Security programs and efforts (particularly in web application security) more often than not fail. You can do something about it: this presentation gives you an overview of how to start understanding the problem and how to succeed, from our point of view.
3. Today’s Agenda
• Quick Scan of Headlines
− Incidents & data theft
• 5 Reasons Security Is Failing
− Security not user-friendly
− Decentralized data storage
− Consumerization
− Passing the buck (aka – liability)
− Consumer apathy
• How You Will Succeed
− Magic pixie dust
3 12 March 2009
6. Quick Scan of Recent Headlines
• India vs. Pakistan in “cyber-war”
− India hacked Pakistan’s websites, Pakistan retaliates (A1)
• US Pentagon web sites “penetrated” by Chinese
− “No sites are safe” say the Chinese hackers (A2)
• Corporate sites hacked
− Hackers attacking corporate sites (A3-A5)
• Hacking your way into Harvard (A6)
• Santa’s Gmail account hacked!
− Is no one safe? Not even Santa!? (A7)
8. Security Fails Because…
• Security is not user-friendly
− Secure is not second nature
• Seat belts, dead-bolt locks, locking your car
− Secure is possible, but requires a PhD
• Configuring your computer to be “secure”
• Using minimal browser-capabilities (NoScript?)
− Security measures are complex
• Tokens, digital certificates, “widgets” and “gadgets”
• Anti-virus, Anti-Malware, SPAM, trojans, ClickJacking
− Usability is the arch enemy of security
• Why?
9. Security Fails Because…
• Data storage is de-centralized
− How many devices carry “data”
• iPod, USB Memory stick, cell phone
• Many, many other devices store information
− Castle theory is impossible
• No “centralized” data store to build defenses around
− Data in all formats
• Spreadsheets, databases, txt files, PSTs, PDFs, PPTs, DOCs, et al
− No one knows where data lives
• Is *your* corporate data centralized?
• Can anyone identify data/types/locations for all data?
10. Security Fails Because…
• Consumerization drives non-securable technologies
− Vendors build for “wow factor”
• Cool sells
• Secure does not
− Viral marketing works
• iPhone, iPod vs. Windows Mobile, Zune
− Corporations cannot deal with all the gadgets
• Gadgets don’t include enterprise features
• No way to secure this stuff!
− It just shows up one day
• New devices show up on the corp. network every day
11. Security Fails Because…
• Businesses pass the [risk] buck
− “Not my problem” mentality
• Contracts write liability down the chain
• Customers responsible for own security
− Contracts are brutal
• Corporations pass liability to vendors
− Corporations don’t understand impact
• Liability is one thing, public opinion… another
• Customers don’t care for liability write-offs
− The pen is mightier (so is the blog)
• Bloggers and digital media expose breaches
12. Security Fails Because…
• End-users still don’t get it
− End-users still apathetic about security
• Who cares if my computer is hacked?
• What would hackers want with my information?
− Wait until your identity is stolen…
• Costs are huge in dollars and time
− End-users think corporations protect them
• … but companies don’t do enough
• … but no one can protect you from yourself
− Apathy to outrage
• “Why didn’t someone tell me”… when it’s too late
13. Security Has No End-Game
• Live to fight another day
− Mitigate immediate risks
− Secure what you can
− Educate and empower end-users
− Make it simple, stupid
• People, Process, Tools are the foundation
− People: educate, empower, assist
− Process: easier to do the right thing, not the wrong
− Tools: don’t replace people, make them efficient
15. You Can Succeed
• People: Providing guidance on secure application development
− Educate and empower
− HP ASC Security Team can help!
• Process: Security cannot be an afterthought
− Repeatable processes
− Secure coding practices
− Web Security Policies and Standards
• Tools: Coverage for the entire SDLC
− WebInspect
− QAInspect
− DevInspect
− AMP platform
17. “The journey of a thousand miles must begin with a single step”
-- Chinese proverb
Rafal “Raf” M. Los
Sr. Security Solutions Consultant - HP Application Security Center
Direct - (404) 606-6056 - email: Rafal@hp.com
http://www.communities.hp.com/securitysoftware/blogs/rafal/