
Web Application Security For Small and Medium Businesses



  1. Web Application Security For Small and Medium Businesses. Will Bechtel, Director, Product Management, Qualys, Inc. (Confidential). May 24, 2012.
  2. Why Web App Security Matters (source: 2012 Verizon Data Breach Investigation Report)
     How do breaches occur?
     •  81% utilized some form of hacking (+31%)
     How are web apps involved?
     •  Web applications were associated with over a third of total data loss
     What can you do to help your organization?
     •  92% of incidents were discovered by a third party
     •  97% of breaches were avoidable through simple or intermediate controls
  3. Why Web App Security Matters: Compromised Assets by percent of breaches and percent of records*
     Type                                  Category
     POS server (store controller)         Servers
     POS terminal                          User devices
     Desktop/Workstation                   User devices
     Automated Teller Machine (ATM)        User devices
     Web/application server                Servers
     Database server                       Servers
     Regular employee/end-user             People
     Mail server                           Servers
     Payment card (credit, debit, etc.)    Offline data
     Cashier/Teller/Waiter                 People
     Pay at the Pump terminal              User devices
     File server                           Servers
     Laptop/Netbook                        User devices
     Remote access server                  Servers
     Call Center Staff                     People
     Percentage columns (All Orgs: breaches, records; Larger Orgs: breaches, records), as extracted; the column-to-row alignment did not survive extraction:
     50% 35% 18% 8% 6% 6% 3% 3% 3% 2% 2% 1% 1% 1% 1% 1% <1% | 34% 21% 80% 96% 1% 2% <1% <1% <1% <1% <1% <1% <1% 2% 2% | 12% 13% 33% 33% 5% 10% 0% 2% 0% 5% 5% 7% 7% <1% <1% | 36% 21% 82% 98% <1% 2% <1% <1% <1% <1% <1% <1% <1%
     *Assets involved in less than 1% of breaches are not shown
  4. Web Application Security Overview for SMB
     Part of an overall security program
     •  Should be founded in Governance and Policy
     •  Should be based on standards and best practices
     •  Must be supported by management to be effective
     Third Party Applications
     •  Purchased to support the business
     •  Could be commercial off the shelf (COTS)
     •  May be developed, customized or supported by a 3rd party
     Internally Developed
     •  For many small and medium businesses, the web app IS the business
     •  Access to developers
     •  May need to support customers
  5. Web Application Security Drivers
     Compliance
     •  Payment Card Industry (PCI)
     •  Privacy Regulations
     •  GLBA, SB1386, FCC
     Partnerships
     •  Must demonstrate current and ongoing security
     •  Usually confirmed by a 3rd party
     Revenue and Brand Reputation
     •  Loss of revenue while you stop to address issues or are taken down by hackers
     •  Loss of reputation that may be documented forever
     •  Breach notification costs
  6. Web Application Security: Conventional web application security program
  7. Web Application Security: Conventional web application security program
     Secure Development
     •  Secure SDLC
     •  Static Analysis
     •  Dynamic Analysis
     Secure Deployment
     •  Vulnerability Scanning
     •  Penetration Testing
     Secure Operation
     •  Web Application Firewall (WAF)
     •  Penetration Testing
     •  Vulnerability Assessment
     •  Activity Monitoring
  8. Web Application Security: SMB focus
     Secure Development
     •  Secure SDLC
        −  Internal development: Security Requirements, Secure Design
        −  3rd Party: Review vendor secure dev process
     •  Dynamic Analysis
        −  Automated scanning/Interactive Testing
     Secure Deployment
     •  Vulnerability Scanning
        −  Automated scanning
     Secure Operation
     •  Vulnerability Assessment
     •  Activity Monitoring
  9. Web Application Security: Dynamic Analysis/Vulnerability Scanning
     Detect Web Application Security Flaws
     •  Cost effective
     •  OWASP Top 10 (SQL Injection, XSS, etc.)
     •  Authenticate, crawl the web application, test
     •  Create a report of security flaws
     •  Validation of issues/Remediation
     •  Used by Compliance/Partners
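The four-step scanner workflow on slide 9 (authenticate, crawl the application, test, report), written out as an added Python example; this is not Qualys code and not part of the deck. The target application, its session cookie and the `scanner`/`scan-pass` credentials are constructed in-memory stand-ins so the script runs offline, and the two passive checks (anti-framing headers, anti-CSRF fields on POST forms) stand in for a real scanner's much larger check set. The point a practitioner should take from it is the authentication step: without a valid session the crawl never reaches the post-login surface, so those pages are never tested.

```python
"""Authenticate, crawl, test, report: the slide-9 scanner workflow as an
added example. The target is a constructed in-memory site (runs offline)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed stand-in for the web application under test (not a real site).
# path -> (status, response headers, body); paths in PRIVATE need the session.
PAGES = {
    "/": (200, {"Content-Type": "text/html"},
          '<a href="/about">About</a><a href="/account">My account</a>'
          '<a href="https://other.example/x">partner</a>'
          '<form method="post" action="/subscribe"><input name="email"></form>'),
    "/about": (200, {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
               '<form method="get" action="/search"><input name="q"></form>'),
    "/account": (200, {"Content-Type": "text/html"},
                 '<form method="post" action="/account/email"><input name="email">'
                 '<input type="hidden" name="csrf_token" value="t"></form>'
                 '<a href="/account/export">Export</a>'),
    "/account/export": (200, {"Content-Type": "text/csv"}, "id,email\n1,a@example"),
}
PRIVATE = {"/account", "/account/export"}
SESSION_COOKIE = "sid=0123abcd"  # constructed value the fake /login hands out

def fetch(path, cookie=None):
    """Stand-in for HTTP GET: private pages redirect to /login without the session."""
    if path in PRIVATE and cookie != SESSION_COOKIE:
        return 302, {"Location": "/login"}, ""
    return PAGES.get(path, (404, {}, ""))

def authenticate(user, password):
    """Stand-in for POST /login; returns the session cookie on success, else None."""
    return SESSION_COOKIE if (user, password) == ("scanner", "scan-pass") else None

class LinkFormParser(HTMLParser):
    """Collect <a href> targets and <form> descriptions from one HTML page."""
    def __init__(self):
        super().__init__()
        self.links, self.forms, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"method": (a.get("method") or "get").lower(),
                          "action": a.get("action") or "", "fields": []}
        elif tag == "input" and self._form is not None:
            self._form["fields"].append(a.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None

def crawl(start, cookie, limit=50):
    """Breadth-first crawl of same-host links; returns path -> (status, headers, forms)."""
    host = urlparse(start).netloc
    seen, queue, pages = set(), [start], {}
    while queue and len(pages) < limit:
        url = queue.pop(0)
        parsed = urlparse(url)
        if url in seen or parsed.netloc != host:   # stay in scope, visit once
            continue
        seen.add(url)
        status, headers, body = fetch(parsed.path, cookie)
        parser = LinkFormParser()
        if "text/html" in headers.get("Content-Type", ""):
            parser.feed(body)
            queue.extend(urljoin(url, href) for href in parser.links)
        pages[parsed.path] = (status, headers, parser.forms)
    return pages

def check_pages(pages):
    """Passive checks over crawled pages; each finding is (path, check, detail)."""
    findings = []
    for path, (status, headers, forms) in pages.items():
        if status != 200:
            continue
        csp = headers.get("Content-Security-Policy", "")
        if ("text/html" in headers.get("Content-Type", "")
                and "X-Frame-Options" not in headers and "frame-ancestors" not in csp):
            findings.append((path, "clickjacking", "no X-Frame-Options / CSP frame-ancestors"))
        for form in forms:
            names = [n.lower() for n in form["fields"]]
            if form["method"] == "post" and not any("csrf" in n or "token" in n for n in names):
                findings.append((urljoin(path, form["action"]), "csrf",
                                 "state-changing form without an anti-CSRF field"))
    return findings

def scan(start, user=None, password=None):
    """Run the four steps and return the report; crawls unauthenticated if login fails."""
    cookie = authenticate(user, password) if user else None
    pages = crawl(start, cookie)
    return {"authenticated": cookie is not None,
            "pages": sorted(pages), "findings": check_pages(pages)}

if __name__ == "__main__":
    for line in scan("https://app.example/", "scanner", "scan-pass")["findings"]:
        print("%-18s %-13s %s" % line)
```

Running `scan` with the credentials reaches `/account` and `/account/export` and reports three findings; running it without credentials stops at the login redirect and reports only the two on the public front page, which is the coverage gap the "Authenticate" step exists to close.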
  10. Web Application Security: Dynamic Analysis/Vulnerability Scanning
     Installed Software Scanners
     •  Interactive use, targeted at trained appsec resources
     •  Installed on workstation/server
     •  Data management not included
     Cloud SaaS Services
     •  Highly automated
     •  No installation, easy to set up, annual subscription
     •  Data management included
  11. Web Application Security Summary
     Part of an overall security program
     •  Should be founded in Governance and Policy
     •  Should be based on standards and best practices
     •  Must be supported by management to be effective
     Security in 3 Phases
     •  Development
     •  Deployment
     •  Operation
     Determine mix of cost effective controls
     •  Ensure secure SDLC
     •  Test for security flaws (Scan/Pen Test)
     •  Monitor
  12. Web Application Security: More information (Resources)
     •  Open Web Application Security Project (OWASP): http://www.owasp.org/
     •  Web Application Security: How to Minimize the Risk of Attacks: http://www.qualys.com/forms/guides/was_minimize_risk/
     •  Building a Web Application Security Program: http://www.qualys.com/forms/whitepapers/building_was_program/
     •  Web Application Security for Dummies: http://www.qualys.com/forms/ebook/wasfordummies/
  13. Thank You. Will Bechtel, wbechtel@qualys.com
