From Startup to IPO: Managing Security Risk in a Rapidly Growing Enterprise
OWASP AppSec Seattle, Oct 2006
Brian Chess
Founder / Chief Scientist
Fortify Software
[email protected]
Copyright © 2006 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the
terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this
license, visit http://creativecommons.org/licenses/by-sa/2.5/
The OWASP Foundation
http://www.owasp.org/
Motivation
“It’s time for software developers and security people to work together.”
(Famous Security Person)
OWASP AppSec Seattle 2006
2
SDL
Motivation
“It’s time for software developers and security people to work together.”
(Famous Security Person)
This Talk
Background
Business
Architecture
Risk
Authentication
Access Control
Attacks and Other Security Challenges
Security Today
Silver Bullets
The business
Started in 1998: 4 founders
Today: 500+ employees
First $1M month in 2004
$42M revenue in 2005
The Application
Online business services
Accounting
Payroll
CRM (Salesforce Automation/Customer Support)
Web Store
Employee Self-service (expense reports)
Vendor/Partner Self-service
Architecture: Basic
(Diagram: Internet -> Apache -> Java -> Database)
Architecture: Scaling
(Diagram: Internet -> three Apache servers -> three Java servers -> three Databases)
Architecture: Scaling
(Diagram: Internet -> three Apache servers -> three Java servers -> three Databases, with a Directory server added)
Architecture: Hot fix
(Diagram: Internet -> three Apache servers -> three Java servers -> three Databases, plus Directory; a second cluster of three Java servers is added to carry the hot fix)
Architecture: Multiple versions
(Diagram: Internet -> three Apache servers -> two clusters of three Java servers, each with its own three Databases; shared Directory)
Architecture: Billing/Provisioning
(Diagram: Internet -> three Apache servers -> two clusters of three Java servers; Directory; three Databases; a Corp tier with its own three Databases)
Architecture: Monitoring
(Diagram: Internet -> three Apache servers -> two clusters of three Java servers; Directory; three Databases; Corp tier with three Databases; Performance and Logging components added alongside the web and application tiers)
Risk
“Security is all about Risk Management.”
(‘Enlightened’ Security Person)
Architecture: Risk
(Diagram: two tenants' data, “My data” and “Your data”, side by side)
Architecture: Risk
(Diagram: two tenants' data, “My data” and “Your data”, side by side)
#1 fear: data bleed
  - Solution: virtual private tables
  - Problem: too expensive
  - Solution: build in-house
  - Problem: is it done right?
Risk in a startup
(Chart: Risk versus Time, with one curve for Market Risk and one for Security Risk)
Infrastructure
Application began as a demo
Very early use of server-side Java
Maintained custom application server at one point
90% JSP at first, 5% JSP now
Authentication
Access to admin pages
Customers curse a lot
10% based on default
8% curse words
40% (total) easy to guess
Password != hashed password
Access Control
Application:
Complex, user-defined roles
Administration
Progression of security measures: IP address, login, authenticate against CORP, auditing
Problem with log security: need to give access to outsourced support
Noteworthy Security Challenges
bug #1
bug #1 (of 125,000)
Abstract: Apostrophes aren't correctly handled by data entry fields.
3/18/1999 3:28 pm XXX, XXXXXXXX
Inputting an apostrophe ' into one of the registers or text fields causes the form to generate an error message.
*** XXXXX 18-MAR-99 03:28 PM ***
Fixed in all Activities and anything else that uses base Input class (e.g. Lists)
Severity S5 - Minor
Priority 9
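The “build in-house” answer to data bleed and bug #1 both come down to how the data layer is written. As an added example that is not the talk's or the company's code (their stack was Java; this is Python over sqlite3 with a constructed schema and two constructed tenants), here is a tenant-scoped data layer in which every statement carries the session's tenant id and every value, apostrophes included, is a bound parameter:

```python
import sqlite3

# Constructed schema: every tenant's rows share one table, separated by tenant_id.
SCHEMA = ("CREATE TABLE customers (id INTEGER PRIMARY KEY, "
          "tenant_id INTEGER NOT NULL, name TEXT NOT NULL)")


class TenantScopedDB:
    """Hypothetical in-house 'virtual private table' layer (not the talk's code).
    Every statement is parameterised and carries the tenant_id of the session
    that opened it, so a page cannot forget the isolation predicate, and an
    apostrophe in a value (the 1999 bug #1) is bound data rather than SQL."""

    def __init__(self, conn, tenant_id):
        self.conn = conn
        self.tenant_id = tenant_id

    def add_customer(self, name):
        cur = self.conn.execute(
            "INSERT INTO customers (tenant_id, name) VALUES (?, ?)",
            (self.tenant_id, name))
        return cur.lastrowid

    def customer_names(self, name_filter=None):
        sql = "SELECT name FROM customers WHERE tenant_id = ?"
        params = [self.tenant_id]
        if name_filter is not None:  # the optional filter is also a bound parameter
            sql += " AND name = ?"
            params.append(name_filter)
        return [row[0] for row in self.conn.execute(sql, params)]

    def get_customer(self, customer_id):
        # A lookup by primary key alone would bleed rows across tenants, so the
        # tenant predicate stays even though id is globally unique.
        row = self.conn.execute(
            "SELECT name FROM customers WHERE id = ? AND tenant_id = ?",
            (customer_id, self.tenant_id)).fetchone()
        return None if row is None else row[0]


def demo():
    """Two tenants on one shared connection; returns what each one can see."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    mine, yours = TenantScopedDB(conn, 1), TenantScopedDB(conn, 2)
    my_id = mine.add_customer("O'Brien")
    yours.add_customer("Acme")
    return {"mine": mine.customer_names(), "yours": yours.customer_names(),
            "own": mine.get_customer(my_id), "cross": yours.get_customer(my_id),
            "filtered": mine.customer_names("O'Brien")}
```

The “is it done right?” question on the slide is then answerable by a test that asserts a second tenant's lookup of a known row id returns nothing.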
Noteworthy Security Challenges
bug #1
SSH with blackberry
Installing X Windows
Playing nicely with partners
Problem with logging: must not log passwords or credit card numbers
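The logging challenge above, together with the earlier point that outsourced support needs log access, is usually solved by masking secrets before a record reaches any handler. As an added example that is not the talk's or the company's code (Python's standard logging module; the patterns, the Luhn check and the sample messages are constructed here), a filter that redacts password values and Luhn-valid card numbers:

```python
import logging
import re

# Constructed patterns: password-style key/value pairs, and 13-19 digit runs
# (optionally separated by spaces or dashes) that are then Luhn-checked.
_SECRET_KV = re.compile(r"(?i)\b(password|passwd|pwd)=([^&\s]+)")
_CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Return True if the digit string satisfies the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def redact(message):
    """Mask password values and Luhn-valid card numbers in one log message."""
    message = _SECRET_KV.sub(lambda m: f"{m.group(1)}=[REDACTED]", message)

    def mask_card(m):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw  # order numbers, timestamps and the like stay readable
        return "*" * (len(digits) - 4) + digits[-4:]

    return _CARD_CANDIDATE.sub(mask_card, message)


class RedactingFilter(logging.Filter):
    """Rewrites the record in place, so every handler downstream, including
    the copy that outsourced support reads, only ever sees the masked text."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


if __name__ == "__main__":
    log = logging.getLogger("app")
    log.addFilter(RedactingFilter())
    logging.basicConfig(level=logging.INFO)
    log.info("POST /login user=bob password=hunter2 card=4111 1111 1111 1111")
```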
Attacks and Incidents
Security-conscious new customers attack the permission system
Day of the DOS attack (bad code)
“Security consultant” in need of iPod
Security Today
Evolution from success through heroism to success through process
Growing organization creates new issues
Access to errors
Access to test data
AJAX
Web Services
Security Today: SDL
OWASP Guide has been a big help
Easiest way to get developers to fix bugs: compliance
Tools
Black box testing
Source code analysis
(External review also quite helpful.)
No Silver Bullet
No Silver Bullet: Essence and Accidents of Software Engineering, by Frederick Brooks (author of The Mythical Man-Month)
Are security mistakes:
  - an accidental artifact of programming languages and systems?
  - an unavoidable (essential) problem?