Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
C. Warren Axelrod

All the Way from RSA

But even though my presentation was on the last day, with a much diminished audience (especially as many of my East Coast colleagues had already taken flights home), I enjoyed the experience and was delighted to get such a positive response from those who stayed on to attend my session. My topic was “Issues and Challenges with Application Security Metrics” with a particular focus on building security data collection into applications… something that I believe hasn’t been given the attention it warrants. I used the example of the well-known ChoicePoint breach, where they kept changing the estimates of the number of accounts compromised, much as in the case of the recently announced breach of 24,000 customer accounts held at the HSBC Private Bank (Suisse) SA. The reports, such as the article “France Got Stolen HSBC Data” by Deborah Ball and David Gauthier-Villars in the Money and Investing section of The Wall Street Journal of March 12, 2010, indicate that HSBC originally thought that only 10 accounts were affected. Only later, when France returned the stolen data, did they learn of the much larger number of impacted clients.

While I do not know the details of the HSBC breach, it is alleged that a former IT employee stole the data in 2006 and 2007. This would suggest a lack of monitoring capability, particularly instrumentation within the application … which was the point I was making in my RSA talk. The presentation came too late to mitigate the HSBC breach, but may be timely for your organization.
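To make the instrumentation point concrete, the following is an added example, not code from the RSA presentation or from any organization named above. It sketches an application that records every account read itself, so that the number of accounts a given user touched can be answered from its own data; the class names, actor names, account identifiers and dates are all constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

class AccessAudit:
    """Per-record access trail written by the application itself."""
    def __init__(self):
        self.lines = []  # assumption: production would use an append-only store off-host

    def record(self, actor, account_id, action, when):
        self.lines.append(json.dumps(
            {"ts": when.isoformat(), "actor": actor, "account": account_id, "action": action}))

    def accounts_touched(self, actor, start, end):
        """Distinct accounts `actor` accessed in [start, end): the breach-scope figure."""
        hit = set()
        for e in map(json.loads, self.lines):
            if e["actor"] == actor and start <= datetime.fromisoformat(e["ts"]) < end:
                hit.add(e["account"])
        return hit

    def actors_over(self, limit):
        """Monitoring metric: actors whose distinct-account count exceeds `limit`."""
        seen = defaultdict(set)
        for e in map(json.loads, self.lines):
            seen[e["actor"]].add(e["account"])
        return {a: len(s) for a, s in seen.items() if len(s) > limit}

class AccountStore:
    """Every read path, including bulk export, goes through the audit trail."""
    def __init__(self, accounts, audit):
        self._accounts, self._audit = accounts, audit

    def read(self, actor, account_id, when):
        self._audit.record(actor, account_id, "read", when)
        return self._accounts[account_id]

    def export(self, actor, account_ids, when):
        return [self.read(actor, a, when) for a in account_ids]

def demo():
    # Constructed sample data: 200 accounts, one teller, one IT user doing a bulk export.
    audit = AccessAudit()
    store = AccountStore({f"ACCT-{i:04d}": {"balance": i} for i in range(200)}, audit)
    t = lambda d: datetime(2010, 3, d, tzinfo=timezone.utc)
    for i in range(5):
        store.read("teller1", f"ACCT-{i:04d}", t(2))
    store.export("it_admin", [f"ACCT-{i:04d}" for i in range(150)], t(3))
    store.read("it_admin", "ACCT-0007", t(9))  # repeat read, must not inflate the count
    scope = audit.accounts_touched("it_admin", t(1), t(31))
    return len(scope), audit.actors_over(50)
```

Because the export path is audited per record rather than per request, the scope query returns the exact set of affected accounts instead of an estimate that has to be revised later.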
