Qualys, Inc. Confidential
Will Bechtel – Director, Product Management
May 24, 2012
Web Application Security
For Small and Medium
Businesses
Why Web App Security Matters
2
How do breaches occur?
•  81% utilized some form of hacking (+31%)
How are web apps involved?
•  Web applications were associated with over a third of total data loss
What can you do to help your organization?
•  92% of incidents were discovered by a third party
•  97% of breaches were avoidable through simple or intermediate controls
Source: 2012 Verizon Data Breach Investigation Report
Why Web App Security Matters
3
Compromised Assets by percent of breaches and percent of records*

Type                                Category       All Orgs            Larger Orgs
                                                   breaches  records   breaches  records
POS server (store controller)       Servers        50%       1%        2%        <1%
POS terminal                        User devices   35%       <1%       2%        <1%
Desktop/Workstation                 User devices   18%       34%       12%       36%
Automated Teller Machine (ATM)      User devices   8%        21%       13%       21%
Web/application server              Servers        6%        80%       33%       82%
Database server                     Servers        6%        96%       33%       98%
Regular employee/end-user           People         3%        1%        5%        <1%
Mail server                         Servers        3%        2%        10%       2%
Payment card (credit, debit, etc.)  Offline data   3%        <1%       0%        <1%
Cashier/Teller/Waiter               People         2%        <1%       2%        <1%
Pay at the Pump terminal            User devices   2%        <1%       0%        <1%
File server                         Servers        1%        <1%       5%        <1%
Laptop/Netbook                      User devices   1%        <1%       5%        <1%
Remote access server                Servers        1%        <1%       7%        <1%
Call Center Staff                   People         1%        <1%       7%        <1%

*Assets involved in less than 1% of breaches are not shown
Web Application Security
Overview for SMB
4
Part of an overall security program
§  Should be founded in Governance and Policy
§  Should be based on standards and best practices
§  Must be supported by management to be effective
Third Party Applications
§  Purchased to support the business
§  Could be commercial off the shelf (COTS)
§  May be developed, customized or supported by 3rd party
Internally Developed
§  For many small and medium businesses, web app IS the business
§  Access to developers
§  May need to support customers
Web Application Security
Drivers
5
Compliance
§  Payment Card Industry (PCI)
§  Privacy Regulations
§  GLBA, SB1386, FCC
Partnerships
§  Must demonstrate current and ongoing security
§  Usually confirmed by 3rd party
Revenue and Brand Reputation Security
§  Loss of revenue while you stop to address issues or are taken down by hackers
§  Loss of reputation that may be documented forever
§  Breach notification costs
Web Application Security
Conventional web application security program
6
Web Application Security
Conventional web application security program
7
Secure Development
§  Secure SDLC
§  Static Analysis
§  Dynamic Analysis
Secure Deployment
§  Vulnerability Scanning
§  Penetration Testing
Secure Operation
§  Web Application Firewall (WAF)
§  Penetration Testing
§  Vulnerability Assessment
§  Activity Monitoring
Web Application Security
SMB focus
8
Secure Development
§  Secure SDLC
−  Internal development
§  Security Requirements
§  Secure Design
−  3rd Party
§  Review vendor secure dev process
§  Dynamic Analysis
−  Automated scanning/Interactive Testing
Secure Deployment
§  Vulnerability Scanning
−  Automated scanning
Secure Operation
§  Vulnerability Assessment
§  Activity Monitoring
Web Application Security
Dynamic Analysis/Vulnerability Scanning
9
Detect Web Application Security Flaws
§  Cost effective
§  OWASP Top 10 (SQL Injection, XSS, etc.)
§  Authenticate, Crawl web application, Test
§  Create report of security flaws
§  Validation of issues/Remediation
§  Used by Compliance/Partners
Web Application Security
Dynamic Analysis/Vulnerability Scanning
10
Installed Software Scanners
§  Interactive use – targeted for trained appsec resources
§  Installed on workstation/server
§  Data management not included
Cloud SaaS Services
§  Highly automated
§  No installation, easy to setup, annual subscription
§  Data management included
Web Application Security
Summary
11
Part of an overall security program
§  Should be founded in Governance and Policy
§  Should be based on standards and best practices
§  Must be supported by management to be effective
Security in 3 Phases
§  Development
§  Deployment
§  Operation
Determine mix of cost effective controls
§  Ensure secure SDLC
§  Test for security flaws (Scan/Pen Test)
§  Monitor
Resources
§  Open Web Application Security Project (OWASP)
http://www.owasp.org/
§  Web Application Security — How to Minimize the Risk of Attacks
http://www.qualys.com/forms/guides/was_minimize_risk/
§  Building a Web Application Security Program
http://www.qualys.com/forms/whitepapers/building_was_program/
§  Web Application Security for Dummies
http://www.qualys.com/forms/ebook/wasfordummies/
12
Web Application Security
More information
Thank You
Will Bechtel – wbechtel@qualys.com
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 

Último (20)

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 

Web Application Security For Small and Medium Businesses

  • 1. Web Application Security For Small and Medium Businesses
    Will Bechtel – Director, Product Management, Qualys, Inc.
    May 24, 2012 (Qualys, Inc. Confidential)
  • 2. Why Web App Security Matters (source: 2012 Verizon Data Breach Investigation Report)
    How do breaches occur?
      §  81% utilized some form of hacking (+31%)
    How are web apps involved?
      §  Web Applications were associated with over a third of total data loss
    What can you do to help your organization?
      §  92% of incidents were discovered by a third party
      §  97% of breaches were avoidable through simple or intermediate controls
  • 3. Why Web App Security Matters
    Compromised assets by percent of breaches and percent of records*

    | Type | Category | All Orgs: % breaches | All Orgs: % records | Larger Orgs: % breaches | Larger Orgs: % records |
    |---|---|---|---|---|---|
    | POS server (store controller) | Servers | 50% | 1% | 2% | <1% |
    | POS terminal | User devices | 35% | <1% | 2% | <1% |
    | Desktop/Workstation | User devices | 18% | 34% | 12% | 36% |
    | Automated Teller Machine (ATM) | User devices | 8% | 21% | 13% | 21% |
    | Web/application server | Servers | 6% | 80% | 33% | 82% |
    | Database server | Servers | 6% | 96% | 33% | 98% |
    | Regular employee/end-user | People | 3% | 1% | 5% | <1% |
    | Mail server | Servers | 3% | 2% | 10% | 2% |
    | Payment card (credit, debit, etc.) | Offline data | 3% | <1% | 0% | <1% |
    | Cashier/Teller/Waiter | People | 2% | <1% | 2% | <1% |
    | Pay at the Pump terminal | User devices | 2% | <1% | 0% | <1% |
    | File server | Servers | 1% | <1% | 5% | <1% |
    | Laptop/Netbook | User devices | 1% | <1% | 5% | <1% |
    | Remote access server | Servers | 1% | <1% | 7% | <1% |
    | Call Center Staff | People | 1% | <1% | 7% | <1% |

    *Assets involved in less than 1% of breaches are not shown.
  • 4. Web Application Security: Overview for SMB
    Part of an overall security program
      §  Should be founded in Governance and Policy
      §  Should be based on standards and best practices
      §  Must be supported by management to be effective
    Third Party Applications
      §  Purchased to support the business
      §  Could be commercial off the shelf (COTS)
      §  May be developed, customized or supported by a 3rd party
    Internally Developed
      §  For many small and medium businesses, the web app IS the business
      §  Access to developers
      §  May need to support customers
  • 5. Web Application Security: Drivers
    Compliance
      §  Payment Card Industry (PCI)
      §  Privacy Regulations
      §  GLBA, SB1386, FCC
    Partnerships
      §  Must demonstrate current and ongoing security
      §  Usually confirmed by 3rd party
    Revenue and Brand Reputation Security
      §  Loss of revenue while you stop to address issues or are taken down by hackers
      §  Loss of reputation that may be documented forever
      §  Breach notification costs
  • 6. Web Application Security: Conventional web application security program
  • 7. Web Application Security: Conventional web application security program
    Secure Development
      §  Secure SDLC
      §  Static Analysis
      §  Dynamic Analysis
    Secure Deployment
      §  Vulnerability Scanning
      §  Penetration Testing
    Secure Operation
      §  Web Application Firewall (WAF)
      §  Penetration Testing
      §  Vulnerability Assessment
      §  Activity Monitoring
  • 8. Web Application Security: SMB focus
    Secure Development
      §  Secure SDLC
        −  Internal development
          §  Security Requirements
          §  Secure Design
        −  3rd Party
          §  Review vendor secure dev process
      §  Dynamic Analysis
        −  Automated scanning/Interactive Testing
    Secure Deployment
      §  Vulnerability Scanning
        −  Automated scanning
    Secure Operation
      §  Vulnerability Assessment
      §  Activity Monitoring
  • 9. Web Application Security: Dynamic Analysis/Vulnerability Scanning
    Detect Web Application Security Flaws
      §  Cost effective
      §  OWASP Top 10 (SQL Injection, XSS, etc.)
      §  Authenticate, crawl the web application, test
      §  Create a report of security flaws
      §  Validation of issues/Remediation
      §  Used by Compliance/Partners
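The crawl / test / report loop on this slide, as an added example that is not part of the deck or of any Qualys product: a minimal Python scanner run against a constructed in-memory app (`demo_app`, hypothetical) that crawls links, sends a harmless random canary into each query parameter and reports pages that echo it back unescaped, which is the missing output encoding behind reflected XSS. The authentication step is omitted, and the regex link extraction stands in for a real HTML parser.

```python
import html
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

def demo_app(url):
    """Constructed stand-in for the app under test (hypothetical, not a real site)."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if parts.path == "/":
        return '<a href="/search?q=test">search</a> <a href="/about?msg=hello">about</a>'
    if parts.path == "/search":  # echoes q unescaped: the flaw a scan should report
        return "<p>Results for " + params.get("q", "") + "</p>"
    if parts.path == "/about":   # escapes msg: must not be reported
        return "<p>" + html.escape(params.get("msg", "")) + "</p>"
    return "<h1>404</h1>"

def crawl(fetch, start="/"):
    """Crawl step: breadth-first walk of same-site links, returning every URL seen."""
    seen, queue = set(), [start]
    while queue:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        # a real scanner would use a full HTML parser; a regex is enough for the demo
        links = re.findall(r'href="([^"]*)"', fetch(url))
        queue += [l for l in links if l.startswith("/")]
    return sorted(seen)

def with_param(url, name, value):
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    q[name] = value
    return urlunsplit(parts._replace(query=urlencode(q)))

def scan(fetch, start="/"):
    """Test step: send a harmless random canary containing angle brackets into every
    crawled parameter; a page that echoes it back verbatim is not escaping output,
    which is the precondition for reflected XSS. Returns the report as a list."""
    findings = []
    for url in crawl(fetch, start):
        for name in parse_qs(urlsplit(url).query):
            canary = "<cn" + secrets.token_hex(4) + ">"
            if canary in fetch(with_param(url, name, canary)):
                findings.append({"url": url, "param": name,
                                 "issue": "parameter reflected without HTML escaping"})
    return findings
```

Running `scan(demo_app)` reports only `/search` (parameter `q`); `/about` escapes its input and stays out of the report, which is the validation step the slide lists before remediation.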
  • 10. Web Application Security: Dynamic Analysis/Vulnerability Scanning
    Installed Software Scanners
      §  Interactive use – targeted for trained appsec resources
      §  Installed on workstation/server
      §  Data management not included
    Cloud SaaS Services
      §  Highly automated
      §  No installation, easy to set up, annual subscription
      §  Data management included
  • 11. Web Application Security: Summary
    Part of an overall security program
      §  Should be founded in Governance and Policy
      §  Should be based on standards and best practices
      §  Must be supported by management to be effective
    Security in 3 Phases
      §  Development
      §  Deployment
      §  Operation
    Determine mix of cost effective controls
      §  Ensure secure SDLC
      §  Test for security flaws (Scan/Pen Test)
      §  Monitor
  • 12. Web Application Security: More information (Resources)
      §  Open Web Application Security Program - OWASP http://www.owasp.org/
      §  Web Application Security — How to Minimize the Risk of Attacks http://www.qualys.com/forms/guides/was_minimize_risk/
      §  Building a Web Application Security Program http://www.qualys.com/forms/whitepapers/building_was_program/
      §  Web Application Security for Dummies http://www.qualys.com/forms/ebook/wasfordummies/
  • 13. Thank You
    Will Bechtel – wbechtel@qualys.com