From Startup to IPO: Managing Security Risk in a Rapidly Growing Enterprise

OWASP AppSec Seattle
Oct 2006

Brian Chess, Founder / Chief Scientist, Fortify Software, brian@fortifysoftware.com

Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/

The OWASP Foundation http://www.owasp.org/

Motivation
“It’s time for software developers and security people to work together.” (Famous Security Person)

OWASP AppSec Seattle 2006

2

SDL



This Talk
Background
Business
Architecture
Risk
Authentication
Access Control
Attacks and Other Security Challenges
Security Today
Silver Bullets

The business
Started in 1998: 4 founders
Today: 500+ employees
First $1M month in 2004
$42M revenue in 2005

The Application
Online business services:
Accounting
Payroll
CRM (Salesforce Automation/Customer Support)
Web Store
Employee Self-service (expense reports)
Vendor/Partner Self-service

Architecture: Basic (diagram, top to bottom: Internet, Apache, Java, Database)

Architecture: Scaling (diagram, top to bottom: Internet; 3x Apache; 3x Java; 3x Database)

Architecture: Scaling (diagram, top to bottom: Internet; 3x Apache; 3x Java; 3x Database; Directory added)

Architecture: Hot fix (diagram: Internet; 3x Apache; 3x Java; 3x Database; a second 3x Java tier added; Directory)

Architecture: Multiple versions (diagram: Internet; 3x Apache; two 3x Java tiers; two 3x Database tiers; Directory)

Architecture: Billing/Provisioning (diagram: Internet; 3x Apache; two 3x Java tiers; two 3x Database tiers; Directory; Corp added)

Architecture: Monitoring (diagram: Internet; 3x Apache; two 3x Java tiers; two 3x Database tiers; Directory; Corp; Performance and Logging added)

Risk
“Security is all about Risk Management.” (‘Enlightened’ Security Person)

Architecture: Risk (diagram: My data / Your data)

Architecture: Risk (diagram: My data / Your data)
#1 fear: data bleed
Solution: virtual private tables
Problem: too expensive
Solution: build in-house
Problem: is it done right?
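The in-house alternative to virtual private tables that the slide describes, as an added example (not code from the talk or from Fortify): a single shared table, a data-access layer that binds the tenant from the session into every query, and a check for the slide's "is it done right?" question. The table, tenant names and rows are constructed for illustration.

```python
"""Added example: in-house tenant isolation over a shared table, with a
bleed check. Uses in-memory SQLite; all data below is constructed."""
import sqlite3

# One shared table for all tenants; isolation rests on the tenant_id column.
SCHEMA = ("CREATE TABLE invoices (id INTEGER PRIMARY KEY, "
          "tenant_id TEXT NOT NULL, amount INTEGER)")
ROWS = [(1, "acme", 100), (2, "acme", 250), (3, "globex", 999)]  # constructed


class TenantScopedStore:
    """All row access goes through here. The tenant comes from the
    authenticated session, never from a request parameter."""

    def __init__(self, conn, tenant_id):
        self.conn = conn
        self.tenant_id = tenant_id

    def list_invoices(self):
        cur = self.conn.execute(
            "SELECT id, amount FROM invoices WHERE tenant_id = ? ORDER BY id",
            (self.tenant_id,))
        return cur.fetchall()

    def get_invoice(self, invoice_id):
        # Both predicates are required: a guessable id alone must not
        # reach another tenant's row.
        cur = self.conn.execute(
            "SELECT id, amount FROM invoices WHERE id = ? AND tenant_id = ?",
            (invoice_id, self.tenant_id))
        return cur.fetchone()


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)", ROWS)
    return conn


def isolation_check(conn, tenants):
    """'Is it done right?': every row must be visible to exactly one tenant."""
    seen = {}
    for tenant in tenants:
        for inv_id, _ in TenantScopedStore(conn, tenant).list_invoices():
            if inv_id in seen:  # same row reached from two tenants: data bleed
                return False
            seen[inv_id] = tenant
    total = conn.execute("SELECT COUNT(*) FROM invoices").fetchone()[0]
    return len(seen) == total  # no orphan rows either
```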

Risk in a startup (chart: Market Risk and Security Risk plotted against Time; axes: Risk vs. Time)

Infrastructure
Application began as a demo
Very early use of server-side Java
Maintained custom application server at one point
90% JSP at first, 5% JSP now

Authentication
Access to admin pages
Customers curse a lot
10% based on default
8% curse words
40% (total) easy to guess
Password != hashed password

Access Control
Application: complex, user-defined roles
Administration: progression of security measures: IP address, login, authenticate against CORP, auditing
Problem with log security: need to give access to outsourced support

Noteworthy Security Challenges
bug #1

bug #1 (of 125,000)
Abstract: Apostrophes aren't correctly handled by data entry fields.
3/18/1999 3:28 pm XXX, XXXXXXXX
Inputting an apostrophe ' into one of the registers or text fields causes the form to generate an error message.
*** XXXXX 18-MAR-99 03:28 PM *** Fixed in all Activities and anything else that uses base Input class (e.g. Lists)
Severity: S5 - Minor
Priority: 9

Noteworthy Security Challenges
bug #1
SSH with blackberry
Installing X Windows
Playing nicely with partners
Problem with logging: must not log passwords, cc#s

Attacks and Incidents
Security conscious new customers attack the permission system
Day of the DOS attack (bad code)
“Security consultant” in need of iPod

Security Today
Evolution from success through heroism to success through process
Growing organization creates new issues
Access to errors
Access to test data
AJAX
Web Services

Security Today: SDL
OWASP Guide has been a big help
Easiest way to get developers to fix bugs: compliance

Tools
Black box testing
Source code analysis
(External review also quite helpful.)

No Silver Bullet
No Silver Bullet: Essence and Accidents of Software Engineering, by Frederick Brooks (author of The Mythical Man-Month)
Are security mistakes:
An accidental artifact of programming languages and systems?
An unavoidable (essential) problem?
