infoshare
Why care about application security?
Paweł Krawczyk (IPSec.pl), [email protected]
Sony PSN
• April 2011
• PSN & Qriosity outage
• 80m records lost
• May 3
– Another 25m records
– Sony Online Entertainment outage
Small issues are important
Challenger 1986
Sony 2011
• Top hack (2009)
• 130 million personal records
– Credit card numbers
Fast & furious...
Source: datalossdb.org
$$$
• Settlements
– Visa = $60.0m
– AmEx = $3.5m
– Consumer = $4.8m
• Ponemon Institute estimate
– At $60 cost per record = $7.8b
– Now $140 (2010)
– Indirect costs (e.g. lost business)
Source: datalossdb.org
NYSE
Source: datalossdb.org
Side effect
• CC's prices drop on the "black market"
• 2008: $10-20
• 2009: $2-6
Numbers from: Finjan, Kaspersky
Grace period for startups?
Source: dereknewton.com
Farming
Source: historyforkids.org
Malware farming
• Mass infections of 500k websites
– 2011 (LizaMoon), 2008
• Results for website owners
– Blacklisted in: Google Safe Browsing, Microsoft Phishing Filter, OpenDNS etc.
Your website
• Blacklisted
– Google Safe Browsing, Microsoft Phishing Filter, OpenDNS etc.
Best ways to get hacked
• Guaranteed
– Use ancient WordPress, Joomla, phpBB...
– Use trivial passwords for FTP, SSH...
• Likely
– Write your own application...
Tumblr
Source: niebezpiecznik.pl, Reddit
Bad news live long
Source: niebezpiecznik.pl
As seen on 23 March 2011
Wyższa Szkoła Policji (Police Academy)
Source: prawo.vagla.pl
Sąd Okręgowy w Częstochowie (Częstochowa District Court)
Source: prawo.vagla.pl
Data protection laws
• Poland - up to 50,000 PLN fines
– May issue order to stop processing data
• Audit reports are public
– Would you trust them in future?
Going international?
• GBP 5.6m
• GBP 17.5m
• GBP 3m
How to fix stuff?
Source: NASA, Wikipedia (Apollo 13 - 1970)
Is security the enemy of the economy?
Security is economy
Eliminate bugs early
Applied Software Measurement, Capers Jones, 1996; Building Security Into The Software Life Cycle, Marco M. Morana, 2006
Early code audit
It’s cheaper than...
Pentest
Late code audit
And way cheaper than...
Hack!
How?
• Doug Hubbard, "The Failure of Risk Management"
• Security Assurance Maturity Model (OpenSAMM)
• Security Development Lifecycle (SDL)
Ask peers
• OWASP
– Open Web Application Security Project
– www.owasp.org
• ISSA
– Information Systems Security Association
– www.issa.org.pl
Questions, comments?