The document discusses the importance of application security, highlighting significant data breaches and their financial implications for companies, such as Sony's losses from the 2011 PSN outage. It emphasizes the necessity of building security into the software development life cycle to reduce costs associated with vulnerabilities and data loss. The presentation also touches on strategies for improving security practices and the potential economic impact of inadequate security measures.

1. Why care about application security?Paweł Krawczyk (IPSec.pl)pawel.krawczyk@hush.comPresentation licensed under CC BY-NChttp://creativecommons.org/licenses/by-nc/3.0/

2. Sony PSNApril 2011PSN & Qriosity outage80m records lostMay 3Another 25m recordsSony Online Entertainment outage

3. Small issues are importantSony 2011Challenger 1986

4. Top hack (2009)130 million personal recordsCredit card numbers

5. Fast & furious...Source: datalossdb.org

6. $$$SettlementsVisa = $60.0mAmEx = $ 3.5mConsumer = $ 4.8mPonemon Institute estimateAt $60 cost per record = $7.8bNow $140 (2010)Indirect costs (e.g. lost business)Source: datalossdb.org

7. What indirect costs? NYSESource: datalossdb.org

8. Side effectCC’s prices drop on „black market”2008 $10-202009 $2-6Numbers from: Finjan, Kaspersky

9. Is there a grace periodfor startups?

11. Source: dereknewton.com

12. FarmingSource: historyforkids.org

13. Malware farmingMass 500k websites infections2011 (LizaMoon), 2008

18. Your websiteBlacklistedGoogle Safe Browsing, Microsoft Phishing Filter, OpenDNS etc.

19. BestwaystogethackedGuaranteedUse ancient Wordpress, Joomla, PHPbb...Use trivial passwords for FTP, SSH...LikelyWrite your own application...

20. TumblrSource: niebezpiecznik.pl, Reddit

21. Bad news live longSource: niebezpiecznik.pl

22. .plAs seen on 23 March 2011

23. Wyższa Szkoła PolicjiSource: prawo.vagla.pl

24. Sąd Okręgowy w CzęstochowieSource: prawo.vagla.pl

25. Data protection lawsPoland - up to 50’000 PLN finesMay issue order to stop processing dataAudit reports are publicWould you trust them in future?

26. Going international?GBP 5,6mGBP 17,5mGBP 3m

27. How to fix stuff?Source: NASA, Wikipedia (Apollo 13 - 1970)

28. IsSecurityEnemy of economy?

29. SecurityisEconomy

30. Eliminate bugs earlyEarly code auditApplied Software Measurement, Capers Jones, 1996Building Security Into The Software Life Cycle, Marco M. Morana, 2006

31. It’s cheaper than...PentestLate code auditApplied Software Measurement, Capers Jones, 1996Building Security Into The Software Life Cycle, Marco M. Morana, 2006

32. And way cheaper than...Hack!Applied Software Measurement, Capers Jones, 1996Building Security Into The Software Life Cycle, Marco M. Morana, 2006

33. How?Dough Hubbard „The Failure of Risk Management”Security Assurance Maturity Model (OpenSAMM)Security Development Lifecycle (SDL)

34. Outsourcing?Tell them what you need (precisely)UML, BPMN Specify assurance levelOWASP ASVSTrust but verifySupplier due dilligence, audit, pentest

35. Ask peersOWASPOpen Web Application Security Projectwww.owasp.orgISSAInformation Systems Security Associationwww.issa.org.pl