TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
SmallBiz and Appsec, from SANS AppSec Las Vegas 2012
1. What You Can Learn
From Small Companies
About AppSec
SANS AppSec Las Vegas 2012
Nick Galbreath @ngalbreath nickg@etsy.com
2. Who is Etsy? nickg?
• Etsy is the “marketplace for small creative
businesses”
• Alexa rank of #51 in USA
• > $500MM/year in transaction volume
• Nick Galbreath is a Director of Engineering
focusing on Security, Fraud, Internal
Analytics, Internal Tools
3. FACT
Being at patch level for your
OS and applications eliminates
the vast majority of desktop
attacks
The Exploit Intelligence Project, Dan Guido
7/25/2011 http://bit.ly/KiWhmw
4. FACT
You have security problems
on your website right now
(although perhaps not currently not exploited)
Your development environment is
different than production
No amount of QA can guarantee
“security”
5. Being able to deploy
quickly is my #1
security feature
This implies a standardized, automated
system and configuration management.
Can be as simple as shell scripts.
No fancy tools required.
Your Servers, OS, Desktop, Applications, Routers, etc
8. How low can
you go?
Fault in elevator at Floor 39
last night
MTTD
Mean Time To Detect
How fast can you detect a
problem?
MTTR
Mean Time To Repair
How fast can you repair or
resolve a problem?
9. But doesn’t rapid
change (lean, devops,
agile) make things less
secure?
Well compared to....
10. We’ll rush that security fix.
It will go out in next release
in about 6 weeks.
former vendor at Etsy