15 years of Web Security
The Rebellious Teenage Years
Jeremiah Grossman
Founder: WhiteHat Security, Inc.
Twitter: @jeremiahg
Jeremiah Grossman
Hacker
2015 OWASP WebAppSec Person of the Year
Brazilian Jiu-Jitsu Black Belt
WhiteHat Security
We help secure the Web by finding application vulnerabilities, in the source code all the way through to production, and help companies get them fixed, before the bad guys exploit them.
Founded: 2001
Headquarters: Santa Clara
Employees: 300+
WhiteHat Security
7 of 18 Top Commercial Banks
10 of 50 Top Largest Banks
6 of 16 Top Software Companies
4 of 8 Top Consumer Financial Services
1000+ Active Customers
#63 Fortune 500
My Areas of Focus
- Threat Actors: Innovating, scaling, or both?
- Intersection of security guarantees and cyber-insurance
- Easing the burden of vulnerability remediation
- Measuring the impact of SDLC security controls
- Addressing the application security skill shortage
Threat Actors
Hacktivists, Organized Crime, Nation State, Terrorists?
WebApp Attacks Adversaries Use
“This year, organized crime became the most frequently seen threat actor for Web App Attacks” (Verizon 2015 Data Breach Investigations Report)
Share of web app attacks by variety (chart data, largest first):
Use of Stolen Credit Cards: 50.7%
Use of Backdoor or C2: 40.5%
SQLI: 19.0%
RFI: 8.3%
Abuse of Functionality: 8.3%
Brute Force: 6.8%
XSS: 6.3%
Path Traversal: 3.4%
Forced Browsing: 2.0%
OS Commanding: 1.5%
Security Industry Spends Billions
“2015 Global spending on information security is set to grow by close to 5% this year to top $75BN, according to the latest figures from Gartner”
Vulnerability Likelihood (1 or more)
[Chart: likelihood that a site has at least one vulnerability of a given class; the class labels did not survive extraction. Values shown: 70%, 56%, 47%, 29%, 26%, 24%, 16%, 15%, 11%, 11%, 8%, 6%, 6%, 6%, 5%.]
Average Time-to-Fix (Days)
[Chart: average days to fix, per vulnerability class; the class labels did not survive extraction. Values shown: 73, 97, 99, 108, 111, 130, 132, 136, 158, 160, 191, 192, 227.]
Windows of Exposure
- A large percentage of websites are always vulnerable
- 60% of all Retail are always vulnerable
- 52% of all Healthcare and Social Assistance sites are always vulnerable
- 38% of all Information Technology websites are always vulnerable
- 39% of all Finance and Insurance websites are always vulnerable

Window of exposure by industry (share of sites in each band):
| Window of Exposure | Retail Trade | Information | Health Care & Social Assistance | Finance & Insurance |
| Always Vulnerable | 60% | 38% | 52% | 39% |
| Frequently Vulnerable (271-364 days a year) | 9% | 11% | 11% | 14% |
| Regularly Vulnerable (151-270 days a year) | 10% | 14% | 12% | 11% |
| Occasionally Vulnerable (31-150 days a year) | 11% | 16% | 11% | 18% |
| Rarely Vulnerable (30 days or less a year) | 11% | 22% | 14% | 17% |
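The window-of-exposure bands above, and the time-to-fix and remediation-rate figures used in the later survey slides, are metrics you can compute from your own scanner output. The following is an added example, not code from the presentation or from WhiteHat Sentinel: it takes a list of findings (site, date opened, date closed or still open), counts the days in a year on which each site had at least one open finding (overlapping findings are unioned so no day is double-counted, and findings that straddle the year boundary are clipped), assigns the band named on the slide, and computes average time-to-fix and remediation rate over the same data. The hostnames and dates are constructed sample data.

```python
"""Window-of-exposure, time-to-fix and remediation-rate metrics over scan findings.
Added example; not WhiteHat or Sentinel code. Sample data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Lower bound (days vulnerable per year) of each band named on the slide.
# "Always Vulnerable" is handled separately: every day of the year, leap years included.
BANDS = [
    ("Frequently Vulnerable", 271),
    ("Regularly Vulnerable", 151),
    ("Occasionally Vulnerable", 31),
    ("Rarely Vulnerable", 0),
]


@dataclass(frozen=True)
class Finding:
    site: str
    opened: date
    closed: Optional[date] = None  # None means still open at analysis time


def days_in_year(year: int) -> int:
    return (date(year, 12, 31) - date(year, 1, 1)).days + 1


def exposed_days(findings: List[Finding], year: int) -> int:
    """Days in `year` on which at least one finding was open.
    A finding is open on day d when opened <= d < closed; a day flag array
    unions overlapping findings so a day is never counted twice."""
    start = date(year, 1, 1)
    n = days_in_year(year)
    flags = bytearray(n)
    for f in findings:
        lo = max((f.opened - start).days, 0)            # clip to the year start
        hi = n if f.closed is None else min((f.closed - start).days, n)
        for i in range(lo, hi):
            flags[i] = 1
    return sum(flags)


def classify(days: int, year: int) -> str:
    """Map a day count to the band used on the slide."""
    if days >= days_in_year(year):
        return "Always Vulnerable"
    for label, lower in BANDS:
        if days >= lower:
            return label
    raise ValueError("negative day count")


def average_time_to_fix(findings: List[Finding]) -> Optional[float]:
    """Mean open-to-close duration in days, over closed findings only."""
    durations = [(f.closed - f.opened).days for f in findings if f.closed]
    return sum(durations) / len(durations) if durations else None


def remediation_rate(findings: List[Finding]) -> float:
    """Fraction of findings that have been closed (0.0 when there are none)."""
    if not findings:
        return 0.0
    return sum(1 for f in findings if f.closed) / len(findings)


def summarize(findings: List[Finding], year: int) -> Dict[str, dict]:
    """Per-site exposed-day count and band for one calendar year."""
    by_site = defaultdict(list)
    for f in findings:
        by_site[f.site].append(f)
    result = {}
    for site, fs in by_site.items():
        days = exposed_days(fs, year)
        result[site] = {"exposed_days": days, "band": classify(days, year)}
    return result


# Constructed sample findings with hypothetical hostnames, not real scan data.
SAMPLE = [
    Finding("shop.example", date(2014, 1, 1)),                        # never fixed
    Finding("clinic.example", date(2014, 1, 10), date(2014, 3, 1)),
    Finding("clinic.example", date(2014, 2, 15), date(2014, 6, 1)),   # overlaps the one above
    Finding("bank.example", date(2013, 12, 1), date(2014, 1, 5)),     # straddles the year boundary
    Finding("bank.example", date(2014, 5, 1), date(2014, 5, 15)),
]

if __name__ == "__main__":
    for site, m in summarize(SAMPLE, 2014).items():
        print(f"{site:16} {m['exposed_days']:3d} days  {m['band']}")
    print("average time-to-fix:", average_time_to_fix(SAMPLE), "days")
    print("remediation rate:", remediation_rate(SAMPLE))
```

The half-open interval (closed date not counted as exposed) and the clipping to the year are the choices that make the numbers reproducible across scanners; state them when you publish your own figures, since a one-day difference per finding moves sites across the band boundaries.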
Ranges of Expected Loss by Number of Records (Verizon 2015 Data Breach Investigations Report)
| Records | Prediction (Lower) | Average (Lower) | Expected | Average (Upper) | Prediction (Upper) |
| 100 | $1,170 | $18,120 | $25,450 | $35,730 | $555,660 |
| 1,000 | $3,110 | $52,260 | $67,480 | $87,140 | $1,461,730 |
| 10,000 | $8,280 | $143,360 | $178,960 | $223,400 | $3,866,400 |
| 100,000 | $21,900 | $366,500 | $474,600 | $614,600 | $10,283,200 |
| 1,000,000 | $57,600 | $892,400 | $1,258,670 | $1,775,350 | $27,500,090 |
| 10,000,000 | $150,700 | $2,125,900 | $3,338,020 | $5,241,300 | $73,943,950 |
| 100,000,000 | $392,000 | $5,016,200 | $8,852,540 | $15,622,700 | $199,895,100 |
Result: Every Year is the Year of the Hack
“In 2014, 71% of security professionals said their networks were breached. 22% of them victimized 6 or more times. This increased from 62% and 16% respectively from 2013. 52% said their organizations will likely be successfully hacked in the next 12 months. This is up from 39% in 2013.”
Survey of Security professionals by CyberEdge
Downside Protection
As of 2014, American businesses were expected to pay up to $2 billion on cyber-insurance premiums, a 67% spike from $1.2 billion spent in 2013. Current expectations by one industry watcher suggest 100% growth in insurance premium activity, possibly 130% growth.
It’s usually the firms that are best prepared for cyber attacks that wind up buying insurance.
Downside Protection
“Target spent $248 million after hackers stole 40 million payment card accounts and the personal information of up to 70 million customers. The insurance payout, according to Target, will be $90 million.”
“Home Depot reported $43 million in expenses related to its September 2014 hack, which affected 56 million credit and debit card holders. Insurance covered only $15 million.”
Downside Protection
“Anthem has $150 million to $200 million in cyber coverage, including excess layers, sources say.”
“Insurers providing excess layers of cyber coverage include: Lloyd’s of London syndicates: operating units of Liberty Mutual Holding Co.; Zurich Insurance Group; and CNA Financial Corp., sources say.”
2014 – 2015 New Security Investment vs. Cyber-Insurance
- Information Security Spending (Global): $3,800,000,000, ~$3.8 billion in new spending (+4.7%)
- Cyber-Security Insurance: $3,200,000,000, ~$3.2 billion in spending (+67%)
- Application Security Market: $1,000,000,000 (+15%)
Ever notice how everything in the information security industry is sold “as is”?
No Guarantees
No Warranties
No Return Policies
InfoSec is a $75 Billion Garage Sale
“The only two products not covered by product liability are religion and software, and software shall not escape much longer”
Dan Geer, CISO, In-Q-Tel
Software Security Maturity Metrics Analysis
- The analysis is based on 118 responses on a survey sent to security professionals to measure maturity models in application security programs at various organizations.
- The responses obtained in the survey are correlated with the data available in Sentinel to get deeper insights. Statistics pulled from Sentinel are for the 2014 timeframe.
If an organization experiences a website(s) data or system breach, which part of the organization is held accountable and what is its performance?
56% of all respondents did not have any part of the organization held accountable in case of data or system breach.
[Chart: share of respondents by accountable group; values shown, in chart order: 9%, 29%, 28%, 30%.]

Performance by accountable group (Sentinel data, 2014):
| Accountable group | Average Time to Fix (Days) | Remediation Rate | Average Number of Vulns Open |
| Board of Directors | 129 | 44% | 10 |
| Executive Management | 119 | 43% | 10 |
| Software Development | 108 | 37% | 17 |
| Security Department | 114 | 43% | 25 |
Please rank your organization’s drivers for resolving website vulnerabilities. “1” being your lowest priority, “5” being your highest.
15% of the respondents cite Compliance as the primary reason for resolving website vulnerabilities.
6% of the respondents cite Corporate Policy as the primary reason for resolving website vulnerabilities.
35% of the respondents cite Risk Reduction as the primary reason for resolving website vulnerabilities.
19% of the respondents cite Customer or Partner Demand as the primary reason for resolving website vulnerabilities.
25% of the respondents cite other reasons for resolving website vulnerabilities.

Performance by primary driver (Sentinel data, 2014):
| Primary driver | % of Respondents | Average Time to Fix (Days) | Average Remediation Rate | Average Number of Vulnerabilities |
| Compliance | 15% | 132 | 55% | 14 |
| Corporate Policy | 6% | 86 | 21% | 21 |
| Risk Reduction | 35% | 78 | 40% | 28 |
| Customer or Partner Demand | 19% | 163 | 50% | 28 |
| Other | 25% | 150 | 33% | 10 |
Effect of security controls on the three metrics (+ better, - worse):
| Security Controls | # of Open Vulns | Time-to-Fix | Remediation Rate |
| Automated static analysis during the code review process | + | + | - |
| QA performs basic adversarial tests | + | - | + |
| Defects identified through operations monitoring fed back to development | - | + | - |
| Share results from security reviews with the QA | + | - | + |
There are No Best-Practices
Thank You
Jeremiah Grossman
Founder: WhiteHat Security, Inc.
Twitter: @jeremiahg
 

Mehr von Jeremiah Grossman (20)

All these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterAll these vulnerabilities, rarely matter
All these vulnerabilities, rarely matter
 
How to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorHow to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare Sector
 
The Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryThe Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare Industry
 
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensExploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers Guide
 
Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?
 
Ransomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowRansomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to Know
 
Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015
 
WhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedWhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report Explained
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics Report
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
 
WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]
 
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
 
11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)
 

Kürzlich hochgeladen

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 

Kürzlich hochgeladen (20)

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 

15 Years of Web Security: The Rebellious Teenage Years

  • 1. 15 years of Web Security The Rebellious Teenage Years Jeremiah Grossman Founder: WhiteHat Security, Inc. Twitter: @jeremiahg
  • 2. Jeremiah Grossman Hacker 2015 OWASP WebAppSec Person of the Year Brazilian Jiu-Jitsu Black Belt
  • 3. WhiteHat Security We help secure the Web by finding application vulnerabilities, in the source code all the way through to production, and help companies get them fixed, before the bad guys exploit them. Founded 2001 Headquarters Santa Clara Employees 300+
  • 4. WhiteHat Security We help secure the Web by finding application vulnerabilities, in the source code all the way through to production, and help companies get them fixed, before the bad guys exploit them. 7 of 18 Top Commercial Banks 10 of 50 Top Largest Banks 6 of 16 Top Software Companies 4 of 8 Top Consumer Financial Services 1000+ Active Customers #63 Fortune 500
  • 5. My Areas of Focus
       - Threat Actors: Innovating, scaling, or both?
       - Intersection of security guarantees and cyber-insurance
       - Easing the burden of vulnerability remediation
       - Measuring the impact of SDLC security controls
       - Addressing the application security skill shortage
  • 6. Threat Actors Hacktivists Organized Crime Nation State Terrorists?
  • 7.
  • 8. WebApp Attacks Adversaries Use
       “This year, organized crime became the most frequently seen threat actor for Web App Attacks” (Verizon 2015 Data Breach Investigations Report)
       Use of Stolen Credit Cards   50.7%
       Use of Backdoor or C2        40.5%
       SQLI                         19.0%
       RFI                           8.3%
       Abuse of Functionality        8.3%
       Brute Force                   6.8%
       XSS                           6.3%
       Path Traversal                3.4%
       Forced Browsing               2.0%
       OS Commanding                 1.5%
  • 9. Security Industry Spends Billions “2015 Global spending on information security is set to grow by close to 5% this year to top $75BN, according to the latest figures from Gartner”
  • 10. Vulnerability Likelihood (1 or more), chart values per vulnerability class: 70% 56% 47% 29% 26% 24% 16% 15% 11% 11% 8% 6% 6% 6% 5%
  • 11. Average Time-to-Fix (Days), chart values: 73 97 99 108 111 130 132 136 158 160 191 192 227
  • 12. Windows of Exposure
       - A large percentage of websites are always vulnerable
       - 60% of all Retail are always vulnerable
       - 52% of all Healthcare and Social Assistance sites are always vulnerable
       - 38% of all Information Technology websites are always vulnerable
       - 39% of all Finance and Insurance websites are always vulnerable

       Window of exposure (days vulnerable a year)   Retail   Information   Health Care   Finance
       Always Vulnerable                               60%        38%           52%         39%
       Frequently Vulnerable (271-364)                  9%        11%           11%         14%
       Regularly Vulnerable (151-270)                  10%        14%           12%         11%
       Occasionally Vulnerable (31-150)                11%        16%           11%         18%
       Rarely Vulnerable (30 or less)                  11%        22%           14%         17%
       Industries: Retail Trade; Information; Health Care & Social Assistance; Finance & Insurance.
  • 13. Ranges of Expected Loss by Number of Records (Verizon 2015 Data Breach Investigations Report)
       RECORDS        PREDICTION (LOWER)   AVERAGE (LOWER)    EXPECTED       AVERAGE (UPPER)   PREDICTION (UPPER)
       100                  $1,170            $18,120          $25,450           $35,730            $555,660
       1,000                $3,110            $52,260          $67,480           $87,140          $1,461,730
       10,000               $8,280           $143,360         $178,960          $223,400          $3,866,400
       100,000             $21,900           $366,500         $474,600          $614,600         $10,283,200
       1,000,000           $57,600           $892,400       $1,258,670        $1,775,350         $27,500,090
       10,000,000         $150,700         $2,125,900       $3,338,020        $5,241,300         $73,943,950
       100,000,000        $392,000         $5,016,200       $8,852,540       $15,622,700        $199,895,100
  • 14. Result: Every Year is the Year of the Hack “In 2014, 71% of security professionals said their networks were breached. 22% of them victimized 6 or more times. This increased from 62% and 16% respectively from 2013. 52% said their organizations will likely be successfully hacked in the next 12 months. This is up from 39% in 2013.” Survey of Security professionals by CyberEdge
  • 15. Downside Protection As of 2014, American businesses were expected to pay up to $2 billion on cyber-insurance premiums, a 67% spike from $1.2 billion spent in 2013. Current expectations by one industry watcher suggest 100% growth in insurance premium activity, possibly 130% growth. It’s usually the firms that are best prepared for cyber attacks that wind up buying insurance.
  • 16. Downside Protection “Target spent $248 million after hackers stole 40 million payment card accounts and the personal information of up to 70 million customers. The insurance payout, according to Target, will be $90 million.” “Home Depot reported $43 million in expenses related to its September 2014 hack, which affected 56 million credit and debit card holders. Insurance covered only $15 million.”
  • 17. Downside Protection “Anthem has $150 million to $200 million in cyber coverage, including excess layers, sources say.” “Insurers providing excess layers of cyber coverage include: Lloyd’s of London syndicates: operating units of Liberty Mutual Holding Co.; Zurich Insurance Group; and CNA Financial Corp., sources say.”
  • 18. 2014 – 2015 New Security Investment vs. Cyber-Insurance
       Information Security Spending (Global)   $3,800,000,000   ~$3.8 billion in new spending (+4.7%)
       Cyber-Security Insurance                 $3,200,000,000   ~$3.2 billion in spending (+67%)
       Application Security Market              $1,000,000,000   (+15%)
  • 19. Ever notice how everything in the information security industry is sold “as is”? No Guarantees No Warranties No Return Policies
  • 20. InfoSec is a $75 Billion Garage Sale
  • 21.
  • 22. “The only two products not covered by product liability are religion and software, and software shall not escape much longer” Dan Geer CISO, In-Q-Tel
  • 23. Software Security Maturity Metrics Analysis  The analysis is based on 118 responses on a survey sent to security professionals to measure maturity models in application security programs at various organizations.  The responses obtained in the survey are correlated with the data available in Sentinel to get deeper insights. Statistics pulled from Sentinel are for 2014 timeframe.
  • 24. If an organization experiences a website(s) data or system breach, which part of the organization is held accountable and what is its performance? 56% of all respondents did not have any part of the organization held accountable in case of data or system breach. Chart values: 9% 29% 28% 30%
  • 25. If an organization experiences a website(s) data or system breach, which part of the organization is held accountable and what is its performance?
       Part held accountable     Average Time to Fix (Days)   Remediation Rate   Average Number of Vulns Open
       Board of Directors                 129                      44%                    10
       Executive Management               119                      43%                    10
       Software Development               108                      37%                    17
       Security Department                114                      43%                    25
  • 26. Please rank your organization’s drivers for resolving website vulnerabilities. “1” being your lowest priority, “5” being your highest.
       - 15% of the respondents cite Compliance as the primary reason for resolving website vulnerabilities.
       - 6% of the respondents cite Corporate Policy as the primary reason for resolving website vulnerabilities.
       - 35% of the respondents cite Risk Reduction as the primary reason for resolving website vulnerabilities.
       - 19% of the respondents cite Customer or Partner Demand as the primary reason for resolving website vulnerabilities.
       - 25% of the respondents cite other reasons for resolving website vulnerabilities.
  • 27. Please rank your organization’s drivers for resolving website vulnerabilities. “1” being your lowest priority, “5” being your highest.
       Primary driver                Average Time to Fix (Days)   Average Remediation Rate   Average Number of Vulnerabilities
       Compliance                            132                          55%                          14
       Corporate Policy                       86                          21%                          21
       Risk Reduction                         78                          40%                          28
       Customer or Partner Demand            163                          50%                          28
       Other                                 150                          33%                          10
  • 28. SECURITY CONTROLS
       Security control                                                            # OF OPEN VULNS   TIME-TO-FIX   REMEDIATION RATE
       Automated static analysis during the code review process                          +               +                -
       QA performs basic adversarial tests                                                +               -                +
       Defects identified through operations monitoring fed back to development          -               +                -
       Share results from security reviews with the QA                                    +               -                +
  • 30. Thank You Jeremiah Grossman Founder: WhiteHat Security, Inc. Twitter: @jeremiahg
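
Slides 11, 12, 25 and 27 all report figures derived from the same kind of per-vulnerability record: the day a finding was reported and the day it was verified fixed. The following Python is an added example, not code from the talk or from WhiteHat Sentinel, showing how average time-to-fix, remediation rate, open-vulnerability counts and the window-of-exposure buckets of slide 12 are computed from a constructed set of such records. The day ranges for the buckets come from slide 12; treating "Always Vulnerable" as every day of the year, and counting a vulnerability as exposing a site up to the day before it is closed, are assumptions made here.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Vuln:
    site: str
    opened: date            # day the vulnerability was first reported
    closed: Optional[date]  # day it was verified fixed; None = still open


# Constructed sample records (not WhiteHat data), one calendar year of findings.
SAMPLE_VULNS: List[Vuln] = [
    Vuln("shop.example",   date(2013, 11, 1), None),              # carried into 2014, never fixed
    Vuln("shop.example",   date(2014, 3, 1),  date(2014, 4, 10)),
    Vuln("portal.example", date(2014, 1, 10), date(2014, 1, 20)),
    Vuln("portal.example", date(2014, 6, 1),  date(2014, 6, 16)),
    Vuln("portal.example", date(2014, 6, 10), date(2014, 6, 20)), # overlaps the previous finding
    Vuln("api.example",    date(2014, 2, 1),  date(2014, 8, 1)),
]

# Bucket floors in days vulnerable per year, as labelled on slide 12.
EXPOSURE_BUCKETS = [
    (271, "Frequently Vulnerable (271-364 days a year)"),
    (151, "Regularly Vulnerable (151-270 days a year)"),
    (31,  "Occasionally Vulnerable (31-150 days a year)"),
    (0,   "Rarely Vulnerable (30 days or less a year)"),
]


def days_in_year(year: int) -> int:
    return (date(year + 1, 1, 1) - date(year, 1, 1)).days


def days_exposed(vulns: List[Vuln], site: str, year: int) -> int:
    """Distinct days in `year` on which `site` had at least one open vulnerability.
    Overlapping findings are not double counted: a site is either exposed on a
    given day or it is not."""
    start, end = date(year, 1, 1), date(year, 12, 31)
    exposed = set()
    for v in vulns:
        if v.site != site:
            continue
        lo = max(v.opened, start)
        # Assumption: the site is exposed up to the day before the fix is verified.
        hi = end if v.closed is None else min(v.closed - timedelta(days=1), end)
        d = lo
        while d <= hi:
            exposed.add(d)
            d += timedelta(days=1)
    return len(exposed)


def exposure_class(days: int, year: int) -> str:
    """Map a day count onto the slide 12 buckets. "Always" is taken to mean
    every day of the year (assumption; the slide gives no range for it)."""
    if days >= days_in_year(year):
        return "Always Vulnerable"
    for floor, label in EXPOSURE_BUCKETS:
        if days >= floor:
            return label
    raise ValueError("negative day count")


def average_time_to_fix(vulns: List[Vuln]) -> Optional[float]:
    """Mean days from report to verified fix over closed findings only (slide 11).
    Returns None when nothing has been closed yet."""
    fixed = [(v.closed - v.opened).days for v in vulns if v.closed is not None]
    return sum(fixed) / len(fixed) if fixed else None


def remediation_rate(vulns: List[Vuln]) -> float:
    """Share of reported findings that have been closed (slides 25 and 27)."""
    if not vulns:
        return 0.0
    return sum(1 for v in vulns if v.closed is not None) / len(vulns)


def site_summary(vulns: List[Vuln], site: str, year: int) -> Dict[str, object]:
    mine = [v for v in vulns if v.site == site]
    days = days_exposed(mine, site, year)
    return {
        "days_exposed": days,
        "exposure": exposure_class(days, year),
        "avg_time_to_fix": average_time_to_fix(mine),
        "remediation_rate": remediation_rate(mine),
        "open_vulns": sum(1 for v in mine if v.closed is None),
    }


def program_summary(vulns: List[Vuln], year: int) -> Dict[str, Dict[str, object]]:
    """One row per site, the shape behind the per-industry bars on slide 12."""
    return {site: site_summary(vulns, site, year)
            for site in sorted({v.site for v in vulns})}


if __name__ == "__main__":
    for site, summary in program_summary(SAMPLE_VULNS, 2014).items():
        print(site, summary)
```

The overlap handling is the part worth keeping: a site with three findings fixed in a week each is not three weeks exposed if the weeks coincide, which is why the window of exposure is computed from a set of days rather than by summing per-finding durations. The time-to-fix average, by contrast, is deliberately per finding, matching the way slide 11 reports it.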

Editor's notes

  1. http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report-2015-insider_en_xg.pdf
  2. http://www.infosecurity-magazine.com/news/global-security-spend-set-to-top/
     http://www.forbes.com/sites/stevemorgan/2015/12/20/cybersecurity%E2%80%8B-%E2%80%8Bmarket-reaches-75-billion-in-2015%E2%80%8B%E2%80%8B-%E2%80%8Bexpected-to-reach-170-billion-by-2020/#2715e4857a0b676a557a2191
     http://www.securityweek.com/global-cybersecurity-spending-reach-769-billion-2015-gartner
     http://www.gartner.com/newsroom/id/2828722
     http://www.wsj.com/articles/financial-firms-bolster-cybersecurity-budgets-1416182536
     http://mspmentor.net/managed-security-services/100314/pwc-cybersecurity-costs-rise-budgets-decrease
     http://techcrunch.com/2016/01/06/cockroaches-vs-unicorns-the-golden-age-of-cybersecurity-startups/
  3. http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report-2015-insider_en_xg.pdf
  4. http://www.darkreading.com/attacks-breaches/most-companies-expect-to-be-hacked-in-the-next-12-months/d/d-id/1319497?
  5. http://fortune.com/2015/01/23/cyber-attack-insurance-lloyds/
     http://www.bna.com/cybersecurity-insurance-explosion-n57982065668/?elq=bcac7d48d68d4c18a9d273cb25bdf9ce&elqCampaignId=2283&elqaid=3786&elqat=1&elqTrackId=f1a8b4caaf024d8fac60cd7533b2b96b
     http://www.techtimes.com/articles/27454/20150120/cyber-insurance-forefront-companies-minds.htm
     http://www.latimes.com/business/la-fi-hacking-insurance-20150210-story.html
     http://www.cnbc.com/id/101804150
     http://www.darkreading.com/risk/the-problem-with-cyber-insurance/a/d-id/1269682?#ftag=YHF87e0214
  6. http://www.insurancejournal.com/news/national/2014/02/26/321638.htm
     http://www.latimes.com/business/la-fi-hacking-insurance-20150210-story.html
  7. http://www.businessinsurance.com/article/20150206/NEWS06/150209857/aig-unit-leads-anthems-cyber-coverage?tags=%7C83%7C299%7C302%7C329
  8. http://www.forbes.com/sites/stevemorgan/2015/12/20/cybersecurity%E2%80%8B-%E2%80%8Bmarket-reaches-75-billion-in-2015%E2%80%8B%E2%80%8B-%E2%80%8Bexpected-to-reach-170-billion-by-2020/#2715e4857a0b676a557a2191
  9. https://www.youtube.com/watch?v=nT-TGvYOBpI&list=UUJ6q9Ie29ajGqKApbLqfBOg