Website Attack Prevention - ISIN
Eoin Keary
CTO/Founder edgescan.com
OWASP Leader/Member/Ireland Founder
OWASP Global Board Member (2009-2014)
2016 – First 90 days
• 83,000 impacted by breach at Gyft Inc
• 63,000 records exposed at UCF (Florida)
• 15,000 credit cards exposed at Bailey's Inc.
• Hyatt data breach – 250 hotels in 50 countries
• Neiman Marcus – 5,200 accounts
• TaxSlayer – 8,800 customers
Where did you get these numbers?
• December 2014 – November 2015
• Assessing 000’s of assets
• Assets = web applications & hosts
[Chart: INDUSTRY SPLIT – percentage share of assessed assets per industry; sector labels not recoverable from the transcript]
Security by Numbers
2 out of every 3 servers contained a high- or medium-risk SSL/TLS cryptography weakness
Thoughts – Patching & Component Management
“Of all the vulnerabilities discovered in 2015, 63% could have been mitigated via patch, configuration and component management combined.”
Thoughts - Component security
Building bricks – Frameworks / Components
(Spring, JQuery, Jade, Angular, Hibernate)
90% of application code is framework
63%* don’t monitor component security
* http://www.sonatype.com/about/2014-open-source-software-development-survey
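The slide's point is that most application code is framework code nobody monitors. A minimal way to start monitoring is to build an inventory from the manifests already in the repository and flag anything that floats (cannot be audited) or sits below an approved baseline. The script below is an added example, not code from the talk or from edgescan; the two manifests and the MINIMUM_APPROVED baseline are constructed sample data, and in practice the baseline would be fed from an advisory source or vendor release notes.

```python
"""Component inventory check: flag unpinned and out-of-baseline dependencies.

Added example; manifests and baseline below are constructed, not real project data.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample manifests (Python and Node tiers of one application).
REQUIREMENTS_TXT = """\
# web tier
django==2.2.1
requests>=2.0
jinja2==2.10
"""

PACKAGE_JSON = json.dumps({
    "dependencies": {"jquery": "^1.12.4", "angular": "1.5.8", "lodash": "4.17.21"}
})

# Constructed baseline: the minimum version the team has approved per component.
MINIMUM_APPROVED: Dict[str, Tuple[int, int, int]] = {
    "django": (2, 2, 10),
    "jinja2": (2, 11, 0),
    "jquery": (3, 5, 0),
    "angular": (1, 8, 0),
    "lodash": (4, 17, 21),
}


@dataclass
class Component:
    name: str
    version: Optional[str]  # None when the manifest does not pin an exact version
    ecosystem: str


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '2.10' or '4.17.21' into a 3-tuple, padding with zeros so that
    (2, 2) compares equal to (2, 2, 0) instead of sorting below it."""
    parts = [int(p) for p in re.findall(r"\d+", v)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))  # type: ignore[return-value]


def parse_requirements(text: str) -> List[Component]:
    """Parse a requirements.txt; only '==' counts as a pin."""
    comps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9A-Za-z.*+\-]*)$", line)
        if not m:
            raise ValueError(f"unrecognised requirement line: {line!r}")
        name, op, ver = m.group(1).lower(), m.group(2), m.group(3)
        comps.append(Component(name, ver if op == "==" else None, "pypi"))
    return comps


def parse_package_json(text: str) -> List[Component]:
    """Parse package.json dependencies; '^', '~' and ranges are floating specs."""
    data = json.loads(text)
    comps = []
    for name, spec in data.get("dependencies", {}).items():
        pinned = re.fullmatch(r"\d+(\.\d+){0,2}", spec) is not None
        comps.append(Component(name.lower(), spec if pinned else None, "npm"))
    return comps


def audit(components: List[Component],
          minimum: Dict[str, Tuple[int, int, int]] = MINIMUM_APPROVED
          ) -> List[Tuple[str, str, str]]:
    """Return (name, status, detail) for every component needing attention."""
    findings = []
    for c in components:
        if c.version is None:
            findings.append((c.name, "UNPINNED",
                             f"{c.ecosystem} spec floats; build is not reproducible or auditable"))
            continue
        floor = minimum.get(c.name)
        if floor is None:
            findings.append((c.name, "UNTRACKED", "no approved baseline recorded"))
        elif parse_version(c.version) < floor:
            findings.append((c.name, "OUTDATED",
                             f"{c.version} is below approved minimum {'.'.join(map(str, floor))}"))
    return findings


def run_sample() -> List[Tuple[str, str, str]]:
    """Audit the constructed manifests; lodash is the only component that passes."""
    inventory = parse_requirements(REQUIREMENTS_TXT) + parse_package_json(PACKAGE_JSON)
    return audit(inventory)


if __name__ == "__main__":
    for name, status, detail in run_sample():
        print(f"{status:9} {name:10} {detail}")
```

Running it lists django, jinja2 and angular as OUTDATED and requests and jquery as UNPINNED; lodash meets its baseline and is silent. The check is deliberately split into inventory (parsers) and policy (audit) so the same inventory can later be matched against a richer advisory feed without touching the parsing.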
Full Stack Security
• Web Applications
• App Server
• SSL/TLS
• Databases
• Services
• Operating Systems
• Networks
Wrap-Up - Prevention
• Security is more than point-in-time
• Component security is being overlooked
• Maintenance and component security are key – full-stack patching!
• Continuous testing – the estate is ever changing
www.edgescan.com
© BCC Risk Advisory Ltd 2016.
Thanks
[email protected]
@eoinkeary
edgescan™ 2015 Vulnerability Stats Report:
https://edgescan.com/2015-edgescan-stats-report.pdf