1 / 17

Web Application Security : Increasing customer’s awareness

Web Application Security : Increasing customer’s awareness. Laurent PETROQUE System Engineer, F5 Networks l.petroque@f5.com. Application Security: Trends and Drivers. “Webification” of applications Intelligent browsers and applications Public awareness of data security

Download Presentation

Web Application Security : Increasing customer’s awareness

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Web Application Security :Increasing customer’s awareness Laurent PETROQUE System Engineer, F5 Networks l.petroque@f5.com

  2. Application Security: Trends and Drivers • “Webification” of applications • Intelligent browsers and applications • Public awareness of data security • Increasing regulatory requirements • The next attackable frontier • Targeted attacks

  3. Almost every web application is vulnerable! • 70% of websites at immediate risk of being hacked! - Accunetix – Jan 2007http://www.acunetix.com/news/security-audit-results.htm • “8 out of 10 websites vulnerable to attack” - WhiteHat “security report – Nov 2006”https://whitehatsec.market2lead.com/go/whitehatsec/webappstats1106 • “75 percent of hacks happen at the application.”- Gartner “Security at the Application Level” • “64 percent of developers are not confident in their ability to write secure applications.” - Microsoft Developer Research

  4. Spreading Web Application Security • Groups: • Risk assessment group • Security officer • Application guys • Network guys • Segments • PCI compliance • SOX Compliance • Financials • Healthcare • E-Commerce

  5. Why this is important • Unique value to customers • Dramatically improve attach rate • Position bigger platforms • Position new and more services • Introduce to new groups within the organization • Security impacts the entire process

  6. Understand the customer’s Business Problem - not just the technical problem. Customer’s business problem isn’t always a security breach • Compliance • Business enabler • Extension • Acquisition or new partnership • Company security policy • Install WAF • Audit Code • Recurring pen testing • Monitoring layer 7

  7. Understand the customer’s Business Problem - not just the technical problem. Sometimes it is pure security • Failed security audit • Discovered vulnerability • Hacked • Critical/high profile application

  8. Who is responsible for application security? Web developers? Network Security? Engineering services? DBA?

  9. Know who we are talking with • Network guys – keep it simple !!! Talk about how easy/fast it is to deploy. Remember! They are in the network business since they don’t like applications... • Many times they are responsible for entire security and now they are expected to protect an application layer ? How can they do that ? • Application guys – show them policy – the application map

  10. Know who we are talking with • Security guys – They know a lot about network security but less about web application security • They are often isolated in the organization • Attached to General management • Show them how to inflate an application security message • Benefit from this knowledge • In front of developers for instance • New technology validation

  11. Speaking to execs • Protects stakeholders from regulatory violations • Increases and simplifies compliance • PCI • Sarbanes-Oxley • Brand protection • Provides insurance, assurance and accountability • Improves business agility • Provides risk insight and risk mitigation • Continuous improve of confidentiality, availability and accuracy of business information and process

  12. PCI Awarenesscampaign in Italy • We ran a phoning campaign • 75 companies contacted • Enormous awareness job still to complete • Huge business potential detected • Strong on Web Application Security

  13. Sarbanes-Oxley Compliance • Huge potential with SOX • “The requirements for SOX compliance apply to any system that processes or maintains financial data” • Most of applications are moving to Web • Even those maintaining “financial data” • Impact numerous organizations • Execs are more than receptive

  14. What customers want from Sarbanes-Oxley • User Authentication • Password Management • Access controls • Input validation • Exception handling • Secure data storage and transmission • Logging • Monitoring and alerting • System hardening • Change management • Application development • Periodic security assesments and audits

  15. Polizia Postale Statistics for 2005

  16. Polizia Postale Statistics for 2006

More Related