Enterprise-Class PHP Security

Barry Austin Interactive Strategies doBoard

Upload: zendcon

Posted on 13-May-2015

DESCRIPTION

Talk by Barry Austin at ZendCon 2009

TRANSCRIPT

Page 1: Enterprise-Class PHP Security

Barry Austin, Interactive Strategies, doBoard

Page 2: Enterprise-Class PHP Security

http://www.whoast.com/blog/whoast%20lemonade%20stand.JPG

Presenter notes:
Many of us know “enterprise” as a corporate buzzword that can mean just about anything. Okay, so maybe a lemonade stand is a stretch.

Page 3: Enterprise-Class PHP Security

http://www.kaushik.net/avinash/wp-content/uploads/2007/05/enterprise_class_warship.png

Presenter notes:
Many things have been called “Enterprise” throughout history. Like warships.

Page 4: Enterprise-Class PHP Security

http://upload.wikimedia.org/wikipedia/commons/7/72/Enterprise_free_flight.jpg

Presenter notes:
Like spacecraft.

Page 5: Enterprise-Class PHP Security

http://graphic-engine.swarthmore.edu/wp-content/uploads/2008/05/enterprise_capture_02.jpg

Presenter notes:
Like spacecraft that are also warships. These all have something in common with what *I* mean when I use the word “enterprise”.

Page 6: Enterprise-Class PHP Security

Enterprise (n): a high-stakes endeavor

Presenter notes:
The point is that “enterprise” activities involve high stakes.

Page 7: Enterprise-Class PHP Security

High-stakes in terms of:
Scope
Money
Purpose
Impact

Presenter notes:
It may be huge. It may involve very large amounts of money. It may have a purpose that’s important to influential people or groups. It may have a notable impact on the world in some way. Examples can include a Fortune 500 corporation, a national government, a major nonprofit organization, a presidential election campaign, a major religious organization. Now hold that thought.

Page 8: Enterprise-Class PHP Security

http://blogs.princeton.edu/eqn/images/bigstockphoto_Security_Pad_Locks_40080.jpg

Presenter notes:
Many people associate the word “security” with things that help to provide it. Locks, security software, coding techniques. These all have validity, but there’s also a bigger picture to consider. I’m going to suggest a definition of “security” that has to do with *why* we use locks, security software, and secure coding techniques.

Page 9: Enterprise-Class PHP Security

Security is the prevention of harmful events

Presenter notes:
Security is keeping bad things from happening, even when people may actively be trying to make bad things happen. In terms of software, if development is about making an app do what it’s supposed to do, then application security is about making sure an app doesn’t do what it’s not supposed to do, even when people are seriously trying to abuse it.

Page 10: Enterprise-Class PHP Security

Enterprise Security is the prevention of harmful events where the stakes are high
Real risk involved
Severe consequences of failure

Presenter notes:
Now to combine “enterprise” with “security”… The point is that enterprise security is in an entirely different league than many of us have been accustomed to.

Page 11: Enterprise-Class PHP Security

If an enterprise app has a security breach…
Public safety or military involved – people get hurt, die
amazon.com can’t process orders – enormous $$$ losses
Facebook spreads malware – millions infected at, say, $100 damage each… Yikes!
Banks get robbed electronically – rumored to be happening to the tune of hundreds of millions of $

Presenter notes:
If a security failure costs human lives or money in far greater amounts than we’re likely to ever earn… These are big-time consequences that we do *not* want to be personally responsible for.

Page 12: Enterprise-Class PHP Security

PHP is growing up

The Internet is growing up

Bad guys are growing up

Presenter notes:
So what does this have to do with PHP? PHP has been evolving in terms of language, tools, frameworks, and support for modern process and techniques. The Internet is increasingly forming the fabric of business and people’s everyday lives. So it affects more people, involves more money, touches more important things. The bad guys have formed a “black hat” community with many of the same powers as any community of smart, motivated people, such as developing sophisticated tools. And bad guys have increasingly formed organized crime syndicates – and established syndicates have increasingly gotten into the business of cybercrime. Their actions have increased the consequences of security failures.

Page 13: Enterprise-Class PHP Security

PHP is driving into the enterprise software market
Zend
IBM
Microsoft
Others…

Presenter notes:
So at the same time that the Internet has been growing in reach and impact, and while the bad guys have been growing in power, PHP has been encroaching on turf traditionally occupied by Java and such. Prominent companies have been supporting PHP’s entry into enterprise organizations. PHP is increasingly taking on high-stakes applications.

Page 14: Enterprise-Class PHP Security

If my blog goes down…
Who cares?
Crickets? Did I hear crickets?

Presenter notes:
But as we know, the history of PHP is more humble. Take my blog for example, which is PHP-based. If my blog gets hacked, if it blows up… Does anybody here actually care?! [raise hand] Anybody? I’d care for maybe an hour, until I can rebuild and recover.

Page 15: Enterprise-Class PHP Security

Case in point: WordPress
Has been beaten upon in low-stakes environments

This is the norm for the PHP ecosystem
PHP ecosystem has adapted to the security needs of low-stakes uses
The stakes are changing

Presenter notes:
WordPress is great! It’s what I use for my blog. It’s so popular that it’s been a target of malicious hackers for years. And on many occasions the bad guys have figured out how to abuse it. And it’s been fixed. WordPress has adapted to security threats where the stakes are low. If you were to ask a typical security professional what they think of WordPress, they’d probably ask if you’re kidding or they’d just laugh. This is because security professionals normally operate within enterprises. Where the stakes are high.

Page 16: Enterprise-Class PHP Security

Enterprises pay specific attention to security
Manage risk
Hire and buy
Establish standards, controls, process

Presenter notes:
Because the stakes are high, because the consequences of harmful events are severe, enterprises pay specific attention to preventing bad things from happening. In other words, security. The overall approach is to manage risk. They hire computer security professionals, they buy security tools. They establish the rules and build the infrastructure whereby they can identify security concerns and minimize the damage they can cause. Pretty often this goes overboard and devolves into a bureaucratic mess. I’ll get into how to deal with that later. But there are legitimate goals at the core.

Page 17: Enterprise-Class PHP Security

Managing risk
Risk is the probability of an event occurring multiplied by impact
Often managed as an aggregate covering all identifiable events
Risk can be avoided, mitigated, or transferred

Page 18: Enterprise-Class PHP Security

Signs You’re Dealing With Enterprise Security
Dedicated security team
Scary consequences of security failure
Formal security standards and requirements
Security audit/review
Biased against PHP

Presenter notes:
Sometimes a surprise. If you see these things, you’re probably dealing with enterprise security, and that means the organization perceives that high stakes are involved. Security teams are expensive, so their existence implies that there’s a reason for that. Consequences of security breaches may or may not be immediately apparent, but they often are. Formal security standards, requirements, audits and reviews imply that the organization is taking specific measures to control risk. Security teams may be just as surprised to see PHP as we are to come across a security team. Expect bias but work through it.

Page 19: Enterprise-Class PHP Security

Expect a good security team to:
Identify security drivers
Apply requirements (standards)
Find vulnerabilities
Orchestrate and plan fixes
Calculate overall risk level
Recommend “go” or “no go”

Page 20: Enterprise-Class PHP Security

Purpose of the application
Level of trust in users
Sensitivity of data
Criticality of functions
Integrity of transactions
Threat environment
Consequences of exploitation
Laws, regulations, rules

Presenter notes:
Here are some things that a good security team might consider and ask questions about.

Page 21: Enterprise-Class PHP Security

ISO/IEC 27002
Payment Card Industry Data Security Standard (PCI-DSS)
OWASP Application Security Verification Standard (ASVS)
NIST Special Publications series, FIPS
Especially NIST SP 800-53

Page 22: Enterprise-Class PHP Security

Common failings of security teams
Apply rules where not really needed
Don’t operate tools (e.g. scanners) correctly
Shift burden of proof entirely to your side
Bring only “no”, never “yes” or “try this”
Lose sight of the ultimate goal
Are overwhelmed by minutiae

Page 23: Enterprise-Class PHP Security

How to overcome security team failings
Understand what they need to accomplish
Be a step ahead – ask leading questions
Remind them about the big picture
Engage with the goal of finding solutions
Escalate – find a voice of reason
Encourage focus on most important issues
Insist on balanced burden of proof

Page 24: Enterprise-Class PHP Security

Master the basics
Participate in security community
OWASP events, conferences
Other local meetups

Experiment with secure coding frameworks and techniques
Inspekt
ESAPI-PHP
Security features built into your framework of choice

Presenter notes:
To prepare yourself to operate at the enterprise level of security: OWASP lists and meetings. OWASP AppSec conferences, e.g. AppSec DC 2009. CapSec DC. Inspekt – Ed Finkler’s API for securely handling user input. ESAPI-PHP – port of a project originally implemented in Java to provide a comprehensive API for application security.

Page 25: Enterprise-Class PHP Security

Define roles and responsibilities
Classify data and functions
Identify desired/required security properties
Define basic security architecture
Select baseline security controls
Plan for lifecycle

Page 26: Enterprise-Class PHP Security

Do a self-assessment
Check OWASP criteria
Run a scanner or hire a specialist
Review using industry checklist/standards

Treat security requirements as any other requirements or constraints
Treat security vulnerabilities as bugs

Page 27: Enterprise-Class PHP Security

Best way to get started is… to start!

Page 28: Enterprise-Class PHP Security

High-stakes organizations expect that PHP applications can stand up to the scrutiny of their risk management standards and practices
They do this to prevent harmful events that can have severe consequences
Enterprise-class security is in a new league for many PHPers, but with the right knowledge and an effective approach we can handle it.

Presenter notes:
I suggested a definition of enterprise that’s mainly about its high-stakes nature. Enterprise organizations naturally try to manage risk, and some of that risk comes with web applications that we build with PHP. Enterprises expect that web applications will meet security standards and pass security tests – this is how they can assure themselves that they’ll avoid harmful events with severe consequences that will cause serious damage to their business or to their interests. If we’re familiar with how application security works at the enterprise level, then enterprises can trust the PHP community to participate.