[Owasp-ireland] The Verizon 2012 Data Breach Investigations Report is out!

Eoin eoin.keary at owasp.org
Fri Mar 23 13:28:40 UTC 2012


Thanks Fabio,
I'll try to make the conference :)


Eoin Keary
BCC Risk Advisory
Owasp Global Board
+353 87 977 2988


On 23 Mar 2012, at 12:43, Fabio Cerullo <fcerullo at owasp.org> wrote:

> I completely agree guys... we need to break that "invisible" barrier
> that separates security from development.
> 
> That's why there is a strong focus on pushing secure development
> activities in our chapter.
> 
> Examples of this are the talks being planned for 30th March and
> 20th April (details to be finalised).
> 
> Regarding the conference, we have received several submissions so far
> and the agenda is shaping up very nicely.
> 
> Looking forward to seeing you at an OWASP event near you.
> 
> All the best,
> 
> Fabio
> 
> On Fri, Mar 23, 2012 at 12:20 PM, David Rook
> <david.rook at realexpayments.com> wrote:
>> Already submitted something Eoin!
>> 
>> On the developers point I was recently speaking with Lorna Alamri about app
>> sec conferences in general and I suggested something similar. Specifically
>> my one liner on that was:
>> 
>> "Get developers to come and speak, get them to tell the security people in
>> the audience why they find it hard to write secure code"
>> 
>> Someone like Niall Jordan (I'm sure he is reading these emails!) would be
>> ideal for that in my opinion with the background he has - both sides of the
>> table in recent times. I can send a message to our developers here to see if
>> anyone fancies doing something like that as well.
>> 
>> 
>> On 23/03/2012 12:14, Eoin wrote:
>> 
>> Correct,
>> The latest WhiteHat report has XSS as second, Information leakage as #1
>> 
>> Hope you are going to submit (CFP) something for OWASP Ireland 2012
>> (September)?
>> Other people on the list please get involved also......
>> 
>> I'd love for some developers to talk at the event discussing the problems they
>> have with security and how it can be made easier to do!!??
>> 
>> We have Keynotes:
>> Jeremiah Grossman, Michael Coates + 1 more
>> And a good panel to be chaired by Bryce Bolland (UBS Security CTO)
>> 
>> On 23 March 2012 12:07, David Rook <david.rook at realexpayments.com> wrote:
>>> 
>>> Hi Eoin,
>>> 
>>> I think your final point hits the nail on the head. After all, it's not a
>>> report detailing the most commonly found vulns but the vectors used to steal
>>> data, and whilst XSS could have been involved it wasn't the way the data was
>>> stolen, if that makes sense.
>>> 
>>> I'm sure if you looked at the latest White Hat Security report, for example,
>>> it would show XSS as being a common vuln and I don't think anyone would argue
>>> against that :)
>>> 
>>> Dave
>>> 
>>> 
>>> On 23/03/2012 12:01, Eoin wrote:
>>> 
>>> Hi David,
>>> 
>>> I'll admit I did not read the report :)
>>> 
>>> So the Verizon report pretty much says XSS is not used very much to cause
>>> havoc!!
>>> It would be good to read other reports to see if they say something similar??
>>> 
>>> So are we as security peeps barking up the wrong tree.... I think the
>>> OWASP Top 10 is based on discovered issues as opposed to breaches, if that
>>> makes sense - the most common vulns found.
>>> 
>>> -ek
>>> 
>>> 
>>> 
>>> 
>>> On 23 March 2012 08:58, David Rook <david.rook at realexpayments.com> wrote:
>>>> 
>>>> Hi Eoin,
>>>> 
>>>> Yep, it can do, but how malware was installed was included in the report as
>>>> well and XSS is going to account for very few of those infections I think.
>>>> According to the report 95% of all malware used in those data breaches
>>>> was installed after the attacker got access to the system; at best I think
>>>> only around 3% of the malware used in data breaches came from web app vulns
>>>> being exploited (2% "injected by attacker" and 1% "drive by web attacks").
>>>> 
>>>> It could be that the malware installed via an XSS exploit is part of the
>>>> 95% but if it was a significant chunk of that I'd have expected it to be
>>>> called out in the report.
>>>> 
>>>> I could be reading that part of the report wrong though :)
>>>> 
>>>> Dave
>>>> 
>>>> 
>>>> On 22/03/2012 17:13, Eoin wrote:
>>>> 
>>>> But XSS leads to malware upload? It's a payload delivery system.
>>>> Agree??
>>>> 
>>>> Eoin Keary
>>>> BCC Risk Advisory
>>>> Owasp Global Board
>>>> +353 87 977 2988
>>>> 
>>>> 
>>>> On 22 Mar 2012, at 16:48, David Rook <david.rook at realexpayments.com>
>>>> wrote:
>>>> 
>>>> Hi Alexis,
>>>> 
>>>> I'd say your final question is correct. I'm not doubting they are big
>>>> issues (in that they can be exploited and are in many web apps) but they
>>>> aren't in the same league as the vectors mentioned in the report. I can't
>>>> remember a big CSRF news story, for example, let alone one that led to a lot
>>>> of data being stolen.
>>>> 
>>>> Dave
>>>> 
>>>> On 22/03/2012 16:40, Alexis FitzGerald wrote:
>>>> 
>>>> 
>>>> I could not find any mention of XSS (or CSRF). At least they were
>>>> mentioned in last year's edition. Does this mean that the OWASP Top 10 puts
>>>> too much of an emphasis on these issues? While they might be prevalent in
>>>> online applications, they are not actually exploited much in actual data
>>>> breaches?
>>>> 
>>>> Opinions welcome.
>>>> 
>>>> Alexis
>>>> 
>>>> On 22/03/2012 16:47, David Rook wrote:
>>>> 
>>>> Hi Fabio,
>>>> 
>>>> What I found interesting is that, of the vectors included in the hacking
>>>> category, 90% of the breaches were because of non app sec issues! I was a bit
>>>> surprised by that, and it is very different when the report focuses on
>>>> "large" organisations (54%), but it does provide a strong argument for app
>>>> sec v non app sec spend not being equal.
>>>> 
>>>> Sure app sec spend needs to increase but using the evidence presented in
>>>> this report (and I acknowledge it's not the complete picture of course) it's
>>>> a tough sell to convince people that app sec spend should be equal to or
>>>> more than non app sec spend.
>>>> 
>>>> Veracode published a blog which pulled out the app sec "highlights":
>>>> 
>>>> 
>>>> http://www.veracode.com/blog/2012/03/verizon-data-breach-investigative-report-2012-application-security-specific-highlights/
>>>> 
>>>> Dave
>>>> 
>>>> On 22/03/2012 15:02, Fabio Cerullo wrote:
>>>> 
>>>> Hi there,
>>>> 
>>>> Interesting read... not surprisingly SQL injection is on top of the
>>>> list along with credentials misuse and malware.
>>>> 
>>>> 
>>>> http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
>>>> 
>>>> Fabio
>>>> _______________________________________________
>>>> Owasp-ireland mailing list
>>>> Owasp-ireland at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-ireland
>>>> 
>>>> 
>>>> --
>>>> David Rook
>>>> Application Security Lead
>>>> Product Management
>>>> Realex Payments
>>>> Enabling thousands of businesses to sell online.
>>>> 
>>>> Connect with us:
>>>> http://www.twitter.com/securityninja
>>>> http://www.twitter.com/realexpayments
>>>> http://www.facebook.com/realexpayments
>>>> http://www.linkedin.com/company/realex-payments
>>>> http://www.youtube.com/realexpayments
>>>> 
>>>> Realex Payments Dublin:
>>>> t: +353 (0)1 2808559 | f: +353 (0)1 2808538  |
>>>> http://www.realexpayments.com
>>>> 
>>>> Realex Payments London:
>>>> t: +44 (0)20 3178 5370 | f: +44 (0)20 7691 7264  |
>>>> http://www.realexpayments.co.uk
>>>> 
>>>> Realex Payments Paris:
>>>> t: +33 (0)1 70 38 51 37  | f: +33 (0)1 70 38 51 51 |
>>>> http://www.realexpayments.fr
>>>> 
>>>> Pay and Shop Limited, trading as Realex Payments has its registered
>>>> office at Castlecourt, Monkstown Farm, Monkstown, Co. Dublin, Ireland and is
>>>> registered in Ireland, company number 324929.
>>>> This mail and any documents attached are classified as confidential and
>>>> are intended for use by the addressee(s) only unless otherwise indicated. If
>>>> you are not an intended recipient of this email, you must not use, disclose,
>>>> copy, distribute or retain this message or any part of it. If you have
>>>> received this email in error, please notify us immediately and delete all
>>>> copies of this email from your computer system(s).
>>>> 
>>>> 
>>>> 
>>> 
>>> 
>>> 
>>> 
>>> --
>>> Eoin Keary
>>> OWASP Global Board Member (Vice Chair)
>>> 
>>> https://twitter.com/EoinKeary
>>> 
>> 
>> 

