Enterprise-Class PHP Security

Barry Austin Interactive Strategies doBoard

http://www.whoast.com/blog/whoast%20lemonade%20stand.JPG

http://www.kaushik.net/avinash/wp-content/uploads/2007/05/enterprise_class_warship.png

http://upload.wikimedia.org/wikipedia/commons/7/72/Enterprise_free_flight.jpg

http://graphic-engine.swarthmore.edu/wp-content/uploads/2008/05/enterprise_capture_02.jpg

Enterprise (n): a high‐stakes endeavor

High‐stakes in terms of: Scope Money Purpose Impact

http://blogs.princeton.edu/eqn/images/bigstockphoto_Security_Pad_Locks_40080.jpg

Security is the prevention of harmful events

Enterprise Security is the prevention of harmful events where the stakes are high Real risk involved Severe consequences of failure

If an enterprise app has a security breach… Public safety or military involved – people get hurt, die amazon.com can’t process orders – enormous $$$ losses Facebook spreads malware – millions infected at, say, $100 damage each… Yikes! Banks get robbed electronically – rumored to be happening to the tune of hundreds of millions of $

PHP is growing up The Internet is growing up Bad guys are growing up

PHP is driving into the enterprise software market Zend IBM Microsoft Others…

If my blog goes down… Who cares? Crickets? Did I hear crickets?

Case in point: Wordpress Has been beat upon in low‐stakes environments This is the norm for the PHP ecosystem PHP ecosystem has adapted to the security needs of low‐stakes uses The stakes are changing

Enterprises pay specific attention to security Manage risk Hire and buy Establish standards, controls, process

Managing risk Risk is the probability of an event occuring multiplied by impact Often managed as an aggregate covering all identifiable events Risk can be avoided, mitigated, or transferred

Signs You’re Dealing With Enterprise Security Dedicated security team Scary consequences of security failure Formal security standards and requirements Security audit/review Biased against PHP

Expect a good security team to: Identify security drivers Apply requirements (standards) Find vulnerabilities Orchestrate and plan fixes Calculate overall risk level Recommend “go” or “no go”

Purpose of the application Level of trust in users Sensitivity of data Criticality of functions Integrity of transactions Threat environment Consequences of exploitation Laws, regulations, rules

ISO/IEC 27002 Payment Card Industry Data Security Standard (PCI‐DSS) OWASP Application Security Verification Standard (ASVS) NIST Special Publications series, FIPS Especially NIST SP 800‐53

Common failings of security teams Apply rules where not really needed Don’t operate tools (e.g. scanners) correctly Shift burden of proof entirely to your side Bring only “no”, never “yes” or “try this” Lose sight of the ultimate goal Are overwhelmed by minutiae

How to overcome security team failings Understand what they need to accomplish Be a step ahead – ask leading questions Remind them about the big picture Engage with the goal of finding solutions Escalate – find a voice of reason Encourage focus on most important issues Insist on balanced burden of proof

Master the basics Participate in security community OWASP events, conferences Other local meetups Experiment with secure coding frameworks and techniques Inspekt ESAPI‐PHP Security features built into your framework of choice

Define roles and responsibilities Classify data and functions Identify desired/required security properties Define basic security architecture Select baseline security controls Plan for lifecycle

Do a self‐assessment Check OWASP criteria Run a scanner or hire a specialist Review using industry checklist/standards Treat security requirements as any other requirements or constraints Treat security vulnerabilities as bugs

Best way to get started is… to start!

High‐stakes organizations expect that PHP applications can stand up to the scrutiny of their risk management standards and practices They do this to prevent harmful events that can have severe consequences Enterprise‐class security is in a new league for many PHPers, but with the right knowledge and an effective approach we can handle it.

http://www.owasp.org http://www.owasp.org/index.php/Category:O WASP_AppSec_Conference http://code.google.com/p/inspekt/ http://www.owasp.org/index.php/Category:O WASP_Enterprise_Security_API

Enterprise-Class PHP Security

by ZendCon on Nov 04, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

1 Embed 5

Statistics

Enterprise-Class PHP Security — Presentation Transcript