Security Overview ()

download report

Transcript Security Overview ()

Application Security: Bake In or Add (Sometime) Later?

Jeff Kalwerisky Security Evangelist for Alpha Tech and VP, Information Security & Technical Training CPEinteractive, Inc.

Famous Quote

• • • • • “Who am I and Why Am I Here?”  Admiral James Stockdale, Vietnam war hero & Ross Perot’s V-P candidate in 1992 A recovering software developer Not an Alpha developer Sole focus: Information Security – AKA Keeping “them” away from the crown jewels Security Evangelist for Alpha for many years

The Title of This Short Talk

• • • • The $64K question: Should security be baked into all apps or can it be added on later?

The answer is Yes!

In fact, attention to security begins on that very first design whiteboard It then continues into prototyping, development, testing, live deployment, and maintenance – Whether Alpha Anywhere © , Xbasic, Java, even COBOL

Thinking About Security Starts Here  Information Security

“Just the Facts, Ma’am”

Of the top 100 Android & iOS apps have been successfully hacked

Of popular mobile apps have security baked in and use tools to defend against hack attacks

Why Should I Care?

Revenue Loss Unauthorized Access to Sensitive Data Intellectual Property Theft Fraud Altered user Experience Brand Damage

What Really Keeps CxOs Up at Night • • COMPLIANCE!

With an alphabet soup of regulations and standards (GLBA)

The Men in Black: Auditors

Not to Mention Career-Limiting

• CIO and CEO of Target fired after embarrassing security breach which compromised 40-million(!) customer credit and debit cards


Not All (Mobile) Apps Are Equal

High Risk Apps . . .

Location-Aware Collect Personal Info Use remote servers to handle user data Access sensitive databases

Low(er) Risk Apps . . .

Alarm Clock To-Do List with no connection Apps that never talk to the Web or Corporate databases

The Way

• • Basic security is built into the tool – Unlike many other development tools – We’re looking at ya, MS-Access . . .!

But it’s getting much more complex – BYOD, BYOA, COPE*, Cloud, Big Data Analytics, social media, the Internet of Things, . . . * Corporate-Owned, Personally-Enabled

Announcing . . .

• • • Alpha Anywhere © Security University A series of focused, online sessions Touching on many aspects of “real” security  C-I-A: Confidentiality-Integrity-Availability  The myriad virtues of Encryption Everywhere  Threat Modeling – finding those pesky security vulnerabilities BEFORE they bite you  From Design, through Development, into Production

The Ponemon Institute’s (Sad) Finding* *Exposing the Cybersecurity Cracks, July 2014

Another Ponemon Finding, July 2014

This is What We Want. Right?

Contact Me

Jeff Kalwerisky CPE Interactive, Inc.

[email protected]

Mobile 404-641-0634