17-18th of November, Warsaw

Size: px

Start display at page:

Download "17-18th of November, Warsaw"

Donald Greer
8 years ago
Views:

1 17-18th of November, Warsaw Moni Stern CHECKMARX

2 < SAST is MUST/>

3 Agenda > /> The Problem /> The Results /> Challenges and Solution /> The Tools /> Awareness

4 What s the Problem? 92% of exploitable vulnerabilities are in software

5 What analysts say Gartner: Application Security Testing of Cloud Services Providers Is a Must NIST: 92% of exploitable vulnerabilities are in software SANS.ORG: Application Vulnerabilities exceed OS Vulnerabilities OWASP: Application Security is no longer a choice Watchfire: 90% of sites are vulnerable to application attacks Symantec: 78% percent of easily exploitable vulnerabilities affected Web applications

ORG: Application Vulnerabilities exceed OS Vulnerabilities OWASP: Application Security is no longer a

6 What CISOs say > 1 What CISOs say CISO Survey 13% Other What are the main areas of risk for your organization? 51% Application Security 36% Infrastructure

7 The result Hacking Team Latest Adoult friend finder Anthem 80,000,000 AshleyMadison.com CarPhone Warehouse Carefirst Australian innigration Department Experian / T- mobile Home Depot 56,000,000 MSpy IRS Premera Slack JP Morgan Chase 76,000,000 Mozilla Sony Pictures Talktalk Us Office of Personnel Management (2 nd Breach) Staples US Office of Persinnel Management Uber AOL 2,400,000 Advocate Adobe 36,000,000 Dominos Pizza Ebay 145,000,000 Drupal Evernote 50,000,000 Facebook Indiana University European Central Bank Florida Courts Japan Airlines Korea Credit Bureau MacRumours Neiman Marcus Livig Social 50,000,000 Florida departmen t of juvenile justice NASDAQ New york Taxis OVH Target 70,000,000 UbiSoft unknown Yahoo Japan Twiter ups Ubuntu Vodafone Twitch.tv

Office of Personnel Management (2 nd Breach) Staples US Office of Persinnel Management Uber 2014 2013 AOL 2,400,000 Advocate Adobe 36,000,000 Dominos Pizza Ebay 145,000,000 Drupal Evernote

8 Results in Poland? What security measurement you take upon project completion? > Pen Testing Who has performed SAST? Are you really secure?

9 BB vs. WB & Manual Code Review Issue Black-Box Manual Code Coverage - Types Low Low Requires highly skilled auditors SAST Full Detection Low Low + 1:6 Client 1:24 Server Mitigation Difficult Complex, not optimized Easy S-SDLC No No Yes Optimizati on No No Yes-High bezpieczeństwa Black Box White Box / SAST Source webapsec.org

Requires highly skilled auditors SAST Full Detection Low Low + 1:6 Client 1:24

10 What CISOs say >2 Top 5 Sources of AppSec risk within organizations 1. Lack of awareness My experience in Poland/ Central Europe 1 st SAST in OWASP conf. EE 2015; ATS Almost no SAST sold (HP, IBM), except some Global companies Trained ~50 Auditors Sold few systems, delivered > 10 projects 2. Insecure code development 3. Poor testing methodologies 4. Lack of budget 5. Staffing (lack of security skills within the team)

EE 2015; ATS Almost no SAST sold (HP, IBM), except some Global companies Trained ~50 Auditors Sold few

11 What CISOs say > Insecure Code Development & lack of security staff Solution: S-SDLC Deploy SAST at the beginning like QA. SA>>QA Increase security by pin-pointing where and how to fix

12 What CISOs say >2 Poor/ inadequate testing methodologies Solution: Source Repository Deploy S-SDLC Use Frameworks (example: ESAPI and other) Adapt to your private frameworks Developers Build Management Suggestions Auditors Bug Tracking

(example: ESAPI and other) Adapt to your private

cost of damages / loss > $200M Total cost of system upgrades > $100M $7600 Per breach Remediation Costs: ROI from

13 What CISOs say: > What CISOs say >2 Lack of budget Solution: Immediate ROI by decreasing cost of breach & minimizing remediation costs The damages: Breach reported Dec M credit records stolen 46% drop in profits Q4/2013 Total cost of damages / loss > $200M Total cost of system upgrades > $100M $7600 Per breach Remediation Costs: ROI from Reduced Pen testing + Manual code review SAST $80 Per breach $240 Per breach $960 Per breach Development Build QA/Testing Production

14 The good news: Rapidly Growing SAST Market AST Market Forecast 2 By 2017, 50% of enterprises will use SAST, and 80% will use DAST solutions, up from 20% and 60%, respectively, in By 2016, 40% of enterprises will make proof of independent security testing a precondition for using any type of cloud service, up from less than 1% today. By 2017, 25% of application runtime environments will have built-in self-protection capabilities, up from less than 1% in ($ in Millions) $900 $800 $700 $600 $500 $400 $300 $200 $100 $0 Security Testing Spending Outlook ~15% CAGR 2012A 2013A 2014E 2015E 2016E 2017E (1) Source: Company estimate (2) Source: Gartner

By 2016, 40% of enterprises will make proof of independent security testing a precondition for using any type of cloud service, up from less than 1% today.

15 2016 The SAST year for Poland Commercial products (Checkmarx, HP, IBM, Veracode) OWASP List of SAST products Awareness: Have fun with Game of Hacks Educate developers through gamification order a free Secure Development Kit If you don t request budget now, no 2016

with Game of Hacks Educate developers through gamification order

16 SAST IS MUST! dziękuję bardzo

17 17-18th of November, Warsaw Thanks for your attention!

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

How to start a software security initiative within your organization: a maturity based and metrics driven approach Marco Morana OWASP Lead/ TISO Citigroup OWASP Application Security For E-Government Copyright