FireHost Webinar: Protect Your Application with Intelligent Security
DESCRIPTION
Learn from the experts how to effectively secure your online business. Join FireHost’s CEO, Chris Drake, and WhiteHat Security’s CTO, Jeremiah Grossman, as they identify current threats and reveal how examining billions of attempted attacks at a macro level has identified a new way for enterprises to make intelligent decisions about better protecting their information assets.
TRANSCRIPT
Protect Your Applications with Intelligent Security
Presented by:
Learn from the Experts
Chris Drake
Founder & CEO, FireHost
Jeremiah Grossman
Founder & CTO, WhiteHat Security
Today’s Agenda
• Explore the Evolving Threat Landscape in Today’s Business Environment
• Discuss Specific Vulnerabilities and related Security at the Web Application Layer
• Analyze Current Security Funding Trends & Strategies
• Present Strategies for Addressing Threats and Vulnerabilities in an Economically Rational Manner
• Address Your Questions
Submit your questions throughout the webinar via chat. We’ll address them live at the end or follow up offline.
Jeremiah Grossman
Founder & CTO, WhiteHat Security
• Renowned worldwide as an expert on web security
• Co-founder of the Web Application Security Consortium
• Recently named one of InfoWorld’s Top 25 CTOs for 2007
• Credited with the discovery of many cutting-edge attack and defense techniques
• Co-author of the recently published book, Cross-Site Scripting Attacks
Chris Drake
Founder & CEO, FireHost
• Leading FireHost with 100 percent year-over-year growth
• Established as a go-to resource for secure cloud hosting
• Paratrooper in the 82nd Airborne Division at Fort Bragg
• Sought after speaker and writer on cloud, hosting, and security
• Awarded Tech Titans Emerging CEO of the Year for 2013 and Dallas Business Journal’s “40 under Forty” business leaders
Headlines on Security Breaches Targeting Web Applications
Cyber-attacks Cost $1 Million on Average to Resolve
- InfoSecurity magazine, October 10, 2013
Why the state of application security is not so healthy
- CSO magazine, September 23, 2013
Adobe deals with data breach affecting 2.9 million customers
- Software Development Times, October 7, 2013
More than Half Of Companies Suffered A Web Application Security Breach In Last 18 Months
- Dark Reading, Sept. 18, 2012
World's Biggest Data Breaches: Selected losses greater than 30,000 records
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Key Trends in Securing Applications & Resources
• 86% of all websites had at least one serious vulnerability.
• The average number of serious vulnerabilities identified per website was 56, continuing the downward trend from 79 in 2011 and 230 in 2010.
• 61% of all serious vulnerabilities were resolved, down from 63% in 2011 but still up from 53% in 2010 and far better than 2007, when it was 35%.
• 53% of organizations said their software projects contain an application library or framework that centralizes and enforces security controls.
• 85% of organizations said they perform some amount of application security testing in pre-production website environments.
• 39% of organizations said they perform some amount of Static Code Analysis on their websites' underlying applications.
• 55% of organizations said they have a Web Application Firewall (WAF) in some state of deployment.
Source: Website Security Statistics Report, WhiteHat Security, May 2013
Top 15 Vulnerability Classes (2012)
Likelihood that at least one serious* vulnerability will appear in a website (bar chart, classes in descending order):
Information Leakage: 54%
Cross-Site Scripting: 52%
Content Spoofing: 32%
Brute Force: 26%
Cross-Site Request Forgery: 25%
Fingerprinting: 22%
Insufficient Transport Layer…: 21%
Session Fixation: 14%
URL Redirector Abuse: 13%
Insufficient Authorization: 11%
Directory Indexing: 11%
Abuse of Functionality: 9%
Predictable Resource Location: 8%
SQL Injection: 7%
HTTP Response Splitting: 4%
Attack types are not evolving….
Comparison of Superfecta Cyber Attacks Between Q2 2013 and Q3 2013 (bar chart, axis 0% to 40%; two values per attack class, listed in the legend’s order: 2013 Q3, then 2013 Q2)
SQL Injection: 18% / 20%
Directory Traversal: 23% / 22%
Cross-Site Request Forgery: 26% / 24%
Cross-Site Scripting: 33% / 34%
Attack Statistics
Quarter   Total Attacks Blocked   Quarter over Quarter Delta   Filtered by IPRM   Quarter over Quarter Delta   Percentage IPRM Filtered
2013 Q3   31,808,175              32%                          17,488,853         77%                          54%
2013 Q2   23,926,025              (baseline)                   9,876,834          (baseline)                   41%
Source: FireHost, October 2013
Web Applications: The Largest Threat
Source: Verizon / United States Secret Service Data Breach Investigations Report, 2012
• 54% of attacks are on the web application layer
• 92% of web application attacks resulted in over 90% of record access
Spending on Security
The biggest line item in [non-security] spending SHOULD match the biggest line item in security.
Rank of each layer by spend (1 = largest line item):
Layer          IT   IT Security
Applications   1    3
Host           2    2
Network        3    1
Barriers to Addressing Vulnerabilities at the Web Application Layer
Source: SANS Institute, October 2013
[Bar chart, axis 0% to 30%, showing the share of respondents ranking each barrier First, Second or Third. Barriers listed: Identifying all applications; Lack of funding/management buy-in; Lack of integrated buy-in between security…; Lack of application security skills; Lack of technical resources; Legacy code; Integrated lifecycle management; Other. The per-barrier values are not recoverable from the page.]
Managing Risk and Security in Mixed and Outsourced Environments
If 2013 is the year enterprises begin implementing their hybrid cloud strategies, as the experts are predicting, then it follows that this will also be the year when hybrid cloud security takes center stage.
-- Christine Burns Rudalevige, Network World, February 11, 2013
Security tops the list of concerns that IT has with cloud services, according to the InformationWeek survey; 51% of respondents cited security defects as their greatest concern, a figure that remains unchanged from 2012.
-- Tony Kontzer, Network Computing, August 20, 2013
Key Take Home Points
1. Ensure you’re properly investing against application security threats
2. Classify your data and set security/uptime requirements for each class
3. Isolate your mixed IT/application environments (internal or hosted)
Questions & Answers
Chris Drake
Founder & CEO, FireHost
Jeremiah Grossman
Founder & CTO, WhiteHat Security
Thank You
linkedin.com/in/chrisdraketx linkedin.com/in/grossmanjeremiah
@chrisdrake @jeremiahg