Web Application Security: Increasing customer's awareness
Laurent PETROQUE, System Engineer, F5 Networks, l.petroque@f5.com
OWASP-Day, Università La Sapienza, Rome, 10th September 2007
Copyright © 2007 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation, http://www.owasp.org
Application Security: Trends and Drivers
- "Webification" of applications
- Intelligent browsers and applications
- Public awareness of data security
- Increasing regulatory requirements
- The next attackable frontier
- Targeted attacks
OWASP-Day – La Sapienza, 10th Sep 07 – OWASP Italy
Almost every web application is vulnerable!
- 70% of websites at immediate risk of being hacked! - Acunetix, Jan 2007, http://www.acunetix.com/news/security-audit-results.htm
- "8 out of 10 websites vulnerable to attack" - WhiteHat Security Report, Nov 2006, https://whitehatsec.market2lead.com/go/whitehatsec/webappstats1106
- "75 percent of hacks happen at the application." - Gartner, "Security at the Application Level"
- "64 percent of developers are not confident in their ability to write secure applications." - Microsoft Developer Research
Spreading Web Application Security
- Groups:
  - Risk assessment group
  - Security officer
  - Application guys
  - Network guys
- Segments:
  - PCI compliance
  - SOX compliance
  - Financials
  - Healthcare
  - E-Commerce
Why this is important
- Unique value to customers
- Dramatically improve attach rate
- Position bigger platforms
- Position new and more services
- Introduce to new groups within the organization
  - Security impacts the entire process
Understand the customer's business problem, not just the technical problem.
The customer's business problem isn't always a security breach:
- Compliance
- Business enabler
- Extension
  - Acquisition or new partnership
- Company security policy
  - Install a WAF
  - Audit code
  - Recurring pen testing
- Monitoring layer 7
Understand the customer's business problem, not just the technical problem.
Sometimes it is pure security:
- Failed security audit
- Discovered vulnerability
- Hacked
- Critical/high-profile application
Who is responsible for application security?
- Web developers?
- Network security?
- Engineering services?
- DBA?
Know who we are talking with
- Network guys – keep it simple! Talk about how easy/fast it is to deploy. Remember: they are in the network business; they don't like applications...
- Many times they are responsible for the entire security, and now they are expected to protect the application layer. How can they do that?
- Application guys – show them the policy: the application map
Know who we are talking with
- Security guys – they know a lot about network security but less about web application security
- They are often isolated in the organization
  - Attached to general management
- Show them how to amplify an application security message
- Benefit from this knowledge
  - In front of developers, for instance
  - New technology validation
Speaking to execs
- Protects stakeholders from regulatory violations
- Increases and simplifies compliance
  - PCI
  - Sarbanes-Oxley
- Brand protection
- Provides insurance, assurance and accountability
- Improves business agility
- Provides risk insight and risk mitigation
- Continuous improvement of the confidentiality, availability and accuracy of business information and processes
PCI Awareness campaign in Italy
- We ran a phoning campaign
- 75 companies contacted
- Enormous awareness job still to complete
- Huge business potential detected
- Strong on Web Application Security
Sarbanes-Oxley Compliance
- Huge potential with SOX: "The requirements for SOX compliance apply to any system that processes or maintains financial data"
- Most applications are moving to the Web
- Even those maintaining "financial data"
- Impacts numerous organizations
- Execs are more than receptive
What customers want from Sarbanes-Oxley
- User authentication
- Password management
- Access controls
- Input validation
- Exception handling
- Secure data storage and transmission
- Logging
- Monitoring and alerting
  - System hardening
- Change management
  - Application development
  - Periodic security assessments and audits
Polizia Postale Statistics for 2005 (chart; figure not reproduced in text)
Polizia Postale Statistics for 2006 (chart; figure not reproduced in text)