<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.msdn.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Akshay on the business of security : Business</title><link>http://blogs.msdn.com/akshay_aggarwal/archive/tags/Business/default.aspx</link><description>Tags: Business</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>The InfoSec X Prize: Fundamental Change Through Competition</title><link>http://blogs.msdn.com/akshay_aggarwal/archive/2009/01/22/the-infosec-x-prize-fundamental-change-through-competition.aspx</link><pubDate>Fri, 23 Jan 2009 01:06:34 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9371057</guid><dc:creator>Akshay Aggarwal</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/akshay_aggarwal/comments/9371057.aspx</comments><wfw:commentRss>http://blogs.msdn.com/akshay_aggarwal/commentrss.aspx?PostID=9371057</wfw:commentRss><wfw:comment>http://blogs.msdn.com/akshay_aggarwal/rsscomments.aspx?PostID=9371057</wfw:comment><description>Today I had a thought provoking conversation with Dr. Peter Diamandis , Chairman and CEO of Zero Gravity Corporation &amp;amp; X Prize Foundation, on radical &amp;amp; fundamental change. 
Change that advances the status quo rather than relying on incremental...(&lt;a href="http://blogs.msdn.com/akshay_aggarwal/archive/2009/01/22/the-infosec-x-prize-fundamental-change-through-competition.aspx"&gt;read more&lt;/a&gt;)&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=9371057" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/Application+Security/default.aspx">Application Security</category><category domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/Business/default.aspx">Business</category><category domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/Leadership/default.aspx">Leadership</category><category domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/Strategy/default.aspx">Strategy</category><category domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/Innovation/default.aspx">Innovation</category></item><item><title>Business During Downturn: The Chain Of Trust</title><link>http://blogs.msdn.com/akshay_aggarwal/archive/2009/01/21/business-during-downturn-the-chain-of-trust.aspx</link><pubDate>Thu, 22 Jan 2009 06:48:43 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9362282</guid><dc:creator>Akshay Aggarwal</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/akshay_aggarwal/comments/9362282.aspx</comments><wfw:commentRss>http://blogs.msdn.com/akshay_aggarwal/commentrss.aspx?PostID=9362282</wfw:commentRss><wfw:comment>http://blogs.msdn.com/akshay_aggarwal/rsscomments.aspx?PostID=9362282</wfw:comment><description>Business during economic downturns brings to the surface the tiny fractures that were unnoticeable during the good times. It is a fertile ground to relearn some of the lessons of the past &amp;amp; form wisdom for the future. 
I am going to try and capture...(&lt;a href="http://blogs.msdn.com/akshay_aggarwal/archive/2009/01/21/business-during-downturn-the-chain-of-trust.aspx"&gt;read more&lt;/a&gt;)&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=9362282" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/Business/default.aspx">Business</category><category domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/Leadership/default.aspx">Leadership</category><category domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/Management/default.aspx">Management</category></item><item><title>Meter This: Practical Application Of Power drain Attack</title><link>http://blogs.msdn.com/akshay_aggarwal/archive/2008/07/25/meter-this-practical-application-of-power-drain-attack.aspx</link><pubDate>Sat, 26 Jul 2008 00:47:53 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8773138</guid><dc:creator>Akshay Aggarwal</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.msdn.com/akshay_aggarwal/comments/8773138.aspx</comments><wfw:commentRss>http://blogs.msdn.com/akshay_aggarwal/commentrss.aspx?PostID=8773138</wfw:commentRss><wfw:comment>http://blogs.msdn.com/akshay_aggarwal/rsscomments.aspx?PostID=8773138</wfw:comment><description>Last week while feeding my caffeine addiction I came across an article in the New York Times titled Can’t Find a Parking Spot? Check Smartphone . 
In order to reduce traffic congestion and fuel consumption, the city of San Francisco is implementing a new...(&lt;a href="http://blogs.msdn.com/akshay_aggarwal/archive/2008/07/25/meter-this-practical-application-of-power-drain-attack.aspx"&gt;read more&lt;/a&gt;)&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=8773138" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/Business/default.aspx">Business</category><category domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/Security/default.aspx">Security</category></item><item><title>My BlueHat Talk</title><link>http://blogs.msdn.com/akshay_aggarwal/archive/2008/07/15/my-bluehat-talk.aspx</link><pubDate>Tue, 15 Jul 2008 23:08:27 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8734893</guid><dc:creator>Akshay Aggarwal</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.msdn.com/akshay_aggarwal/comments/8734893.aspx</comments><wfw:commentRss>http://blogs.msdn.com/akshay_aggarwal/commentrss.aspx?PostID=8734893</wfw:commentRss><wfw:comment>http://blogs.msdn.com/akshay_aggarwal/rsscomments.aspx?PostID=8734893</wfw:comment><description>Just got word that my talk Suddenly Psychic: Knowing everything about everyone was accepted at Microsoft's BlueHat Security Conference on October 16-17th. Sometimes when you go blue... you really go blue. 
Over the course of the next few months my buddy...(&lt;a href="http://blogs.msdn.com/akshay_aggarwal/archive/2008/07/15/my-bluehat-talk.aspx"&gt;read more&lt;/a&gt;)&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=8734893" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/Business/default.aspx">Business</category><category domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/Strategy/default.aspx">Strategy</category><category domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/Conference/default.aspx">Conference</category><category domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/Speaking/default.aspx">Speaking</category><category domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/BlueHat/default.aspx">BlueHat</category></item><item><title>Application Security Development Lifecycle 5A: Is Threat Modeling Right For You?</title><link>http://blogs.msdn.com/akshay_aggarwal/archive/2008/06/11/application-security-development-lifecycle-5a-is-threat-modeling-right-for-you.aspx</link><pubDate>Wed, 11 Jun 2008 18:06:24 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8590916</guid><dc:creator>Akshay Aggarwal</dc:creator><slash:comments>6</slash:comments><comments>http://blogs.msdn.com/akshay_aggarwal/comments/8590916.aspx</comments><wfw:commentRss>http://blogs.msdn.com/akshay_aggarwal/commentrss.aspx?PostID=8590916</wfw:commentRss><wfw:comment>http://blogs.msdn.com/akshay_aggarwal/rsscomments.aspx?PostID=8590916</wfw:comment><description>Several enterprises are increasingly investing time and money in building application security tasks into their existing SDLCs. 
Some of them have also reached the conclusion that proactive approaches , like threat modeling, have more ROI than reactive...(&lt;a href="http://blogs.msdn.com/akshay_aggarwal/archive/2008/06/11/application-security-development-lifecycle-5a-is-threat-modeling-right-for-you.aspx"&gt;read more&lt;/a&gt;)&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=8590916" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/Application+Security/default.aspx">Application Security</category><category domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/Business/default.aspx">Business</category><category domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/Governance+Series/default.aspx">Governance Series</category><category domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/Management/default.aspx">Management</category><category domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/SDLC/default.aspx">SDLC</category><category domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/SDL/default.aspx">SDL</category></item><item><title>Connecting a Global team: the power of 30 seconds</title><link>http://blogs.msdn.com/akshay_aggarwal/archive/2008/04/29/connecting-a-global-team-the-power-of-30-seconds.aspx</link><pubDate>Wed, 30 Apr 2008 01:46:05 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8439845</guid><dc:creator>Akshay Aggarwal</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/akshay_aggarwal/comments/8439845.aspx</comments><wfw:commentRss>http://blogs.msdn.com/akshay_aggarwal/commentrss.aspx?PostID=8439845</wfw:commentRss><wfw:comment>http://blogs.msdn.com/akshay_aggarwal/rsscomments.aspx?PostID=8439845</wfw:comment><description>Technorati Tags: Leadership , Business One of the challenges I constantly grapple with is leading a large yet mostly remote team. 
Managing across 5 time zones posting I wrote about it earlier generated a lot of discussion and loads of ideas. Recently...(&lt;a href="http://blogs.msdn.com/akshay_aggarwal/archive/2008/04/29/connecting-a-global-team-the-power-of-30-seconds.aspx"&gt;read more&lt;/a&gt;)&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=8439845" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/Business/default.aspx">Business</category><category domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/Leadership/default.aspx">Leadership</category></item><item><title>Fear and Loathing in Las Vegas: The Hackers Turn Pro</title><link>http://blogs.msdn.com/akshay_aggarwal/archive/2007/10/01/fear-and-loathing-in-las-vegas-the-hackers-turn-pro.aspx</link><pubDate>Mon, 01 Oct 2007 12:14:57 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:4118143</guid><dc:creator>Akshay Aggarwal</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.msdn.com/akshay_aggarwal/comments/4118143.aspx</comments><wfw:commentRss>http://blogs.msdn.com/akshay_aggarwal/commentrss.aspx?PostID=4118143</wfw:commentRss><wfw:comment>http://blogs.msdn.com/akshay_aggarwal/rsscomments.aspx?PostID=4118143</wfw:comment><description>&lt;p&gt;A great &lt;a href="http://www.yankeegroup.com/public/products/decision_note.jsp?ID=13157"&gt;analysis&lt;/a&gt; by the Yankee group on the security posture of products from security vendors. A very interesting read. &lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;Two key factors contribute to the growth of the underground vulnerability economy: historical and chronic weaknesses in the monopoly desktop operating system, Microsoft Windows; and the adolescent enthusiasm of vulnerability researchers continually trying to one-up each other.&lt;br&gt;Three years into its largely customer-imposed security push, Microsoft flaws continue to flow—but at a significantly decreased rate. 
Yankee Group analysis of a well-known public vulnerability data source, ICAT, suggests that flaw finders have shifted their focus toward security products. &lt;br&gt;From 2004 to May 2005 in particular, 77 disclosed vulnerabilities affected a wide array of security products. The incidents increased far faster than the rate for Microsoft (see Exhibit 1). When considering the number of affected products rather than just the number of distinct vulnerabilities, the rate of increase was as fast as that of the industry as a whole. Yankee Group believes this is because of three factors:&lt;br&gt;· &lt;strong&gt;Diminishing returns in operating systems: &lt;/strong&gt;Security researchers focusing on Windows may have largely depleted the supply of the most easily exploited Microsoft flaws, especially in the wake of the watershed release of Windows XP, Service Pack 2.&lt;br&gt;· &lt;strong&gt;Low-hanging fruit in security products:&lt;/strong&gt; Nearly all enterprises have deployed certain classes of security products, notably antivirus and (to a lesser extent) host intrusion prevention. Third-party and press scrutiny has not yet forced security companies to acknowledge and fix potential problems with their code, as it has with operating system vendors. Therefore, flaws targeting security software stand a better chance of being successful.&lt;br&gt;· &lt;strong&gt;Economic self-interest of testing specialists:&lt;/strong&gt; Although not illegal, some security assessment vendors (notably eEye) specialize in finding vulnerabilities in other vendors’ security products. These vendors then turn around and sell their own security analysis products, which conveniently include detection signatures for the other vendors’ vulnerabilities. As shown in Exhibit 2, these firms discovered one-quarter (20 of 77) of the security product vulnerabilities reported in 2004 and 2005, about the same number discovered by independent researchers. 
In contrast, fratricidal discoveries by competing security vendors accounted for a minority (5 of 77). One firm—ISS—accounted for four of these.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;This entry is a repost, by request, of an excerpt from an analysis document. Since I have been asked to forward it multiple times, it may be best to point people to the blog entry instead. Also, who can resist a Hunter Thompson reference?&lt;/p&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=4118143" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/Business/default.aspx">Business</category><category domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/Security/default.aspx">Security</category></item><item><title>Encounters making an Application Security Case Study Video</title><link>http://blogs.msdn.com/akshay_aggarwal/archive/2007/06/12/encounters-making-an-application-security-case-study-video.aspx</link><pubDate>Tue, 12 Jun 2007 19:23:40 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:3252372</guid><dc:creator>Akshay Aggarwal</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/akshay_aggarwal/comments/3252372.aspx</comments><wfw:commentRss>http://blogs.msdn.com/akshay_aggarwal/commentrss.aspx?PostID=3252372</wfw:commentRss><wfw:comment>http://blogs.msdn.com/akshay_aggarwal/rsscomments.aspx?PostID=3252372</wfw:comment><description>&lt;p&gt;Microsoft IT has been developing an engineering based application security lifecycle for about 5 years now. The ACE team is responsible for helping develop and maintain this lifecycle called the Security Development Lifecycle for IT (SDL for IT) which is currently used to secure line of business applications developed by Microsoft IT. This lifecycle has been adapted to work with other business units within Microsoft. 
Microsoft IT has taken this experience building an adaptable and scalable application security development lifecycle and exposed it to our customers.&lt;/p&gt; &lt;p&gt;A large part of my job profile is to help large enterprise customers adapt the SDL for IT to work with their business. This is particularly challenging as the core competency, organizational structure and technical depth of each company&amp;nbsp;and each industry vertical are very different.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Customer:&lt;/strong&gt; The First American Corporation (&lt;a href="http://moneycentral.msn.com/detail/stock_quote?Symbol=US:FAF" target="_blank"&gt;NYSE: FAF&lt;/a&gt;) is a large financial services organization&amp;nbsp;based in Santa Ana, CA. The &lt;a title="First American Case Study" href="http://msdn2.microsoft.com/en-us/security/aa570410.aspx" target="_blank"&gt;case study video&lt;/a&gt;&amp;nbsp;features FAF executives Jeff Klopfer and Scott Campbell talking&amp;nbsp;about First American's experience with the SDL for IT process. &amp;nbsp;&amp;nbsp;&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Making the video:&lt;/strong&gt; In response to customer requests to hear success stories around SDL for IT, I started a quest to find a customer based within my region&amp;nbsp;with whom we could conduct a case study. There were several challenges while making this video and I want to discuss my experience leading the creation of this case study.&lt;/p&gt; &lt;p&gt;The unique challenge here was getting funding and, well, finding a producer who could do it in time (3 weeks from first contact to deliverable). Microsoft, unlike a lot of companies, has its own studios and several vendors who are well versed in making case study videos.&lt;/p&gt; &lt;p&gt;Things to do while making a video case study:&lt;/p&gt; &lt;ol&gt; &lt;li&gt;&lt;strong&gt;Clarify objectives: &lt;/strong&gt;You will find that a case study has a lot of moving parts and stakeholders. 
A set of written objectives and metrics on how to evaluate the achievement of those objectives is critical. All the stakeholders need to approve this. Remember that the customer will only endorse a study they have verified accurately reflects their views.  &lt;li&gt;&lt;strong&gt;Target Audience:&lt;/strong&gt; The target audience should be identified and the messaging needs to address areas of interest to that audience. Audiences one could consider while building an IT case study are technical: architects, developers, testers; sales and marketing; operational managers; or business decision makers.  &lt;li&gt;&lt;strong&gt;Find Producer:&lt;/strong&gt; Identifying a producer early during the project can have several advantages including an easier scheduling process and innovative storyboards. Storyboarding is vital for highlighting&amp;nbsp;the points you want to leave the audience with.&amp;nbsp;Remember that you have around&amp;nbsp;2-3 minutes to tell a story.  &lt;li&gt;&lt;strong&gt;Shooting:&lt;/strong&gt; While at the customer's location keep scouting for a cool location to shoot the video. Personally, I prefer locations that do not have too much going on in the background. Don't wear clothing that will blur in low-quality video, such as striped or checked clothes. Check with the video team and communicate this to the individuals involved ahead of time.  &lt;li&gt;&lt;strong&gt;Identify Executives:&lt;/strong&gt; The&amp;nbsp;case study&amp;nbsp;needs to communicate some tangible message.&amp;nbsp;My experience is that the message is best received from an organizational counterpart&amp;nbsp;of your target audience: a CIO&amp;nbsp;to&amp;nbsp;a CIO or an Architect to an Architect.  &lt;li&gt;&lt;strong&gt;Editing:&lt;/strong&gt; Editing a video requires a huge time commitment from the person commissioning the study. 
They have to work with the producer and editor to ensure that the messaging is accurate and more importantly they provide the domain expertise that the video team does not possess.  &lt;li&gt;&lt;strong&gt;Format:&lt;/strong&gt; The case study should be available in both high and low quality. Also get the raw footage from the producer for subsequent alterations or expansions.&lt;/li&gt;&lt;/ol&gt; &lt;p&gt;In any case, watch the case study and let me know what you think. In the meantime, I will begin lobbying for an Oscar category for case study videos.&lt;/p&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=3252372" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/Application+Security/default.aspx">Application Security</category><category domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/Business/default.aspx">Business</category></item><item><title>CSO Summit: Securing the retail application</title><link>http://blogs.msdn.com/akshay_aggarwal/archive/2007/06/06/cso-summit-securing-the-retail-application.aspx</link><pubDate>Thu, 07 Jun 2007 03:14:55 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:3129125</guid><dc:creator>Akshay Aggarwal</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/akshay_aggarwal/comments/3129125.aspx</comments><wfw:commentRss>http://blogs.msdn.com/akshay_aggarwal/commentrss.aspx?PostID=3129125</wfw:commentRss><wfw:comment>http://blogs.msdn.com/akshay_aggarwal/rsscomments.aspx?PostID=3129125</wfw:comment><description>&lt;div class="wlWriterSmartContent" id="0767317B-992E-4b12-91E0-4F059A8CECA8:f78ac861-f410-42a3-a687-1633a42f52d6" contenteditable="false" style="padding-right: 0px; display: inline; padding-left: 0px; padding-bottom: 0px; margin: 0px; padding-top: 0px"&gt;Technorati Tags: &lt;a href="http://technorati.com/tags/Conferences" rel="tag"&gt;Conferences&lt;/a&gt;&lt;/div&gt; &lt;p&gt;Last month I presented 
a talk about the security risks faced by the retail industry at the Microsoft &lt;a href="https://www.ustechsregister.com/csosummit/Main.aspx?"&gt;Chief Security Officer Summit&lt;/a&gt; in Redmond. This was a gathering of several hundred CSOs from major Microsoft customers to share their experience around security in their organizations and to help them understand our strategy around security. &lt;p&gt;My talk was based upon interactions and research my team has done with several large organizations in the retail vertical. I've come up with a couple of very plausible real-world scenarios that can allow a technical risk to transcend the enterprise IT boundary and impact the core business processes. &lt;p&gt;Scenario 1: Stealing credit card info from Point of Sale systems in-store &lt;p&gt;Ease of exploitability: &lt;i&gt;medium&lt;/i&gt;.  &lt;p&gt;Impact is &lt;i&gt;critical. &lt;/i&gt;&lt;/p&gt; &lt;p&gt;An attacker steals credit card data from a Point of Sale (POS) system that talks to the retail application client and web service across the web. This system runs financial applications over the Internet.  &lt;p&gt;In most cases enterprises expect the attack surface to be the communication going over the "Internet"; however, my experience has been that it is trivial to attack POS systems in stores or retail outlets and obtain that data before it is transmitted across the web. The attack surface is not limited to the web. &lt;p&gt;Scenario 2: Compromising a Supply Chain Management (SCM) System &lt;p&gt;Ease of exploitability:&amp;nbsp;&lt;em&gt;hard&lt;/em&gt;  &lt;p&gt;Impact is &lt;i&gt;critical. &lt;/i&gt;&lt;/p&gt; &lt;p&gt;In several SCM systems unauthenticated web services are used to generate control data like shipping addresses. An attacker can use a compromised web service to inject malicious data into the shipping system. As a result&amp;nbsp;100,000 wool sweaters could be sent to Miami in July. 
Threat modeling and security code reviews can be used to minimize the possibility of this attack succeeding. &lt;p&gt;&lt;i&gt;&lt;/i&gt; &lt;p&gt;Our investigations led us to determine that from a business perspective the highest application risk to retail organizations comes in the following threats:  &lt;p&gt;&lt;img height="12" alt="*" src="http://blogs.msdn.com/blogfiles/akshay_aggarwal/WindowsLiveWriter/CSOSummitSecuringtheretailapplication_F7C7/clip_image002.gif" width="12"&gt; Insufficient authentication mechanisms&lt;/p&gt; &lt;p&gt;&lt;img height="12" alt="*" src="http://blogs.msdn.com/blogfiles/akshay_aggarwal/WindowsLiveWriter/CSOSummitSecuringtheretailapplication_F7C7/clip_image002_1.gif" width="12"&gt; Poor authorization model &lt;/p&gt; &lt;p&gt;&lt;img height="12" alt="*" src="http://blogs.msdn.com/blogfiles/akshay_aggarwal/WindowsLiveWriter/CSOSummitSecuringtheretailapplication_F7C7/clip_image002_2.gif" width="12"&gt; Lacking input validation controls  &lt;p&gt;&lt;img height="12" alt="*" src="http://blogs.msdn.com/blogfiles/akshay_aggarwal/WindowsLiveWriter/CSOSummitSecuringtheretailapplication_F7C7/clip_image002_3.gif" width="12"&gt; Susceptible to Denial of Service issues  &lt;p&gt;&lt;img height="12" alt="*" src="http://blogs.msdn.com/blogfiles/akshay_aggarwal/WindowsLiveWriter/CSOSummitSecuringtheretailapplication_F7C7/clip_image002_4.gif" width="12"&gt; Non-standard deployment of point of sales systems  &lt;p&gt;&lt;img height="12" alt="*" src="http://blogs.msdn.com/blogfiles/akshay_aggarwal/WindowsLiveWriter/CSOSummitSecuringtheretailapplication_F7C7/clip_image002_5.gif" width="12"&gt; SCM systems susceptible to insider attacks  &lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=3129125" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/Application+Security/default.aspx">Application Security</category><category 
domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/Business/default.aspx">Business</category></item><item><title>The Business of Application Security &amp; Performance</title><link>http://blogs.msdn.com/akshay_aggarwal/archive/2007/05/08/the-business-of-application-security-performance.aspx</link><pubDate>Tue, 08 May 2007 10:12:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:2475654</guid><dc:creator>Akshay Aggarwal</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/akshay_aggarwal/comments/2475654.aspx</comments><wfw:commentRss>http://blogs.msdn.com/akshay_aggarwal/commentrss.aspx?PostID=2475654</wfw:commentRss><wfw:comment>http://blogs.msdn.com/akshay_aggarwal/rsscomments.aspx?PostID=2475654</wfw:comment><description>&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;SPAN style="mso-bidi-font-weight: bold"&gt;&lt;FONT size=3&gt;&lt;FONT face="Times New Roman"&gt;As I fly from San Jose to Seattle passing over Crater Lake pondering over what this blog will be about, two things come to mind.&lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp; &lt;/SPAN&gt;The first is that the business of developing secure, high performance line of business applications is an area I have had an opportunity to work with several CSOs/CIOs on and would like to capture this interactive knowledge. The second is purely about leadership. I encouraged the 10 people who report to me to blog and can’t really do so without taking the time out to do so myself.&lt;?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;SPAN style="mso-bidi-font-weight: bold"&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;SPAN style="mso-bidi-font-weight: bold"&gt;&lt;FONT size=3&gt;&lt;FONT face="Times New Roman"&gt;Over the past few years I have evolved from a Senior Security Technologist striving towards securing Microsoft’s critical applications and software to an Engagement Manager on the Application Consulting &amp;amp; Engineering (ACE) Services team at Microsoft. The ACE team as you can gather from this &lt;A class="" title="ACE team blog" href="http://blogs.msdn.com/ace_team/" target=_blank mce_href="http://blogs.msdn.com/ace_team/"&gt;blog&lt;/A&gt; is the team at Microsoft IT responsible for application security, privacy and performance.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;SPAN style="mso-bidi-font-weight: bold"&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;FONT size=3&gt;&lt;FONT face="Times New Roman"&gt;&lt;SPAN style="mso-bidi-font-weight: bold"&gt;I was hired around 2 years ago with the aim of helping the ACE team start a consulting practice around security by leveraging internal MSIT learning and taking it out to major clients and partners. This is has since expanded to the area of security and performance consulting. My role is to &lt;/SPAN&gt;manage the business lines in the East and West Regions of the United States, Asia Pacific, Middle East and Latin America. Apart from that my current responsibilities include developing strategies for scaling Microsoft’s application security practice, incubating new service lines and establishing offshore capabilities.&lt;/FONT&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;FONT face="Times New Roman" size=3&gt;This blog will focus on the business aspects of application security and performance as well as experiences relating to leadership development.&lt;/FONT&gt;&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=2475654" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/Performance/default.aspx">Performance</category><category domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/Application+Security/default.aspx">Application Security</category><category domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/Business/default.aspx">Business</category><category domain="http://blogs.msdn.com/akshay_aggarwal/archive/tags/Leadership/default.aspx">Leadership</category></item></channel></rss>