Website Attack Prevention

Eoin Keary

CTO/Founder edgescan.com

OWASP Leader/Member/Ireland Founder

OWASP Global Board Member (2009-2014)

2015 - Year in Review

2016 – First 90 days

• 83,000 impacted by breach at Gyft Inc

• 63,000 records exposed at UCF (Florida)

• 15,000 credit cards Bailey's Inc.

• Hyatt data breach – 250 hotels in 50 countries

• Neiman Marcus – 5,200 accounts

• TaxSlayer – 8,800 customers

How NOT to become a statistic?

Let's use statistics…

Where did you get these numbers?

• December 2014 – November 2015
• Assessing 000's of assets
• Assets = web applications & hosts

[Chart: industry split of the assessed assets, percentage share per sector]

Security by Numbers – Likelihood of a vulnerability being discovered – Web Applications

Security by Numbers – Likelihood of a vulnerability being discovered (root cause) – Hosting Layer

Security by Numbers – Risk Density

Security by Numbers

2 out of every 3 servers contained a high- or medium-risk SSL/TLS cryptography weakness

Thoughts – Patching & Component Management

“Of all the vulnerabilities discovered in 2015, 63% could have been mitigated via patch, configuration and component management combined.”

Thoughts - Component security

Building bricks – Frameworks / Components

(Spring, jQuery, Jade, Angular, Hibernate)

90% of application code is framework

63%* don’t monitor component security

* http://www.sonatype.com/about/2014-open-source-software-development-survey
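The slides say most teams do not monitor component security; the audit below is an added example of the minimal check that closes that gap. It is not code from the talk or from edgescan. It parses a pinned Python requirements file and matches each pin against an advisory feed using the OSV-style convention of an inclusive "introduced" version and an exclusive "fixed" version. Both the manifest and the advisory entries are constructed for illustration: the EXAMPLE-ADV identifiers and the version ranges are invented, not real vulnerabilities.

```python
"""Audit a pinned dependency manifest against a vulnerability advisory feed.

Added example. The manifest and advisory data below are constructed for
illustration and do not describe real CVEs or real affected versions.
"""
import re

# Constructed requirements.txt content (hypothetical pins, not a real project).
MANIFEST = """\
# pinned application dependencies
requests==2.19.0
Django==2.2.0
PyYAML==5.4.1
jinja2>=2.10,<3
"""

# Constructed advisory feed: normalized name -> [(advisory id, introduced, fixed)].
# "introduced" is inclusive and "fixed" is exclusive, as in OSV range events.
ADVISORIES = {
    "requests": [("EXAMPLE-ADV-0001", "2.0.0", "2.20.0")],
    "django": [("EXAMPLE-ADV-0002", "2.2.0", "2.2.5")],
    "pyyaml": [("EXAMPLE-ADV-0003", "0", "5.4")],
    "jinja2": [("EXAMPLE-ADV-0004", "2.0", "2.11")],
}

REQ_LINE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==\s*([0-9][0-9A-Za-z.]*))?")


def parse_version(version):
    """Turn '2.19.0' into a comparable tuple (2, 19, 0).

    Simplified on purpose: non-numeric parts (e.g. 'rc1') compare as 0.
    Real tooling should use PEP 440 parsing (packaging.version).
    """
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def parse_manifest(text):
    """Yield (normalized name, pinned version or None) per requirement line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = REQ_LINE.match(line)
        if not match:
            continue
        name = match.group(1).lower().replace("_", "-")  # PyPI-style normalization
        yield name, match.group(3)  # None when the line is a range, not a pin


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (fixed version itself is safe)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def audit(manifest_text, advisories):
    """Return one finding per (package, advisory) that is affected or unauditable."""
    findings = []
    for name, version in parse_manifest(manifest_text):
        for adv_id, introduced, fixed in advisories.get(name, []):
            if version is None:
                # A range spec cannot be audited: the deployed version is unknown
                # until a lock file pins it, so report it rather than stay silent.
                findings.append({"package": name, "version": None,
                                 "advisory": adv_id, "status": "unpinned"})
            elif is_affected(version, introduced, fixed):
                findings.append({"package": name, "version": version,
                                 "advisory": adv_id, "status": "affected"})
    return findings


if __name__ == "__main__":
    for finding in audit(MANIFEST, ADVISORIES):
        print(f"{finding['status']:9} {finding['package']} "
              f"{finding['version'] or '(range)'}  {finding['advisory']}")
```

Running it flags requests and Django as affected, reports jinja2 as unpinned because a range specifier says nothing about what is actually deployed, and leaves PyYAML alone because 5.4.1 is at or above the exclusive "fixed" bound. That last case is the one hand-rolled checks most often get wrong, and the reason to treat the fixed version as safe rather than as part of the vulnerable range.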

Full Stack Security

• Web Applications
• App Server
• SSL/TLS
• Databases
• Services
• Operating Systems
• Networks

Levelling the Playing Field

Wrap-Up - Prevention

• Security is more than a point-in-time exercise

• Component security is being overlooked

• Maintenance and component security are key: full-stack patching!

• Continuous testing, because applications and hosts are ever changing

www.edgescan.com

© BCC Risk Advisory Ltd 2016.

Thanks

[email protected]

@eoinkeary

edgescan™ 2015 Vulnerability Stats Report:

https://edgescan.com/2015-edgescan-stats-report.pdf