Enterprise-Class PHP Security

Talk by Barry Austin at ZendCon 2009

  1. Barry Austin, Interactive Strategies, doBoard
  2. (image) http://www.whoast.com/blog/whoast%20lemonade%20stand.JPG
  3. (image) http://www.kaushik.net/avinash/wp-content/uploads/2007/05/enterprise_class_warship.png
  4. (image) http://upload.wikimedia.org/wikipedia/commons/7/72/Enterprise_free_flight.jpg
  5. (image) http://graphic-engine.swarthmore.edu/wp-content/uploads/2008/05/enterprise_capture_02.jpg
  6. Enterprise (n): a high-stakes endeavor
  7. High-stakes in terms of:
     • Scope
     • Money
     • Purpose
     • Impact
  8. (image) http://blogs.princeton.edu/eqn/images/bigstockphoto_Security_Pad_Locks_40080.jpg
  9. Security is the prevention of harmful events.
  10. Enterprise Security is the prevention of harmful events where the stakes are high:
     • Real risk involved
     • Severe consequences of failure
  11. If an enterprise app has a security breach…
     • Public safety or military involved – people get hurt, die
     • amazon.com can't process orders – enormous $$$ losses
     • Facebook spreads malware – millions infected at, say, $100 damage each… Yikes!
     • Banks get robbed electronically – rumored to be happening to the tune of hundreds of millions of $
  12. PHP is growing up. The Internet is growing up. Bad guys are growing up.
  13. PHP is driving into the enterprise software market:
     • Zend
     • IBM
     • Microsoft
     • Others…
  14. If my blog goes down… Who cares? Crickets? Did I hear crickets?
  15. Case in point: WordPress
     • Has been beaten upon in low-stakes environments
     • This is the norm for the PHP ecosystem
     • The PHP ecosystem has adapted to the security needs of low-stakes uses
     • The stakes are changing
  16. Enterprises pay specific attention to security:
     • Manage risk
     • Hire and buy
     • Establish standards, controls, process
  17. Managing risk
     • Risk is the probability of an event occurring multiplied by its impact
     • Often managed as an aggregate covering all identifiable events
     • Risk can be avoided, mitigated, or transferred
  18. Signs You're Dealing With Enterprise Security
     • Dedicated security team
     • Scary consequences of security failure
     • Formal security standards and requirements
     • Security audit/review
     • Biased against PHP
  19. Expect a good security team to:
     • Identify security drivers
     • Apply requirements (standards)
     • Find vulnerabilities
     • Orchestrate and plan fixes
     • Calculate overall risk level
     • Recommend "go" or "no go"
  20. Security drivers:
     • Purpose of the application
     • Level of trust in users
     • Sensitivity of data
     • Criticality of functions
     • Integrity of transactions
     • Threat environment
     • Consequences of exploitation
     • Laws, regulations, rules
  21. Standards:
     • ISO/IEC 27002
     • Payment Card Industry Data Security Standard (PCI-DSS)
     • OWASP Application Security Verification Standard (ASVS)
     • NIST Special Publications series, FIPS – especially NIST SP 800-53
  22. Common failings of security teams
     • Apply rules where not really needed
     • Don't operate tools (e.g. scanners) correctly
     • Shift burden of proof entirely to your side
     • Bring only "no", never "yes" or "try this"
     • Lose sight of the ultimate goal
     • Are overwhelmed by minutiae
  23. How to overcome security team failings
     • Understand what they need to accomplish
     • Be a step ahead – ask leading questions
     • Remind them about the big picture
     • Engage with the goal of finding solutions
     • Escalate – find a voice of reason
     • Encourage focus on the most important issues
     • Insist on a balanced burden of proof
  24. Master the basics
     • Participate in the security community: OWASP events, conferences; other local meetups
     • Experiment with secure coding frameworks and techniques: Inspekt; ESAPI-PHP; security features built into your framework of choice
  25. Define roles and responsibilities
     • Classify data and functions
     • Identify desired/required security properties
     • Define basic security architecture
     • Select baseline security controls
     • Plan for lifecycle
  26. Do a self-assessment
     • Check OWASP criteria
     • Run a scanner or hire a specialist
     • Review using industry checklists/standards
     • Treat security requirements as any other requirements or constraints
     • Treat security vulnerabilities as bugs
  27. The best way to get started is… to start!
  28. High-stakes organizations expect that PHP applications can stand up to the scrutiny of their risk management standards and practices. They do this to prevent harmful events that can have severe consequences. Enterprise-class security is in a new league for many PHPers, but with the right knowledge and an effective approach we can handle it.
  29. Links
     • http://www.owasp.org
     • http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference
     • http://code.google.com/p/inspekt/
     • http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
