HP Application Security Center
ViViT – Madison, WI (Dec. 4, 2009)



1   12 March 2009
Your Security Will Fail
        … you just don’t know it yet.



Rafal M. Los
Sr. Security Solutions Specialist




© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
22 March 2009
Today’s Agenda
•   Quick Scan of Headliners
    − Incidents & data theft
•   5 Reasons Security Is Failing
    − Security not user-friendly
    − Decentralized data storage
    − Consumerization
    − Passing the buck (aka – liability)
    − Consumer apathy
•   How You Will Succeed
    − Magic pixie dust
Quick Scan of Recent Headlines
•   India vs. Pakistan in “cyber-war”
    − India hacked Pakistan’s websites, Pakistan retaliates (A1)
•   US Pentagon web sites “penetrated” by Chinese
    − “No sites are safe” say the Chinese hackers (A2)
•   Corporate sites hacked
    − Hackers attacking corporate sites (A3-A5)
•   Hacking your way into Harvard (A6)
•   Santa’s Gmail account hacked!
    − Is no one safe? Not even Santa!? (A7)
Security Fails Because…




Security Fails Because…
•   Security is not user-friendly
    − Secure is not second nature
         • Seat belts, dead-bolt locks, locking your car
    − Secure is possible, but requires a PhD
         • Configuring your computer to be “secure”
         • Using minimal browser capabilities (NoScript?)
    − Security measures are complex
         • Tokens, digital certificates, “widgets” and “gadgets”
         • Anti-virus, Anti-Malware, SPAM, trojans, ClickJacking
    − Usability is the arch-enemy of security
         • Why?

Security Fails Because…
•   Data storage is de-centralized
    − How many devices carry “data”?
         • iPod, USB Memory stick, cell phone
         • Many, many other devices store information
    − Castle theory is impossible
         • No “centralized” data store to build defenses around
    − Data in all formats
         • Spreadsheets, databases, txt files, PSTs, PDFs, PPTs, DOCs, et al
    − No one knows where data lives
         • Is *your* corporate data centralized?
         • Can anyone identify data/types/locations for all data?
Security Fails Because…
•    Consumerization drives non-securable technologies
     − Vendors build for “wow factor”
          • Cool sells
          • Secure does not
     − Viral marketing works
          • iPhone, iPod vs. Windows Mobile, Zune
     − Corporations cannot deal with all the gadgets
          • Gadgets don’t include enterprise features
          • No way to secure this stuff!
     − It just shows up one day
          • New devices show up on the corp. network every day
Security Fails Because…
•    Businesses pass the [risk] buck
     − “Not my problem” mentality
          • Contracts write liability down the chain
          • Customers responsible for own security
     − Contracts are brutal
          • Corporations pass liability to vendors
     − Corporations don’t understand impact
          • Liability is one thing, public opinion… another
          • Customers don’t care for liability write-offs
     − The pen is mightier (so is the blog)
          • Bloggers and digital media expose breaches

Security Fails Because…
•    End-users still don’t get it
     − End-users still apathetic about security
          • Who cares if my computer is hacked?
          • What would hackers want with my information?
     − Wait until your identity is stolen…
          • Costs are huge in dollars and time
     − End-users think corporations protect them
          • … but companies don’t do enough
          • … but no one can protect you from yourself
     − Apathy to outrage
          • “Why didn’t someone tell me”… when it’s too late

Security Has No End-Game
•    Live to fight another day
     − Mitigate immediate risks
     − Secure what you can
     − Educate and empower end-users
     − Make it simple, stupid
•    People, Process, Tools are the foundation
     − People: educate, empower, assist
     − Process: easier to do the right thing, not the wrong
     − Tools: don’t replace people, make them efficient


You Can Succeed




You Can Succeed
•    People: Providing guidance on secure application development
     − Educate and empower
     − HP ASC Security Team can help!
•    Process: Security cannot be an afterthought
     − Repeatable processes
     − Secure coding practices
     − Web Security Policies and Standards
•    Tools: Coverage for the entire SDLC
     − WebInspect
     − QAInspect
     − DevInspect
     − AMP platform
Are You Ready? Take the First Step.




“The journey of a thousand miles must begin with a single step” -- Chinese proverb



Rafal “Raf” M. Los
Sr. Security Solutions Consultant - HP Application Security Center
Direct - (404) 606-6056 - email: Rafal@hp.com
http://www.communities.hp.com/securitysoftware/blogs/rafal/
Appendix
References
A1. http://www.arsalanonline.com/2008/11/indian-website-hacked-pakistani-hackers-response-to-ogra-website-hacking/
A2. http://www.cnn.com/2008/TECH/03/07/china.hackers/index.html
A3. http://www.engadgethd.com/tag/Tweeter/
A4. http://www.pcworld.com/printable/article/id,148007/printable.html
A5. http://cyberinsecure.com/businessweek-online-content-hit-by-sql-injection/
A6. http://www.accessmylibrary.com/coms2/summary_0286-8459030_ITM
A7. http://preachsecurity.blogspot.com/2008/12/santas-gmail-hacked-is-nothing-sacred.html

Failed - Why Security Fails And What To Do v08.1204a
