Akshay on the business of security : Application Security

Shrinking Budgets: Application Security Tools vs Process Tradeoff

Akshay Aggarwal — Thu, 30 Apr 2009 08:25:54 GMT

An all too familiar scene repeated itself two weeks ago. My good friend & CISO of a mid-sized technology company, lets call him Alok, went into a budget planning meeting and came out as a shadow of his former self. To be more precise a 85% version...(read more)

The InfoSec X Prize: Fundamental Change Through Competition

Akshay Aggarwal — Fri, 23 Jan 2009 01:06:34 GMT

Today I had a thought provoking conversation with Dr. Peter Diamandis , Chairman and CEO of Zero Gravity Corporation & X Prize Foundation, on radical & fundamental change. Change that advances the status quo rather than relying on incremental...(read more)

Application Security Development Lifecycle 5A: Is Threat Modeling Right For You?

Akshay Aggarwal — Wed, 11 Jun 2008 18:06:24 GMT

Several enterprises are increasingly investing time and money in building application security tasks into their existing SDLCs. Some of them have also reached the conclusion that proactive approaches , like threat modeling, have more ROI than reactive...(read more)

OWASP Conference Update

Akshay Aggarwal — Mon, 09 Jun 2008 04:42:40 GMT

I will be presenting at the OWASP conference in Denver, CO this Tuesday, June 10th. The presentation will focus on the value that organizations especially ISVs can derive from threat modeling of line of business applications. For some time now, I've been...(read more)

Application Security development Lifecycle 4: Finding the right security talent

Akshay Aggarwal — Sun, 01 Jun 2008 22:45:00 GMT

After about an hour of nodding his head vigorously in agreement with some of our lessons learnt, my customer jumped up and exclaimed, " Great!! Now where do I find another 20 people like these?" (pointing to my team)... I thought about it a while and...(read more)

How Microsoft IT does Secure Application Development: Webcast

Akshay Aggarwal — Tue, 27 May 2008 19:20:00 GMT

Technorati Tags: Conference , SDLC , SDL , IT , ISV I will be discussing Microsoft IT's approach to secure application development, with a special focus on how we integrate security into the IT line-of-business SDLC, in a webcast this Thursday May 29th....(read more)

Increase the TCO, kill the project: An ad-hoc analogy

Akshay Aggarwal — Wed, 14 May 2008 19:07:00 GMT

The other day I was subject to the assertion that the only asset an IT security organizations should care about is data. Now being in the application security business, I should have been jumping at this validation but couldn't. The IT security org needs...(read more)

Application Security Development Lifecycle 3: Funding Models

Akshay Aggarwal — Thu, 08 May 2008 21:48:09 GMT

Now that you've decided (or battled) to set up an application security program you realize that it actually needs to get funded. You must master the art of delicately drinking from the fire hydrant of line of business applications. In my experience helping...(read more)

Front Range web application security summit in Denver

Akshay Aggarwal — Thu, 01 May 2008 20:11:54 GMT

I will be speaking at the Front Range OWASP Conference (FROCo8) in Denver on June 10th. The focus of the conference to share the experiences that the speakers had around solving technical and management issues surrounding application security. I'll be...(read more)

Application Security Development Lifecycle 2: Mandatory or Not?

Akshay Aggarwal — Tue, 22 Apr 2008 10:36:21 GMT

Large enterprises tend to have a number of line of business (LOB) applications supporting business operations. It becomes key for an application security program to help the organization manage the risk posed by each of these applications. Applications...(read more)

Application Security Development Lifecycle 1: Understanding your portfolio

Akshay Aggarwal — Mon, 07 Apr 2008 19:45:00 GMT

"How many applications do you have and what do they do?" It seems simple enough yet this questions seems to perplex many a smart mind. Having posed it to over a hundred and fifty CSO/CIOs over the last year, I have rarely received a clear answer that...(read more)

Application Security Development Lifecycle Series

Akshay Aggarwal — Thu, 03 Apr 2008 09:54:00 GMT

After several requests from customers about information on how enterprise class application security programs are set up, I am writing a series of blogs about my experience helping some large enterprises set up application security teams similar to the...(read more)

Encounters making an Application Security Case Study Video

Akshay Aggarwal — Tue, 12 Jun 2007 19:23:40 GMT

Microsoft IT has been developing an engineering based application security lifecycle for about 5 years now. The ACE team is responsible for helping develop and maintain this lifecycle called the Security Development Lifecycle for IT (SDL for IT) which is currently used to secure line of business applications developed by Microsoft IT. This lifecycle has been adapted to work with other business units within Microsoft. Microsoft IT has taken this experience building an adaptable and scalable application security development lifecycle and exposed it to our customers.

A large part of my job profile is to help large enterprise customers adapt the SDL for IT to work with their business. This is particularly challenging as the core-competency, organizational structure and technical depth of each company and each industry vertical is very different.

Customer: The First American Corporation (NYSE: FAF) is a large financial services organization based in Santa Ana, CA. The case study video features FAF executives Jeff Klopfer and Scott Campbell talking about First American's experience with the SDL for IT process.

Making the video: In response to customer requests to hear success stories around SDL for IT, I started a quest to find a customer based within my region with whom we could conduct a case study. There were several challenges while making this video and I want to discuss my experience leading the creation of this case study.

The unique challenge here was to get funding and well, finding a producer who could do it in time (3 weeks from first contact to deliverable). Microsoft unlike a lot of companies has its own studios and several vendors who are well versed with making case study videos.

Things to do while making a video case study:

Clarify objectives: You will find that a case study has a lot of moving parts and stakeholders. A set of written objectives and metrics on how to evaluate the achievement of those objectives is very critical. All the stakeholders need to approve this. Remember the customer will only endorse a study that they have analyzed to be accurately reflecting their views.
Target Audience: The target audience should be identified and the messaging needs to address areas of interest to the target audience. Audiences one could consider while building an IT case study are technical: architects, developers, testers; sales and marketing; operational managers; or business decision makers
Find Producer: Identifying a producer early during the project can have several advantages including an easier scheduling process and innovative story boards. Story boarding is very vital to highlight the points you want to leave the audience with. Remember that you have around 2-3 minutes to tell a story.
Shooting: While at the customers location keep scouting for a cool location to shoot the video. Personally, I prefer locations that do not have too much going on in the background. Don't wear clothing which will blur in low quality videos. This includes stripped or checked clothes. Check with the video team and communicate this to the individuals involved ahead of time.
Identify Executives: The case study needs to communicate some tangible message. My experience is that the message is best received from an organizational counterpart of your target audience. A CIO to a CIO or Architect to Architect.
Editing: Editing a video requires a huge time commitment from the person commissioning the study. They have to work with the producer and editor to ensure that the messaging is accurate and more importantly they provide the domain expertise that the video team does not possess.
Format: The case study should be available in both high and low quality. Also get the raw footage from the producer for subsequent alterations or expansions.

In any case, watch the case study and let me know what you think. In the meantime, I will begin lobbying for an Oscar category for case study videos.

CSO Summit: Securing the retail application

Akshay Aggarwal — Thu, 07 Jun 2007 03:14:55 GMT

Technorati Tags: Conferences

Last month I presented a talk about the security risks faced by the retail industry at the Microsoft Chief Security Officer Summit in Redmond. This was a gathering of several hundred CSOs from major Microsoft customers to share their experience around security in their organizations and to help them understand our strategy around security.

My talk was based upon interactions and research my team has done with several large organizations in the retail vertical. I've come up with a couple of very plausible real world scenarios that can allow a technical risk to transcend the enterprise IT boundary and impact the core business processes.

Scenario 1:Stealing credit card info from Point of Sales systems in-store

Ease of exploitability: medium.

Impact is critical.

Attacker steals credit card data from Point of Sales (POS) system that talks to retail application client and web service across the web. This system does financial applications over the Internet.

In most cases enterprises expect the attack surface to be communication going over the "Internet", however my experience has been that it is trivial to attack POS systems in stores or retail outlets and obtain that data before it is transmitted across the web. The attack surface is not limited to the web.

Scenario 2: Compromise Supply Chain Management System

Ease of exploitability: hard

Impact is critical.

In several SCM systems unauthenticated web service are used to generate control data like shipping addresses. An attacker can use compromised web service to inject malicious data into shipping system. As a result 100,000 wool sweaters could be sent to Miami in July. Threat modeling and security code reviews can be used to minimize the possibility of this attack succeeding.

Our investigations led us to determine that from a business perspective the highest application risk to retail organizations comes in the following threats:

Insufficient authentication mechanisms

Poor authorization model

Lacking input validation controls

Susceptible to Denial of Service issues

Non-standard deployment of point of sales systems

SCM systems susceptible to insider attacks

The Business of Application Security & Performance

Akshay Aggarwal — Tue, 08 May 2007 10:12:00 GMT

As I fly from San Jose to Seattle passing over Crater Lake pondering over what this blog will be about, two things come to mind. The first is that the business of developing secure, high performance line of business applications is an area I have had an opportunity to work with several CSOs/CIOs on and would like to capture this interactive knowledge. The second is purely about leadership. I encouraged the 10 people who report to me to blog and can’t really do so without taking the time out to do so myself.

Over the past few years I have evolved from a Senior Security Technologist striving towards securing Microsoft’s critical applications and software to an Engagement Manager on the Application Consulting & Engineering (ACE) Services team at Microsoft. The ACE team as you can gather from this blog is the team at Microsoft IT responsible for application security, privacy and performance.

I was hired around 2 years ago with the aim of helping the ACE team start a consulting practice around security by leveraging internal MSIT learning and taking it out to major clients and partners. This is has since expanded to the area of security and performance consulting. My role is to manage the business lines in the East and West Regions of the United States, Asia Pacific, Middle East and Latin America. Apart from that my current responsibilities include developing strategies for scaling Microsoft’s application security practice, incubating new service lines and establishing offshore capabilities.

This blog will focus on the business aspects of application security and performance as well as experiences relating to leadership development.