Secure By Design
SEBYDE
Short introduction
© 2013 Sebyde BV
Who are we?
> SEBYDE (se-bee-de) – Secure by Design
> IBM Certified Business Partner
> Specialised in:
– Security Assessments
• Application security scans
• Network + Systems
– Security Awareness
• Change of behaviour and motivation
• Security Awareness program
Focus of hackers changed
From Infrastructure
To Applications
Reality …
> 60-80% of Web applications / Websites have at least one weak security point (vulnerability).
> 75% of all hacks are targeted at Web applications / Websites
> IBM's X-Force Report March 2013: 43% of all security issues are caused by Web applications.
>81% of the Web applications do not comply with the PCI DSS regulation (Payment Card Industry).
> IDC Research: 25% of all companies are "exploited" via a weak spot in the Web Application security.
> Unaware users are infected by websites with "Malware".
> Google: >2 Million search requests per month for "How to hack", "Download hacking tools" and related information.
Damage
> Theft
– Information
– Privacy sensitive information
– Money
> System failure
– Application not available
– Loss of business
– DDoS
> Repair costs
– Software
– Information
> Reputation
– Customer trust
– News / media
– Costs: ????
– Indirect (ISP)
> Fines
– EU Privacy act
– CBP
But still …
Security spending compared with where the attacks take place:

                                  % of attacks    % of budget
Network / Server Infrastructure        25%            90%
Web Applications                       75%            10%
The solution: Secure by Design
> Prevent weaknesses in IT security by taking the security aspects into account during the building / programming phase of applications.
> Designers and programmers should assume that applications will be attacked immediately after they have been taken into use.
> Software Security is an integral part of the development process.
Test Early
Design – Secure by Design
Development – Static testing
Test phase – Acceptance testing
Deployment phase – Dynamic testing
Production phase – At an incident: loss of customer trust, law suits, reputation damage, repair costs, fines
Early testing saves money. 80% of the development costs are spent on problem solving in applications.
Solving vulnerability issues in an application that has already been taken into use costs 100 times more than solving the issues in the development phase.
Relative repair cost across the phases, as shown in the chart: 1x, 6,5x, 15x, 100x.
Secure By Design
Sebyde Services
Sebyde Services
Security Scan
Secure Development (Reseller)
Security Awareness
Security Assessments
1. Security Scan
> Scan your web application(s) for 1400+ exploits
> We use a specialised tool, IBM Security AppScan®
> We deliver clear reports of the weak security points (vulnerabilities) in the application and advice on how to repair them
> Support during the repair of the source code
> Fast results
– 3 days (Full scan)
– 1 day (Vital Few scan)
> One-time or subscription
2. Secure development
> Enterprise – IBM Security AppScan® Enterprise
A multi-user environment where multiple scans take place at the same time. It offers a dashboard and a consolidated reporting environment, and enables organisations to centrally manage their secure coding performance.
> Development Integration – IBM Security AppScan® Source
For web and non-web applications. Static Analysis Software Testing (SAST) or white-box testing to find vulnerabilities in the source code, for example to extend your QA testing procedures.
> In-House Audits – IBM Security AppScan® Standard
Dynamic Analysis Software Testing (DAST) or black-box testing of your web application. Can run from a desktop. Used by organisations that want to scan their web applications themselves.
> Outsourced Audits – Sebyde Security Scan / IBM Security AppScan® OnDemand
SaaS version of IBM Security AppScan®. Meant for organisations that are not able or do not want to build up their own testing expertise. The audit is performed by external experts, either in-house by Sebyde or in the cloud by IBM expert teams.
3. Security Awareness Training
> 2-3 half-day sessions
> Increase security awareness
> Make people aware of the risks and dangers of working with information systems and (confidential) company data.
> Explanation of many security-related facts that can disturb the business processes
> Recognise possible risks
> What to do when an incident occurs
> Stimulates secure behaviour
> Take security aspects into account during the daily activities
Specialised Security training

Code        Title                                                        Duration
CEH         EC-Council Certified Ethical Hacker                          5 days
CHFI        EC-Council Computer Hacking Forensic Investigator            5 days
ECSA-LPT    EC-Council Security Analyst & Licensed Penetration Tester    5 days
ECSP        EC-Council Certified Secure Programmer                       5 days
EDRP        EC-Council Disaster Recovery Professional                    5 days
ENSA        EC-Council Network Security Administrator                    5 days
GK9840      CISSP Certification Preparation                              5 days
ISO27002F   ISO 27002 Foundation (incl. exam ISFS)                       2 days
ISO27002A   ISO 27002 Advanced (incl. exam ISMAS)                        3 days

These trainings are provided by Global Knowledge.
4. Security Assessments
> Quick Assessment
– Company-wide general assessment of the ICT Security
> Privacy Impact Assessment
– Assessment of security measures at projects and systems that process personal data (privacy sensitive data)
> Network Assessment
– Penetration test
– Open ports, leaks and vulnerable software
> System Assessment
– Configuration and settings
– Physical infrastructure, Services, Software, BIOS, Operating System, etc.
Overview Sebyde services
Sebyde – Secure by Design: People, Process, Technique
> Security Awareness
• Management
• Employee
• Developers
> Security assessment
> Secure Development
• Software testing
• Software services

Rob Koch ([email protected])
Derk Yntema ([email protected])
Thanks!
If you have any questions, please do not hesitate to contact us!