
From Startup to IPO:
Managing Security Risk in a Rapidly Growing Enterprise

Brian Chess
Founder / Chief Scientist
Fortify Software
brian@fortifysoftware.com
OWASP AppSec Seattle, Oct 2006

Copyright © 2006 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/

The OWASP Foundation
http://www.owasp.org/
Motivation

“It’s time for software developers and security people to work together.”
(Famous Security Person)

OWASP AppSec Seattle 2006 2


SDL





This Talk

Background
Business
Architecture
Risk
Authentication
Access Control
Attacks and Other Security Challenges
Security Today
Silver Bullets



The business

Started in 1998: 4 founders
Today: 500+ employees
First $1M month in 2004
$42M revenue in 2005



The Application

Online business services:
Accounting
Payroll
CRM (Salesforce Automation/Customer Support)
Web Store
Employee Self-service (expense reports)
Vendor/Partner Self-service



Architecture: Basic

(Diagram: Internet -> Apache -> Java -> Database)



Architecture: Scaling

(Diagram: Internet -> Apache -> Java -> Database, with the Apache/Java/Database tier replicated three times)



Architecture: Scaling

(Diagram: Internet -> Apache -> Java -> Database, three replicated tiers, plus a shared Directory)



Architecture: Hot fix

(Diagram: the scaled architecture with Directory, plus three additional Java instances added alongside the Directory)



Architecture: Multiple versions

(Diagram: Internet -> Apache (x3) -> Directory -> Java (x6) -> Database (x6); several application versions running side by side)



Architecture: Billing/Provisioning

(Diagram: the multi-version architecture with a Corp system attached for billing and provisioning)



Architecture: Monitoring

(Diagram: the multi-version architecture with Corp and a Performance Logging component)



Risk

“Security is all about Risk Management.”
(‘Enlightened’ Security Person)



Architecture: Risk

(Diagram: “My data” and “Your data” side by side)



Architecture: Risk

#1 fear: data bleed
(Diagram: “My data” and “Your data” side by side)
Solution: virtual private tables
Problem: too expensive
Solution: build in-house
Problem: is it done right?

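One in-house answer to "data bleed", as an added example (not code from the talk or from the company it describes): every customer-data query goes through a repository object that pins the tenant id taken from the login session, so a page handler has no per-call chance to forget the predicate, and a probe function answers "is it done right?" by trying to read and modify another tenant's rows. The schema, the invoices table, the tenant ids and the rows are all constructed for the example.

```python
"""Tenant-scoped data access for a shared, multi-customer database.

Added example; not the talk's code. Shows the build-in-house alternative to a
vendor's "virtual private tables": a repository that fixes the tenant id once
and adds it to every statement, plus a cross-tenant probe to test it.
"""
import sqlite3

# Invented schema for the example.
SCHEMA = """
CREATE TABLE invoices (
    id        INTEGER PRIMARY KEY,
    tenant_id INTEGER NOT NULL,
    customer  TEXT    NOT NULL,
    amount    INTEGER NOT NULL
);
CREATE INDEX invoices_by_tenant ON invoices (tenant_id);
"""

# Constructed sample data: tenant 1 owns rows 1 and 2, tenant 2 owns row 3.
SAMPLE_ROWS = [(1, "Acme", 500), (1, "Globex", 1200), (2, "Initech", 300)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO invoices (tenant_id, customer, amount) VALUES (?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


class TenantRepo:
    """Every statement carries the tenant id fixed at construction time.

    The tenant comes from the authenticated session, not from the request,
    and callers never pass it per query, so it cannot be omitted by mistake.
    """

    def __init__(self, conn, tenant_id):
        self._conn = conn
        self._tenant = tenant_id

    def list_invoices(self):
        return self._conn.execute(
            "SELECT id, customer, amount FROM invoices "
            "WHERE tenant_id = ? ORDER BY id",
            (self._tenant,),
        ).fetchall()

    def get_invoice(self, invoice_id):
        # Primary-key lookups are still ANDed with the tenant predicate: an id
        # guessed from another customer's URL returns None, not the row.
        return self._conn.execute(
            "SELECT id, customer, amount FROM invoices "
            "WHERE tenant_id = ? AND id = ?",
            (self._tenant, invoice_id),
        ).fetchone()

    def update_amount(self, invoice_id, amount):
        # rowcount 0 covers both "no such invoice" and "not your invoice".
        cur = self._conn.execute(
            "UPDATE invoices SET amount = ? WHERE tenant_id = ? AND id = ?",
            (amount, self._tenant, invoice_id),
        )
        return cur.rowcount


def cross_tenant_probe(conn, victim, attacker):
    """Act as `attacker` and try to read and modify every row owned by `victim`.
    Returns the number of successful cross-tenant reads or writes; must be 0."""
    victim_ids = [r[0] for r in TenantRepo(conn, victim).list_invoices()]
    repo = TenantRepo(conn, attacker)
    leaks = 0
    for inv_id in victim_ids:
        if repo.get_invoice(inv_id) is not None:
            leaks += 1
        if repo.update_amount(inv_id, 0) != 0:
            leaks += 1
    return leaks


if __name__ == "__main__":
    conn = make_db()
    print("tenant 1 sees:", TenantRepo(conn, 1).list_invoices())
    print("tenant 2 sees:", TenantRepo(conn, 2).list_invoices())
    print("cross-tenant leaks:", cross_tenant_probe(conn, victim=1, attacker=2))
```

The probe belongs in the regression suite: run it for every pair of test tenants after each schema or query change, which is the cheap part of "is it done right?" that a homegrown scheme otherwise lacks.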


Risk in a startup

(Chart: Market Risk and Security Risk plotted against Time)



Infrastructure

Application began as a demo
Very early use of server-side Java
Maintained custom application server at one point
90% JSP at first, 5% JSP now



Authentication

Access to admin pages
Customers curse a lot
10% based on default
8% curse words
40% (total) easy to guess
Password != hashed password

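The two halves of this slide as an added example (not the talk's code): the offline audit behind percentages like these, classifying each admin password as a vendor default, a curse word, otherwise guessable, or acceptable; and the "Password != hashed password" point, storing a salted, slow hash instead of the password and verifying in constant time. The denylists, the stand-in "curse words", the hash parameters and the sample password set are constructed for the example.

```python
"""Admin password audit and password storage.

Added example; not the talk's code. Part one classifies a password dump the
way the slide's percentages imply. Part two stores a salted PBKDF2 hash and
verifies against it, so a leaked table cannot be turned back into passwords.
"""
import hashlib
import hmac
import secrets

# Constructed denylists for the example.
DEFAULTS = {"admin", "password", "changeme", "welcome1", "letmein"}
# Stand-ins for the profanity list; the real list is not reproduced here.
CURSES = {"darn", "heck", "dang"}
COMMON = {"qwerty", "iloveyou", "monkey", "dragon", "baseball"}


def classify(pw):
    """Vendor defaults first, then profanity, then generic guessability."""
    low = pw.lower()
    if low in DEFAULTS:
        return "default"
    if any(word in low for word in CURSES):
        return "curse"
    if len(pw) < 8 or pw.isdigit() or low in COMMON:
        return "guessable"
    return "ok"


def audit(passwords):
    """Share of passwords in each class, e.g. {"default": 0.3, ...}."""
    counts = {"default": 0, "curse": 0, "guessable": 0, "ok": 0}
    for pw in passwords:
        counts[classify(pw)] += 1
    total = len(passwords) or 1
    return {k: v / total for k, v in counts.items()}


def hash_password(pw, iterations=600_000):
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte salt. The stored string is
    self-describing, so the iteration count can be raised later per user."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(pw, stored):
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # compare_digest does not leak the position of the first mismatch.
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed sample: what a dump of admin passwords might look like.
SAMPLE = ["admin", "password", "darn123", "123456", "Tr0ub4dor&3",
          "correct horse battery staple", "welcome1", "heckyeah", "qwerty",
          "s3cur3!Pass#2006"]

if __name__ == "__main__":
    for cls, share in audit(SAMPLE).items():
        print(f"{cls:10s} {share:5.0%}")
    stored = hash_password("s3cur3!Pass#2006")
    print(stored)
    print(verify_password("s3cur3!Pass#2006", stored),
          verify_password("admin", stored))
```

Once hashes replace plaintext the audit above can no longer be run directly; run it at password-set time instead, rejecting anything that does not classify as "ok".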


Access Control

Application: complex, user-defined roles
Administration: progression of security measures: IP address, login, authenticate against CORP, auditing
Problem with log security: need to give access to outsourced support



Noteworthy Security Challenges

bug #1



bug #1 (of 125,000)

Abstract: Apostrophes aren't correctly handled by data entry fields.

3/18/1999 3:28 pm XXX, XXXXXXXX
Inputting an apostrophe ' into one of the registers or text fields causes the form to generate an error message.

*** XXXXX 18-MAR-99 03:28 PM ***
Fixed in all Activities and anything else that uses base Input class (e.g. Lists)

Severity: S5 - Minor
Priority: 9
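The bug record does not show the code or name the root cause. A form that errors on an apostrophe is the classic sign of user input being spliced into a SQL string, so here, as an added example and not the original's code, is that pattern reproduced and fixed: the "before" function errors on O'Brien and lets a crafted name read another table into the customer record; the "after" function binds the value as a parameter, so the quote is stored as typed and cannot change the statement. The schema and the admins table with its token are constructed for the example.

```python
"""The apostrophe bug, reproduced and fixed.

Added example; not the talk's code, and not necessarily the cause of the bug
shown on the slide. Compares string-concatenated SQL with a bound parameter.
"""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    # Constructed schema; the admins token is the thing an attacker wants.
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE admins (id INTEGER PRIMARY KEY, token TEXT NOT NULL);
        INSERT INTO admins (token) VALUES ('s3cret-admin-token');
    """)
    return conn


def save_name_concat(conn, name):
    """Before: the value is pasted into the statement text.
    Returns "ok" or the database error the form would have shown."""
    sql = "INSERT INTO customers (name) VALUES ('" + name + "')"
    try:
        conn.execute(sql)
        return "ok"
    except sqlite3.Error as exc:
        return f"error: {exc}"


def save_name_param(conn, name):
    """After: the value travels as a bound parameter, never as SQL text."""
    try:
        conn.execute("INSERT INTO customers (name) VALUES (?)", (name,))
        return "ok"
    except sqlite3.Error as exc:
        return f"error: {exc}"


def names(conn):
    return [row[0] for row in conn.execute("SELECT name FROM customers ORDER BY id")]


# A "name" that is valid SQL once spliced in: it concatenates a value read
# from the admins table into the customer's own name field, and the form
# reports success rather than an error.
EXFIL_NAME = "x' || (SELECT token FROM admins) || '"

if __name__ == "__main__":
    conn = make_db()
    print(save_name_concat(conn, "O'Brien"))    # starts with "error:"
    print(save_name_param(conn, "O'Brien"))     # ok
    print(save_name_concat(conn, EXFIL_NAME))   # ok, but the stored name holds the token
    print(save_name_param(conn, EXFIL_NAME))    # ok, stored literally
    print(names(conn))
```

The severity on the bug record (S5, Minor) is the lesson: the visible symptom was an error message, while the same defect silently accepted the exfiltrating input.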
Noteworthy Security Challenges

bug #1
SSH with BlackBerry
Installing X Windows
Playing nicely with partners
Problem with logging: must not log passwords or credit card numbers

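One way to enforce the logging rule at the framework rather than at every call site, as an added example (not the talk's code): a logging.Filter that rewrites each record before a handler emits it, masking credential-looking key/value pairs and replacing 13- to 19-digit runs that pass the Luhn check with their last four digits. The Luhn test keeps order numbers and other long ids that merely look card-shaped from being mangled. The field names, the regexes and the sample log lines are constructed for the example.

```python
"""Scrubbing passwords and card numbers out of log lines.

Added example; not the talk's code. A logging.Filter attached to a handler
scrubs every record passing through it, including records from child
loggers and third-party libraries.
"""
import logging
import re

# key=value or key: value where the key names a credential (constructed list).
SECRET_FIELD = re.compile(r"(?i)\b(password|passwd|pwd|cvv|ssn)(\s*[=:]\s*)(\S+)")
# 13 to 19 digits with optional single spaces or dashes between them.
PAN_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits):
    """Standard Luhn check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(message):
    message = SECRET_FIELD.sub(
        lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", message)

    def mask_pan(m):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group(0)  # card-shaped but not a card number: leave it

    return PAN_CANDIDATE.sub(mask_pan, message)


class ScrubFilter(logging.Filter):
    def filter(self, record):
        # Format first so values passed as %-args are scrubbed as well.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


# Constructed sample lines of the kind the slide warns about.
SAMPLE_LINES = [
    "login ok user=alice password=hunter2 from 10.0.0.5",
    "charge approved card=4111 1111 1111 1111 amount=42.00",
    "order id=1234567890123 shipped",   # 13 digits, fails Luhn: left alone
    "cvv: 123 stored for customer 88",
]

if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(ScrubFilter())
    log = logging.getLogger("app")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    for line in SAMPLE_LINES:
        log.info(line)
```

Attach the filter to the handler, not the logger: logger-level filters only see records logged to that logger directly, while a handler filter sees everything the handler writes.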


Attacks and Incidents

Security-conscious new customers attack the permission system
Day of the DoS attack (bad code)
“Security consultant” in need of an iPod



Security Today

Evolution from success through heroism to success through process
Growing organization creates new issues:
Access to errors
Access to test data
AJAX
Web Services



Security Today: SDL

OWASP Guide has been a big help
Easiest way to get developers to fix bugs: compliance



Tools

Black box testing
Source code analysis
(External review also quite helpful.)



No Silver Bullet
No Silver Bullet: Essence and Accidents of Software Engineering by Frederick Brooks (author of The Mythical Man-Month)
Are security mistakes
an accidental artifact of programming languages and systems?
an unavoidable (essential) problem?

