Chimera: Securing a Cloud App Ecosystem with ZAP at Scale

Presented at AppSec USA 2015, Sept. 24, 2015, 1 p.m. (55 minutes)

One of the biggest challenges in maintaining a cloud application ecosystem with software developed by Independent Software Vendors (ISVs) and developers is ensuring that data within that ecosystem stays secure. It's impossible for a centralized security team to be responsible for every ISV's product security, code maintenance, etc., yet in the eyes of the public, responsibility for the ecosystem lies with that centralized team. With Chimera, we're trying to make that responsibility a little easier to share.

The Salesforce AppExchange has over 2,650 apps available and the majority of them connect to an external web service. Although these external systems are not under our control and are, to us, black boxes, we consider trust in the ecosystem of paramount importance and spend significant time and resources on ensuring the security of these apps. Even with rigorous security auditing and penetration testing by a large security team, that is a huge ecosystem to keep secure.

One of our main goals and missions is to be ambassadors and educators for good security practice to our ISV community as they develop on our platform. Many of these development teams are small groups if not individual developers. While none of them are trying to be insecure, relatively few of them have a security team or security experience.

The goal of Chimera is to make security scanning easier and more accessible for small developers and ISVs who don't have their own security engineers. Learn how we are using the Heroku platform to make ZAP and many other industry-standard tools available through the cloud at scale and at the consumer level, with no security expertise required. We'll also discuss some of the tools we are building to make use of data collected by ZAP in the cloud to help predict where future vulnerabilities or exploits may occur within the scanned ecosystem.

Presenters:

  • Tim Bach - Senior Product Security Engineer - Salesforce
    Tim Bach is a Senior Product Security Engineer at Salesforce, where he focuses on penetration tests of AppExchange partners and the research and development of security tools and automation. A firm believer that product security is a shared burden for all developers, engineers, and executives, much of his work revolves around making security tools and instrumentation available to and consumable by those who do not specialize in security. Outside of work hours, Tim tries to get as far away from computer security as possible and enjoys travel, backpacking, skiing, and exploring the vast number of Bay Area restaurants and bars.
