3. WhiteHat Security
We help secure the Web by finding application vulnerabilities, in the source code all the way through to production, and help companies get them fixed, before the bad guys exploit them.
Founded: 2001
Headquarters: Santa Clara
Employees: 300+
4. WhiteHat Security
7 of 18 Top Commercial Banks
10 of 50 Top Largest Banks
6 of 16 Top Software Companies
4 of 8 Top Consumer Financial Services
1000+ Active Customers
#63 Fortune 500
5. My Areas of Focus
Threat Actors: Innovating, scaling, or both?
Intersection of security guarantees and cyber-insurance
Easing the burden of vulnerability remediation
Measuring the impact of SDLC security controls
Addressing the application security skill shortage
8. WebApp Attacks Adversaries Use
“This year, organized crime became the most frequently seen threat actor for Web App Attacks”
Verizon 2015 Data Breach Investigations Report
Share of Web App Attacks by action variety:
Use of Stolen Credit Cards    50.7%
Use of Backdoor or C2         40.5%
SQLI                          19.0%
RFI                            8.3%
Abuse of Functionality         8.3%
Brute Force                    6.8%
XSS                            6.3%
Path Traversal                 3.4%
Forced Browsing                2.0%
OS Commanding                  1.5%
9. Security Industry Spends Billions
“2015 Global spending on information security is set to grow by close to 5% this year to top $75BN, according to the latest figures from Gartner”
12. Windows of Exposure
A large percentage of websites are always vulnerable:
60% of all Retail websites are always vulnerable
52% of all Healthcare and Social Assistance sites are always vulnerable
38% of all Information Technology websites are always vulnerable
39% of all Finance and Insurance websites are always vulnerable

Share of websites by window of exposure, per industry:
Window of exposure                             Retail Trade   Information   Health Care & Social Assistance   Finance & Insurance
Always Vulnerable                              60%            38%           52%                               39%
Frequently Vulnerable (271-364 days a year)     9%            11%           11%                               14%
Regularly Vulnerable (151-270 days a year)     10%            14%           12%                               11%
Occasionally Vulnerable (31-150 days a year)   11%            16%           11%                               18%
Rarely Vulnerable (30 days or less a year)     11%            22%           14%                               17%
13. Ranges of Expected Loss by Number of Records
RECORDS | PREDICTION (LOWER) | AVERAGE (LOWER) | EXPECTED | AVERAGE (UPPER) | PREDICTION (UPPER)
100 $1,170 $18,120 $25,450 $35,730 $555,660
1,000 $3,110 $52,260 $67,480 $87,140 $1,461,730
10,000 $8,280 $143,360 $178,960 $223,400 $3,866,400
100,000 $21,900 $366,500 $474,600 $614,600 $10,283,200
1,000,000 $57,600 $892,400 $1,258,670 $1,775,350 $27,500,090
10,000,000 $150,700 $2,125,900 $3,338,020 $5,241,300 $73,943,950
100,000,000 $392,000 $5,016,200 $8,852,540 $15,622,700 $199,895,100
Verizon 2015 Data Breach Investigations Report
14. Result: Every Year is the Year of the Hack
“In 2014, 71% of security professionals said their networks were breached. 22% of them victimized 6 or more times. This increased from 62% and 16% respectively from 2013. 52% said their organizations will likely be successfully hacked in the next 12 months. This is up from 39% in 2013.”
Survey of security professionals by CyberEdge
15. Downside Protection
As of 2014, American businesses were expected to pay up to $2 billion on cyber-insurance premiums, a 67% spike from $1.2 billion spent in 2013.
Current expectations by one industry watcher suggest 100% growth in insurance premium activity, possibly 130% growth.
It’s usually the firms that are best prepared for cyber attacks that wind up buying insurance.
16. Downside Protection
“Target spent $248 million after hackers stole 40 million payment card accounts and the personal information of up to 70 million customers. The insurance payout, according to Target, will be $90 million.”
“Home Depot reported $43 million in expenses related to its September 2014 hack, which affected 56 million credit and debit card holders. Insurance covered only $15 million.”
17. Downside Protection
“Anthem has $150 million to $200 million in cyber coverage, including excess layers, sources say.”
“Insurers providing excess layers of cyber coverage include: Lloyd’s of London syndicates; operating units of Liberty Mutual Holding Co.; Zurich Insurance Group; and CNA Financial Corp., sources say.”
22. “The only two products not covered by product liability are religion and software, and software shall not escape much longer”
Dan Geer, CISO, In-Q-Tel
23. Software Security Maturity Metrics Analysis
The analysis is based on 118 responses to a survey sent to security professionals to measure maturity models in application security programs at various organizations. The responses obtained in the survey are correlated with the data available in Sentinel to get deeper insights. Statistics pulled from Sentinel are for the 2014 timeframe.
24. If an organization experiences a website(s) data or system breach, which part of the organization is held accountable and what is its performance?
56% of all respondents did not have any part of the organization held accountable in case of data or system breach.
[Bar chart: share of respondents by accountable part of the organization; bars read 9%, 29%, 28%, 30% on a 0-40% axis]
25. If an organization experiences a website(s) data or system breach, which part of the organization is held accountable and what is its performance?
Performance by accountable part of the organization:
Accountable part         Average Time to Fix (Days)   Remediation Rate   Average Number of Vulns Open
Board of Directors       129                          44%                10
Executive Management     119                          43%                10
Software Development     108                          37%                17
Security Department      114                          43%                25
26. Please rank your organization’s drivers for resolving website vulnerabilities. “1” being your lowest priority, “5” being your highest.
15% of the respondents cite Compliance as the primary reason for resolving website vulnerabilities.
6% of the respondents cite Corporate Policy as the primary reason for resolving website vulnerabilities.
35% of the respondents cite Risk Reduction as the primary reason for resolving website vulnerabilities.
19% of the respondents cite Customer or Partner Demand as the primary reason for resolving website vulnerabilities.
25% of the respondents cite other reasons for resolving website vulnerabilities.
% of Respondents by primary driver: Compliance 15%, Corporate Policy 6%, Risk Reduction 35%, Customer or Partner Demand 19%, Other 25%
27. Please rank your organization’s drivers for resolving website vulnerabilities. “1” being your lowest priority, “5” being your highest.
Performance by primary driver:
Primary driver               Average Time to Fix (Days)   Average Remediation Rate   Average Number of Vulnerabilities
Compliance                   132                          55%                        14
Corporate Policy              86                          21%                        21
Risk Reduction                78                          40%                        28
Customer or Partner Demand   163                          50%                        28
Other                        150                          33%                        10
28. SECURITY CONTROLS
SECURITY CONTROL                                                              # OF OPEN VULNS   TIME-TO-FIX   REMEDIATION RATE
Automated static analysis during the code review process                      +                 +             -
QA performs basic adversarial tests                                           +                 -             +
Defects identified through operations monitoring fed back to development      -                 +             -
Share results from security reviews with the QA                               +                 -             +