ecommerce
Sites
Craig Spiezle
Executive Director & President, OTA

© 2014 All rights reserved. Online Trust Alliance (OTA)

Server Configuration Analysis
Common Issues
• Support of TLS 2.0
• “Beast Attack”
• Mismatched certs
• Cross site scripting
• iframes exploits
Data Sources: SSL Labs - https://www.ssllabs.com & High-Tech Bridge https://www.htbridge.com/
© 2014. All rights reserved. Online Trust Alliance (OTA)

SSL Configuration
© 2014. All rights reserved. Online Trust Alliance (OTA)

Enhanced SSL Criteria
Two new grades, A+ (100 pts) and A- (90 pts), allow for finer grading.
Support for TLS 1.2 required for an A. If not, grade is capped at B.
Key lengths below 2048-bit capped at B (below 1024-bit receive an F)
MD5 certificate signatures considered insecure, receive an F
Warnings – servers with good configuration, but one or more warnings, are
reduced to an A-
– Servers not supporting Forward Secrecy receive a warning
– Servers that do not support secure renegotiation receive a warning
– Servers that use RC4 with TLS 1.1 or TLS 1.2 receive a warning
© 2014. All rights reserved. Online Trust Alliance (OTA)

Privacy – Bonus Points
Layered Notice
i.e. Publishers Clearing House
http://privacy.pch.com/
Reduced word count from
over 4,000 words to 475!
Adds clarity, readability &
transparency

Call To Action
• Continually monitoring
• Email authentication
• Both SPF & DKIM & DMARC
• Monitoring your server configuration
• Privacy policy and practices for alignment
• Scan all third party ads and content
© 2014. All rights reserved. Online Trust Alliance (OTA)

Tools & Resources
• Online Trust Honor Roll https://otalliance.org/HonorRoll
• Mobile Best Practices
https://otalliance.org/resources/mobile.html
• 2014 Data Protection & Breach Readiness Guide
https://otalliance.org/Breach.html
• Email Security https://otalliance.org/auth.html
• Always On SSL SSL Best Practices https://otalliance.org/resources/always-ssl-
aossl
• Malvertising / Ad Integrity
https://otalliance.org/AdIntegrity
Craig Spiezle craigs@otalliance.org +1 425-455-7400

For customers with hundreds or thousands of secrets, like database credentials and API keys, manually rotating and managing access to those secrets can be complex and cause application disruptions. AWS Secrets Manager protects access to your IT resources by enabling you to easily and centrally rotate and manage access to secrets. In this session, we explore the benefits and key features of Secrets Manager. We demonstrate how to safely rotate secrets, manage access to secrets with fine-grained access policies, and centrally secure and audit your secrets.

Why Your Customers Care About Compliance and You Should Too

Amazon Web Services

As you're expanding your business into regulated markets, addressing compliance requirements can feel overwhelming. AWS has developed a robust compliance portfolio designed to help you and your customers meet compliance goals. During this session we will discuss ways to implement, market, and communicate compliance to your customers and grow your business in regulated industries. We’ll also cover common objections from customers and how you can find information to counter these concerns—and you’ll have time to discuss and share your own customer’s objections. Speakers: Kristin Haught - Technical PM III, AWS Bill Reid - Sr Mgr, Solutions Architecture, AWS

Gwava gwava6

GWAVA

D3NY17 - Migrating to the Cloud

Imperva Incapsula

Introduction to Threat Detection and Remediation

Amazon Web Services

by Cameron Worrell, Solutions Architect, AWS In this talk, we will introduce several methods of threat detection and remediation on AWS, including GuardDuty, Macie, WAF, Shield, Lambda, AWS Config, Systems Manager and Inspector. We will do a brief overview of each of these services, and then talk about how to put them all together, to have a comprehensive thread detection and remediation solution. We will also discuss how to use these services across multiple AWS accounts and regions, to cover the governance needs of enterprise AWS deployments.

AWS Security Week: Why Your Customers Care About Compliance

Amazon Web Services

Cloud Native DDoS Attack Mitigation

Amazon Web Services

Kubernetes meetup k8s_aug_2019

dhubbard858

"Il Regolamento generale sulla protezione dei dati (GDPR) dell'Unione Europea tutela il diritto fondamentale alla privacy e alla protezione dei dati personali dei cittadini dell'Unione europea. Esso costituisce una grande opportunità ed una grande sfida, specie per la PA, perché introduce requisiti rigorosi che definiscono e armonizzano nuovi standard in materia di compliance, sicurezza e protezione dei dati. L’obiettivo di questa sessione è quello di esplorare le misure tecniche ed organizzative (TOM) indicate dal regolamento e di illustrare come AWS può aiutare i titolari ed i responsabili del trattamento dei dati all’interno delle organizzazioni nel loro percorso di conformità al GDPR."

AWS Security Week: Threat Detection & Remediation Workshop

Amazon Web Services

AWS Security Fundamentals

Amazon Web Services

This session is designed to introduce you to fundamental cloud computing and AWS security concepts that will help you prepare for the Security Week sessions, demos, and labs. We will ensure you have an AWS account and understand EC2, prepare you to get set up on the AWS Command Line Interface (CLI) to access the AWS Management Console, introduce you to in source repositories, discuss SSH access and necessary SDKs, and more.

Asvs v4 developers and founders

Hemed Gur Ary

MDaemon Spam Filter Recommended Settings

Alt-N Technologies

Introduction to AWS Security

Amazon Web Services

Austin CSS Slalom Presentation

Alert Logic

Advanced Techniques for Securing Web Applications

Amazon Web Services

Secure and Automate AWS Deployments with Next Generation SecurityAmazon Web Services

Cloud Based Content Services

Cédric Hüsler

BMO jaarvergadering 2013

Remco Bron

App Safari for Weddingplanners

Remco Bron

IF-MAP protocolТранслируем.бел

MACPA 2013 Innovation Summit - Press Conference

Tom Hood, CPA,CITP,CGMA

Innovation - Collaboration - Inspiration are the themes of this year's 2013 Innovation Summit. This special briefing highlights the Top 5 Platinum Sponsors - Simplified Innovations, CCH, Sage, CPA2Biz, Ziptr. Three special technologies will be featured that will help participants connect and collaborate with our major sponsors and each other during the conference. The three technologies are Conferences.io, Flybits, and ThinkTank.

Kuba Marchwicki - Speechstorm - Usability w mediach innych niż www3camp

Virtual Recruiter – zwycięzca Startup Weekend Trójmiasto. Od pomysłu do biznesu

3camp

Certificates, Revocation and the new gTLD's Oh My!

CASCouncil

Digital Certificates @ ResellerClub

ResellerClub

Office365 in today's digital threats landscape: attacks & remedies from a hac...

Benedek Menesi

Office 365 environments are very attractive targets for attackers. So, it's never been more important to understand how its security structure works, and how to best configure it. In this in-depth session, we'll run through real-time attack scenarios and examine common attack vectors. And then we'll explore the various defense capabilities of Office 365, the MS Graph API, and Azure AD. We'll deep-dive into external sharing, authentication options, third-party application security (what apps should and shouldn't be able to do), and even some do's and don'ts regarding Azure AD endpoints and authorization mechanisms. You'll walk away with a solid understanding of how to use the Office 365 defense tools at your disposal, such as the Attack Simulator and Threat Intelligence, as well as how they relate to real-world attacks.

Office 365 in today's digital threats landscape: attacks & remedies from a ha...

panagenda

After the positive feedback of Ben Menesi's session at the 2019 SPS Ottawa, he was asked to repeat it at Salt Lake M365 Friday in February 2020. Abstract: Office 365 environments are very attractive targets for attackers. So, it's never been more important to understand how its security structure works, and how to best configure it. In this in-depth session, we'll run through real-time attack scenarios and examine common attack vectors. And then we'll explore the various defense capabilities of Office 365, the MS Graph API, and Azure AD. We'll deep-dive into external sharing, authentication options, third-party application security (what apps should and shouldn't be able to do), and even some do's and don'ts regarding Azure AD endpoints and authorization mechanisms. You'll walk away with a solid understanding of how to use the Office 365 defense tools at your disposal, such as the Attack Simulator and Threat Intelligence, as well as how they relate to real-world attacks. https://www.linkedin.com/in/benedekmenesi/

What's hot

AWS Security Week: Humans & Data Don’t Mix - Best Practices to Secure Your Cloud

Amazon Web Services

Application Resiliency

Amazon Web Services

AWS per la semplificazione del percorso di conformità al GDPR

Amazon Web Services

AWS Security Week: Threat Detection & Remediation Workshop

Amazon Web Services

AWS Security Fundamentals

Amazon Web Services

Asvs v4 developers and founders

Hemed Gur Ary

MDaemon Spam Filter Recommended Settings

Alt-N Technologies

Introduction to AWS Security

Amazon Web Services

Austin CSS Slalom Presentation

Alert Logic

Advanced Techniques for Securing Web Applications

Amazon Web Services

Secure and Automate AWS Deployments with Next Generation SecurityAmazon Web Services

What's hot (11)

AWS Security Week: Humans & Data Don’t Mix - Best Practices to Secure Your Cloud

Application Resiliency

AWS per la semplificazione del percorso di conformità al GDPR

AWS Security Week: Threat Detection & Remediation Workshop

AWS Security Fundamentals

Asvs v4 developers and founders

MDaemon Spam Filter Recommended Settings

Introduction to AWS Security

Austin CSS Slalom Presentation

Advanced Techniques for Securing Web Applications

Secure and Automate AWS Deployments with Next Generation Security

Viewers also liked

Cloud Based Content Services

Cédric Hüsler

BMO jaarvergadering 2013

Remco Bron

App Safari for Weddingplanners

Remco Bron

IF-MAP protocolТранслируем.бел

MACPA 2013 Innovation Summit - Press Conference

Tom Hood, CPA,CITP,CGMA

Kuba Marchwicki - Speechstorm - Usability w mediach innych niż www3camp

Virtual Recruiter – zwycięzca Startup Weekend Trójmiasto. Od pomysłu do biznesu

3camp

Viewers also liked (7)

Cloud Based Content Services

BMO jaarvergadering 2013

App Safari for Weddingplanners

IF-MAP protocol

MACPA 2013 Innovation Summit - Press Conference

Kuba Marchwicki - Speechstorm - Usability w mediach innych niż www

Virtual Recruiter – zwycięzca Startup Weekend Trójmiasto. Od pomysłu do biznesu

Similar to Craig Spiezle - How Does Your Site Rank? Audit of the Top 500 Ecommerce Sites

Certificates, Revocation and the new gTLD's Oh My!

CASCouncil

Digital Certificates @ ResellerClub

ResellerClub

Office365 in today's digital threats landscape: attacks & remedies from a hac...

Benedek Menesi

Office 365 in today's digital threats landscape: attacks & remedies from a ha...

panagenda

Symantec SSL Explained

Symantec Website Security

Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...

Meghan Weinreich

As the SaaS market continues to swell and become an integral component of business infrastructure, performance and security remains top-of-mind for both SaaS providers and their customers. Underperforming applications and those vulnerable to attacks will inevitably experience a negative impact on revenue, end-user engagement, brand reputation, and customer churn. View this presentation featuring our customer expert from School Loop, a SaaS portal for K-12 schools to communicate internally within schools and externally with students and parents. You will learn: -How School Loop accelerates performance of their application used by 3 million students and parents, even during periods of seasonal or spiky traffic -How to prevent breaches of confidential data and communications via SSL -The benefits of setting up a branded, user friendly custom domain for your customers -How you can ensure uptime against DDoS attacks with the help of Cloudflare

Cyber Security - Boundary Defense Mechanisms

Jim Kaplan CIA CFE

This webinar series is designed to help internal auditors looking to equip themselves with competencies and confidence to handle audit of IT controls and information security, and learn about the emerging technologies and their underlying risks The series focuses on contemporary IT audit approaches relevant to Internal Auditors and the processes underlying risk based IT audits. Session 4 of 10 This Webinar focuses on Boundary Defense Mechanisms • Denying communications with known malicious IP addresses • Rapidly deployment of filters on internal networks • Deploying network-based IDS sensors on Internet and extranet DMZ systems • Seeking unusual attack mechanisms • Implementing Network-based IPS devices • Implementing a secure Network Architecture • Implementing two-factor authentication • Designing internal network segmentation • Designing and implementing network perimeter proxy servers • Denying communications with known malicious IP addresses

Secure Socket Layer SSL Certificate.pptx

AnsarHasas1

SEO benefits | ssl certificate | Learn SEO

devbhargav1

In the digital age, cybersecurity is a paramount concern, and Google is committed to ensuring user safety and privacy. As part of their efforts, they've made SSL certificates a significant factor in search engine optimization (SEO). SSL (Secure Sockets Layer) certificates, indicated by the "https" in website URLs and the padlock symbol in browsers, are not only essential for security but also offer several SEO benefits. In this comprehensive guide, we'll delve into the advantages of having an SSL certificate for SEO.

How Cloud-Based Service Providers Can Integrate Strong Identity and Security

GlobalSign

Our Chief Product Officer, Lila Kee spoke at Cloud Computing Expo in New York. The talk is about how cloud-based service providers must build security and trust into their offerings. It is imperative that as these cloud-based service providers make identity, security, and privacy easy for their customers as customers become more reliant on these offerings. The slides include the best practices for cloud-based service providers and how a superior user experience that is backed by security features will enable business growth and reduce customer churn. You can find out more in our webinar: https://www.globalsign.com/en/lp/webinar-the-business-advantages-of-ssl-as-a-service/

Data security and compliancy in Office 365

Microsoft TechNet - Belgium and Luxembourg

Salesforce shield & summer 20 release

Devendra Sawant

SD-WAN - comSpark 2019

Advanced Technology Consulting (ATC)

Introduction to WebRTC on the Force.com Platform

Salesforce Developers

Security architecture best practices for saas applications

kanimozhin

More Databases. More Hackers. More Audits.

Imperva

Exploding data growth doesn’t mean you have to sacrifice data security or compliance readiness. The more clarity you have into where your sensitive data is and who is accessing it, the easier it is to secure and meet compliance regulations. Walk through this presentation to learn how to: - Detect and block cyber security events in real-time - Protect large and diverse data environments - Simplify compliance enforcements and reporting - Take control of escalating costs.

Cloud Security Standards: What to Expect and What to Negotiate V2.0

Cloud Standards Customer Council

Webinar presentation September 20, 2016. This deck introduces the CSCC’s deliverable, Cloud Security Standards: What to Expect and What to Negotiate V2.0, which was updated in August 2016 to reflect the latest developments in cloud security standards. The presentation is an overview of the various security standards, frameworks, and certifications that exist for cloud computing. This information will help cloud customers understand and distinguish between the different types of security standards that exist and assess the security standards support of their cloud service providers. Read the CSCC's deliverable here: http://www.cloud-council.org/deliverables/cloud-security-standards-what-to-expect-and-what-to-negotiate.htm

Adwebtech ssl presentation_beyond_https

Anju Gigoo

CompTIA Cybersecurity Analyst Certification Tips and Tricks

Joseph Holbrook, Chief Learning Officer (CLO)

By the end of this webinar you should be able to understand Top five skills needed to break into a career in information security analysis Tips and tricks to study for the CS0-001 IDS, Firewalls, etc CompTIA Cybersecurity Analyst (CSA+) is an international, vendor-neutral cybersecurity certification that applies behavioral analytics to improve the overall state of IT security. CSA+ validates critical knowledge and skills that are required to prevent, detect and combat cybersecurity threats.

Security Architecture Best Practices for SaaS Applications

Techcello

Similar to Craig Spiezle - How Does Your Site Rank? Audit of the Top 500 Ecommerce Sites (20)

Certificates, Revocation and the new gTLD's Oh My!

Digital Certificates @ ResellerClub

Office365 in today's digital threats landscape: attacks & remedies from a hac...

Office 365 in today's digital threats landscape: attacks & remedies from a ha...

Symantec SSL Explained

Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...

Cyber Security - Boundary Defense Mechanisms

Secure Socket Layer SSL Certificate.pptx

SEO benefits | ssl certificate | Learn SEO

How Cloud-Based Service Providers Can Integrate Strong Identity and Security

Data security and compliancy in Office 365

Salesforce shield & summer 20 release

SD-WAN - comSpark 2019

Introduction to WebRTC on the Force.com Platform

Security architecture best practices for saas applications

More Databases. More Hackers. More Audits.

Cloud Security Standards: What to Expect and What to Negotiate V2.0

Adwebtech ssl presentation_beyond_https

CompTIA Cybersecurity Analyst Certification Tips and Tricks

Security Architecture Best Practices for SaaS Applications

Recently uploaded

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf

FIDO Alliance

Elevating Tactical DDD Patterns Through Object Calisthenics

Dorra BARTAGUIZ

After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!

Designing Great Products: The Power of Design and Leadership by Chief Designe...

Product School

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...

Ramesh Iyer

In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

FIDO Alliance

Key Trends Shaping the Future of Infrastructure.pdf

Cheryl Hung

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...

Product School

The Future of Platform Engineering

Jemma Hussein Allen

Neuro-symbolic is not enough, we need neuro-*semantic*

Frank van Harmelen

Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”. All of this illustrated with link prediction over knowledge graphs, but the argument is general.

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

Thierry Lestable

DevOps and Testing slides at DASA Connect

Kari Kakkonen

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

Prayukth K V

The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development. The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers: State of global ICS asset and network exposure Sectoral targets and attacks as well as the cost of ransom Global APT activity, AI usage, actor and tactic profiles, and implications Rise in volumes of AI-powered cyberattacks Major cyber events in 2024 Malware and malicious payload trends Cyberattack types and targets Vulnerability exploit attempts on CVEs Attacks on counties – USA Expansion of bot farms – how, where, and why In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East Why are attacks on smart factories rising? Cyber risk predictions Axis of attacks – Europe Systemic attacks in the Middle East Download the full report from here: https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

DanBrown980551

Do you want to learn how to model and simulate an electrical network from scratch in under an hour? Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)! During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook. PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides: - A fully editable and extendable library for grid component modelling; - Visualization tools to display your network; - Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses; The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well. What you will learn during the webinar: - For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills; - For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.

Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...

Product School

Generating a custom Ruby SDK for your web service or Rails API using Smithy

g2nightmarescribd

Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.

Epistemic Interaction - tuning interfaces to provide information for AI support

Alan Dix

Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024 https://alandix.com/academic/papers/synergy2024-epistemic/ As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.

Leading Change strategies and insights for effective change management pdf 1.pdf

OnBoard

From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...

Product School

Monitoring Java Application Security with JDK Tools and JFR Events

Ana-Maria Mihalceanu

Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...

Jeffrey Haguewood

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams. Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Recently uploaded (20)