Application Security: Bake In or Add (Sometime) Later?
Jeff Kalwerisky, Security Evangelist for Alpha Tech
and VP, Information Security & Technical Training
CPEinteractive, Inc.
Famous Quote
• “Who am I and Why Am I Here?”
Admiral James Stockdale, Vietnam war hero & Ross Perot’s V-P candidate in 1992
• A recovering software developer
• Not an Alpha developer
• Sole focus: Information Security
– AKA keeping “them” away from the crown jewels
• Security Evangelist for Alpha for many years
The Title of This Short Talk
• The $64K question: Should security be baked into all apps, or can it be added on later?
• The answer is Yes!
• In fact, attention to security begins on that very first design whiteboard
• It then continues into prototyping, development, testing, live deployment, and maintenance
– Whether Alpha Anywhere©, Xbasic, Java, even COBOL
“Just the Facts, Ma’am”
Of popular mobile apps have security baked in and use tools to defend against hack attacks
Of the top 100 Android & iOS apps have been successfully hacked
Why Should I Care?
• Revenue loss
• Unauthorized access to sensitive data
• Intellectual property theft
• Fraud
• Altered user experience
• Brand damage
What Really Keeps CxOs Up at Night
• COMPLIANCE!
• With an alphabet soup of regulations and standards
– PA-DSS 3.0
– PCI-DSS 3.0
– Gramm-Leach-Bliley Act (GLBA)
• The Men in Black: Auditors
Not to Mention Career-Limiting
• CIO and CEO of Target fired after an embarrassing security breach that compromised 40 million(!) customer credit and debit cards
Not All (Mobile) Apps Are Equal
High Risk Apps . . .
• Location-aware
• Collect personal info
• Use remote servers to handle user data
• Access sensitive databases
Low(er) Risk Apps . . .
• Alarm clock
• To-do list with no connection
• Apps that never talk to the Web or corporate databases
The Way
• Basic security is built into the tool
– Unlike many other development tools
– We’re looking at ya, MS-Access . . .!
• But it’s getting much more complex
– BYOD, BYOA, COPE*, Cloud, Big Data Analytics, social media, the Internet of Things, . . .
* Corporate-Owned, Personally-Enabled
Announcing . . .
• Alpha Anywhere© Security University
• A series of focused, online sessions
• Touching on many aspects of “real” security
– C-I-A: Confidentiality-Integrity-Availability
– The myriad virtues of Encryption Everywhere
– Threat Modeling: finding those pesky security vulnerabilities BEFORE they bite you
– From Design, through Development, into Production
Contact Me
Jeff Kalwerisky, CPE Interactive, Inc.
Mobile 404-641-0634