This document discusses enterprise security as it relates to PHP applications. It begins by defining an enterprise as a high-stakes endeavor with significant scope, money, purpose, or impact. Enterprise security specifically aims to prevent harmful security events for applications where the stakes are high, with real risks and severe consequences of failure. The document then outlines some of the key differences between enterprise security and traditional low-stakes PHP application security, including dedicated security teams, formal standards, and a focus on risk management. It provides guidance for PHP developers on understanding enterprise security requirements and effectively partnering with security teams.

1. Barry Austin
Interactive Strategies
doBoard

2. http://www.whoast.com/blog/whoast%20lemonade%20stand.JPG

3. http://www.kaushik.net/avinash/wp-content/uploads/2007/05/enterprise_class_warship.png

4. http://upload.wikimedia.org/wikipedia/commons/7/72/Enterprise_free_flight.jpg

5. http://graphic-engine.swarthmore.edu/wp-content/uploads/2008/05/enterprise_capture_02.jpg

6. Enterprise (n): a high‐stakes endeavor

7. High‐stakes in terms of:
Scope
Money
Purpose
Impact

8. http://blogs.princeton.edu/eqn/images/bigstockphoto_Security_Pad_Locks_40080.jpg

9. Security is the prevention of harmful events

10. Enterprise Security is the prevention of
harmful events where the stakes are high
Real risk involved
Severe consequences of failure

11. If an enterprise app has a security breach…
Public safety or military involved – people get
hurt, die
amazon.com can’t process orders – enormous $$$
losses
Facebook spreads malware – millions infected at,
say, $100 damage each… Yikes!
Banks get robbed electronically – rumored to be
happening to the tune of hundreds of millions of $

12. PHP is growing up
The Internet is growing up
Bad guys are growing up

13. PHP is driving into the enterprise software
market
Zend
IBM
Microsoft
Others…

14. If my blog goes down…
Who cares?
Crickets? Did I hear crickets?

15. Case in point: Wordpress
Has been beat upon in low‐stakes environments
This is the norm for the PHP ecosystem
PHP ecosystem has adapted to the security
needs of low‐stakes uses
The stakes are changing

16. Enterprises pay specific attention to security
Manage risk
Hire and buy
Establish standards, controls, process

17. Managing risk
Risk is the probability of an event occuring
multiplied by impact
Often managed as an aggregate covering all
identifiable events
Risk can be avoided, mitigated, or transferred

18. Signs You’re Dealing With Enterprise Security
Dedicated security team
Scary consequences of security failure
Formal security standards and requirements
Security audit/review
Biased against PHP

19. Expect a good security team to:
Identify security drivers
Apply requirements (standards)
Find vulnerabilities
Orchestrate and plan fixes
Calculate overall risk level
Recommend “go” or “no go”

20. Purpose of the application
Level of trust in users
Sensitivity of data
Criticality of functions
Integrity of transactions
Threat environment
Consequences of exploitation
Laws, regulations, rules

21. ISO/IEC 27002
Payment Card Industry Data Security
Standard (PCI‐DSS)
OWASP Application Security Verification
Standard (ASVS)
NIST Special Publications series, FIPS
Especially NIST SP 800‐53

22. Common failings of security teams
Apply rules where not really needed
Don’t operate tools (e.g. scanners) correctly
Shift burden of proof entirely to your side
Bring only “no”, never “yes” or “try this”
Lose sight of the ultimate goal
Are overwhelmed by minutiae

23. How to overcome security team failings
Understand what they need to accomplish
Be a step ahead – ask leading questions
Remind them about the big picture
Engage with the goal of finding solutions
Escalate – find a voice of reason
Encourage focus on most important issues
Insist on balanced burden of proof

24. Master the basics
Participate in security community
OWASP events, conferences
Other local meetups
Experiment with secure coding frameworks
and techniques
Inspekt
ESAPI‐PHP
Security features built into your framework of
choice

25. Define roles and responsibilities
Classify data and functions
Identify desired/required security properties
Define basic security architecture
Select baseline security controls
Plan for lifecycle

26. Do a self‐assessment
Check OWASP criteria
Run a scanner or hire a specialist
Review using industry checklist/standards
Treat security requirements as any other
requirements or constraints
Treat security vulnerabilities as bugs

27. Best way to get started is… to start!

28. High‐stakes organizations expect that PHP
applications can stand up to the scrutiny of
their risk management standards and
practices
They do this to prevent harmful events that
can have severe consequences
Enterprise‐class security is in a new league for
many PHPers, but with the right knowledge
and an effective approach we can handle it.

29. http://www.owasp.org
http://www.owasp.org/index.php/Category:O
WASP_AppSec_Conference
http://code.google.com/p/inspekt/
http://www.owasp.org/index.php/Category:O
WASP_Enterprise_Security_API