
Sebyde Services

Web application security services
by Derk Yntema on 4 November 2012


Prezi Transcript

Sebyde services overview

  • One-time Scan: discuss requirements and prerequisites; test and scan the web application; deliver reports with findings and compliance status (e.g. PCI-DSS, SOX, …); consult.
  • Subscription: quarterly (4 x / year), monthly (12 x / year) or tailor-made.
  • Our approach: the Sebyde Security Cycle.

Facts in 2011 / What has changed?

  • 60-80% of web applications / websites have at least one weak point or vulnerability.
  • 75% of all hacks are aimed at web applications / websites.
  • IBM X-Force Report 2010: 55% of all security issues have their root cause in web applications.
  • 81% of all web applications do not comply with the PCI DSS standard (Payment Card Industry).
  • IDC Research: 25% of all companies are "exploited" through a weak spot in web application security.
  • Unaware users are infected by web applications that contain malware.
  • Google: more than 2 million searches every month for "how to hack", "download hacking tools" and similar information.

History: IT Security

  • IT security used to mean perimeter defence: Chinese walls, firewalls, intrusion detection / prevention, virus scanning, etc.
  • "As long as I shield my data from the outside we are protected"; more walls bring more safety.
  • But still … Focus shift: from infrastructure towards applications, databases and data.

Internet / Web-based applications

  • The Internet has become a very important business platform; businesses use it for marketing, communication, customer services, etc.
  • 2011: 2.3 billion Internet users; 85% of customers buy online; 200 trillion USD turnover.
  • Applications are "web-based" or at least "web-faced", connecting to the Internet.

Hacking

  • Many hack methods in use; advanced automated tools on the market; several varieties of hacks.
  • 3700 entries in the CVE database, often related to input fields.
  • IBM X-Force "Trend and Risk Report": more than 60% of all attacks are performed by Cross Site Scripting and SQL Injection.

Damage

  • Theft: information, privacy-sensitive info.
  • System failure: application not available, lost business.
  • Reputation: customer trust, news media.
  • Costs: ∞; indirect (ISP).

OWASP Top 10 (more than 60% of all attacks!)

  1. SQL Injection
  2. Cross Site Scripting (XSS)
  3. Broken Authentication and Session Management
  4. Insecure Direct Object References
  5. Cross Site Request Forgery (CSRF)
  6. Security Misconfiguration (NEW)
  7. Failure to Restrict URL Access
  8. Unvalidated Redirects and Forwards (NEW)
  9. Insecure Cryptographic Storage
  10. Insufficient Transport Layer Protection

Solution: Secure by Design

  • "Our research indicates 80-plus percent of development failures result directly from poor requirements gathering, management, and analysis." (IDC, November 2007)
  • "Attack the cause, not the symptom."
  • Security solutions are often add-ons: firewalls, intrusion prevention, authentication, encryption.
  • Prevent vulnerabilities by designing and building web applications with hacking in mind. Create "Security by Design". Create awareness.

1. Security Scan

  • Scan your web application(s) for vulnerabilities.
  • Certified IBM Security AppScan® Standard Edition.
  • Clear, detailed reports with weak points and how to mitigate the issues.
  • Software rework support.

Solution check: scan your web application

  • IBM Security AppScan® Standard simulates an attack from the user's perspective; 1500+ vulnerabilities; Java, .NET, Domino, PHP, SAP.
  • Evaluate scan results: vulnerability reports; executive summary and detailed information; compared with industry standards (e.g. PCI-DSS).
  • Early testing for vulnerabilities saves money: 80% of development costs are spent identifying and correcting defects. Fixing vulnerabilities when the application is in production costs 100 times more than fixing them in the design phase.

2. Secure Development

  • Analyse risks: measures to be taken, priorities.
  • Realise, resolve issues: offer consultancy, change code, programming.

Software development and security

  • Designers and developers, when creating an application, should take into account that the system will be attacked from day 1.
  • Not only use cases but also misuse cases.
  • Application security must not be added at the end of the development cycle.
  • Application security should be integrated into the Software Development Life Cycle (early testing).

3. Security Awareness Training

Half-day session (in-house) on general awareness of security:

  • Make employees aware of the risks and dangers of working with information systems and confidential company data.
  • Many security-related issues are explained.
  • Recognise possible risks; know what to do in case of an incident.
  • Enhances safe behaviour; day-to-day security.

Topics:

  • Introduction to information security: what is information, consequences of information loss, security awareness, value of information, who is at risk, vulnerable processes, who is responsible, 8-step programme, …
  • Day-to-day risks: possible threats and consequences, physical access, logical access, dumpster diving, laptop theft, password use, malware (viruses, worms, trojans), clean desktop policy, social engineering (phishing, pharming, shoulder surfing), …
  • Internet usage: safe web surfing, software, networks, e-mail, social networks, safe chatting, …
  • Privacy: what is privacy, Internet and privacy, law and regulations, compliance, …
  • Measures: what to do, what not to do, safety protocols, company policy, …

4. Security Assessment

  • Assessment of several security aspects: policies, procedures, technology, awareness.
  • Approach: fill in the Sebyde Security Quick Scan Questionnaire; meet with a security expert of Sebyde BV; receive a security baseline report.

About us

  • SEBYDE (se-bie-de): Secure by Design.
  • Derk Yntema: 20+ years in ICT and IT security (AHOLD); IT enterprise architect; portfolio manager security Europe.
  • Rob Koch: 20+ years in account management with software companies and the telecom industry; IBM business partner.

Business benefits of secure development

  • Costs: lower development costs, no rework of applications, no lost business.
  • Efficiency: business continuity, fewer incidents, less system failure.
  • Compliance: MVO (corporate social responsibility), security audit, industry standards (PCI-DSS).
  • Risk: secure applications, raised software quality, improved image, less reputation damage.
  • Governance: in control, security awareness.

Business benefits of web application vulnerability scanning

  • Costs: lower development costs, no rework of applications, no lost business.
  • Efficiency: business continuity, fewer incidents, less system failure.
  • Compliance: detailed reports, security scan, industry-standard reports.
  • Risk: secure applications, raised software quality, protected image, less reputation damage.
  • Governance: in control, security awareness.

Scan your code. Test early. Save money. Protect your reputation. No system outage.