WHO AM I?
Alison Gianotto (aka “snipe”)

• Former agency CTO/CSO
• Security & privacy advocate
• 20 years in IT & software development
• Co-author of a few PHP/MySQL books
• Survivor of more corporate audits than I care to remember
• @snipeyhead on Twitter

dotScale May 2014 - #dotScale
IT IS IMPOSSIBLE TO ANTICIPATE EVERY RISK.
Srsly.

IT IS INAPPROPRIATE TO MITIGATE EVERY RISK.
No, Srsly.
WHY PEOPLE HACK

• To steal/sell identities, credit card numbers, corporate secrets, military secrets
• Fun/Notoriety
• Political (“Hacktivism”)
• Revenge
• Blackhat SEO
• Extortion/Ransomware
MEGA BREACHES: RESULTING IN PERSONAL DETAILS OF >= 10 MILLION IDENTITIES EXPOSED IN AN INDIVIDUAL INCIDENT.

THERE WERE EIGHT MEGA-BREACHES IN 2013, COMPARED WITH ONLY ONE IN 2012. (+700%)
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
OCT 2013: ADOBE
EXPOSED CUSTOMER DATA, DEBIT/CREDIT CARD NUMBERS, SOURCE
IMPACTED: 152 MILLION USERS
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014

DEC 2013: TARGET
EXPOSED CUSTOMER DATA, DEBIT/CREDIT CARD NUMBERS, PINS
IMPACTED: 110 MILLION USERS
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
BREACH GROWTH

Data Stolen:
• credit card info
• birth dates
• government ID numbers
• home addresses
• medical records
• phone numbers
• financial information
• email addresses
• login
• passwords

Identities Stolen by Year (in Millions): 2011: 232; 2013: 552
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
ATTACKS PER DAY
2011: 190,000
2012: 464,000
2013: 570,000
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
SOMETIMES YOUR EFFORTS TO MITIGATE RISK CAN INCREASE YOUR ATTACK SURFACE.
Because THAT’S fair.
DEFENSE IN DEPTH PROMISES

• Mitigates single points of failure. (“Bus factor”)
• Requires more effort on the part of the attacker, theoretically exhausting attacker resources.

Except...
DEFENSE IN DEPTH CHALLENGES

• Larger, more complicated systems are harder to maintain.
• Can lead to more cracks for bad guys to poke at.
• More surfaces that can be overlooked.
• The bad guys have nearly limitless resources. We don’t.
• Attacks are commoditized now. Botnets for $2/hour.
HACKERS ARE NOT YOUR ONLY PROBLEM.
Sorry. :(

CIA: Confidentiality, Integrity & Availability
CONFIDENTIALITY IS A SET OF RULES THAT LIMITS ACCESS TO INFORMATION.

INTEGRITY IS THE ASSURANCE THAT THE INFORMATION IS TRUSTWORTHY & ACCURATE.

AVAILABILITY IS A GUARANTEE OF READY ACCESS TO THE INFO BY AUTHORIZED PEOPLE.
APPSEC STRATEGY: PICK TWO
(The three corners of the triangle: ABSOLUTELY F*CKED, UTTERLY F*CKED, COMPLETELY F*CKED.)
CREATING A RISK MATRIX

• Type of resource
• Third-Party
• Diagram ID
• Description
• Triggering Action
• Consequence of Failure
• Risk of Failure
• Probability of Failure
• User Impact
• Method used for monitoring this risk
• Efforts to Mitigate in Case of Failure
• Contact info

Grab a starter template here! http://snipe.ly/risk_matrix
20 THINGS YOU CAN START DOING TODAY.
Dooo eeeeeet.
#1. CAPTURE ALL THE FLAGS!

WHAT DEVS LEARN FROM CTF
• Strip specific messaging from login forms.
• Use solid password hashing + salting like bcrypt.
• Implement brute-force prevention for all login systems.
• Encrypt everything, where feasible.
• Suppress debugging and server information (language/framework versions, web server versions, stack-traces, etc.)
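The login-form lessons on this slide (generic error messaging, salted slow hashing, brute-force lockout, no leaked internals) worked through as an added example; this is not the speaker's code. It uses the standard-library PBKDF2-HMAC-SHA256 as a stand-in for the bcrypt the slide recommends so it runs without third-party packages, and the user, clock and messages are constructed.

```python
"""Login flow applying the CTF lessons listed above (constructed example)."""
import hashlib
import hmac
import os
import time
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

# Stand-in for bcrypt: PBKDF2-HMAC-SHA256 from the standard library. Slow on
# purpose; tune the iteration count so one check costs ~100 ms on your hardware.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
MAX_FAILURES = 5            # failed attempts tolerated per account ...
LOCKOUT_SECONDS = 900       # ... inside this sliding window
# One message for every failure path: unknown user, wrong password, locked out,
# or an internal error. The form never says which (lesson 1 on the slide).
GENERIC_ERROR = "Invalid username or password."


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || digest. A fresh random salt per user defeats rainbow tables."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt; compare in constant time."""
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class LoginService:
    """users maps username -> hash_password() output. The clock is injectable so
    the lockout window can be exercised without sleeping."""

    def __init__(self, users: Dict[str, bytes], clock: Callable[[], float] = time.monotonic):
        self.users = users
        self.clock = clock
        self.failures: Dict[str, List[float]] = defaultdict(list)
        self.audit_log: List[str] = []       # internal only; never shown to the client
        # Verified for unknown usernames so response time does not reveal
        # whether an account exists.
        self._dummy = hash_password(os.urandom(16).hex())

    def _locked(self, username: str) -> bool:
        now = self.clock()
        recent = [t for t in self.failures[username] if now - t < LOCKOUT_SECONDS]
        self.failures[username] = recent
        return len(recent) >= MAX_FAILURES

    def login(self, username: str, password: str) -> Tuple[bool, str]:
        """Return (success, message for the form)."""
        try:
            if self._locked(username):
                self.audit_log.append(f"lockout: {username!r}")
                return False, GENERIC_ERROR
            stored = self.users.get(username)
            if stored is None:
                verify_password(password, self._dummy)   # burn the same time
                ok = False
            else:
                ok = verify_password(password, stored)
            if not ok:
                self.failures[username].append(self.clock())
                self.audit_log.append(f"failed login: {username!r}")
                return False, GENERIC_ERROR
            self.failures.pop(username, None)
            return True, "Welcome."
        except Exception as exc:
            # Detail goes to the internal log; the client gets no exception
            # type, message or stack trace (lesson 5 on the slide).
            self.audit_log.append(f"login error for {username!r}: {type(exc).__name__}")
            return False, GENERIC_ERROR


if __name__ == "__main__":
    # Constructed sample data.
    svc = LoginService({"alice": hash_password("correct horse battery staple")})
    print(svc.login("alice", "correct horse battery staple"))  # (True, 'Welcome.')
    print(svc.login("alice", "guess"))      # (False, 'Invalid username or password.')
    print(svc.login("mallory", "guess"))    # same message: no user enumeration
```

Swap `hash_password`/`verify_password` for a maintained bcrypt or argon2 binding in production; the lockout and messaging logic stays the same.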
  
#2. START EVERY PROJECT RISK-FIRST.

#3. BUILD A CLEAR INVENTORY OF SURFACE AREAS AND THEIR VALUE.

#4. RISK MATRIX FOR EVERY MAJOR PROJECT OR PRODUCT.

#5. KNOW WHAT HAPPENS WHEN THIRD-PARTY SERVICES FAIL.

#6. TRUST YOUR GUT. WHEN SOMETHING DOESN’T LOOK RIGHT, IT PROBABLY ISN’T.

#7. KEEP YOUR SYSTEMS AS SIMPLE AS POSSIBLE.

#8. INCREASED TRANSPARENCY REDUCES RISK ACROSS DEPARTMENTS.

#9. GET TO KNOW YOUR USERS’ BEHAVIOR. BE SUSPICIOUS IF IT CHANGES FOR NO REASON.

#10. AUTOMATE EVERYTHING.

#11. LOG (ALMOST) EVERYTHING. KNOW WHERE YOUR LOGS ARE.

#12. ALWAYS EMPLOY THE PRINCIPLE OF “LEAST PRIVILEGE”.

#13. ONLY COLLECT THE DATA YOU ABSOLUTELY NEED.

#14. IMPLEMENT TWO-FACTOR AUTHENTICATION. IT’S EASIER THAN YOU THINK.

#15. CREATE A DATA RECOVERY PLAN AND TEST IT. NO, REALLY. TEST IT. MORE THAN ONCE.

#16. MOAR PAPERWORK!

#17. LEVERAGE BUILT-IN VALIDATION/SANITIZATION FROM FRAMEWORKS.

#18. PERFORM REGULAR WHITE-BOX AND BLACK-BOX TESTING.

#19. PAY ATTENTION TO YOUR ALERTS.

#20. BECOME A PASSIONATE SECURITY AMBASSADOR FOR YOUR USERS.

THANK YOU!
Alison Gianotto (aka “snipe”)
• @snipeyhead on Twitter
• snipe@snipe.net

UiPath Studio Web workshop series - Day 8
 

dotScale 2014

  • 1. WHO AM I? Alison Gianotto (aka “snipe”)
      • Former agency CTO/CSO
      • Security & privacy advocate
      • 20 years in IT & software development
      • Co-author of a few PHP/MySQL books
      • Survivor of more corporate audits than I care to remember
      • @snipeyhead on Twitter
      dotScale May 2014 - #dotScale
  • 2. IT IS IMPOSSIBLE TO ANTICIPATE EVERY RISK. Srsly.
  • 3. IT IS INAPPROPRIATE TO MITIGATE EVERY RISK. No, Srsly.
  • 4. WHY PEOPLE HACK
      • To steal/sell identities, credit card numbers, corporate secrets, military secrets
      • Fun/Notoriety
      • Political (“Hacktivism”)
      • Revenge
      • Blackhat SEO
      • Extortion/Ransomware
  • 5. MEGA BREACHES: RESULTING IN PERSONAL DETAILS OF >= 10 MILLION IDENTITIES EXPOSED IN AN INDIVIDUAL INCIDENT.
  • 6. THERE WERE EIGHT MEGA-BREACHES IN 2013, COMPARED WITH ONLY ONE IN 2012. (+700%) Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
  • 7. OCT 2013: ADOBE. EXPOSED CUSTOMER DATA, DEBIT/CREDIT CARD NUMBERS, SOURCE. IMPACTED: 152 MILLION USERS. Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
  • 8. DEC 2013: TARGET. EXPOSED CUSTOMER DATA, DEBIT/CREDIT CARD NUMBERS, PINS. IMPACTED: 110 MILLION USERS. Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
  • 9. BREACH GROWTH
      Identities Stolen by Year (in Millions): 2011: 232; 2013: 552.
      Data stolen: credit card info, birth dates, government ID numbers, home addresses, medical records, phone numbers, financial information, email addresses, login, passwords.
      Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
  • 10. ATTACKS PER DAY: 2011: 190,000; 2012: 464,000; 2013: 570,000. Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
  • 11. SOMETIMES YOUR EFFORTS TO MITIGATE RISK CAN INCREASE YOUR ATTACK SURFACE. Because THAT’S fair.
  • 12. DEFENSE IN DEPTH PROMISES
      • Mitigates single points of failure. (“Bus factor”)
      • Requires more effort on the part of the attacker, theoretically exhausting attacker resources.
      Except...
  • 13. DEFENSE IN DEPTH CHALLENGES
      • Larger, more complicated systems are harder to maintain.
      • Can lead to more cracks for bad guys to poke at.
      • More surfaces that can get overlooked.
      • The bad guys have nearly limitless resources. We don’t.
      • Attacks are commoditized now. Botnets for $2/hour.
  • 14. HACKERS ARE NOT YOUR ONLY PROBLEM. Sorry. :(
  • 16. CONFIDENTIALITY IS A SET OF RULES THAT LIMITS ACCESS TO INFORMATION.
  • 17. INTEGRITY IS THE ASSURANCE THAT THE INFORMATION IS TRUSTWORTHY & ACCURATE.
  • 18. AVAILABILITY IS A GUARANTEE OF READY ACCESS TO THE INFO BY AUTHORIZED PEOPLE.
  • 19. APPSEC STRATEGY: PICK TWO. Absolutely f*cked / Utterly f*cked / Completely f*cked.
  • 20. CREATING A RISK MATRIX
      • Type of resource
      • Third-Party
      • Diagram ID
      • Description
      • Triggering Action
      • Consequence of Failure
      • Risk of Failure
      • Probability of Failure
      • User Impact
      • Method used for monitoring this risk
      • Efforts to Mitigate in Case of Failure
      • Contact info
      Grab a starter template here! http://snipe.ly/risk_matrix
  • 21. 20 THINGS YOU CAN START DOING TODAY. Dooo eeeeeet.
  • 22. #1. CAPTURE ALL THE FLAGS!
  • 23. WHAT DEVS LEARN FROM CTF
      • Strip specific messaging from login forms.
      • Use solid password hashing + salting like bcrypt.
      • Implement brute-force prevention for all login systems.
      • Encrypt everything, where feasible.
      • Suppress debugging and server information (language/framework versions, web server versions, stack traces, etc.)
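The first three CTF lessons on slide 23 (generic login messaging, a salted slow hash, brute-force throttling) in one small login check. This is an added example, not code from the talk; it uses PBKDF2 from the standard library as a stand-in for the bcrypt the slide names, and the user table, clock and lockout numbers are constructed here.

```python
import hashlib
import hmac
import os
import time

# PBKDF2-HMAC-SHA256 is used only because it ships in the standard library; bcrypt
# (the slide's pick) is the same idea, salt + deliberately expensive hash, via the
# third-party `bcrypt` package. Lockout numbers below are illustrative assumptions.
ITERATIONS = 200_000
MAX_FAILURES = 5          # failed attempts before the account is throttled
LOCKOUT_SECONDS = 900     # how long the throttle lasts
GENERIC_ERROR = "Invalid username or password."  # one message for every failure

# Dummy salt/digest used when the username does not exist, so an unknown user costs
# the same hash computation as a known one and the response time does not reveal it.
_DUMMY_SALT = bytes(16)
_DUMMY_DIGEST = bytes(32)


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


class LoginService:
    """Salted slow hash, generic errors, lockout after repeated failures."""

    def __init__(self, users, now=time.time):
        self._users = users        # username -> (salt, digest); constructed test data
        self._failures = {}        # username -> (count, window_start)
        self._now = now            # injectable clock so tests can advance time

    def login(self, username, password):
        now = self._now()
        count, start = self._failures.get(username, (0, now))
        if count >= MAX_FAILURES and now - start < LOCKOUT_SECONDS:
            return False, GENERIC_ERROR      # throttled; same message as a bad password
        stored = self._users.get(username)
        salt, digest = stored if stored else (_DUMMY_SALT, _DUMMY_DIGEST)
        _, candidate = hash_password(password, salt)
        if stored is not None and hmac.compare_digest(candidate, digest):
            self._failures.pop(username, None)   # success clears the failure counter
            return True, "ok"
        if now - start >= LOCKOUT_SECONDS:       # old window expired: count afresh
            count, start = 0, now
        self._failures[username] = (count + 1, start)
        return False, GENERIC_ERROR
```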
  • 24.
  • 25. #2. START EVERY PROJECT RISK-FIRST.
  • 26. #3. BUILD A CLEAR INVENTORY OF SURFACE AREAS AND THEIR VALUE.
  • 27. #4. RISK MATRIX FOR EVERY MAJOR PROJECT OR PRODUCT.
  • 28. #5. KNOW WHAT HAPPENS WHEN THIRD-PARTY SERVICES FAIL.
  • 29. #6. TRUST YOUR GUT. WHEN SOMETHING DOESN’T LOOK RIGHT, IT PROBABLY ISN’T.
  • 30. #7. KEEP YOUR SYSTEMS AS SIMPLE AS POSSIBLE.
  • 31. #8. INCREASED TRANSPARENCY REDUCES RISK ACROSS DEPARTMENTS.
  • 32. #9. GET TO KNOW YOUR USERS’ BEHAVIOR. BE SUSPICIOUS IF IT CHANGES FOR NO REASON.
  • 33. #10. AUTOMATE EVERYTHING.
  • 34. #11. LOG (ALMOST) EVERYTHING. KNOW WHERE YOUR LOGS ARE.
  • 35. #12. ALWAYS EMPLOY THE PRINCIPLE OF “LEAST PRIVILEGE”.
  • 36. #13. ONLY COLLECT THE DATA YOU ABSOLUTELY NEED.
  • 37. #14. IMPLEMENT TWO-FACTOR AUTHENTICATION. IT’S EASIER THAN YOU THINK.
  • 38. #15. CREATE A DATA RECOVERY PLAN AND TEST IT. NO, REALLY. TEST IT. MORE THAN ONCE.
  • 39. #16. MOAR PAPERWORK!
  • 40. #17. LEVERAGE BUILT-IN VALIDATION/SANITIZATION FROM FRAMEWORKS.
  • 41. #18. PERFORM REGULAR WHITE-BOX AND BLACK-BOX TESTING.
  • 42. #19. PAY ATTENTION TO YOUR ALERTS.
  • 43. #20. BECOME A PASSIONATE SECURITY AMBASSADOR FOR YOUR USERS.
  • 44. THANK YOU! Alison Gianotto (aka “snipe”)
      • @snipeyhead on Twitter
      • snipe@snipe.net