Mano Paul
CSSLP, CISSP, MCAD, MCSD, CompTIA Network+, ECSA
CEO, SecuRisk Solutions
Mano.Paul(at)SecuRiskSolutions(dot)com
Securitybyte & OWASP Confidential – Securitybyte & OWASP AppSec Conference 2009
Who I am NOT!
What are we here to talk about?
Cybersecurity
Applications
Live Free or Die Hard
Cybersecurity
Pronunciation: sai-ber-si-kyur-a-te
Securing Cyberspace
Kinetic (physical) using Non-kinetic (electronic)
Definition: Measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack. (Merriam-Webster’s)
Why are we where we are?
Why are we where we are? – Contd.
Securing Cyberspace – Easier said than done!
Cybersecurity Threat agents
Human
Non Human
– Malicious Software
– Technology
• VoIP
• Pervasive computing
• Web 2.0wned - Social Netmares
Malicious Software a.k.a. Malware
Malware
– Proliferative
• Viruses & Worms (Web Worms)
– Stealthware
• Trojans
• Spyware & Adware
• Rootkits
Slap in the face-book
I sent my wife a link on facebook and then it happened … I had to recently open the ‘Rootkits’ book.
[Screenshot callouts: Tax Refund – An Oxymoron; Is IRS.gov and Tax.gov the same?; The IRS is pleased?; What currency is this? $ with , … Hmmm; And of course the legitimate security warning!]
What’s in common with these threats?
Are Applications
Run Applications
Exploit Applications
Applications
– The Weakest Link?
What’s wiring this evolving world?
Dude, where’s my data?
What if the police get hold of it?
DAD against CIA – Data issues
Application vulnerabilities – Opening the door to Cybercrime
- Injection
- Script
- Overflow
- Disclosure
- Session
- Cryptographic
Source: OWASP Top 10 2007
What we need – First Steps - Holistic Security!
Securing the Weak Link - People
SecuriTRAINED
– Aware
– Trained
– Educated
Certified Secure Software Lifecycle Professional (CSSLP)
Securing the Weak Link - Process
Process – Secure Design!
Process – Writing Secure Code
Secure the Weak Link - Technology
Defense in Depth
Software Security
– Input validation
– Authentication
– Authorization
– Sensitive data protection
– Configuration management
– Session management
– Parameter manipulation
– Cryptography
– Exception management
– Auditing / Logging
Network Security
– Routers
– Firewalls
– Switches
Host Security
– Network
– Patches
– Accounts
– Ports
– Services
– Files / directories
– Registry
– Protocols
– Auditing / logging
– Shares
[Diagram: Web Server and Database Server hosts placed behind two firewalls]
Detained in Brazil/Brasil!
What Next?
If history is any predictor of the future …
Thank you!
Applications ::
The new Cybersecurity frontier
CSSLP™ - Certified Secure Software Lifecycle Professional
Data Protection warrants Application Security!
In transit
In storage
In archives
What Cybersecurity is Not?