Introduction Sebyde BV | Security Testing | Security Awareness | Secure Development

Secure By Design: SEBYDE, short introduction

Uploaded by: derk-yntema

Posted on 14-Jan-2015

TRANSCRIPT

Page 1: Introduction Sebyde BV | Security Testing | Security Awareness | Secure Development

Secure By Design

SEBYDE

Short introduction

Page 2

© 2013 Sebyde BV

Who are we?

> SEBYDE (se-bee-de): Secure by Design

> IBM Certified Business Partner

> Specialised in:
  – Security Assessments
    • Application security scans
    • Network + Systems
  – Security Awareness
    • Change of behaviour and motivation
    • Security Awareness program

Page 3

Focus of hackers changed

From Infrastructure

To Applications

Page 4

Reality …

> 60-80% of Web applications / Websites have at least one weak security point (vulnerability).

> 75% of all hacks are targeted at Web applications / Websites.

> IBM’s X-Force Report March 2013: 43% of all security issues are caused by Web applications.

> 81% of Web applications do not comply with the PCI DSS regulation (Payment Card Industry).

> IDC Research: 25% of all companies are “exploited” via a weak spot in Web application security.

> Unaware users are infected by websites with “Malware”.

> Google: more than 2 million search requests per month for “How to hack”, “Download hacking tools” and related information.

Page 5

Damage

> Theft
  – Information
  – Privacy-sensitive information
  – Money

> System failure
  – Application not available
  – Loss of business
  – DDoS

> Repair costs
  – Software
  – Information

> Reputation
  – Customer trust
  – News / media
  – Costs: ????
  – Indirect (ISP)

> Fines
  – EU Privacy act
  – CBP

Page 6

But still … (share of attacks versus share of security spending)

                                  % of attacks   % of budget
Network / Server infrastructure        25%            90%
Web applications                       75%            10%

Page 7

The solution: Secure by Design

> Prevent weaknesses in IT security by taking the security aspects into account in the building / programming phase of applications.

> Designers and programmers should assume that applications will be attacked immediately after they have been taken into use.

> Software security is an integral part of the development process.

Page 8

Design:            Secure by Design
Development:       Static testing
Test phase:        Acceptance testing
Deployment phase:  Dynamic testing
Production phase:  At an incident: loss of customer trust, law suits, reputation damage, repair costs, fines

Test Early: early testing saves money. 80% of the development costs are spent on problem solving in applications.

Solving vulnerability issues in an application that has already been taken into use costs 100 times more than solving the issues in the development phase.

Relative repair cost per phase, as shown on the slide: 1x, 6.5x, 15x, 100x

Page 9

Secure By Design

Sebyde Services

Page 10

Sebyde Services

Security Scan

Secure Development (Reseller)

Security Awareness

Security Assessments

Page 11

1. Security Scan

> Scan your web application(s) for 1400+ exploits

> We use a specialised tool, IBM Security AppScan®

> We deliver clear reports of the weak security points (vulnerabilities) in the application and advice on how to repair them

> Support during the repair of the source code

> Fast result
  – 3 days (Full scan)
  – 1 day (Vital Few scan)

> One-time or subscription

Page 12

2. Secure development

Enterprise: IBM Security AppScan® Enterprise
  A multi-user environment where multiple scans take place at the same time. It offers a dashboard and a consolidated reporting environment, and enables organisations to centrally manage secure coding performance.

Development Integration: IBM Security AppScan® Source
  For web and non-web applications. Static Analysis Software Testing (SAST) or white-box testing to find vulnerabilities in the source code, for example to extend your QA testing procedures.

In-House Audits: IBM Security AppScan® Standard
  Dynamic Analysis Software Testing (DAST) or black-box testing of your web application. Can run from a desktop. Used by organisations that want to scan their web applications themselves.

Outsourced Audits: Sebyde Security Scan / IBM Security AppScan® OnDemand
  SAAS version of IBM Security AppScan®, meant for organisations that are not able or do not want to build up their own testing expertise. The audit is performed by external experts, either in-house by Sebyde or in the cloud by IBM expert teams.

Page 13

3. Security Awareness Training

> 2-3 half-day sessions

> Increase security awareness

> Make people aware of the risks and dangers of working with information systems and (confidential) company data

> Explanation of many security-related facts that can disrupt the business processes

> Recognise possible risks

> What to do when an incident occurs

> Stimulates secure behaviour

> Take security aspects into account during daily activities

Page 14

Specialised Security training

Code        Title                                                        Duration
CEH         EC-Council Certified Ethical Hacker                          5 days
CHFI        EC-Council Computer Hacking Forensic Investigator            5 days
ECSA-LPT    EC-Council Security Analyst & Licensed Penetration Tester    5 days
ECSP        EC-Council Certified Secure Programmer                       5 days
EDRP        EC-Council Disaster Recovery Professional                    5 days
ENSA        EC-Council Network Security Administrator                    5 days
GK9840      CISSP Certification Preparation                              5 days
ISO27002F   ISO 27002 Foundation (incl. exam ISFS)                       2 days
ISO27002A   ISO 27002 Advanced (incl. exam ISMAS)                        3 days

These trainings are provided by Global Knowledge.

Page 15

4. Security Assessments

> Quick Assessment
  – Company-wide general assessment of the ICT security

> Privacy Impact Assessment
  – Assessment of security measures at projects and systems that process personal data (privacy-sensitive data)

> Network Assessment
  – Penetration test
  – Open ports, leaks and vulnerable software

> System Assessment
  – Configuration and settings
  – Physical infrastructure, services, software, BIOS, operating system, etc.

Page 16

Overview Sebyde services

Security Awareness: Management, Employees, Developers

Security Assessment

Secure Development

Sebyde: Secure by Design

Software testing

Software services

People | Process | Technique

Page 17

Rob Koch ([email protected])

Derk Yntema ([email protected])

Thanks!

If you have any questions, please do not hesitate to contact us!