Thursday
Jan262012
Talk Notes: A Statistical Journey through the Web Application Security Landscape: Jeremiah Grossman: LASCON 2011
Thursday, January 26, 2012 at 1:23PM LASCON 2011: October 27, 2011
- Talk title:A Statistical Journey through the Web Application Security Landscape
- Jeremiah Grossman (@jeremiahg, personal website, slideshare)
Jeremiah Grossman is the founder of White Hat Security, where my good friend Stephanie Fohn is currently CEO (she helped us with our first initiatives and product launches at Tripwire over a decade ago, for which I'll be forever grateful). Jeremiah is also very well-known for his work on metrics and benchmarking all aspects of vulnerabilities.
4 Years and 4 Thousand Websites Worth of Vulnerability Assessments: What Have We Learned?
View more presentations from Jeremiah Grossman
Here are my notes/tweets from Jeremiah's presentation:
- "Statistical analysis of web application security landscape": "he & daughter flew 4K miles to be here"
- "For last 10 yrs, I've been doing nothing but web app security; it's important, as 5 of 7 most valuable companies are technology companies [the remaining two companies being in the oil extraction business]"
- "And for that matter, even oil companies are technology driven"
- "My passion has become how breaches happen. My hope is that we can trace that backwards to prevent."
- "The VzW Data Breach Report continues to be a must-read report"
- "in 2009, 95% breaches were remote org criminal grps hacking svrs & apps"
- "in 2011: web application breaches increased last year, made up nearly 40% of overall attacks."
- "...and those stats were before countless big breaches: Sony, NASDAQ, Gawker, etc..."
- "What we should learn:"
- these breach could happen to anyone.
- even one vulnerability is enough to result in significant disruption business."
- Attack techniques of choice: SQL injection, PHP local file include, password reuse, DoS, malware" not sophisticated * (See any @hdmoore presentation to get a sense of of lethal use of employment of password reuse to p0wn)
- "First citation of SQL Injection attack: Christmas 1998. It's a 13 year old threat"
- "What makes new breaches unique is the relentless of the attacker; I would argue that Sony was not materially worse than average".
- Q: (Someone asked about the recent BofA outage, suspected to be a security breach) A: Here's a news article on the BofA operational/deployment probs
- "Avg annual amt of serious vulns in yr 2007-2011: 1111, 795, 480, 230, 148" ('serious': potential breach/data loss)
- "We're seeing a downward trend: introducing 10-11 vulns/month; Majority in retail, financial svc, telecomm"
- "Financial services companies do significantly worse than banking." (Whoa! ASPs do worse than banks!)
- "Worst industry is Retail, which is most affected by PCI. Don't see security effect of PCI DSS"
- Note: Very interesting: Retail sector also has very low deploy rates, compared to FiServ/Banking. That doesn't match my own experience...
- WhiteHat Security Top 10: Info leakage 64%, cross-site scripting 64%, content spoofing 43%; cross-site forgery 24%
- (Dude, I would love to help u do data visualization like Dr. Hans Rosling, to show temporal axis :) Like this
- 50% of banking will fix in 30 days. Challenge is remediation; (Obvious, right?)
- "We see steady improvement in resolved vulnerability: incr at 5% year over year"
- "Here is the big question: Why do vulns go unfixed?
- No one responsible/owns code
- Dev group doesn't understand/respect the vuln;
- Lack of budget
- Code owned by vendor;
- Decommissioning soon
- Risk of exploitation acceptable
- Vuln conflicts w/biz use case
- Compliance doesn't require fix
- Feature enhancement are prioritized ahead of security fixes" (<--- surprised this isn't #1 or #2)
- "Testing speed & frequency matters; how quickly you can vuln data to developers; within 1 wk -> less than 1h to fix"
- "Dev learns in 1month: 1-3 h to fix; 1 year: more than 10h" (b/c of retasking, relearning, etc. Continuous testing key)
- "Why do breaches happen? Policy. Showing IT Budget game: ask CFO to divvy budget to Apps, Host, Network"
- Theory: Allocation of CFO vs. CISO budget are 180 deg out of phase: http://t.co/5TOkaqay
- Making case that CSOs prioritize network, host, then app: mismatch to actual risk.
- Ideas on remedying this results in difficult choices
- reallocate resources away from firwalls, IDS, AV towards app security"
- Justify brand-new app security spending (difficult in this econ)
- Let breaches continue to happen"
Reader Comments (2)
Seeing those large security companies hacked is scary. No one is safe.
I have the exact same problem! I have no idea how to get rid of them.