Big Data for Web Application Security

Presented at Black Hat USA 2013, Aug. 1, 2013, 10:15 a.m. (60 minutes)

The security posture of an application is directly proportional to the amount of information that is known about the application. Although the advantages of analytics from a data science perspective are well known and well documented, the advantages of analytics from a web application security perspective are neither well known nor well documented. How can we, as web application security practitioners, take advantage of big data stacks to improve the security posture of our applications? This talk will dive into the ways that big data analytics can be taken advantage of to create effective defenses for web applications today. We'll outline the fundamental problems that can and should be solved with big data and outline the classes of security mechanisms that simply, based on their nature, cannot be solved with big data. Once an understanding of the domain is established, we'll explore several specific examples that outline how one security team uses big data every day to solve hard, interesting problems and create a safer experience for its users.


Presenters:

  • Kyle Barry - Etsy
    Kyle Barry is a senior software engineer on the security team at Etsy. As a member of the security team, Kyle is their lead security engineer. He has recently finished rolling out two-factor authentication for millions of Etsy users in over 80 countries. Prior to the security team, Kyle worked on the first versions of Etsy's social features including Treasury, and their activity feed. Kyle's work focuses on security engineering and fraud prevention. His most recent talk was on using Splunk for internal fraud prevention.
  • Mike Arpaia - Etsy
    Mike Arpaia is a Software Engineer on the security team at Etsy. Before working at Etsy, Mike worked at iSEC Partners, a leading information security consulting firm where he specialized in mobile application, web application and mobile operating system security. Before working at iSEC, Mike worked at another leading information security consulting firm and co-founded the Stevens Cyber Defense Team at Stevens Institute of Technology where he remains an advisor to the group. Mike has previously presented at over a dozen security conferences in 7 US states and 3 countries including Black Hat Europe, Source Boston, DEF CON and Nordic Security Conference on topics such as secure mobile development, mobile exploit intelligence, mobile operating system security and information security education.
