From Startup to IPO: Managing Security Risk in a Rapidly Growing Enterprise
OWASP AppSec Seattle, Oct 2006
Brian Chess, Founder / Chief Scientist, Fortify Software, [email protected]

Copyright © 2006 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/
The OWASP Foundation, http://www.owasp.org/

Motivation (slide 2)
"It's time for software developers and security people to work together." (Famous Security Person)

SDL (slide 3)
(slide title only)

Motivation (slide 4)
"It's time for software developers and security people to work together." (Famous Security Person)

This Talk (slide 5)
- Background
- Business
- Architecture
- Risk
- Authentication
- Access Control
- Attacks and Other Security Challenges
- Security Today
- Silver Bullets

The business (slide 6)
- Started in 1998: 4 founders
- Today: 500+ employees
- First $1M month in 2004
- $42M revenue in 2005

The Application (slide 7)
Online business services:
- Accounting
- Payroll
- CRM (Salesforce Automation / Customer Support)
- Web Store
- Employee Self-service (expense reports)
- Vendor/Partner Self-service

Architecture: Basic (slide 8)
Diagram: Internet -> Apache -> Java -> Database

Architecture: Scaling (slide 9)
Diagram: Internet -> Apache (x3) -> Java (x3) -> Database (x3)

Architecture: Scaling (slide 10)
Diagram: as slide 9, plus a Directory server

Architecture: Hot fix (slide 11)
Diagram: as slide 10, plus a second tier of Java servers (x3)

Architecture: Multiple versions (slide 12)
Diagram: as slide 11, with the second Java tier (x3) backed by its own Databases (x3)

Architecture: Billing/Provisioning (slide 13)
Diagram labels: Internet, Apache (x3), Directory, Java (x3), Java (x3), Database (x3), Corp, Database (x3)

Architecture: Monitoring (slide 14)
Diagram labels: as slide 13, plus Performance and Logging

Risk (slide 15)
"Security is all about Risk Management." ('Enlightened' Security Person)

Architecture: Risk (slide 16)
Diagram: My data | Your data

Architecture: Risk (slide 17)
Diagram: My data | Your data
- #1 fear: data bleed
- Solution: virtual private tables
- Problem: too expensive
- Solution: build in-house
- Problem: is it done right?

Risk in a startup (slide 18)
Chart: Risk (y axis) against Time (x axis), with curves for Market Risk and Security Risk

Infrastructure (slide 19)
- Application began as a demo
- Very early use of server-side Java
- Maintained custom application server at one point
- 90% JSP at first, 5% JSP now

Authentication (slide 20)
- Access to admin pages
- Customers curse a lot
- 10% based on default
- 8% curse words
- 40% (total) easy to guess
- Password != hashed password

Access Control (slide 21)
- Application: complex, user-defined roles
- Administration: progression of security measures: IP address, login, authenticate against CORP, auditing
- Problem with log security: need to give access to outsourced support

Noteworthy Security Challenges (slide 22)
- bug #1

bug #1 (of 125,000) (slide 23)
Abstract: Apostrophes aren't correctly handled by data entry fields.
3/18/1999 3:28 pm, XXX, XXXXXXXX
Inputting an apostrophe ' into one of the registers or text fields causes the form to generate an error message.
*** XXXXX 18-MAR-99 03:28 PM ***
Fixed in all Activities and anything else that uses base Input class (e.g. Lists)
Severity: S5 - Minor
Priority: 9

Noteworthy Security Challenges (slide 24)
- bug #1
- SSH with BlackBerry
- Installing X Windows
- Playing nicely with partners
- Problem with logging: must not log passwords, cc#s

Attacks and Incidents (slide 25)
- Security-conscious new customers attack the permission system
- Day of the DOS attack (bad code)
- "Security consultant" in need of an iPod

Security Today (slide 26)
- Evolution from success through heroism to success through process
- Growing organization creates new issues:
  - Access to errors
  - Access to test data
  - AJAX
  - Web Services

Security Today: SDL (slide 27)
- OWASP Guide has been a big help
- Easiest way to get developers to fix bugs: compliance

Tools (slide 28)
- Black box testing
- Source code analysis
- (External review also quite helpful.)

No Silver Bullet (slide 29)
"No Silver Bullet: Essence and Accidents of Software Engineering" by Frederick Brooks (author of The Mythical Man-Month)
Are security mistakes:
- An accidental artifact of programming languages and systems?
- An unavoidable (essential) problem?
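Two of the deck's data-layer points fit one worked example: the "data bleed" fear on the Architecture: Risk slide (one shared database, in-house "virtual private tables") and bug #1 (an apostrophe in a text field makes the form error out). The Python block below is an added example, not code from the talk or from the company it describes. It assumes the virtual-private-table scheme is implemented as a tenant_id column on a shared table, assumes (the bug report does not say) that the apostrophe error came from a SQL statement built by string concatenation, and uses a constructed sqlite3 table and rows. The TenantStore class binds every query to one tenant and passes every value as a bound parameter, so the tenant filter cannot be forgotten and an apostrophe in data is never SQL syntax; naive_lookup is kept only to show both failure modes.

```python
import sqlite3

# Constructed schema: one shared "customers" table, rows tagged by tenant_id
# (an assumed implementation of the slide's in-house virtual private tables).
SCHEMA = """
CREATE TABLE customers (
    id        INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    name      TEXT NOT NULL
);
"""

# Constructed sample rows; "Conor O'Brien" carries the apostrophe from bug #1.
SEED = [
    ("acme", "Alice Adams"),
    ("acme", "Conor O'Brien"),
    ("globex", "Bob Baker"),
]


def build_db():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customers (tenant_id, name) VALUES (?, ?)", SEED)
    return conn


def naive_lookup(conn, name):
    """String-concatenated query (the assumed 1999 style): no tenant filter,
    and an apostrophe in the data terminates the SQL string literal early."""
    sql = "SELECT name FROM customers WHERE name = '" + name + "'"
    try:
        return [row[0] for row in conn.execute(sql).fetchall()]
    except sqlite3.OperationalError as err:
        return "error: " + str(err)


class TenantStore:
    """Data access bound to a single tenant. Every statement carries the
    tenant_id predicate and every value is a bound parameter."""

    def __init__(self, conn, tenant_id):
        self.conn = conn
        self.tenant_id = tenant_id

    def find_by_name(self, name):
        cur = self.conn.execute(
            "SELECT name FROM customers WHERE tenant_id = ? AND name = ?",
            (self.tenant_id, name),
        )
        return [row[0] for row in cur.fetchall()]

    def list_names(self):
        cur = self.conn.execute(
            "SELECT name FROM customers WHERE tenant_id = ? ORDER BY name",
            (self.tenant_id,),
        )
        return [row[0] for row in cur.fetchall()]

    def add(self, name):
        # The tenant_id comes from the store, never from the caller's input.
        self.conn.execute(
            "INSERT INTO customers (tenant_id, name) VALUES (?, ?)",
            (self.tenant_id, name),
        )


if __name__ == "__main__":
    db = build_db()
    print(naive_lookup(db, "Conor O'Brien"))              # the bug #1 symptom
    print(naive_lookup(db, "Bob Baker"))                   # returns another tenant's row
    print(TenantStore(db, "acme").find_by_name("Conor O'Brien"))
    print(TenantStore(db, "globex").find_by_name("Conor O'Brien"))   # []
```

The "is it done right?" question on the slide is what the tenant-scoped class answers structurally: a reviewer only has to check that no query is issued outside TenantStore, rather than auditing every query for a missing tenant predicate.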
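The Authentication slide makes two points: a large share of passwords were defaults, curse words or otherwise easy to guess, and the stored value must be a hash, not the password. The Python block below is an added example, not code from the talk or the company. It assumes a small constructed denylist standing in for the "default" and "curse word" categories, and uses PBKDF2-HMAC-SHA256 from the standard library with a per-user random salt; the talk names no specific hash.

```python
import hashlib
import hmac
import os

# Constructed denylist; a real deployment would load a much larger list of
# defaults and common passwords. Stands in for the slide's "default" bucket.
WEAK_PASSWORDS = {"password", "changeme", "welcome", "admin", "123456", "letmein"}


def is_easy_to_guess(password, username=""):
    """Reject short passwords, denylisted values, and passwords containing the username."""
    p = password.lower()
    return (
        len(p) < 8
        or p in WEAK_PASSWORDS
        or (bool(username) and username.lower() in p)
    )


def hash_password(password, salt=None, iterations=200_000):
    """Return a self-describing record: algorithm, iteration count, salt and digest.
    The plaintext is never stored; only this string goes in the database."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the digest from the stored parameters and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = hash_password("correct horse battery")
    print(record)
    print(verify_password("correct horse battery", record))   # True
    print(is_easy_to_guess("admin"))                           # True
```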
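The second Noteworthy Security Challenges slide notes the logging problem: passwords and card numbers must not reach the logs, which matters more once outsourced support needs log access (the Access Control slide). The Python block below is an added example, not the talk's code; it assumes a constructed key=value request-log format and constructed log lines. It redacts named secret parameters and masks any digit run that passes the Luhn check, so order ids and timestamps are left alone while card numbers, with or without separators, are reduced to their last four digits.

```python
import re

# Constructed sample lines in an assumed key=value request-log format.
# 4111 1111 1111 1111 is a well-known test card pattern; nothing here is real data.
SAMPLE_LINES = [
    "2006-10-24 09:15:01 POST /login user=alice password=hunter2 ok",
    "2006-10-24 09:16:44 POST /store/checkout cc=4111111111111111 exp=12/08 amount=49.99",
    "2006-10-24 09:17:02 GET /reports/expense id=7781 user=bob",
    "2006-10-24 09:18:10 POST /store/checkout cc=4111 1111 1111 1111 amount=10.00",
    "2006-10-24 09:19:30 GET /orders id=1234567890123456 user=bob",
]

# Parameters whose values are always secret, whatever they contain.
SECRET_PARAM = re.compile(r"\b(password|passwd|pwd|cvv)=([^\s&]+)", re.IGNORECASE)
# 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_NUMBER = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_card(match):
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw  # not a card number (e.g. an order id): leave it
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(line):
    """Apply both rules to one log line before it is written."""
    line = SECRET_PARAM.sub(lambda m: m.group(1) + "=[REDACTED]", line)
    return CARD_NUMBER.sub(mask_card, line)


def redact_all(lines):
    return [redact(line) for line in lines]


if __name__ == "__main__":
    for out in redact_all(SAMPLE_LINES):
        print(out)
```

Redacting at the point where the line is formatted, rather than in a later log-scrubbing pass, is what keeps the raw value from ever touching disk; a post-hoc scrub leaves a window in which the unredacted log exists.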