Open Software and Trust Better Than Free? April 28, 2015 Start Time: 9am US Pacific /12 noon US Eastern/ 5pm London Time



Sponsored by: #ISSAWebConf

Welcome
Conference Moderator: Phillip Griffin, CISM, ISSA Fellow, and ISSA Educational Advisory Council Member
April 28, 2015. Start Time: 9am US Pacific / 12pm US Eastern / 5pm London Time

Speaker Introduction
- Mark Kadrich, Chief Information Security & Privacy Officer, San Diego Health Connect
- Tim Jarrett, Director, Enterprise Security Strategy, Veracode
Remember to type your question in the Chat area of your screen. You may need to click on the double arrows to open this function.

Open Software and Trust Better than Free?
Mark Kadrich, Chief Information Security & Privacy Officer, San Diego Health Connect

Another Model
- Medical TV shows: medical procedures, medical advice; advised by experts; popularity waning, but still viewed by millions!
- Legal TV shows: courtroom procedures, legal descriptions of crimes, forensic investigations; advised by experts

Some Medical Numbers
- Grey's Anatomy (4.5): 5.85 million viewers! Discusses and depicts medical procedures every week. Dr. Allan Hamilton, neurosurgeon and medical advisor.
- Doctor Oz (1.6): 2.08 million viewers! Viewer rating of 7.2! (People LOVE him.) Medical advice by a doctor! Some issues, but people STILL watch. Sharing of information via social networks.

Some Legal Numbers
- Law & Order franchise (1.64)
- NCIS franchise (2.48 + 2.13 + 1.63)
- CSI franchise (1.5 + 1.29)
HOLY COW BATMAN, OVER 20 MILLION VIEWERS!

Some Statistics
- 18.5* million software developers in the world: 11 million are professionals, 7.5 million are hobbyists
- 7.7 million physicians in the world: 7.7 million are professionals, 0.0 million are hobbyists
- 1.3 million lawyers in the US ALONE: 1 million are active; unknown how many hobbyist lawyers there are... a man who is his own lawyer has a fool for a client...
*TechRepublic

Why This is Important
Because you have...
- Good, fast coders
- Good, slow coders
- Bad, fast coders
- Bad, slow coders
Where do you think the largest population of coders is?

Argument for Open Source Security
- Many eyes looking at code
- Open nature of code means better security
- Obfuscation isn't a good security plan

Open Means Free Range
- No guarantee of security tools
- No assurance of review
- No agreed-upon metrics
- No measurable level of quality

Closed Code Statistics
- 85% of bugs removed from code before release
- Average is 15-50 errors per KLOC
- MS has reduced this to 10-20 per KLOC in-house
- MS has further reduced this to 0.5 per KLOC
- Linux has 10M LOC, or potentially 5000 errors...

It's About Trust
To really trust code you must have a rigorous testing and validation methodology.
Shuttle code had ZERO errors in 500,000 lines of code.
"Harlan Mills pioneered 'cleanroom development', a technique that has been able to achieve rates as low as 3 defects per 1000 lines of code during in-house testing and 0.1 defect per 1000 lines of code in released product (Cobb and Mills 1990). A few projects - for example, the space shuttle software - have achieved a level of 0 defects in 500,000 lines of code using a system of formal development methods, peer reviews, and statistical testing."

Thank You!
Mark Kadrich, Chief Information Security & Privacy Officer, San Diego Health Connect

Question and Answer
Mark S. Kadrich, CISO & Privacy Officer, San Diego Health Connect
To ask a question, type your question in the Chat area of your screen. You may need to click on the double arrows to open this function. #ISSAWebConf

Thank you!
Mark S. Kadrich, CISO & Privacy Officer, San Diego Health Connect

Open Software and Trust Better Than Free?
Tim Jarrett, Director, Enterprise Security Strategy, VERACODE
#ISSAWebConf

2014: The year of open software bugs

Heartbleed
- Remotely exploitable information leak vulnerability in OpenSSL
- Allows attackers to steal credentials, private keys, emails, and other sensitive data
- Web applications provide the critical attack vector, but could be on any system
- Observed frequency: 1 in 3600 web sites
- About 34% of organizations tested had at least one vulnerable site

Shellshock
- Remotely exploitable application-layer vulnerability in Bash
- Allows attackers to run arbitrary code on the target system (totally controlling it)
- Web applications provide the critical attack vector, but could be on any system
- Observed frequency: 1 in 450 web applications

For context: Vulnerability Prevalence (bar chart)
- Heartbleed: 0.03%
- Shellshock: 0.22%
- SQL Injection: 5.65%
SQL Injection prevalence data source: Veracode dynamic scan data, authenticated and unauthenticated scans, 2014

So why are these bugs such a big deal???
Chosen attack = (Likelihood of success × Reward) / Effort


Why doesn't my ___ catch this?
- Antivirus: Because these aren't malicious programs, they're parts of programs you (and your organization) use every day. And there's no signature you can scan for.
- Source code scanner: Because these vulnerabilities are generally in compiled libraries that your developers include and don't have source for.

Successful approaches
- Web vulnerability scanning
- Software composition analysis
- Static analysis

Web vulnerability scanning
Uses web scanning (making browsing requests, filling out forms) to find known vulnerabilities. Example products: Qualys, Veracode.
Benefits:
- Require no developer involvement
- Look for component vulnerabilities the same way they'll be exploited
- Server-side or app vulns
Drawbacks:
- Imprecise identification of vulnerable components; must use per-vulnerability attacks
- Requires good crawling

Software composition analysis
Enumerates the known components used by applications and associates them with vulnerability data. Example products: Sonatype, Veracode.
Benefits:
- Comprehensive application coverage
- Generates an inventory that can be mined when new vulnerabilities appear
Drawbacks:
- Requires development team involvement
- Doesn't help for some vulnerabilities (e.g. Shellshock) that leverage components on the server

Static analysis
Fully models all the paths of the application and looks for poor coding practices that can be exploited. Example products: HP Fortify, Veracode.
Benefits:
- Comprehensive application coverage
- Best way to find unsafe coding practices that enable exploitation of a server component vuln
Drawbacks:
- Requires development team involvement (usually)
- Only good for some types of vulns (would miss Heartbleed)

A scan is not enough
- Inventory: What components are my applications using?
- Policy: How do Security and development manage component security issues?
- Program: How does Security roll out the new standards to the organization?
- Plan: How will you respond when the next Heartbleed is found?
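The software composition analysis slide says the component inventory "can be mined when new vulnerabilities appear", and the slide above asks how you respond when the next Heartbleed is found. This added example (not from the presentation or from any vendor's product) shows that mining step: a constructed inventory of (app, component, version) rows is queried against a constructed advisory, with a version parser that orders OpenSSL-style letter suffixes (1.0.1 < 1.0.1f < 1.0.1g < 1.0.2) correctly. The advisory range is illustrative, not an official advisory.

```python
import re
from dataclasses import dataclass

# Constructed sample inventory of (app, component, version); not real data.
# Note this only lists components the apps declare, so a server-level package
# such as Bash (the Shellshock case) would not appear here, as the slide warns.
INVENTORY = [
    ("patient-portal", "openssl", "1.0.1f"),
    ("patient-portal", "struts", "2.3.16"),
    ("billing-api", "openssl", "1.0.1g"),
    ("billing-api", "jackson-databind", "2.4.1"),
    ("legacy-intranet", "openssl", "0.9.8y"),
    ("mobile-gateway", "openssl", "1.0.2"),
]

@dataclass(frozen=True)
class Advisory:
    component: str
    min_version: str    # first affected version (inclusive)
    fixed_version: str  # first version that is no longer affected (exclusive)

def version_key(v):
    """Turn '1.0.1f' into a sortable key: numeric parts become (0, int), letter
    parts become (1, str), so tuples only ever compare like with like."""
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower())
                 for t in re.findall(r"\d+|[a-zA-Z]+", v))

def is_affected(version, advisory):
    k = version_key(version)
    return version_key(advisory.min_version) <= k < version_key(advisory.fixed_version)

def affected_apps(inventory, advisory):
    """Mine the inventory for every (app, version) pair the advisory applies to."""
    return sorted((app, ver) for app, comp, ver in inventory
                  if comp == advisory.component and is_affected(ver, advisory))

# Constructed advisory in the shape of a Heartbleed-style OpenSSL bug:
# affected from 1.0.1 up to, but not including, 1.0.1g (illustrative only).
HEARTBLEED_LIKE = Advisory("openssl", "1.0.1", "1.0.1g")

if __name__ == "__main__":
    for app, ver in affected_apps(INVENTORY, HEARTBLEED_LIKE):
        print(f"{app}: openssl {ver} -> upgrade to {HEARTBLEED_LIKE.fixed_version} or later")
```

Only patient-portal is reported: billing-api already runs the fixed release, legacy-intranet is below the affected range, and mobile-gateway is above it.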

THANK YOU
Twitter: @tojarrett

Thank You
Tim Jarrett, Director, Enterprise Security Strategy, VERACODE
Twitter: @tojarrett

Question and Answer
Tim Jarrett, Director, Enterprise Security Strategy, VERACODE. Twitter: @tojarrett
To ask a question, type your question in the Chat area of your screen. You may need to click on the double arrows to open this function.

Thank you!
Tim Jarrett, Director, Enterprise Security Strategy, VERACODE

Open Panel with Audience Q&A
- Mark Kadrich, Chief Information Security & Privacy Officer, San Diego Health Connect
- Tim Jarrett, Director, Enterprise Security Strategy, VERACODE
To ask a question, type your question in the Chat area of your screen. You may need to click on the double arrows to open this function. #ISSAWebConf

Closing Remarks
I would like to thank Mark and Tim for lending their time and expertise to this ISSA Educational Program. Thank you to VERACODE for sponsoring this webinar. Thank you Citrix for donating the Webcast service. #ISSAWebConf

CPE Credit
Within 24 hours of the conclusion of this webcast, you will receive a link via email to a post Web Conference quiz. After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits.
On-Demand Viewers Quiz Link: http://www.surveygizmo.com/s3/2119251/issa-web-Conference-April-28-2015-Open-Software-and-Trust-Better-Than-Free
#ISSAWebConf