Loading in 2 Seconds...
Loading in 2 Seconds...
Web Application Security : Increasing customer’s awareness. Laurent PETROQUE System Engineer, F5 Networks email@example.com. Application Security: Trends and Drivers. “Webification” of applications Intelligent browsers and applications Public awareness of data security
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
Web Application Security :Increasing customer’s awareness Laurent PETROQUE System Engineer, F5 Networks firstname.lastname@example.org
Application Security: Trends and Drivers • “Webification” of applications • Intelligent browsers and applications • Public awareness of data security • Increasing regulatory requirements • The next attackable frontier • Targeted attacks
Almost every web application is vulnerable! • 70% of websites at immediate risk of being hacked! - Accunetix – Jan 2007http://www.acunetix.com/news/security-audit-results.htm • “8 out of 10 websites vulnerable to attack” - WhiteHat “security report – Nov 2006”https://whitehatsec.market2lead.com/go/whitehatsec/webappstats1106 • “75 percent of hacks happen at the application.”- Gartner “Security at the Application Level” • “64 percent of developers are not confident in their ability to write secure applications.” - Microsoft Developer Research
Spreading Web Application Security • Groups: • Risk assessment group • Security officer • Application guys • Network guys • Segments • PCI compliance • SOX Compliance • Financials • Healthcare • E-Commerce
Why this is important • Unique value to customers • Dramatically improve attach rate • Position bigger platforms • Position new and more services • Introduce to new groups within the organization • Security impacts the entire process
Understand the customer’s Business Problem - not just the technical problem. Customer’s business problem isn’t always a security breach • Compliance • Business enabler • Extension • Acquisition or new partnership • Company security policy • Install WAF • Audit Code • Recurring pen testing • Monitoring layer 7
Understand the customer’s Business Problem - not just the technical problem. Sometimes it is pure security • Failed security audit • Discovered vulnerability • Hacked • Critical/high profile application
Who is responsible for application security? Web developers? Network Security? Engineering services? DBA?
Know who we are talking with • Network guys – keep it simple !!! Talk about how easy/fast it is to deploy. Remember! They are in the network business since they don’t like applications... • Many times they are responsible for entire security and now they are expected to protect an application layer ? How can they do that ? • Application guys – show them policy – the application map
Know who we are talking with • Security guys – They know a lot about network security but less about web application security • They are often isolated in the organization • Attached to General management • Show them how to inflate an application security message • Benefit from this knowledge • In front of developers for instance • New technology validation
Speaking to execs • Protects stakeholders from regulatory violations • Increases and simplifies compliance • PCI • Sarbanes-Oxley • Brand protection • Provides insurance, assurance and accountability • Improves business agility • Provides risk insight and risk mitigation • Continuous improve of confidentiality, availability and accuracy of business information and process
PCI Awarenesscampaign in Italy • We ran a phoning campaign • 75 companies contacted • Enormous awareness job still to complete • Huge business potential detected • Strong on Web Application Security
Sarbanes-Oxley Compliance • Huge potential with SOX • “The requirements for SOX compliance apply to any system that processes or maintains financial data” • Most of applications are moving to Web • Even those maintaining “financial data” • Impact numerous organizations • Execs are more than receptive
What customers want from Sarbanes-Oxley • User Authentication • Password Management • Access controls • Input validation • Exception handling • Secure data storage and transmission • Logging • Monitoring and alerting • System hardening • Change management • Application development • Periodic security assesments and audits
Polizia Postale Statistics for 2005
Polizia Postale Statistics for 2006