Enterprise-Class PHP Security
Talk by Barry Austin at ZendCon 2009

Presentation Transcript

    • Barry Austin, Interactive Strategies, doBoard
    • http://www.whoast.com/blog/whoast%20lemonade%20stand.JPG
    • http://www.kaushik.net/avinash/wp-content/uploads/2007/05/enterprise_class_warship.png
    • http://upload.wikimedia.org/wikipedia/commons/7/72/Enterprise_free_flight.jpg
    • http://graphic-engine.swarthmore.edu/wp-content/uploads/2008/05/enterprise_capture_02.jpg
    • Enterprise (n): a high-stakes endeavor
    • High-stakes in terms of: scope, money, purpose, impact
    • http://blogs.princeton.edu/eqn/images/bigstockphoto_Security_Pad_Locks_40080.jpg
    • Security is the prevention of harmful events
    • Enterprise Security is the prevention of harmful events where the stakes are high
      - Real risk involved
      - Severe consequences of failure
    • If an enterprise app has a security breach…
      - Public safety or military involved – people get hurt, die
      - amazon.com can’t process orders – enormous $$$ losses
      - Facebook spreads malware – millions infected at, say, $100 damage each… Yikes!
      - Banks get robbed electronically – rumored to be happening to the tune of hundreds of millions of $
    • PHP is growing up. The Internet is growing up. Bad guys are growing up.
    • PHP is driving into the enterprise software market: Zend, IBM, Microsoft, others…
    • If my blog goes down… Who cares? Crickets? Did I hear crickets?
    • Case in point: WordPress
      - Has been beaten upon in low-stakes environments
      - This is the norm for the PHP ecosystem
      - The PHP ecosystem has adapted to the security needs of low-stakes uses
      - The stakes are changing
    • Enterprises pay specific attention to security
      - Manage risk
      - Hire and buy
      - Establish standards, controls, process
    • Managing risk
      - Risk is the probability of an event occurring multiplied by its impact
      - Often managed as an aggregate covering all identifiable events
      - Risk can be avoided, mitigated, or transferred
    • Signs you’re dealing with enterprise security
      - Dedicated security team
      - Scary consequences of security failure
      - Formal security standards and requirements
      - Security audit/review
      - Biased against PHP
    • Expect a good security team to:
      - Identify security drivers
      - Apply requirements (standards)
      - Find vulnerabilities
      - Orchestrate and plan fixes
      - Calculate overall risk level
      - Recommend “go” or “no go”
    • Security drivers
      - Purpose of the application
      - Level of trust in users
      - Sensitivity of data
      - Criticality of functions
      - Integrity of transactions
      - Threat environment
      - Consequences of exploitation
      - Laws, regulations, rules
    • Standards
      - ISO/IEC 27002
      - Payment Card Industry Data Security Standard (PCI-DSS)
      - OWASP Application Security Verification Standard (ASVS)
      - NIST Special Publications series, FIPS; especially NIST SP 800-53
    • Common failings of security teams
      - Apply rules where not really needed
      - Don’t operate tools (e.g. scanners) correctly
      - Shift burden of proof entirely to your side
      - Bring only “no”, never “yes” or “try this”
      - Lose sight of the ultimate goal
      - Are overwhelmed by minutiae
    • How to overcome security team failings
      - Understand what they need to accomplish
      - Be a step ahead – ask leading questions
      - Remind them about the big picture
      - Engage with the goal of finding solutions
      - Escalate – find a voice of reason
      - Encourage focus on the most important issues
      - Insist on a balanced burden of proof
    • Master the basics
      - Participate in the security community: OWASP events, conferences; other local meetups
      - Experiment with secure coding frameworks and techniques: Inspekt, ESAPI-PHP, security features built into your framework of choice
    • Define roles and responsibilities; classify data and functions; identify desired/required security properties; define a basic security architecture; select baseline security controls; plan for the lifecycle
    • Do a self-assessment
      - Check OWASP criteria
      - Run a scanner or hire a specialist
      - Review using industry checklists/standards
      - Treat security requirements as any other requirements or constraints
      - Treat security vulnerabilities as bugs
    • Best way to get started is… to start!
    • High-stakes organizations expect that PHP applications can stand up to the scrutiny of their risk management standards and practices. They do this to prevent harmful events that can have severe consequences. Enterprise-class security is in a new league for many PHPers, but with the right knowledge and an effective approach we can handle it.
    • http://www.owasp.org
      http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference
      http://code.google.com/p/inspekt/
      http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
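The “Master the basics” and “Do a self-assessment” slides name the techniques (input filtering in the style of Inspekt or ESAPI-PHP, and treating vulnerabilities as bugs) but the deck carries no code. The script below is an added example and is not part of Barry Austin’s talk: one PHP request handler written first with the low-stakes habits the deck warns about and then hardened with whitelist input validation, a parameterized PDO query and contextual HTML output encoding, with the original weakness captured as a regression test, i.e. handled like any other bug. It uses only PHP core and PDO with SQLite, not Inspekt or ESAPI-PHP; the `users` table, its rows, the usernames and the injection payload are all constructed for the demonstration.

```php
<?php
declare(strict_types=1);
// Added example, not from the ZendCon 2009 deck. Shows the "basics" a PHP app is
// measured against under an enterprise security review, using only PHP core +
// PDO/SQLite (no Inspekt/ESAPI-PHP). Schema, rows, usernames and the payload are
// constructed fixtures for this demonstration.

// --- Before: low-stakes habits (deliberately vulnerable, kept as the test oracle) ---
function findUserVulnerable(PDO $db, string $username): array
{
    // Attacker-controlled $username is spliced into SQL and can rewrite the query.
    $sql = "SELECT id, username, display_name FROM users WHERE username = '$username'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

function renderGreetingVulnerable(string $displayName): string
{
    // Stored data emitted raw into HTML: stored XSS if it contains markup.
    return "<p>Hello, $displayName</p>";
}

// --- After: the hardened handler ---
function validUsername(string $username): bool
{
    // Whitelist the shape of a valid value; reject rather than "clean" it.
    return preg_match('/\A[a-z0-9_]{3,32}\z/', $username) === 1;
}

function findUser(PDO $db, string $username): array
{
    if (!validUsername($username)) {
        return [];
    }
    // Parameterized query: the value is bound as data, never parsed as SQL.
    $stmt = $db->prepare('SELECT id, username, display_name FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function renderGreeting(string $displayName): string
{
    // Encode for the HTML text-node context at the point of output.
    return '<p>Hello, ' . htmlspecialchars($displayName, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// --- Constructed fixture: in-memory SQLite with two users, one carrying stored markup ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, display_name TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice', 'Alice'), (2, 'bob', '<script>alert(1)</script>')");

// --- The vulnerability as a regression test: a bug with a reproducer, like any other ---
function check(bool $ok, string $what): void
{
    if (!$ok) {
        fwrite(STDERR, "FAIL: $what\n");
        exit(1);
    }
    echo "ok: $what\n";
}

$payload = "x' OR '1'='1";   // constructed tautology injection

check(count(findUserVulnerable($db, $payload)) === 2, 'vulnerable lookup returns every row for an injected username');
check(findUser($db, $payload) === [], 'hardened lookup rejects the injected username');
check(count(findUser($db, 'alice')) === 1, 'hardened lookup still finds a legitimate user');

$bob = findUser($db, 'bob')[0];
check(strpos(renderGreetingVulnerable($bob['display_name']), '<script>') !== false, 'vulnerable render emits stored markup');
check(strpos(renderGreeting($bob['display_name']), '<script>') === false, 'hardened render encodes stored markup');
```

Run it with `php example.php` on any PHP build with the pdo_sqlite extension. The point of keeping the vulnerable functions in the file is the last slide of the self-assessment: once the injection and the stored XSS have a reproducer, they are tracked, fixed and regression-tested exactly like a functional bug, which is the evidence a security team reviewing a PHP application will ask for.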