Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

From Startup to IPO: Managing Security Risk in a Rapidly Growing Enterprise
Brian Chess, Founder / Chief Scientist, Fortify Software
OWASP AppSec Seattle, Oct
Licensed under the Creative Commons Attribution-ShareAlike 2.5 License.

Motivation
- “It’s time for software developers and security people to work together.” (Famous Security Person)

SDL

Motivation
- “It’s time for software developers and security people to work together.” (Famous Security Person)

This Talk
- Background
- Business
- Architecture
- Risk
- Authentication
- Access Control
- Attacks and Other Security Challenges
- Security Today
- Silver Bullets

The Business
- Started in 1998: 4 founders
- Today: 500+ employees
- First $1M month in 2004
- $42M revenue in 2005

The Application
- Online business services:
  - Accounting
  - Payroll
  - CRM (Salesforce Automation / Customer Support)
  - Web Store
  - Employee Self-service (expense reports)
  - Vendor/Partner Self-service

Architecture: Basic
(diagram; labelled nodes: Internet, Apache, Java, Database)

Architecture: Scaling
(diagram; a second Apache / Java / Database set alongside the first)

Architecture: Scaling
(diagram; as above, plus a Directory)

Architecture: Hot fix
(diagram; as above, plus a second Java node)

Architecture: Multiple versions
(diagram; as above, plus a second Database)

Architecture: Billing/Provisioning
(diagram; as above, plus Corp)

Architecture: Monitoring
(diagram; as above, plus Performance and Logging)

Risk
- “Security is all about Risk Management.” (‘Enlightened’ Security Person)

Architecture: Risk
(diagram: My data / Your data)

Architecture: Risk
(diagram: My data / Your data)
- #1 fear: data bleed
  - Solution: virtual private tables
  - Problem: too expensive
  - Solution: build in-house
  - Problem: is it done right?
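The "build in-house" option on this slide is a data-access layer that adds the tenant predicate itself, so callers cannot forget it; the "is it done right?" question is answered by a check that probes every row on behalf of every tenant. The following is an added example, not the company's code: the deck's application was Java, but the example is in Python with an in-memory sqlite table so it runs stand-alone. The invoice schema, the two tenants and their rows are constructed for the example.

```python
"""Tenant-scoped data access as an in-house stand-in for "virtual private tables",
plus a data-bleed check that catches a lookup which forgot the tenant predicate.
Schema, tenant ids and rows are constructed for this example.
"""
import sqlite3
from typing import List, Tuple

SCHEMA = """
CREATE TABLE invoice (
    id        INTEGER PRIMARY KEY,
    tenant_id INTEGER NOT NULL,
    customer  TEXT    NOT NULL,
    amount    REAL    NOT NULL
);
CREATE INDEX invoice_tenant ON invoice (tenant_id);
"""


class TenantSession:
    """Every statement issued through this object is confined to one tenant's rows."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: int):
        self.conn = conn
        self.tenant_id = tenant_id

    def list_invoices(self):
        # The layer adds the tenant predicate and binds the id as a parameter;
        # the caller never supplies it, so it cannot be omitted or widened.
        cur = self.conn.execute(
            "SELECT id, customer, amount FROM invoice WHERE tenant_id = ? ORDER BY id",
            (self.tenant_id,),
        )
        return cur.fetchall()

    def get_invoice(self, invoice_id: int):
        # Primary-key lookups keep the predicate too: without it, guessing another
        # tenant's invoice id would be enough to read it.
        cur = self.conn.execute(
            "SELECT id, customer, amount FROM invoice WHERE id = ? AND tenant_id = ?",
            (invoice_id, self.tenant_id),
        )
        return cur.fetchone()

    def add_invoice(self, customer: str, amount: float) -> int:
        cur = self.conn.execute(
            "INSERT INTO invoice (tenant_id, customer, amount) VALUES (?, ?, ?)",
            (self.tenant_id, customer, amount),
        )
        return cur.lastrowid


class LeakySession(TenantSession):
    """The mistake the check exists to catch: a lookup that dropped the tenant predicate."""

    def get_invoice(self, invoice_id: int):
        cur = self.conn.execute(
            "SELECT id, customer, amount FROM invoice WHERE id = ?", (invoice_id,)
        )
        return cur.fetchone()


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: two tenants sharing one physical table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    TenantSession(conn, 1).add_invoice("Acme Corp", 120.0)
    TenantSession(conn, 1).add_invoice("Acme Corp", 80.0)
    TenantSession(conn, 2).add_invoice("Globex", 999.0)
    conn.commit()
    return conn


def bleed_check(conn: sqlite3.Connection, tenant_ids, session_cls=TenantSession) -> List[Tuple[int, int]]:
    """Every row a tenant can reach, by listing or by probing each id, must be its own.

    Returns the (tenant_id, invoice_id) pairs that leaked; an empty list means no bleed.
    """
    owner = {r[0]: r[1] for r in conn.execute("SELECT id, tenant_id FROM invoice")}
    leaks = []
    for tid in tenant_ids:
        session = session_cls(conn, tid)
        visible = {row[0] for row in session.list_invoices()}
        for inv in owner:                      # probe every id in the table directly
            if session.get_invoice(inv) is not None:
                visible.add(inv)
        leaks.extend((tid, inv) for inv in sorted(visible) if owner[inv] != tid)
    return leaks


if __name__ == "__main__":
    db = build_sample_db()
    print("scoped layer leaks:", bleed_check(db, [1, 2]))
    print("leaky layer leaks: ", bleed_check(db, [1, 2], LeakySession))
```

The check is cheap enough to run in a test suite against a seeded database, which is the practical way to keep answering "is it done right?" as the schema grows.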

Risk in a startup
(chart: Risk against Time, with curves for Market Risk and Security Risk)

Infrastructure
- Application began as a demo
- Very early use of server-side Java
- Maintained a custom application server at one point
- 90% JSP at first, 5% JSP now

Authentication
- Access to admin pages
- Customers curse a lot (customer passwords):
  - 10% based on the default
  - 8% curse words
  - 40% (total) easy to guess
- Password != hashed password
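Two things on this slide are mechanical enough to show in code: classifying a password set the way the survey did (default-derived, curse word, otherwise guessable) and storing hashes rather than passwords. The block below is an added example, not the deck's code; the provisioning default, the two word lists and the sample passwords are constructed, and the percentages they produce are the sample's, not the slide's.

```python
"""Weak-password triage and hashed storage.
The default password, the word lists and the sample passwords are constructed for this example.
"""
import hashlib
import hmac
import os
import re
from typing import Dict, Iterable, Optional

DEFAULT_PASSWORD = "welcome1"                          # assumed provisioning default
PROFANITY = {"damn", "crap"}                            # stand-in curse-word list
COMMON = {"password", "letmein", "123456", "qwerty"}    # stand-in common-password list


def _base(password: str) -> str:
    """Lower-case and strip trailing digits/punctuation, so "crap99" and "Crap!" both become "crap"."""
    return re.sub(r"[^a-z]+$", "", password.lower())


def weakness(password: str) -> Optional[str]:
    """Return why the password is easy to guess, or None if no rule fires."""
    base = _base(password)
    if base == _base(DEFAULT_PASSWORD):
        return "default"            # the default itself, or the default plus a suffix
    if base in PROFANITY:
        return "curse"
    if not base or base in COMMON or len(password) < 6:
        return "common"             # all digits, a well-known password, or too short
    return None


def survey(passwords: Iterable[str]) -> Dict[str, float]:
    """Fraction of passwords in each weakness class, plus the total fraction that is easy."""
    passwords = list(passwords)
    counts = {"default": 0, "curse": 0, "common": 0}
    for pw in passwords:
        why = weakness(pw)
        if why:
            counts[why] += 1
    n = len(passwords) or 1
    result = {k: v / n for k, v in counts.items()}
    result["easy"] = sum(counts.values()) / n
    return result


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA256 with a per-user random salt; the plaintext is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


SAMPLE_PASSWORDS = [  # constructed sample, not survey data
    "welcome1", "welcome12", "damn", "crap99", "letmein", "abc",
    "Tr0ub4dor&3", "correct horse battery", "summer2006", "qwerty!",
]

if __name__ == "__main__":
    print(survey(SAMPLE_PASSWORDS))
    stored = hash_password("Tr0ub4dor&3")
    print(stored, verify_password("Tr0ub4dor&3", stored))
```

The triage can only be run on plaintext at the moment the user sets the password (or on a one-off dump, as the survey presumably was); once only the hash is stored, the same rules still apply at change time.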

Access Control
- Application: complex, user-defined roles
- Administration: a progression of security measures: IP address, login, authenticate against CORP, auditing
- Problem with log security: need to give access to outsourced support
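The administration progression above is a layered gate: reject by source address first, then require a login, then check it against the corporate directory, and audit every decision. As an added example, not the company's code, here is that gate in Python; the admin networks, the directory contents, the request fields and the audit-record shape are all assumptions, and corp_authenticate stands in for whatever the real directory bind was.

```python
"""Layered admin gate: network allowlist, then login, then corporate authentication,
with one audit record per decision. Networks, directory and requests are constructed.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed: admin pages are reachable only from these ranges.
ADMIN_NETWORKS = [ipaddress.ip_network("10.10.0.0/16"), ipaddress.ip_network("192.0.2.0/24")]

# Stand-in for the corporate directory: username -> salted SHA-256 of the password.
# A real deployment would bind to the directory instead of holding hashes here.
_SALT = b"example-salt"
CORP_DIRECTORY = {"alice": hashlib.sha256(_SALT + b"correct-horse").hexdigest()}

# (decision, reason, source ip, username, path); the password never appears.
AuditEntry = Tuple[str, str, str, Optional[str], str]


@dataclass
class AdminRequest:
    source_ip: str
    path: str
    username: Optional[str] = None
    password: Optional[str] = None


def from_admin_network(ip: str) -> bool:
    """First layer: is the request coming from an allowed range at all?"""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_NETWORKS)


def corp_authenticate(username: str, password: str) -> bool:
    """Third layer: check credentials against the corporate directory stand-in."""
    got = hashlib.sha256(_SALT + password.encode()).hexdigest()
    expected = CORP_DIRECTORY.get(username)
    if expected is None:
        return False                      # hash was computed anyway, so timing matches
    return hmac.compare_digest(got, expected)


def admin_gate(req: AdminRequest, audit: List[AuditEntry]) -> bool:
    """Return True if the request may reach the admin page; always append one audit entry."""

    def record(decision: str, reason: str) -> bool:
        audit.append((decision, reason, req.source_ip, req.username, req.path))
        return decision == "allow"

    if not from_admin_network(req.source_ip):
        return record("deny", "source ip not in admin networks")
    if not req.username or not req.password:
        return record("deny", "login required")
    if not corp_authenticate(req.username, req.password):
        return record("deny", "corporate authentication failed")
    return record("allow", "authenticated admin")


if __name__ == "__main__":
    trail: List[AuditEntry] = []
    admin_gate(AdminRequest("203.0.113.9", "/admin", "alice", "correct-horse"), trail)
    admin_gate(AdminRequest("10.10.4.2", "/admin", "alice", "correct-horse"), trail)
    for entry in trail:
        print(entry)
```

Ordering the layers this way means the cheapest check runs first and a scan from outside the allowed ranges never reaches the directory; the audit trail records the username and reason but is written so that handing it to outsourced support, as the slide describes, does not also hand over credentials.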

Noteworthy Security Challenges
- bug #1

bug #1 (of 125,000)
Abstract: Apostrophes aren't correctly handled by data entry fields.
3/18/1999 3:28 pm   XXX, XXXXXXXX
Inputting an apostrophe ' into one of the registers or text fields causes the form to generate an error message.
*** XXXXX 18-MAR-99 03:28 PM ***
Fixed in all Activities and anything else that uses base Input class (e.g. Lists)
Severity: S5 - Minor   Priority: 9
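The bug record says only that an apostrophe produced an error; it does not say what the field did with the input. The classic cause of that symptom is a value pasted into SQL text, and the same defect that turns O'Brien into a syntax error lets a crafted value change the query. The block below is an added example, not the company's code: a constructed sqlite table with the spliced-in version beside the bound-parameter fix, in Python so it runs stand-alone.

```python
"""Apostrophes in a data-entry field: spliced-in SQL beside a bound parameter.
The table and rows are constructed for this example.
"""
import sqlite3
from typing import Callable, List, Optional, Tuple


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    for name in ("Alice", "O'Brien"):          # constructed rows, inserted with a bound value
        conn.execute("INSERT INTO customer (name) VALUES (?)", (name,))
    conn.commit()
    return conn


def find_concat(conn: sqlite3.Connection, name: str) -> List[int]:
    """The 1999-style defect: the field value becomes part of the SQL text."""
    sql = "SELECT id FROM customer WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_param(conn: sqlite3.Connection, name: str) -> List[int]:
    """The fix: the value is bound, so a quote is data and never syntax."""
    return [row[0] for row in conn.execute("SELECT id FROM customer WHERE name = ?", (name,))]


def probe(conn: sqlite3.Connection, finder: Callable, name: str) -> Tuple[str, Optional[List[int]]]:
    """Run a finder and report what the form would have seen: the rows, or the error class."""
    try:
        return "ok", finder(conn, name)
    except sqlite3.Error as exc:
        return type(exc).__name__, None


if __name__ == "__main__":
    db = make_db()
    for value in ("O'Brien", "x' OR '1'='1"):
        print(repr(value), "concat:", probe(db, find_concat, value), "param:", probe(db, find_param, value))
```

With the spliced-in query the apostrophe in O'Brien is the visible error the bug record describes, and the second value quietly returns every row; with the bound parameter the first lookup succeeds and the second matches nothing. Fixing it "in the base Input class", as the record says, is the right place: one fix covers every field that inherits it.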

Noteworthy Security Challenges
- bug #1
- SSH with BlackBerry
- Installing X Windows
- Playing nicely with partners
- Problem with logging: must not log passwords or credit card numbers
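The logging rule on this slide (no passwords, no card numbers) and the earlier point that logs must be shareable with outsourced support are best enforced in one place, a filter on the log handler, rather than at every call site. As an added example, not the company's code, here is such a filter in Python: card numbers are recognised by digit run plus a Luhn check so order numbers are left alone, password fields are masked whether they arrive form-encoded or as JSON. The sample log lines and field names are constructed.

```python
"""Log redaction filter: mask card numbers (Luhn-checked) and password fields
before a record reaches any handler. Sample lines and field names are constructed.
"""
import io
import logging
import re
from typing import List

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")           # 13-19 digits, spaces/dashes allowed
SECRET_RE = re.compile(r"""(?i)(\b(?:password|passwd|pwd|cvv)\b["']?\s*[=:]\s*["']?)([^&\s"']+)""")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum; separates card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(text: str) -> str:
    """Mask card numbers to their last four digits and blank out secret fields."""

    def mask_card(m: re.Match) -> str:
        raw = m.group(0)
        digits = re.sub(r"\D", "", raw)
        if not luhn_ok(digits):
            return raw                                   # order ids and the like stay readable
        return "*" * (len(digits) - 4) + digits[-4:]

    text = CARD_RE.sub(mask_card, text)
    return SECRET_RE.sub(lambda m: m.group(1) + "[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Rewrite the fully formatted message so no handler ever sees the raw value."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def capture_log(lines: List[str]) -> List[str]:
    """Log each line through a redacting handler and return what was written."""
    logger = logging.getLogger("app.audit")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    for line in lines:
        logger.info(line)
    logger.removeHandler(handler)
    return buf.getvalue().splitlines()


SAMPLE_LINES = [  # constructed
    "POST /login user=bob password=hunter2 ip=10.0.0.5",
    "charge card=4111 1111 1111 1111 amount=19.99",
    "order 1234567890123 shipped",
    '{"password": "s3cret", "cc": "5555555555554444"}',
]

if __name__ == "__main__":
    for out in capture_log(SAMPLE_LINES):
        print(out)
```

Attaching the filter to the handler rather than the logger means it also covers records that propagate up from child loggers, which is where a forgotten debug statement in one module usually leaks from.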

Attacks and Incidents
- Security-conscious new customers attack the permission system
- Day of the DoS attack (bad code)
- “Security consultant” in need of an iPod

Security Today
- Evolution from success through heroism to success through process
- Growing organization creates new issues:
  - Access to errors
  - Access to test data
  - AJAX
  - Web Services

Security Today: SDL
- The OWASP Guide has been a big help
- Easiest way to get developers to fix bugs: compliance

Tools
- Black box testing
- Source code analysis
- (External review also quite helpful.)

No Silver Bullet
- “No Silver Bullet: Essence and Accidents of Software Engineering”, Frederick Brooks (author of The Mythical Man-Month)
- Are security mistakes:
  - an accidental artifact of programming languages and systems?
  - an unavoidable (essential) problem?