[Owasp-ireland] The Verizon 2012 Data Breach Investigations Report is out!

David Lowry david.james.lowry at gmail.com
Wed Apr 4 14:13:03 UTC 2012


In my experience 10 to 15 years ago writing secure code wasn't on the
agenda (for me at least). Writing "good code" was. At times it was a
struggle to get time to document code or write unit tests and regression
tests; even basic things like requirements and design weren't always high
on the agenda.


Niall's example of two developers attending the same weekly development
meeting reminds me of similar situations from that time. One developer
saying he can complete the task in two days, basically hacking some code
together and completing the other "admin" tasks such as documentation later.
The other developer saying two weeks, as he wants to do a design and create
unit tests and so on.

In the beginning people sided with the first developer but over time
everyone came to understand the importance of following a development
process, commenting code, testing code and so on. The reason for this was
the long term cost of writing good code was less than that of writing bad
code.


Now these things are standard: developing involves writing unit tests,
commenting your code and so on. I think the same is starting to happen with
secure development. It will take time, but while it may still be seen as an
add-on, over time it will become part of what developers do.


Dave

On 24 March 2012 23:42, nialljordan <niall.jordan at gmail.com> wrote:

> Chiming in so....
> In my opinion many developers don't write secure code because they are not
> paid to write secure code. They are paid to write code that provides
> functionality to the end-users. Imagine these two different developers
> attending the same weekly progress meeting with the development manager:
> Insecure developer turns up and says that he has completed all the
> functionality on the form he was assigned to build but that he just needs
> to tack on some security now to complete.
> Secure developer turns up and says that he has 30% of the functionality
> complete but that that 30% is the most secure code in the world.
> In a 'normal' company which of these two developers would have a job at
> the end of the month?
> Code is going to get more secure when the cost to the business as a whole
> of writing secure code is less than or equal to the cost of writing
> insecure code. In some cases this cost is tangible and in others intangible.
> I don't believe it is 'hard' to write secure code. I think it's hard to
> tack it on at the end, but not so to build in from the start.
>
> I agree though, it would be a nice idea for a presentation. I might look
> into it.
>
> Niall
>
> On 23 Mar 2012, at 12:22, Eoin wrote:
>
> Great minds....fools.....
>
> Sounds great!!
> Mr Jordan, feel free to chime in.
>
> On 23 March 2012 12:20, David Rook <david.rook at realexpayments.com> wrote:
>
>> Already submitted something Eoin!
>>
>> On the developers point I was recently speaking with Lorna Alamri about
>> app sec conferences in general and I suggested something similar.
>> Specifically my one liner on that was:
>>
>> "Get developers to come and speak, get them to tell the security people
>> in the audience why they find it hard to write secure code"
>>
>> Someone like Niall Jordan (I'm sure he is reading these emails!) would be
>> ideal for that in my opinion with the background he has - both sides of the
>> table in recent times. I can send a message to our developers here to see
>> if anyone fancies doing something like that as well.
>>
>>
>> On 23/03/2012 12:14, Eoin wrote:
>>
>> Correct,
>> The latest WhiteHat report has XSS as second, Information leakage as #1
>>
>> Hope you are going to submit (CFP) something for OWASP Ireland 2012
>> (September)?
>> Other people on the list please get involved also......
>>
>> I'd love for some developers to talk at the event discussing problems
>> they have with security and how can it be easier to do!!??
>>
>> We have Keynotes:
>> Jeremiah Grossman, Michael Coates + 1 more
>> And a good panel to be chaired by Bryce Bolland (UBS Security CTO)
>>
>> On 23 March 2012 12:07, David Rook <david.rook at realexpayments.com> wrote:
>>
>>> Hi Eoin,
>>>
>>> I think your final point hits the nail on the head, after all it's not a
>>> report detailing the most commonly found vulns but the vectors used to
>>> steal data and whilst XSS could have been involved it wasn't the way the
>>> data was stolen if that makes sense.
>>>
>>> I'm sure if you looked at the latest White Hat Security report for
>>> example it would show XSS as being a common vuln and I don't think any
>>> would argue against that :)
>>>
>>> Dave
>>>
>>>
>>> On 23/03/2012 12:01, Eoin wrote:
>>>
>>> Hi David,
>>>
>>> I'll admit i did not read the report:)
>>>
>>> So the Verizon report pretty much says XSS is not used very much to
>>> cause havoc!!
>>> It would be good to read other reports to see if they say similar??
>>>
>>> So are we as security peeps barking up the wrong tree.... I think the
>>> OWASP Top 10 is based on discovered issues as opposed to breaches if that
>>> makes sense - The most common vulns found.
>>>
>>> -ek
>>>
>>>
>>>
>>>
>>> On 23 March 2012 08:58, David Rook <david.rook at realexpayments.com> wrote:
>>>
>>>> Hi Eoin,
>>>>
>>>> Yep it can do but how malware was installed was included in the report
>>>> as well and XSS is going to account for very few of those infections I
>>>> think. According to the report 95% of all malware used in those data
>>>> breaches was installed after the attacker got access to the system, at best
>>>> I think only around 3% of the malware used in data breaches came from web
>>>> app vulns being exploited (2% "injected by attacker" and 1% "drive by web
>>>> attacks").
>>>>
>>>> It could be that the malware installed via an XSS exploit is part of
>>>> the 95% but if it was a significant chunk of that I'd have expected it to
>>>> be called out in the report.
>>>>
>>>> I could be reading that part of the report wrong though :)
>>>>
>>>> Dave
>>>>
>>>>
>>>> On 22/03/2012 17:13, Eoin wrote:
>>>>
>>>> But xss leads to malware upload? It's a payload delivery system.
>>>> Agree??
>>>>
>>>> Eoin Keary
>>>> BCC Risk Advisory
>>>> Owasp Global Board
>>>> +353 87 977 2988
>>>>
>>>>
>>>> On 22 Mar 2012, at 16:48, David Rook <david.rook at realexpayments.com>
>>>> wrote:
>>>>
>>>>  Hi Alexis,
>>>>
>>>> I'd say your final question is correct. I'm not doubting they are big
>>>> issues (in that they can be exploited and are in many web apps) but they
>>>> aren't in the same league as the vectors mentioned in the report. I can't
>>>> remember a big CSRF news story for example, let alone one that led to a lot
>>>> of data being stolen.
>>>>
>>>> Dave
>>>>
>>>> On 22/03/2012 16:40, Alexis FitzGerald wrote:
>>>>
>>>>
>>>> I could not find any mention of XSS (or CSRF). At least they were
>>>> mentioned in last year's edition. Does this mean that the OWASP Top 10 puts
>>>> too much of an emphasis on these issues? While they might be prevalent in
>>>> online applications, they are not actually exploited much in actual data
>>>> breaches?
>>>>
>>>> Opinions welcome.
>>>>
>>>> Alexis
>>>>
>>>> On 22/03/2012 16:47, David Rook wrote:
>>>>
>>>> Hi Fabio,
>>>>
>>>> What I found interesting is that of the vectors included in the hacking
>>>> category 90% of the breaches were because of non app sec issues! I was a
>>>> bit surprised by that and it is very different when the report focuses on
>>>> "large" organisations (54%) but it does provide a strong argument for app
>>>> sec v non app sec spend *not* being equal.
>>>>
>>>> Sure app sec spend needs to increase but using the evidence presented
>>>> in this report (and I acknowledge it's not the complete picture of course)
>>>> it's a tough sell to convince people that app sec spend should be equal to
>>>> or more than non app sec spend.
>>>>
>>>> Veracode published a blog which pulled out the app sec "highlights":
>>>>
>>>>
>>>> http://www.veracode.com/blog/2012/03/verizon-data-breach-investigative-report-2012-application-security-specific-highlights/
>>>>
>>>> Dave
>>>>
>>>> On 22/03/2012 15:02, Fabio Cerullo wrote:
>>>>
>>>> Hi there,
>>>>
>>>> Interesting read... not surprisingly SQL injection is on top of the
>>>> list along with credentials misuse and malware.
>>>> http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
>>>>
>>>> Fabio
>>>> _______________________________________________
>>>> Owasp-ireland mailing list
>>>> Owasp-ireland at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-ireland
>>>>
>>>>
>>>> --
>>>> David Rook
>>>> Application Security Lead
>>>> Product Management
>>>> Realex Payments
>>>> Enabling thousands of businesses to sell online.
>>>>
>>>> Connect with us:
>>>> http://www.twitter.com/securityninja
>>>> http://www.twitter.com/realexpayments
>>>> http://www.facebook.com/realexpayments
>>>> http://www.linkedin.com/company/realex-payments
>>>> http://www.youtube.com/realexpayments
>>>>
>>>> Realex Payments Dublin:
>>>> t: +353 (0)1 2808559 | f: +353 (0)1 2808538  | http://www.realexpayments.com
>>>>
>>>>
>>>>
>>>> Realex Payments London:
>>>> t: +44 (0)20 3178 5370 | f: +44 (0)20 7691 7264  | http://www.realexpayments.co.uk
>>>>
>>>>
>>>>
>>>>
>>>> Realex Payments Paris:
>>>> t: +33 (0)1 70 38 51 37  | f: +33 (0)1 70 38 51 51 | http://www.realexpayments.fr
>>>>
>>>> Pay and Shop Limited, trading as Realex Payments has its registered office at Castlecourt, Monkstown Farm, Monkstown, Co. Dublin, Ireland and is registered in Ireland, company number 324929.
>>>> This mail and any documents attached are classified as confidential and are intended for use by the addressee(s) only unless otherwise indicated. If you are not an intended recipient of this email, you must not use, disclose, copy, distribute or retain this message or any part of it. If you have received this email in error, please notify us immediately and delete all copies of this email from your computer system(s).
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Eoin Keary
>>> OWASP Global Board Member (Vice Chair)
>>>
>>> https://twitter.com/EoinKeary
>>>
>>>
>>>
>>
>>
>
>
>
>


-- 
http://www.theinternetisclosedforwinter.com