Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.


Slide 1: From Startup to IPO: Managing Security Risk in a Rapidly Growing Enterprise
Brian Chess, Founder / Chief Scientist, Fortify Software, brian@fortifysoftware.com
OWASP AppSec Seattle, Oct 2006, http://www.owasp.org/
Copyright © 2006 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/

Slide 2: Motivation
"It's time for software developers and security people to work together." (Famous Security Person)

Slide 3: SDL

Slide 4: Motivation
"It's time for software developers and security people to work together." (Famous Security Person)

Slide 5: This Talk
- Background
- Business
- Architecture
- Risk
- Authentication
- Access Control
- Attacks and Other Security Challenges
- Security Today
- Silver Bullets

Slide 6: The business
- Started in 1998: 4 founders
- Today: 500+ employees
- First $1M month in 2004
- $42M revenue in 2005

Slide 7: The Application
- Online business services
- Accounting
- Payroll
- CRM (Salesforce Automation / Customer Support)
- Web Store
- Employee Self-service (expense reports)
- Vendor/Partner Self-service

Slide 8: Architecture: Basic (diagram labels: Internet, Apache, Java, Database)

Slide 9: Architecture: Scaling (diagram labels: Internet, Apache, Java, Database; Apache, Java and Database appear twice)

Slide 10: Architecture: Scaling (diagram labels as on slide 9, plus Directory)

Slide 11: Architecture: Hot fix (diagram labels as on slide 10, plus a second Java)

Slide 12: Architecture: Multiple versions (diagram labels as on slide 11, plus a second Database)

Slide 13: Architecture: Billing/Provisioning (diagram labels as on slide 12, plus Corp)

Slide 14: Architecture: Monitoring (diagram labels as on slide 13, plus Performance and Logging)

Slide 15: Risk
"Security is all about Risk Management." ('Enlightened' Security Person)

Slide 16: Architecture: Risk (diagram labels: My data, Your data)

Slide 17: Architecture: Risk (diagram labels: My data, Your data)
#1 fear: data bleed
- Solution: virtual private tables
- Problem: too expensive
- Solution: build in-house
- Problem: is it done right?

Slide 18: Risk in a startup (chart: Risk against Time, plotting Market Risk and Security Risk)

Slide 19: Infrastructure
- Application began as a demo
- Very early use of server-side Java
- Maintained a custom application server at one point
- 90% JSP at first, 5% JSP now

Slide 20: Authentication
- Access to admin pages
- Customers curse a lot
  - 10% based on default
  - 8% curse words
  - 40% (total) easy to guess
- Password != hashed password

Slide 21: Access Control
- Application: complex, user-defined roles
- Administration: a progression of security measures: IP address, login, authenticate against CORP, auditing
- Problem with log security: need to give access to outsourced support

Slide 22: Noteworthy Security Challenges
- bug #1

Slide 23: bug #1 (of 125,000)
Abstract: Apostrophes aren't correctly handled by data entry fields.
3/18/1999 3:28 pm XXX, XXXXXXXX
Inputting an apostrophe ' into one of the registers or text fields causes the form to generate an error message.
*** XXXXX 18-MAR-99 03:28 PM ***
Fixed in all Activities and anything else that uses base Input class (e.g. Lists)
Severity: S5 - Minor
Priority: 9
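Slides 17 and 23 describe the same database boundary from two sides: a tenant must never see another tenant's rows (data bleed), and an apostrophe typed into a field must not break the statement (bug #1). The example below is added here and is not code from the talk or from the company it describes; it assumes a SQLite table named invoices with a tenant_id column, and it assumes that unparameterized SQL is the cause of the apostrophe error, which the slide does not state.

```python
import sqlite3

# Constructed in-memory sample (not the company's schema): one shared table holding two tenants' rows.
def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, tenant_id INTEGER NOT NULL, "
               "customer TEXT NOT NULL, amount REAL NOT NULL)")
    db.executemany("INSERT INTO invoices (tenant_id, customer, amount) VALUES (?, ?, ?)",
                   [(1, "Acme", 100.0), (1, "O'Brien Ltd", 250.0), (2, "Globex", 75.0)])
    return db

class TenantScope:
    """A 'virtual private table' built in application code: the tenant id is fixed when the
    scope is created and every query binds it as a parameter, so no caller can omit it."""

    def __init__(self, db, tenant_id):
        self.db = db
        self.tenant_id = tenant_id

    def find_by_customer(self, customer):
        # Bound parameters: the apostrophe in "O'Brien" travels as data, never as SQL syntax.
        return self.db.execute(
            "SELECT id, customer, amount FROM invoices WHERE tenant_id = ? AND customer = ?",
            (self.tenant_id, customer)).fetchall()

    def total(self):
        return self.db.execute("SELECT COALESCE(SUM(amount), 0) FROM invoices WHERE tenant_id = ?",
                               (self.tenant_id,)).fetchone()[0]

    def add(self, customer, amount):
        self.db.execute("INSERT INTO invoices (tenant_id, customer, amount) VALUES (?, ?, ?)",
                        (self.tenant_id, customer, amount))

def naive_find(db, customer):
    # The assumed 'before' shape behind bug #1's symptom: the value is spliced into the statement
    # text, so "O'Brien Ltd" ends the string literal early and the database rejects the query.
    return db.execute("SELECT id FROM invoices WHERE customer = '" + customer + "'").fetchall()

def naive_find_fails(db, customer):
    """True when the concatenated query raises a database error for this input."""
    try:
        naive_find(db, customer)
        return False
    except sqlite3.Error:
        return True

if __name__ == "__main__":
    db = build_db()
    print(naive_find_fails(db, "O'Brien Ltd"))                 # True: the apostrophe breaks the query
    print(TenantScope(db, 1).find_by_customer("O'Brien Ltd"))  # [(2, "O'Brien Ltd", 250.0)]
    print(TenantScope(db, 2).find_by_customer("Acme"))         # []: tenant 2 never sees tenant 1's row
```

The scope object is the single access path, which is what makes the in-house approach auditable: a review only has to confirm that no query is issued outside it.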

Slide 24: Noteworthy Security Challenges
- bug #1
- SSH with BlackBerry
- Installing X Windows
- Playing nicely with partners
- Problem with logging: must not log passwords or credit card numbers
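Slide 24's logging rule (never log passwords or card numbers) as an added example, not code from the talk: a redaction filter run over constructed log lines, which replaces password-like key/value pairs and masks card numbers that pass a Luhn check, keeping only the last four digits.

```python
import re

# Constructed sample log lines (not from the deck); each carries something the slide says must not be logged.
SAMPLE_LINES = [
    "login user=alice password=hunter2 ip=10.0.0.5",
    "POST /checkout card=4111111111111111 exp=12/09 amount=42.00",
    "GET /report?pwd=s3cret&id=17",
    "paid with 4111-1111-1111-1111 via web store",
    "order 1234567890123456 shipped",   # 16 digits but fails Luhn: not a card, must survive intact
    "healthcheck ok",
]

# Password-like key/value pairs, whatever the separator; the value ends at whitespace or '&'.
SECRET_KV = re.compile(r"(?i)\b(password|passwd|pwd|pass)(\s*[=:]\s*)([^\s&]+)")
# 13-19 digits, optionally separated by single spaces or dashes, starting and ending on a digit.
CARD = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits):
    """Luhn checksum, so that arbitrary 16-digit ids are not masked as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_card(match):
    raw = match.group(0)
    digits = re.sub(r"\D", "", raw)
    if not luhn_ok(digits):
        return raw
    return "*" * (len(digits) - 4) + digits[-4:]   # keep last four for support lookups

def redact(line):
    """Return the line with passwords replaced and card numbers masked; safe to write to the log."""
    line = SECRET_KV.sub(lambda m: m.group(1) + m.group(2) + "[REDACTED]", line)
    return CARD.sub(mask_card, line)

def redact_all(lines):
    return [redact(line) for line in lines]

if __name__ == "__main__":
    for out in redact_all(SAMPLE_LINES):
        print(out)
```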

Slide 25: Attacks and Incidents
- Security-conscious new customers attack the permission system
- Day of the DoS attack (bad code)
- "Security consultant" in need of an iPod

Slide 26: Security Today
- Evolution from success through heroism to success through process
- Growing organization creates new issues
- Access to errors
- Access to test data
- AJAX
- Web Services

Slide 27: Security Today: SDL
- OWASP Guide has been a big help
- Easiest way to get developers to fix bugs: compliance

Slide 28: Tools
- Black box testing
- Source code analysis
- (External review also quite helpful.)

Slide 29: No Silver Bullet
- No Silver Bullet: Essence and Accidents of Software Engineering by Frederick Brooks (author of The Mythical Man-Month)
- Are security mistakes
  - an accidental artifact of programming languages and systems?
  - an unavoidable (essential) problem?
