Web Application Security for Small and Medium Businesses
Qualys, Inc. Confidential
Will Bechtel – Director, Product Management
May 24, 2012
Why Web App Security Matters (source: 2012 Verizon Data Breach Investigation Report)

How do breaches occur?
• 81% utilized some form of hacking (+31%)

How are web apps involved?
• Web Applications were associated with over a third of total data loss

What can you do to help your organization?
• 92% of incidents were discovered by a third party
• 97% of breaches were avoidable through simple or intermediate controls
Why Web App Security Matters

Compromised Assets by percent of breaches and percent of records*

Type                                Category       All Orgs              Larger Orgs
                                                   Breaches   Records    Breaches   Records
POS server (store controller)       Servers        50%        1%         2%         <1%
POS terminal                        User devices   35%        <1%        2%         <1%
Desktop/Workstation                 User devices   18%        34%        12%        36%
Automated Teller Machine (ATM)      User devices   8%         21%        13%        21%
Web/application server              Servers        6%         80%        33%        82%
Database server                     Servers        6%         96%        33%        98%
Regular employee/end-user           People         3%         1%         5%         <1%
Mail server                         Servers        3%         2%         10%        2%
Payment card (credit, debit, etc.)  Offline data   3%         <1%        0%         <1%
Cashier/Teller/Waiter               People         2%         <1%        2%         <1%
Pay at the Pump terminal            User devices   2%         <1%        0%         <1%
File server                         Servers        1%         <1%        5%         <1%
Laptop/Netbook                      User devices   1%         <1%        5%         <1%
Remote access server                Servers        1%         <1%        7%         <1%
Call Center Staff                   People         1%         <1%        7%         <1%

*Assets involved in less than 1% of breaches are not shown
Web Application Security: Overview for SMB

Part of an overall security program
§ Should be founded in Governance and Policy
§ Should be based on standards and best practices
§ Must be supported by management to be effective

Third Party Applications
§ Purchased to support the business
§ Could be commercial off the shelf (COTS)
§ May be developed, customized or supported by 3rd party

Internally Developed
§ For many small and medium businesses, the web app IS the business
§ Access to developers
§ May need to support customers
Web Application Security: Drivers

Compliance
§ Payment Card Industry (PCI)
§ Privacy Regulations
§ GLBA, SB1386, FCC

Partnerships
§ Must demonstrate current and ongoing security
§ Usually confirmed by 3rd party

Revenue and Brand Reputation Security
§ Loss of revenue while you stop to address issues or are taken down by hackers
§ Loss of reputation that may be documented forever
§ Breach notification costs
Web Application Security: Conventional web application security program

Secure Development
§ Secure SDLC
§ Static Analysis
§ Dynamic Analysis

Secure Deployment
§ Vulnerability Scanning
§ Penetration Testing

Secure Operation
§ Web Application Firewall (WAF)
§ Penetration Testing
§ Vulnerability Assessment
§ Activity Monitoring
Web Application Security: SMB focus

Secure Development
§ Secure SDLC
  − Internal development
    § Security Requirements
    § Secure Design
  − 3rd Party
    § Review vendor secure dev process
§ Dynamic Analysis
  − Automated scanning/Interactive Testing

Secure Deployment
§ Vulnerability Scanning
  − Automated scanning

Secure Operation
§ Vulnerability Assessment
§ Activity Monitoring
Web Application Security: Dynamic Analysis/Vulnerability Scanning

Detect Web Application Security Flaws
§ Cost effective
§ OWASP Top 10 (SQL Injection, XSS, etc.)
§ Authenticate, crawl web application, test
§ Create report of security flaws
§ Validation of issues/Remediation
§ Used by Compliance/Partners
Web Application Security: Dynamic Analysis/Vulnerability Scanning

Installed Software Scanners
§ Interactive use – targeted for trained appsec resources
§ Installed on workstation/server
§ Data management not included

Cloud SaaS Services
§ Highly automated
§ No installation, easy to set up, annual subscription
§ Data management included
Web Application Security: Summary

Part of an overall security program
§ Should be founded in Governance and Policy
§ Should be based on standards and best practices
§ Must be supported by management to be effective

Security in 3 Phases
§ Development
§ Deployment
§ Operation

Determine mix of cost effective controls
§ Ensure secure SDLC
§ Test for security flaws (Scan/Pen Test)
§ Monitor
Web Application Security: More information

Resources
§ Open Web Application Security Project (OWASP)
  http://www.owasp.org/
§ Web Application Security — How to Minimize the Risk of Attacks
  http://www.qualys.com/forms/guides/was_minimize_risk/
§ Building a Web Application Security Program
  http://www.qualys.com/forms/whitepapers/building_was_program/
§ Web Application Security for Dummies
  http://www.qualys.com/forms/ebook/wasfordummies/

Thank You
Will Bechtel – [email protected]