Web Application Security For Small and Medium Businesses
1. Qualys, Inc. Confidential
Will Bechtel – Director, Product Management
May 24, 2012
Web Application Security For Small and Medium Businesses
2. Why Web App Security Matters
How do breaches occur?
• 81% utilized some form of hacking (+31%)
How are web apps involved?
• Web Applications... were associated with over a third of total data loss
What can you do to help your organization?
• 92% of incidents were discovered by a third party
• 97% of breaches were avoidable through simple or intermediate controls
Source: 2012 Verizon Data Breach Investigation Report
3. Why Web App Security Matters
Compromised Assets by percent of breaches and percent of records*

Type                                Category       All Orgs              Larger Orgs
                                                   Breaches   Records    Breaches   Records
POS server (store controller)       Servers        50%        1%         2%         <1%
POS terminal                        User devices   35%        <1%        2%         <1%
Desktop/Workstation                 User devices   18%        34%        12%        36%
Automated Teller Machine (ATM)      User devices   8%         21%        13%        21%
Web/application server              Servers        6%         80%        33%        82%
Database server                     Servers        6%         96%        33%        98%
Regular employee/end-user           People         3%         1%         5%         <1%
Mail server                         Servers        3%         2%         10%        2%
Payment card (credit, debit, etc.)  Offline data   3%         <1%        0%         <1%
Cashier/Teller/Waiter               People         2%         <1%        2%         <1%
Pay at the Pump terminal            User devices   2%         <1%        0%         <1%
File server                         Servers        1%         <1%        5%         <1%
Laptop/Netbook                      User devices   1%         <1%        5%         <1%
Remote access server                Servers        1%         <1%        7%         <1%
Call Center Staff                   People         1%         <1%        7%         <1%

*Assets involved in less than 1% of breaches are not shown
4. Web Application Security: Overview for SMB
Part of an overall security program
§ Should be founded in Governance and Policy
§ Should be based on standards and best practices
§ Must be supported by management to be effective
Third Party Applications
§ Purchased to support the business
§ Could be commercial off the shelf (COTS)
§ May be developed, customized or supported by 3rd party
Internally Developed
§ For many small and medium businesses, the web app IS the business
§ Access to developers
§ May need to support customers
5. Web Application Security: Drivers
Compliance
§ Payment Card Industry (PCI)
§ Privacy Regulations
§ GLBA, SB1386, FCC
Partnerships
§ Must demonstrate current and ongoing security
§ Usually confirmed by 3rd party
Revenue and Brand Reputation Security
§ Loss of revenue while you stop to address issues or are taken down by hackers
§ Loss of reputation that may be documented forever
§ Breach notification costs
7. Web Application Security: Conventional web application security program
Secure Development
§ Secure SDLC
§ Static Analysis
§ Dynamic Analysis
Secure Deployment
§ Vulnerability Scanning
§ Penetration Testing
Secure Operation
§ Web Application Firewall (WAF)
§ Penetration Testing
§ Vulnerability Assessment
§ Activity Monitoring
8. Web Application Security: SMB focus
Secure Development
§ Secure SDLC
− Internal development
§ Security Requirements
§ Secure Design
− 3rd Party
§ Review vendor secure dev process
§ Dynamic Analysis
− Automated scanning/Interactive Testing
Secure Deployment
§ Vulnerability Scanning
− Automated scanning
Secure Operation
§ Vulnerability Assessment
§ Activity Monitoring
9. Web Application Security: Dynamic Analysis/Vulnerability Scanning
Detect Web Application Security Flaws
§ Cost effective
§ OWASP Top 10 (SQL Injection, XSS, etc.)
§ Authenticate, crawl the web application, test
§ Create a report of security flaws
§ Validation of issues/Remediation
§ Used by Compliance/Partners
10. Web Application Security: Dynamic Analysis/Vulnerability Scanning
Installed Software Scanners
§ Interactive use – targeted for trained appsec resources
§ Installed on workstation/server
§ Data management not included
Cloud SaaS Services
§ Highly automated
§ No installation, easy to set up, annual subscription
§ Data management included
11. Web Application Security: Summary
Part of an overall security program
§ Should be founded in Governance and Policy
§ Should be based on standards and best practices
§ Must be supported by management to be effective
Security in 3 Phases
§ Development
§ Deployment
§ Operation
Determine mix of cost effective controls
§ Ensure secure SDLC
§ Test for security flaws (Scan/Pen Test)
§ Monitor
12. Web Application Security: More information
Resources
§ Open Web Application Security Program – OWASP
http://www.owasp.org/
§ Web Application Security – How to Minimize the Risk of Attacks
http://www.qualys.com/forms/guides/was_minimize_risk/
§ Building a Web Application Security Program
http://www.qualys.com/forms/whitepapers/building_was_program/
§ Web Application Security for Dummies
http://www.qualys.com/forms/ebook/wasfordummies/