About Gene Kim

I've been researching high-performing technology organizations since 1999. I'm the multiple award-winning CTO, Tripwire founder, co-author of The DevOps Handbook, The Phoenix Project, and Visible Ops. I'm an DevOps Researcher, Theory of Constraints Jonah, a certified IS auditor and a rabid UX fan.

I am passionate about IT operations, security and compliance, and how IT organizations successfully transform from "good to great."

SEARCH BLOG
« Talk Notes: "Why Does Bad Software Happen To Good People?", Matt Tesauro: LASCON Keynote | Main | Talk Notes: The Infosec Perspective of DevOps: James Wickett: LASCON 2011 »
Thursday
Jan262012

Talk Notes: A Statistical Journey through the Web Application Security Landscape: Jeremiah Grossman: LASCON 2011

LASCON 2011: October 27, 2011

Jeremiah Grossman is the founder of White Hat Security, where my good friend Stephanie Fohn is currently CEO (she helped us with our first initiatives and product launches at Tripwire over a decade ago, for which I'll be forever grateful). Jeremiah is also very well-known for his work on metrics and benchmarking all aspects of vulnerabilities.

Here are my notes/tweets from Jeremiah's presentation:

  • "Statistical analysis of web application security landscape": "he & daughter flew 4K miles to be here"
  • "For last 10 yrs, I've been doing nothing but web app security; it's important, as 5 of 7 most valuable companies are technology companies [the remaining two companies being in the oil extraction business]"
    • "And for that matter, even oil companies are technology driven"
  • "My passion has become how breaches happen. My hope is that we can trace that backwards to prevent."
  • "The VzW Data Breach Report continues to be a must-read report"
    • "in 2009, 95% breaches were remote org criminal grps hacking svrs & apps"
    • "in 2011: web application breaches increased last year, made up nearly 40% of overall attacks."
    • "...and those stats were before countless big breaches: Sony, NASDAQ, Gawker, etc..."
  • "What we should learn:"
    1. these breach could happen to anyone.
    2. even one vulnerability is enough to result in significant disruption business."
    3. Attack techniques of choice: SQL injection, PHP local file include, password reuse, DoS, malware" not sophisticated * (See any @hdmoore presentation to get a sense of of lethal use of employment of password reuse to p0wn)
      • "First citation of SQL Injection attack: Christmas 1998. It's a 13 year old threat"
    4. "What makes new breaches unique is the relentless of the attacker; I would argue that Sony was not materially worse than average".
  • Q: (Someone asked about the recent BofA outage, suspected to be a security breach) A: Here's a news article on the BofA operational/deployment probs
  • "Avg annual amt of serious vulns in yr 2007-2011: 1111, 795, 480, 230, 148" ('serious': potential breach/data loss)
    • "We're seeing a downward trend: introducing 10-11 vulns/month; Majority in retail, financial svc, telecomm"
    • "Financial services companies do significantly worse than banking." (Whoa! ASPs do worse than banks!)
    • "Worst industry is Retail, which is most affected by PCI. Don't see security effect of PCI DSS"
    • Note: Very interesting: Retail sector also has very low deploy rates, compared to FiServ/Banking. That doesn't match my own experience...
  • WhiteHat Security Top 10: Info leakage 64%, cross-site scripting 64%, content spoofing 43%; cross-site forgery 24%
    • (Dude, I would love to help u do data visualization like Dr. Hans Rosling, to show temporal axis :) Like this
    • 50% of banking will fix in 30 days. Challenge is remediation; (Obvious, right?)
    • "We see steady improvement in resolved vulnerability: incr at 5% year over year"
  • "Here is the big question: Why do vulns go unfixed?
    1. No one responsible/owns code
    2. Dev group doesn't understand/respect the vuln;
    3. Lack of budget
    4. Code owned by vendor;
    5. Decommissioning soon
    6. Risk of exploitation acceptable
    7. Vuln conflicts w/biz use case
    8. Compliance doesn't require fix
    9. Feature enhancement are prioritized ahead of security fixes" (<--- surprised this isn't #1 or #2)
  • "Testing speed & frequency matters; how quickly you can vuln data to developers; within 1 wk -> less than 1h to fix"
    • "Dev learns in 1month: 1-3 h to fix; 1 year: more than 10h" (b/c of retasking, relearning, etc. Continuous testing key)
  • "Why do breaches happen? Policy. Showing IT Budget game: ask CFO to divvy budget to Apps, Host, Network"
    • Theory: Allocation of CFO vs. CISO budget are 180 deg out of phase: http://t.co/5TOkaqay
    • Making case that CSOs prioritize network, host, then app: mismatch to actual risk.
  • Ideas on remedying this results in difficult choices
    1. reallocate resources away from firwalls, IDS, AV towards app security"
    2. Justify brand-new app security spending (difficult in this econ)
    3. Let breaches continue to happen"

References (20)

References allow you to track sources for this article, as well as articles that were written in response to this article.
  • Response
    Response: hack facebook
    Talk Notes: A Statistical Journey through the Web Application Security Landscape: Jeremiah Grossman: LASCON 2011 - RealGeneKim Blog - Home page of RealGeneKim (Gene Kim): Tripwire founder and CTO, Visible Ops co-author, and more...
  • Response
    Talk Notes: A Statistical Journey through the Web Application Security Landscape: Jeremiah Grossman: LASCON 2011 - RealGeneKim Blog - Home page of RealGeneKim (Gene Kim): Tripwire founder and CTO, Visible Ops co-author, and more...
  • Response
    Talk Notes: A Statistical Journey through the Web Application Security Landscape: Jeremiah Grossman: LASCON 2011 - RealGeneKim Blog - Home page of RealGeneKim (Gene Kim): Tripwire founder and CTO, Visible Ops co-author, and more...
  • Response
    Talk Notes: A Statistical Journey through the Web Application Security Landscape: Jeremiah Grossman: LASCON 2011 - RealGeneKim Blog - Home page of RealGeneKim (Gene Kim): Tripwire founder and CTO, Visible Ops co-author, and more...
  • Response
    Talk Notes: A Statistical Journey through the Web Application Security Landscape: Jeremiah Grossman: LASCON 2011 - RealGeneKim Blog - Home page of RealGeneKim (Gene Kim): Tripwire founder and CTO, Visible Ops co-author, and more...
  • Response
    Response: Google Sniper
  • Response
  • Response
    Talk Notes: A Statistical Journey through the Web Application Security Landscape: Jeremiah Grossman: LASCON 2011 - RealGeneKim Blog - Home page of RealGeneKim (Gene Kim): Tripwire founder and CTO, Visible Ops co-author, and more...
  • Response
    Response: my favorite
    Mój blog o kosmetykach naturalnych
  • Response
    Response: outdoor gear
    Talk Notes: A Statistical Journey through the Web Application Security Landscape: Jeremiah Grossman: LASCON 2011 - RealGeneKim Blog - Home page of RealGeneKim (Gene Kim): Tripwire founder and CTO, Visible Ops co-author, and more...
  • Response
    Response: best seo
    Talk Notes: A Statistical Journey through the Web Application Security Landscape: Jeremiah Grossman: LASCON 2011 - RealGeneKim Blog - Home page of RealGeneKim (Gene Kim): Tripwire founder and CTO, Visible Ops co-author, and more...
  • Response
    Response: seo
    Talk Notes: A Statistical Journey through the Web Application Security Landscape: Jeremiah Grossman: LASCON 2011 - RealGeneKim Blog - Home page of RealGeneKim (Gene Kim): Tripwire founder and CTO, Visible Ops co-author, and more...
  • Response
    Talk Notes: A Statistical Journey through the Web Application Security Landscape: Jeremiah Grossman: LASCON 2011 - RealGeneKim Blog - Home page of RealGeneKim (Gene Kim): Tripwire founder and CTO, Visible Ops co-author, and more...
  • Response
  • Response
  • Response
    Response: Study in germany
    Get Free study in Germany at studyfeeds.com
  • Response
    Response: cctv perth
    Talk Notes: A Statistical Journey through the Web Application Security Landscape: Jeremiah Grossman: LASCON 2011 - RealGeneKim Blog - Home page of RealGeneKim (Gene Kim): Tripwire founder and CTO, Visible Ops co-author, and more...
  • Response
    Response: florists
    Talk Notes: A Statistical Journey through the Web Application Security Landscape: Jeremiah Grossman: LASCON 2011 - RealGeneKim Blog - Home page of RealGeneKim (Gene Kim): Tripwire founder and CTO, Visible Ops co-author, and more...
  • Response
    Response: florists
    Talk Notes: A Statistical Journey through the Web Application Security Landscape: Jeremiah Grossman: LASCON 2011 - RealGeneKim Blog - Home page of RealGeneKim (Gene Kim): Tripwire founder and CTO, Visible Ops co-author, and more...
  • Response
    Response: dumpsters
    Talk Notes: A Statistical Journey through the Web Application Security Landscape: Jeremiah Grossman: LASCON 2011 - RealGeneKim Blog - Home page of RealGeneKim (Gene Kim): Tripwire founder and CTO, Visible Ops co-author, and more...

Reader Comments (2)

Seeing those large security companies hacked is scary. No one is safe.

May 9, 2013 | Unregistered CommenterAnti DDoS

I have the exact same problem! I have no idea how to get rid of them.

May 25, 2014 | Unregistered CommenterEkologiczny
Comments for this entry have been disabled. Additional comments may not be added to this entry at this time.