FireHost Webinar: Protect Your Application With Intelligent Security

Protect Your Applications with Intelligent Security Presented by: Learn from the Experts Chris Drake Founder & CEO FireHost Jeremiah Grossman Founder & CTO WhiteHat Security

description

Learn from the experts how to effectively secure your online business. Join FireHost’s CEO, Chris Drake, and WhiteHat Security’s CTO, Jeremiah Grossman as they identify current threats, and reveal how examining billions of attempted attacks at a macro level has identified a new way for enterprises to make intelligent decisions about better protecting their information assets.

Transcript of FireHost Webinar: Protect Your Application With Intelligent Security

Page 1: FireHost Webinar: Protect Your Application With Intelligent Security

Protect Your Applications with Intelligent Security

Presented by:

Learn from the Experts

Chris Drake

Founder & CEO, FireHost

Jeremiah Grossman

Founder & CTO, WhiteHat Security

Page 2: FireHost Webinar: Protect Your Application With Intelligent Security

Today’s Agenda

• Explore the Evolving Threat Landscape in Today’s Business Environment

• Discuss Specific Vulnerabilities and related Security at the Web Application Layer

• Analyze Current Security Funding Trends & Strategies

• Present Strategies for Addressing Threats and Vulnerabilities in an Economically Rational Manner

• Address Your Questions

Submit your questions throughout the webinar via chat. We’ll address them live at the end or follow up offline.

Page 3: FireHost Webinar: Protect Your Application With Intelligent Security

Jeremiah Grossman

Founder & CTO, WhiteHat Security

• Renowned worldwide as an expert on web security

• Co-founder of the Web Application Security Consortium

• Recently named one of InfoWorld’s Top 25 CTOs for 2007

• Credited with the discovery of many cutting-edge attack and defense techniques

• Co-author of the recently published book, Cross-Site Scripting Attacks

Chris Drake

Founder & CEO, FireHost

• Leading FireHost with 100 percent year-over-year growth

• Established as a go-to resource for secure cloud hosting

• Paratrooper in the 82nd Airborne Division at Fort Bragg

• Sought-after speaker and writer on cloud, hosting, and security

• Awarded Tech Titans Emerging CEO of the Year for 2013 and Dallas Business Journal’s “40 under Forty” business leaders

Page 4: FireHost Webinar: Protect Your Application With Intelligent Security

Headlines on Security Breaches Targeting Web Applications

Cyber-attacks Cost $1 Million on Average to Resolve

- InfoSecurity magazine, October 10, 2013

Why the state of application security is not so healthy

- CSO magazine, September 23, 2013

Adobe deals with data breach affecting 2.9 million customers

- Software Development Times, October 7, 2013

More than Half Of Companies Suffered A Web Application Security Breach In Last 18 Months

- Dark Reading, Sept. 18, 2012

Page 5: FireHost Webinar: Protect Your Application With Intelligent Security

World's Biggest Data Breaches: Selected losses greater than 30,000 records

Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Page 6: FireHost Webinar: Protect Your Application With Intelligent Security

Key Trends in Securing Applications & Resources

• 86% of all websites had at least one serious vulnerability.

• The average number of serious vulnerabilities identified per website was 56, continuing the downward trend from 79 in 2011 and 230 in 2010.

• 61% of all serious vulnerabilities were resolved, down from 63% in 2011 but still up from 53% in 2010 and far better than 2007, when it was 35%.

• 53% of organizations said their software projects contain an application library or framework that centralizes and enforces security controls.

• 85% of organizations said they perform some amount of application security testing in pre-production website environments.

• 39% of organizations said they perform some amount of Static Code Analysis on their websites' underlying applications.

• 55% of organizations said they have a Web Application Firewall (WAF) in some state of deployment.

Source: Website Security Statistics Report, WhiteHat Security, May 2013

Page 7: FireHost Webinar: Protect Your Application With Intelligent Security

Top 15 Vulnerability Classes (2012)

Likelihood that at least one serious* vulnerability will appear in a website

• Information Leakage: 54%
• Cross-Site Scripting: 52%
• Content Spoofing: 32%
• Brute Force: 26%
• Cross-Site Request Forgery: 25%
• Fingerprinting: 22%
• Insufficient Transport Layer...: 21%
• Session Fixation: 14%
• URL Redirector Abuse: 13%
• Insufficient Authorization: 11%
• Directory Indexing: 11%
• Abuse of Functionality: 9%
• Predictable Resource Location: 8%
• SQL Injection: 7%
• HTTP Response Splitting: 4%

Page 8: FireHost Webinar: Protect Your Application With Intelligent Security

Attack types are not evolving….

Comparison of Superfecta Cyber Attacks Between Q2 2013 and Q3 2013

[Bar chart: attack types SQL Injection, Directory Traversal, Cross-Site Request Forgery and Cross-Site Scripting; series 2013 Q3 and 2013 Q2; axis 0% to 40%. Data labels as extracted: 18%, 23%, 26%, 33% and 20%, 22%, 24%, 34%.]

Attack Statistics

• 2013 Q3: Total Attacks Blocked 31,808,175 (Quarter over Quarter Delta 32%); Filtered by IPRM 17,488,853 (Quarter over Quarter Delta 77%); Percentage IPRM Filtered 54%
• 2013 Q2: Total Attacks Blocked 23,926,025; Filtered by IPRM 9,876,834; Percentage IPRM Filtered 41%

Source: FireHost, October 2013

Page 9: FireHost Webinar: Protect Your Application With Intelligent Security

Web Applications: The Largest Threat

Verizon / United States Secret Service Data Breach Investigation Report

54% of attacks are on the web application layer

92% of web application attacks resulted in over 90% of record access

Page 10: FireHost Webinar: Protect Your Application With Intelligent Security

2012

Page 11: FireHost Webinar: Protect Your Application With Intelligent Security

Spending on Security

The biggest line item in [non-security] spending SHOULD match the biggest line item in security

Spending rank (IT / IT SECURITY):

• Applications: 1 / 3
• Host: 2 / 2
• Network: 3 / 1

Page 12: FireHost Webinar: Protect Your Application With Intelligent Security

Barriers to Addressing Vulnerabilities at the Web Application Layer

Source: SANS Institute, October 2013

[Bar chart: series First, Second and Third; axis 0% to 30%. Categories: Identifying all applications; Lack of funding/management buy-in; Lack of integrated buy-in between security; Lack of application security skills; Lack of technical resources; Legacy Code; Integrated lifecycle management; Other.]

Page 13: FireHost Webinar: Protect Your Application With Intelligent Security

Managing Risk and Security in Mixed and Outsourced Environments

If 2013 is the year enterprises begin implementing their hybrid cloud strategies, as the experts are predicting, then it follows that this will also be the year when hybrid cloud security takes center stage.

-- Network World, February 11, 2013 Christine Burns Rudalevige

Security tops the list of concerns that IT has with cloud services, according to the InformationWeek survey; 51% of respondents cited security defects as their greatest concern, a figure that remains unchanged from 2012.

-- Network Computing, August 20, 2013 Tony Kontzer

Page 14: FireHost Webinar: Protect Your Application With Intelligent Security

Key Take Home Points

1. Ensure you’re properly investing in application security threats

2. Classify your data and set security/uptime requirements for each

3. Isolate your mixed IT/application environments (internal or hosted)

Page 15: FireHost Webinar: Protect Your Application With Intelligent Security

Questions & Answers

Page 16: FireHost Webinar: Protect Your Application With Intelligent Security

Chris Drake

Founder & CEO, FireHost

Jeremiah Grossman

Founder & CTO, WhiteHat Security

Thank You

linkedin.com/in/chrisdraketx linkedin.com/in/grossmanjeremiah

@chrisdrake @jeremiahg