Enterprise-Class PHP Security


    Enterprise-Class PHP Security - Presentation Transcript

    1. Barry Austin Interactive Strategies doBoard
    2. http://www.whoast.com/blog/whoast%20lemonade%20stand.JPG
    3. http://www.kaushik.net/avinash/wp-content/uploads/2007/05/enterprise_class_warship.png
    4. http://upload.wikimedia.org/wikipedia/commons/7/72/Enterprise_free_flight.jpg
    5. http://graphic-engine.swarthmore.edu/wp-content/uploads/2008/05/enterprise_capture_02.jpg
    6. Enterprise (n): a high‐stakes endeavor
    7. High‐stakes in terms of:
       - Scope
       - Money
       - Purpose
       - Impact
    8. http://blogs.princeton.edu/eqn/images/bigstockphoto_Security_Pad_Locks_40080.jpg
    9. Security is the prevention of harmful events
    10. Enterprise Security is the prevention of harmful events where the stakes are high
       - Real risk involved
       - Severe consequences of failure
    11. If an enterprise app has a security breach…
       - Public safety or military involved – people get hurt, die
       - amazon.com can’t process orders – enormous $$$ losses
       - Facebook spreads malware – millions infected at, say, $100 damage each… Yikes!
       - Banks get robbed electronically – rumored to be happening to the tune of hundreds of millions of $
    12. Growing up
       - PHP is growing up
       - The Internet is growing up
       - Bad guys are growing up
    13. PHP is driving into the enterprise software market
       - Zend
       - IBM
       - Microsoft
       - Others…
    14. If my blog goes down… Who cares? Crickets? Did I hear crickets?
    15. Case in point: WordPress
       - Has been beat upon in low‐stakes environments
       - This is the norm for the PHP ecosystem
       - PHP ecosystem has adapted to the security needs of low‐stakes uses
       - The stakes are changing
    16. Enterprises pay specific attention to security
       - Manage risk
       - Hire and buy
       - Establish standards, controls, process
    17. Managing risk
       - Risk is the probability of an event occurring multiplied by impact
       - Often managed as an aggregate covering all identifiable events
       - Risk can be avoided, mitigated, or transferred
    18. Signs You’re Dealing With Enterprise Security
       - Dedicated security team
       - Scary consequences of security failure
       - Formal security standards and requirements
       - Security audit/review
       - Biased against PHP
    19. Expect a good security team to:
       - Identify security drivers
       - Apply requirements (standards)
       - Find vulnerabilities
       - Orchestrate and plan fixes
       - Calculate overall risk level
       - Recommend “go” or “no go”
    20. Security drivers
       - Purpose of the application
       - Level of trust in users
       - Sensitivity of data
       - Criticality of functions
       - Integrity of transactions
       - Threat environment
       - Consequences of exploitation
       - Laws, regulations, rules
    21. Standards
       - ISO/IEC 27002
       - Payment Card Industry Data Security Standard (PCI‐DSS)
       - OWASP Application Security Verification Standard (ASVS)
       - NIST Special Publications series, FIPS – especially NIST SP 800‐53
    22. Common failings of security teams
       - Apply rules where not really needed
       - Don’t operate tools (e.g. scanners) correctly
       - Shift burden of proof entirely to your side
       - Bring only “no”, never “yes” or “try this”
       - Lose sight of the ultimate goal
       - Are overwhelmed by minutiae
    23. How to overcome security team failings
       - Understand what they need to accomplish
       - Be a step ahead – ask leading questions
       - Remind them about the big picture
       - Engage with the goal of finding solutions
       - Escalate – find a voice of reason
       - Encourage focus on most important issues
       - Insist on balanced burden of proof
    24. Master the basics
       - Participate in security community: OWASP events, conferences, other local meetups
       - Experiment with secure coding frameworks and techniques: Inspekt, ESAPI‐PHP, security features built into your framework of choice
    25. Lay the groundwork
       - Define roles and responsibilities
       - Classify data and functions
       - Identify desired/required security properties
       - Define basic security architecture
       - Select baseline security controls
       - Plan for lifecycle
    26. Do a self‐assessment
       - Check OWASP criteria
       - Run a scanner or hire a specialist
       - Review using industry checklist/standards
       - Treat security requirements as any other requirements or constraints
       - Treat security vulnerabilities as bugs
    27. Best way to get started is… to start!
    28. Summary
       - High‐stakes organizations expect that PHP applications can stand up to the scrutiny of their risk management standards and practices
       - They do this to prevent harmful events that can have severe consequences
       - Enterprise‐class security is in a new league for many PHPers, but with the right knowledge and an effective approach we can handle it.
    29. Links
       - http://www.owasp.org
       - http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference
       - http://code.google.com/p/inspekt/
       - http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API


    Talk by Barry Austin at ZendCon 2009
