The State Of Website Security And The Truth About Accountability and “Best-Practices”

Presented at AppSec USA 2013, Nov. 21, 2013, 11 a.m. (50 minutes)

Whether you read the Verizon Data Breach Incidents Report, the Trustwave Global Security Report, the Symantec Internet Security Threat Report, or essentially all other reports throughout the industry, the story is the same -- websites and Web applications are one of, if not the leading target of, cyber-attack. This has been the case for years. Website breaches lead directly to financial fraud, identity theft, regulatory fines, brand damage, lawsuits, downtime, malware propagation, and loss of customers. Given modern society's ever-increasing reliance on the Web, the impact of a breach and the associated costs are going up, and fast.  At WhiteHat Security we asked customers to answer roughly a dozen very specific survey questions about their SDLC and application security program. Questions such as:  • How often do you preform security tests on your code during QA?  • What is your typical rate of production code change?  • Do you perform static code analysis?  • Have you deployed a Web Application Firewall?  • Who in your organization is accountable in the event of a breach?  • We even asked: has your website been breached? We received responses to this survey from 76 organizations, and then correlated those responses with WhiteHat Sentinel website vulnerability data. The results were both stunning and counter-intuitive. The connections from various software security controls and SDLC behaviors to vulnerability outcomes and breaches are far more complicated than we ever imagined. This is exactly the kind of research the application security industry must gather in order to advance the state-of-the-art. To cost-effectively make applications and websites measurably more secure.

Presenters:

• Jeremiah Grossman - Founder - WhiteHat Security
  Jeremiah Grossman is the Founder and iCEO of WhiteHat Security, where he sets overall company vision and oversees day to day operations. Over the last decade, Mr. Grossman has written dozens of articles, white papers, and is a published author. His work has been featured in the Wall Street Journal, Forbes, NY Times and hundreds of other media outlets around the world. As a well-known security expert and industry veteran, Mr. Grossman has been a guest speaker on six continents at hundreds of events including TED, BlackHat Briefings, RSA, SANS, and others. He has been invited to guest lecture at top universities such as UC Berkeley, Stanford, Harvard, UoW Madison, and UCLA. Mr. Grossman is also a co-founder of the Web Application Security Consortium (WASC) and previously named one of InfoWorld's Top 25 CTOs. He serves on the advisory board of two hot start-ups, Risk I/O and SD Elements, and is a Brazilian Jiu Jitsu Black Belt. Before founding WhiteHat, Mr. Grossman was an information security officer at Yahoo!

Links:

• https://appsecusa2013.sched.com/event/148T5tQ/the-state-of-website-security-and-the-truth-about-accountability-and-best-practices

Similar Presentations:

• AppSec USA 2015 / Ah mom, why do I need to eat my vegetables?
• AppSec USA 2017 / Test Driven Security in the DevOps pipeline
• AppSec USA 2015 / Security as Code: A New Frontier