Security Overview

Application Security:
Bake In or Add (Sometime) Later?
Jeff Kalwerisky
Security Evangelist for Alpha Tech
VP, Information Security & Technical Training
CPEinteractive, Inc.
Famous Quote
• “Who am I and Why Am I Here?”
Admiral James Stockdale, Vietnam war hero & Ross
Perot’s V-P candidate in 1992
• A recovering software developer
• Not an Alpha developer
• Sole focus: Information Security
– AKA Keeping “them” away from the crown jewels
• Security Evangelist for Alpha for many years
The Title of This Short Talk
• The $64K question: Should security be baked into
all apps or can it be added on later?
• The answer is Yes!
• In fact, attention to security begins on that very
first design whiteboard
• It then continues into prototyping, development,
testing, live deployment, and maintenance
– Whether Alpha Anywhere©, Xbasic, Java, even COBOL
Thinking About Security Starts Here
• Information Security
“Just the Facts, Ma’am”
Of the top 100 Android & iOS apps
have been successfully hacked
Of popular mobile apps have security baked in
and use tools to defend against hack attacks
Why Should I Care?
Revenue Loss
Unauthorized Access to Sensitive Data
Altered user Experience
Intellectual Property Theft
Brand Damage
What Really Keeps CxOs Up at Night
• With an alphabet soup of regulations
and standards
The Men in Black:
Not to Mention Career-Limiting
• CIO and CEO of Target fired after embarrassing
security breach which compromised 40-million(!)
customer credit and debit cards
Not All (Mobile) Apps Are Equal
High Risk Apps . . .
• Collect Personal Info
• Use remote servers to handle user data
• Access sensitive databases
Low(er) Risk Apps . . .
• Alarm Clock
• To-Do List with no connection
• Apps that never talk to the Web or Corporate databases
• Basic security is built into the tool
– Unlike many other development tools
– We’re looking at ya, MS-Access . . .!
• But it’s getting much more complex
– BYOD, BYOA, COPE*, Cloud, Big Data Analytics,
social media, the Internet of Things, . . .
* Corporate-Owned, Personally-Enabled
Announcing . . .
• Alpha Anywhere© Security University
• A series of focused, online sessions
• Touching on many aspects of “real” security
– C-I-A: Confidentiality-Integrity-Availability
– The myriad virtues of Encryption Everywhere
– Threat Modeling: finding those pesky security
vulnerabilities BEFORE they bite you
– From Design, through Development, into Production
The Ponemon Institute’s (Sad) Finding*
*Exposing the Cybersecurity Cracks, July 2014
Another Ponemon Finding, July 2014
This is What We Want. Right?
Contact Me
Jeff Kalwerisky
CPE Interactive, Inc.
[email protected]
Mobile 404-641-0634