Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.


1 Copyright © 2007 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The OWASP Foundation, OWASP-Day, Università La Sapienza, Rome, 10th September 2007, http://www.owasp.org
Web Application Security: Increasing customer's awareness
Laurent PETROQUE, System Engineer, F5 Networks, l.petroque@f5.com

2 OWASP-Day – La Sapienza, 10th Sep 07, OWASP Italy
Application Security: Trends and Drivers
- "Webification" of applications
- Intelligent browsers and applications
- Public awareness of data security
- Increasing regulatory requirements
- The next attackable frontier
- Targeted attacks

3 Almost every web application is vulnerable!
- "70% of websites at immediate risk of being hacked!" - Acunetix, Jan 2007, http://www.acunetix.com/news/security-audit-results.htm
- "8 out of 10 websites vulnerable to attack" - WhiteHat Security report, Nov 2006, https://whitehatsec.market2lead.com/go/whitehatsec/webappstats1106
- "75 percent of hacks happen at the application." - Gartner, "Security at the Application Level"
- "64 percent of developers are not confident in their ability to write secure applications." - Microsoft Developer Research

4 Spreading Web Application Security
- Groups:
  - Risk assessment group
  - Security officer
  - Application guys
  - Network guys
- Segments:
  - PCI compliance
  - SOX compliance
  - Financials
  - Healthcare
  - E-Commerce

5 Why this is important
- Unique value to customers
- Dramatically improve attach rate
- Position bigger platforms
- Position new and more services
- Introduce to new groups within the organization
- Security impacts the entire process

6 Understand the customer's business problem - not just the technical problem.
The customer's business problem isn't always a security breach:
- Compliance
- Business enabler
- Extension
- Acquisition or new partnership
- Company security policy
  - Install a WAF
  - Audit code
  - Recurring pen testing
  - Monitoring at layer 7

7 Understand the customer's business problem - not just the technical problem.
Sometimes it is pure security:
- Failed security audit
- Discovered vulnerability
- Hacked
- Critical/high-profile application

8 Who is responsible for application security?
- Network security?
- Web developers?
- DBA?
- Engineering services?

9 Know who we are talking with
- Network guys - keep it simple!!! Talk about how easy/fast it is to deploy. Remember! They are in the network business since they don't like applications...
  - Many times they are responsible for the entire security, and now they are expected to protect an application layer? How can they do that?
- Application guys - show them the policy - the application map

10 Know who we are talking with
- Security guys - they know a lot about network security but less about web application security
  - They are often isolated in the organization
  - Attached to general management
  - Show them how to inflate an application security message
  - Benefit from this knowledge
    - In front of developers, for instance
    - New technology validation

11 Speaking to execs
- Protects stakeholders from regulatory violations
- Increases and simplifies compliance
  - PCI
  - Sarbanes-Oxley
- Brand protection
- Provides insurance, assurance and accountability
- Improves business agility
- Provides risk insight and risk mitigation
- Continuous improvement of confidentiality, availability and accuracy of business information and processes

12 PCI awareness campaign in Italy
- We ran a phoning campaign
- 75 companies contacted
- Enormous awareness job still to complete
- Huge business potential detected
- Strong on web application security

13 Sarbanes-Oxley compliance
- Huge potential with SOX: "The requirements for SOX compliance apply to any system that processes or maintains financial data"
- Most applications are moving to the Web
  - Even those maintaining "financial data"
- Impacts numerous organizations
- Execs are more than receptive

14 What customers want from Sarbanes-Oxley
- User authentication
- Password management
- Access controls
- Input validation
- Exception handling
- Secure data storage and transmission
- Logging
- Monitoring and alerting
- System hardening
- Change management
- Application development
- Periodic security assessments and audits

15 Polizia Postale statistics for 2005 (chart; figures not reproduced in the transcript)

16 Polizia Postale statistics for 2006 (chart; figures not reproduced in the transcript)

17 F5 Networks: Integrated & Modular Application Delivery Networking Architecture
Operational efficiency through intelligent design (diagram spanning Applications, Users, International and Data Center)
- Enterprise Manager
- TMOS
- iControl
- BIG-IP Global Traffic Manager
- WANJet
- FirePass
- BIG-IP Local Traffic Manager
- TrafficShield
- Web Accelerator
- BIG-IP Link Controller


