Web Application Security for Small and Medium Businesses

Qualys, Inc. Confidential – Will Bechtel, Director, Product Management – May 24, 2012

Page 1: Web Application Security For Small and Medium Businesses

Qualys, Inc. Confidential

Will Bechtel – Director, Product Management

May 24, 2012

Web Application Security For Small and Medium Businesses

Page 2: Web Application Security For Small and Medium Businesses

Why Web App Security Matters – 2012 Verizon Data Breach Investigation Report

How do breaches occur?
•  81% utilized some form of hacking (+31%)

How are web apps involved?
•  Web applications … were associated with over a third of total data loss

What can you do to help your organization?
•  92% of incidents were discovered by a third party
•  97% of breaches were avoidable through simple or intermediate controls

Page 3: Web Application Security For Small and Medium Businesses

Why Web App Security Matters

Compromised Assets by percent of breaches and percent of records*

Type                                 Category       All Orgs             Larger Orgs
                                                    breaches  records    breaches  records
POS server (store controller)        Servers        50%       1%         2%        <1%
POS terminal                         User devices   35%       <1%        2%        <1%
Desktop/Workstation                  User devices   18%       34%        12%       36%
Automated Teller Machine (ATM)       User devices   8%        21%        13%       21%
Web/application server               Servers        6%        80%        33%       82%
Database server                      Servers        6%        96%        33%       98%
Regular employee/end-user            People         3%        1%         5%        <1%
Mail server                          Servers        3%        2%         10%       2%
Payment card (credit, debit, etc.)   Offline data   3%        <1%        0%        <1%
Cashier/Teller/Waiter                People         2%        <1%        2%        <1%
Pay at the Pump terminal             User devices   2%        <1%        0%        <1%
File server                          Servers        1%        <1%        5%        <1%
Laptop/Netbook                       User devices   1%        <1%        5%        <1%
Remote access server                 Servers        1%        <1%        7%        <1%
Call Center Staff                    People         1%        <1%        7%        <1%

*Assets involved in less than 1% of breaches are not shown

Page 4: Web Application Security For Small and Medium Businesses

Web Application Security Overview for SMB

Part of an overall security program
§  Should be founded in Governance and Policy
§  Should be based on standards and best practices
§  Must be supported by management to be effective

Third Party Applications
§  Purchased to support the business
§  Could be commercial off the shelf (COTS)
§  May be developed, customized or supported by 3rd party

Internally Developed
§  For many small and medium businesses, the web app IS the business
§  Access to developers
§  May need to support customers

Page 5: Web Application Security For Small and Medium Businesses

Web Application Security Drivers

Compliance
§  Payment Card Industry (PCI)
§  Privacy Regulations
§  GLBA, SB1386, FCC

Partnerships
§  Must demonstrate current and ongoing security
§  Usually confirmed by 3rd party

Revenue and Brand Reputation Security
§  Loss of revenue while you stop to address issues or are taken down by hackers
§  Loss of reputation that may be documented forever
§  Breach notification costs

Page 6: Web Application Security For Small and Medium Businesses

Web Application Security – Conventional web application security program

Page 7: Web Application Security For Small and Medium Businesses

Web Application Security – Conventional web application security program

Secure Development
§  Secure SDLC
§  Static Analysis
§  Dynamic Analysis

Secure Deployment
§  Vulnerability Scanning
§  Penetration Testing

Secure Operation
§  Web Application Firewall (WAF)
§  Penetration Testing
§  Vulnerability Assessment
§  Activity Monitoring

Page 8: Web Application Security For Small and Medium Businesses

Web Application Security – SMB focus

Secure Development
§  Secure SDLC
   −  Internal development
      §  Security Requirements
      §  Secure Design
   −  3rd Party
      §  Review vendor secure dev process
§  Dynamic Analysis
   −  Automated scanning/Interactive Testing

Secure Deployment
§  Vulnerability Scanning
   −  Automated scanning

Secure Operation
§  Vulnerability Assessment
§  Activity Monitoring

Page 9: Web Application Security For Small and Medium Businesses

Web Application Security – Dynamic Analysis/Vulnerability Scanning

Detect Web Application Security Flaws
§  Cost effective
§  OWASP Top 10 (SQL Injection, XSS, etc.)
§  Authenticate, Crawl web application, Test
§  Create report of security flaws
§  Validation of issues/Remediation
§  Used by Compliance/Partners
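The slide names SQL injection among the OWASP Top 10 flaws a dynamic scanner detects and lists the steps Authenticate, Crawl, Test, Report. As an added illustration that is not part of the original deck and not code from any Qualys product, the Python below shows the flaw such a scanner's injection test is hunting for beside its remediation, and a minimal black-box check in the scanner's style: send a benign input, then a probe containing a single quote, and report the function as injectable when the probe produces a database error instead of a normal empty result. The user table, sample accounts and both login functions are constructed for this example.

```python
import sqlite3

# Constructed sample data for the example (not from the deck): two accounts.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Fresh in-memory database so each check starts from a known state."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The flaw: user input is concatenated into the SQL text, so a quote in
    the input changes the statement itself rather than being treated as data."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_hardened(conn, username, password):
    """Remediation: a parameterised query. The driver binds the values, so the
    statement structure is fixed before any user input is seen."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def dynamic_check(login):
    """Black-box test in the style of a scanner's injection check.

    Step 1 (baseline): a benign, non-matching login should return no rows.
    Step 2 (probe): the same request with a lone single quote in the password.
    A correct implementation still returns no rows; an injectable one lets the
    quote break the SQL syntax and the database raises an error. The returned
    dict is the per-test finding a report would be built from."""
    conn = make_db()
    baseline = login(conn, "nobody", "wrong")
    try:
        login(conn, "nobody", "'")
        db_error = None
    except sqlite3.Error as exc:
        db_error = str(exc)
    return {
        "function": login.__name__,
        "baseline_rows": len(baseline),
        "db_error": db_error,
        "injectable": db_error is not None,
    }


def scan_report(logins):
    """Run the check over every candidate and collect findings, mirroring the
    slide's 'Test' then 'Create report of security flaws' steps."""
    findings = [dynamic_check(fn) for fn in logins]
    flagged = [f["function"] for f in findings if f["injectable"]]
    return {"findings": findings, "flagged": flagged}


if __name__ == "__main__":
    report = scan_report([login_vulnerable, login_hardened])
    for finding in report["findings"]:
        status = "INJECTABLE" if finding["injectable"] else "ok"
        print(f"{finding['function']}: {status}"
              + (f" ({finding['db_error']})" if finding["db_error"] else ""))
```

The check deliberately stops at the error signal: a scanner reports the finding and leaves confirmation to the validation step the slide lists next, and the remediation is the parameterised form shown beside the flaw.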

Page 10: Web Application Security For Small and Medium Businesses

Web Application Security – Dynamic Analysis/Vulnerability Scanning

Installed Software Scanners
§  Interactive use – targeted for trained appsec resources
§  Installed on workstation/server
§  Data management not included

Cloud SaaS Services
§  Highly automated
§  No installation, easy to set up, annual subscription
§  Data management included

Page 11: Web Application Security For Small and Medium Businesses

Web Application Security Summary

Part of an overall security program
§  Should be founded in Governance and Policy
§  Should be based on standards and best practices
§  Must be supported by management to be effective

Security in 3 Phases
§  Development
§  Deployment
§  Operation

Determine mix of cost effective controls
§  Ensure secure SDLC
§  Test for security flaws (Scan/Pen Test)
§  Monitor

Page 12: Web Application Security For Small and Medium Businesses

Web Application Security – More information

Resources
§  Open Web Application Security Program – OWASP
   http://www.owasp.org/
§  Web Application Security — How to Minimize the Risk of Attacks
   http://www.qualys.com/forms/guides/was_minimize_risk/
§  Building a Web Application Security Program
   http://www.qualys.com/forms/whitepapers/building_was_program/
§  Web Application Security for Dummies
   http://www.qualys.com/forms/ebook/wasfordummies/

Page 13: Web Application Security For Small and Medium Businesses

Thank You

Will Bechtel – [email protected]