SmallBiz and Appsec, from SANS AppSec Las Vegas 2012

Published at the SANS Security at Scale Summit in Las Vegas, from the panel discussion "What you can learn from small business about appsec".

Published in: Technology, Business
1. What You Can Learn From Small Companies About AppSec. SANS AppSec Las Vegas 2012. Nick Galbreath, @ngalbreath, nickg@etsy.com
2. Who is Etsy? nickg?
    - Etsy is the “marketplace for small creative businesses”
    - Alexa rank of #51 in USA
    - > $500MM/year in transaction volume
    - Nick Galbreath is a Director of Engineering focusing on Security, Fraud, Internal Analytics, Internal Tools
3. FACT: Being at patch level for your OS and applications eliminates the vast majority of desktop attacks. (The Exploit Intelligence Project, Dan Guido, 7/25/2011, http://bit.ly/KiWhmw)
4. FACT: You have security problems on your website right now (although perhaps not currently exploited). Your development environment is different than production. No amount of QA can guarantee “security”.
5. Being able to deploy quickly is my #1 security feature. This implies standardized, automated system and configuration management. It can be as simple as shell scripts; no fancy tools required. This covers your servers, OS, desktops, applications, routers, etc.
6. Being able to deploy quickly doesn’t mean no process. FAIL
7. Security Feature #2: Being able to graph/log everything. Make security visible to your organization!
8. How low can you go? “Fault in elevator at Floor 39 last night.” MTTD, Mean Time To Detect: how fast can you detect a problem? MTTR, Mean Time To Repair: how fast can you repair or resolve a problem?
9. But doesn’t rapid change (lean, devops, agile) make things less secure? Well, compared to....
10. “We’ll rush that security fix. It will go out in the next release in about 6 weeks.” (former vendor at Etsy)
11. Nick Galbreath, nickg@etsy.com, @ngalbreath. SANS AppSec Las Vegas 2012
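Slides 7 and 8 argue for logging everything and then measuring how fast problems are detected and repaired. The following is an added example, not code from the deck or from Etsy, showing how MTTD and MTTR can be derived from a plain event log once each security issue is recorded with the time its change was introduced, the time it was detected, and the time the fix was deployed. The log format, the event names (`introduced`, `detected`, `resolved`) and the sample records are all constructed for the example.

```python
"""Compute MTTD and MTTR from a security-issue lifecycle log.

Added example, not from the slide deck. Log format and records are constructed.
"""
from datetime import datetime
from statistics import mean

# Constructed sample: one line per lifecycle event of a security issue.
# Format: <ISO-8601 timestamp> <issue-id> <event>
#   introduced = the change that caused the issue was deployed
#   detected   = an alert, graph anomaly or report surfaced it
#   resolved   = the fix was deployed
SAMPLE_LOG = """\
2012-05-01T10:00:00 ISSUE-1 introduced
2012-05-01T10:45:00 ISSUE-1 detected
2012-05-01T11:15:00 ISSUE-1 resolved
2012-05-02T09:00:00 ISSUE-2 introduced
2012-05-03T09:00:00 ISSUE-2 detected
2012-05-03T12:00:00 ISSUE-2 resolved
2012-05-04T08:00:00 ISSUE-3 introduced
2012-05-04T08:30:00 ISSUE-3 detected
this line is malformed and is skipped
"""


def parse_events(text):
    """Return {issue_id: {event: datetime}}; malformed lines are skipped."""
    issues = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, issue_id, event = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        issues.setdefault(issue_id, {})[event] = when
    return issues


def _durations_minutes(issues, start, end):
    """Minutes between two lifecycle events for every issue that has both."""
    out = []
    for ev in issues.values():
        if start in ev and end in ev and ev[end] >= ev[start]:
            out.append((ev[end] - ev[start]).total_seconds() / 60)
    return out


def mttd(issues):
    """Mean Time To Detect in minutes (introduced -> detected); None if no data."""
    d = _durations_minutes(issues, "introduced", "detected")
    return mean(d) if d else None


def mttr(issues):
    """Mean Time To Repair in minutes (detected -> resolved); None if no data."""
    d = _durations_minutes(issues, "detected", "resolved")
    return mean(d) if d else None


def open_issues(issues):
    """Issues that were detected but have no fix deployed yet (the 'elevator fault')."""
    return sorted(i for i, ev in issues.items()
                  if "detected" in ev and "resolved" not in ev)


if __name__ == "__main__":
    issues = parse_events(SAMPLE_LOG)
    print("MTTD (min):", mttd(issues))
    print("MTTR (min):", mttr(issues))
    print("open:", open_issues(issues))
```

The two numbers answer the slide's questions directly: MTTD is how long a problem lives before anyone notices, MTTR is how long it waits for a fix once noticed. With the sample records the 24-hour gap on ISSUE-2 dominates MTTD, which is exactly the kind of outlier a graph of these values makes visible, and ISSUE-3 shows up as detected but still open.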