infoShare 2011 - Paweł Krawczyk - Why care about application security (open)

Post on 21-Nov-2014


Why care about application security?

Paweł Krawczyk (IPSec.pl), pawel.krawczyk@hush.com

Sony PSN
• April 2011
• PSN & Qriocity outage
• 80m records lost
• May 3
– Another 25m records
– Sony Online Entertainment outage

Small issues are important

Challenger 1986

Sony 2011

• Top hack (2009)
• 130 million personal records
– Credit card numbers

Fast & furious...

Source: datalossdb.org

$$$
• Settlements
– Visa = $60.0m
– AmEx = $3.5m
– Consumer = $4.8m
• Ponemon Institute estimate
– At $60 cost per record = $7.8b
– Now $140 per record (2010)
– Indirect costs (e.g. lost business)

Source: datalossdb.org

NYSE

Source: datalossdb.org

Side effect
• Credit card prices drop on the black market
• 2008: $10-20
• 2009: $2-6

Numbers from: Finjan, Kaspersky

Grace period for startups?

Source: dereknewton.com

Farming

Source: historyforkids.org

Malware farming
• Mass infections of 500k websites
– 2011 (LizaMoon), 2008
• Results for website owners
– Blacklisted in: Google Safe Browsing, Microsoft Phishing Filter, OpenDNS etc.

Your website
• Blacklisted
– Google Safe Browsing, Microsoft Phishing Filter, OpenDNS etc.

Best ways to get hacked
• Guaranteed
– Use ancient WordPress, Joomla, phpBB...
– Use trivial passwords for FTP, SSH...
• Likely
– Write your own application...

Tumblr

Source: niebezpiecznik.pl, Reddit

Bad news lives long

Source: niebezpiecznik.pl


As seen on 23 March 2011

Wyższa Szkoła Policji

Source: prawo.vagla.pl

Sąd Okręgowy w Częstochowie

Source: prawo.vagla.pl

Data protection laws
• Poland: fines up to 50,000 PLN
– May issue an order to stop processing data
• Audit reports are public
– Would you trust them in future?

Going international?

GBP 5.6m
GBP 17.5m
GBP 3m

How to fix stuff?

Source: NASA, Wikipedia (Apollo 13, 1970)

Is security the enemy of economy?

Security is economy

Eliminate bugs early

Applied Software Measurement, Capers Jones, 1996
Building Security Into The Software Life Cycle, Marco M. Morana, 2006

Early code audit

It’s cheaper than...


Pentest
Late code audit

And way cheaper than...


Hack!

How?
• Douglas Hubbard, "The Failure of Risk Management"
• Software Assurance Maturity Model (OpenSAMM)
• Security Development Lifecycle (SDL)

Ask peers
• OWASP
– Open Web Application Security Project
– www.owasp.org
• ISSA
– Information Systems Security Association
– www.issa.org.pl

Questions, comments?

pawel.krawczyk@hush.com
