Title of the presentation Craig Walker, Chief Technology Officer, Xero Ltd Case Study: Ensuring Full-Proof Security At Xer...
Agenda <ul><li>What is Xero? </li></ul><ul><li>Where does security fit in? </li></ul><ul><li>How did Aura get involved? </...
Who is Xero? <ul><li>The company </li></ul><ul><ul><li>Started in 2006 by Rod Drury and Hamish Edwards </li></ul></ul><ul>...
What is Xero? <ul><li>The product </li></ul><ul><ul><li>Software-as-a-Service small business platform starting as an onlin...
How does SaaS change security? <ul><li>Software-as-a-Service (SaaS) is software that is deployed as a hosted service, acce...
We can’t just say we’re “secure as a bank”. We must actually BE secure as a bank.
Why is security important to Xero? <ul><li>Because the impact of security breaches could destroy our business </li></ul><u...
Virtual Security Officers <ul><li>Identified early on that we need to get outside expertise not because we couldn’t do it ...
Aura Software Security <ul><li>Microsoft development shop turned security experts </li></ul><ul><li>Understand both secure...
The Aura Experience
What are your top 5 security risks? <ul><li>Staff </li></ul><ul><li>Customers </li></ul><ul><li>Contractors </li></ul><ul>...
Integrated approach to security <ul><li>Defence in Depth (a holistic view) </li></ul><ul><ul><li>Security policies </li></...
Security policies <ul><li>BORING! </li></ul><ul><li>Implemented as “house rules” – how Xero deals with security </li></ul>...
Threat Modelling <ul><li>Risk assessment for software </li></ul><ul><li>A Microsoft approach but in no way attached to the...
Attack trees <ul><li>To truly defend yourself you need to know how you can be attacked </li></ul><ul><li>Attack and defenc...
Imagine you had a castle … Kidnap the Princess 10 Gold Coins Bribe guard Sneak through sewer Launch full military strike 1...
Test it! <ul><li>Perform penetration testing to make sure that the time spent during development and implementation actual...
Monitor it! <ul><li>Your environment should be gathering lots of information about security attacks as they occur </li></u...
Things to think about … <ul><li>Take a holistic approach to security involving the whole organisation </li></ul><ul><li>Ge...
www.xero.com www.AuraSoftwareSecurity.co.nz Questions?
Upcoming SlideShare
Loading in …5
×

Ensuring Full Proof Security At Xero

2,599 views

Published on

This presentation shows how Aura Software Security helped Xero focus it's security strategy and integrate security throughout the organisation.

Published in: Business, Technology
  • Be the first to comment

  • Be the first to like this

Ensuring Full Proof Security At Xero

  1. 1. Title of the presentation Craig Walker, Chief Technology Officer, Xero Ltd Case Study: Ensuring Full-Proof Security At Xero 22 July 2008
  2. 2. Agenda <ul><li>What is Xero? </li></ul><ul><li>Where does security fit in? </li></ul><ul><li>How did Aura get involved? </li></ul><ul><li>What kinds of things did we do? </li></ul><ul><li>Did you learn something? </li></ul>
  3. 3. Who is Xero? <ul><li>The company </li></ul><ul><ul><li>Started in 2006 by Rod Drury and Hamish Edwards </li></ul></ul><ul><ul><li>IPO in June 2007 to establish ourselves as a credible & secure software provider </li></ul></ul><ul><ul><li>60 staff in 6 locations (HQ in Wellington) and over 1500 customers </li></ul></ul><ul><ul><li>A New Zealand business with global aspirations </li></ul></ul>
  4. 4. What is Xero? <ul><li>The product </li></ul><ul><ul><li>Software-as-a-Service small business platform starting as an online accounting system </li></ul></ul><ul><ul><li>Revolutionising the way small businesses are managed </li></ul></ul><ul><ul><li>Staff and advisors all connected and unconstrained by legacy process or technology </li></ul></ul><ul><ul><li>Built on a Microsoft platform and hosted in the US </li></ul></ul>
  5. 5. How does SaaS change security? <ul><li>Software-as-a-Service (SaaS) is software that is deployed as a hosted service, accessed over the internet and paid for on a subscription basis </li></ul><ul><li>SaaS is about reducing the cost of providing software services to go after the “long tail” of small businesses </li></ul><ul><li>Shifts the “ownership” of the software and reallocates responsibility for technology infrastructure from our customers to Xero </li></ul>
  6. 6. We can’t just say we’re “secure as a bank”. We must actually BE secure as a bank.
  7. 7. Why is security important to Xero? <ul><li>Because the impact of security breaches could destroy our business </li></ul><ul><li>Potential effects: </li></ul><ul><ul><li>Loss of data </li></ul></ul><ul><ul><li>Loss of credibility </li></ul></ul><ul><ul><li>Loss of revenue </li></ul></ul><ul><ul><li>Damage to customer confidence </li></ul></ul><ul><ul><li>Damage to investor confidence </li></ul></ul><ul><ul><li>Legal consequences </li></ul></ul><ul><ul><li>All on the front page of the Herald </li></ul></ul>
  8. 8. Virtual Security Officers <ul><li>Identified early on that we need to get outside expertise not because we couldn’t do it but because we wanted to do it right </li></ul><ul><li>Security expertise not common in New Zealand especially related to SaaS </li></ul><ul><li>Concept of Virtual Security Officers – a partnership that would help us to deliver secure software over the long term </li></ul>
  9. 9. Aura Software Security <ul><li>Microsoft development shop turned security experts </li></ul><ul><li>Understand both secure development and also the secure enterprise </li></ul><ul><li>Not just another security audit </li></ul><ul><li>Promised a refreshing view of security and what it means to be secure </li></ul><ul><li>Promised to make security suck less </li></ul>
  10. 10. The Aura Experience
  11. 11. What are your top 5 security risks? <ul><li>Staff </li></ul><ul><li>Customers </li></ul><ul><li>Contractors </li></ul><ul><li>Hackers </li></ul><ul><li>Hosting Providers </li></ul>
  12. 12. Integrated approach to security <ul><li>Defence in Depth (a holistic view) </li></ul><ul><ul><li>Security policies </li></ul></ul><ul><ul><li>Security operations integrated with regular processes </li></ul></ul><ul><ul><li>Security infrastructure </li></ul></ul><ul><ul><li>Security-aware users – all staff aware of security not just developers </li></ul></ul><ul><ul><li>Application security design and review </li></ul></ul><ul><ul><li>Penetration testing </li></ul></ul><ul><ul><li>Ongoing monitoring and proactive analysis </li></ul></ul>
  13. 13. Security policies <ul><li>BORING! </li></ul><ul><li>Implemented as “house rules” – how Xero deals with security </li></ul><ul><li>Team effort – everyone (not just IT staff) gets the chance to contribute and policies are circulated company wide for feedback </li></ul><ul><li>Be pragmatic – not totalitarian </li></ul><ul><li>Use software to help enforce policies where appropriate </li></ul>
  14. 14. Threat Modelling <ul><li>Risk assessment for software </li></ul><ul><li>A Microsoft approach but in no way attached to the Microsoft platform and can be used for modelling any and all enterprise and application threats </li></ul><ul><li>Great documentation, presentation and communication tool for both your team (and your board) </li></ul>
  15. 15. Attack trees <ul><li>To truly defend yourself you need to know how you can be attacked </li></ul><ul><li>Attack and defence are always interlinked </li></ul><ul><li>Look at threats from the attackers point-of-view </li></ul><ul><li>In soccer, the best penalty-taker is often the goalkeeper because he knows the best way through the net </li></ul><ul><li>As a CIO you are the goal keeper! What would you do to attack your own organisation? </li></ul>
  16. 16. Imagine you had a castle … Kidnap the Princess 10 Gold Coins Bribe guard Sneak through sewer Launch full military strike 1,000,000 Gold Coins Walk in the main gate Forge letter of introduction Discover/steal King’s Seal Discover sewer location Break any protection 5 Gold Coins
  17. 17. Test it! <ul><li>Perform penetration testing to make sure that the time spent during development and implementation actually created a more secure environment </li></ul><ul><li>Highlights anything that was missed </li></ul><ul><li>Allows us to test both our software and our hosting provider as part of the complete solution to identify areas where our hosting environment (and potentially hosting provider) is weak </li></ul>
  18. 18. Monitor it! <ul><li>Your environment should be gathering lots of information about security attacks as they occur </li></ul><ul><li>Tell the attacker nothing – tell the administrator as much as possible </li></ul><ul><li>Aura’s Red-Eye </li></ul><ul><ul><li>Custom solution integrates directly into your environment </li></ul></ul><ul><ul><li>Managed and administered by Aura </li></ul></ul><ul><ul><li>Attackers are persistent and will try many variations of an attack and Aura can provide steps to mitigate against these </li></ul></ul><ul><ul><li>First installation picked up a major security hole within 3 days </li></ul></ul>
  19. 19. Things to think about … <ul><li>Take a holistic approach to security involving the whole organisation </li></ul><ul><li>Get independent expertise to guide you through the process </li></ul><ul><li>Think about attacks you could face and how your organisation would respond to them </li></ul><ul><li>Security is an ongoing process, not a singular event – continuously improve as attackers are also improving </li></ul><ul><li>The cost of implementing security is not trivial, however it is a fraction of the cost of mitigating security compromises </li></ul>
  20. 20. www.xero.com www.AuraSoftwareSecurity.co.nz Questions?

×