IT Risk Management: Guide to Software Risk Assessments and Audits
|
|
- Dorcas O’Connor’
- 8 years ago
- Views:
Transcription
1 IT Risk Management: Guide to Software Risk Assessments and Audits
2 Contents Overview... 3 Executive Summary... 3 Software: Today s Biggest Security Risk... 4 How Software Risk Enters the Enterprise... 5 Software Risk Management... 6 Step 1 Software Risk Assessment: Inventory and Assurance Levels 6 Step 2 Software Risk Assessment: Independent Application Security Testing 7 Step 3 Software Risk Mitigation: Set Acceptance Thresholds 7 Step 4 Evaluation and Assessment 8 How Veracode Can Help... 8 About Veracode Veracode, Inc. 2
3 Overview Risk is a function of the likelihood of a given threat-source s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. 1 In IT systems, risk can be introduced from the internet, servers, networks, malicious insiders and even lapses in physical security. However, the current rate of newly discovered vulnerabilities in software has risen to the top of the agenda for security professionals striving to control their company s overall risk profile. According to Gartner and the Computer Emergency Response Team (CERT), 75% of new attacks target the application layer and software vulnerabilities have reached an all time high with more than 7,000 new vulnerabilities disclosed over the last year. 2 Executive Summary The software industry is one of the largest manufacturing industries in the world, with $350 billion in off-the-shelf software sold each year and over $100 billion in customized code on top of that. Despite the size, there is no standardized notion of software security quality even though the repercussions include product patches, data breaches leading to massive theft and fluctuations in corporate stock prices. This pushes both costs and liabilities onto the enterprise purchasing the software. In most cases organizations do not have any insight into what vulnerabilities exist in these applications, resulting in an unacceptable level of unbounded risk. Until now, enterprises have lacked an efficient manner to analyze the security of software as part of their risk management processes. Security testing has been limited to manual analysis by consultants, using internal teams with source code tools or trusting the software supplier to test their own code. None of these approaches scale to cover an enterprise s entire application portfolio and can add significant time and costs to projects. In an effort to combat this growing trend, new compliance requirements from the Payment Card Industry (PCI), the Comptroller of the Currency Administrator of National Banks (OCC) along with recommendations from industry groups and analysts call for risk management processes to secure software applications. This whitepaper outlines how new application security technologies enable organizations to meet the growing threat posed by software and provides risk management best practices which enterprises can use to secure their application inventory. 1 NIST Risk Management Guide for Information Systems Special Publication Microsoft Security Intelligence Report 2008 Based on data from the DHS NVD & CERT 3
4 Software: Today s Biggest Security Risk Today s application has become the enterprise s new perimeter. With better network-level security technology hardening the network perimeter, malicious attackers are now focusing their efforts to strike at the least defended points the application. While hackers were once satisfied with defacing Web sites, unleashing denial-of-service attacks and trading illicit files through targeted networks, modern attackers are profit-driven. Financial and customer data have become valuable commodities and applications must be secure enough to protect them. Recent industry statistics confirm this trend. Data from CERT reveals that the number of software vulnerabilities has risen dramatically and has eclipsed 7,000 new software vulnerability disclosures in the past year an all time high 3. Meanwhile, Gartner and NIST report that 95% of all reported vulnerabilities are in software 4, 78% of threats target business information, and 75% of attacks target the application level 5. Yet, even with these findings, most enterprises allocate less than 10% of their security spending to application security. NIST/Gartner Key Facts CERT Number of Software Vulnerability Disclosures per Year 3 Microsoft Security Intelligence Report 2008 Based on data from the DHS NVD & CERT 4 Mark Curphey, Software Security Testing: Let s Get Back to Basics October, 2004, SoftwareMAG.com 5 Theresa Lanowitz, Now Is the Time for Security at the Application Level 2005, Gartner 4
5 How Software Risk Enters the Enterprise As the myriad of applications deployed within organizations increases, some developed internally, some brought in from outside the effort needed to manage risk becomes greater. Applications are inherently more complex with many being based on a mixed code base from a wide range of sources, teams, and geographic locations. Gone are the days when companies developed their own source code. Now over two-thirds of the world s largest companies are engaged in offshore outsourcing. 6 Additionally enterprises have lacked an efficient matter to analyze the security of off-the-shelf commercial applications that are purchased further decreasing their security posture. Traditional tools cannot rise to this challenge as they typically require source code which usually isn t available in mixed code based applications. Manual penetration testing is time consuming, costly and simply doesn t scale. Figure 1 below shows how software risk enters the enterprise as today s application development and procurement processes have become increasingly distributed and complex. Figure 1 - Modern Software Risk Landscape Today s applications are made up of multiple pre-compiled components, libraries and open source. The US Department of Homeland Security calls this SOUP or software of unknown pedigree. Simply put, the software supply chain is increasingly complex and whether software is purchased from an established vendor or developed in-house, the liability and risk that the application poses rests with the enterprise and organizations must take steps to test applications for security vulnerabilities prior to accepting and deploying software. 6 Mary Hayes Weier, The Second Decade Of Offshore Outsourcing: Where We're Headed, Nov. 2007, InformationWeek 5
6 Software Risk Management Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations missions. Overall risk management encompasses three processes: risk assessment, risk mitigation, and evaluation and assessment. 7 The following steps detail best practices for implementing a successful software risk management program. Step 1 Software Risk Assessment: Inventory and Assurance Levels While it may seem obvious that as part of a risk assessment organizations need to create an inventory of their applications that are being developed, purchased or maintained by an outsourcing provider, however, in practice it can be a challenging exercise. With the advent of low cost offshore development, open source and low cost commercial software it is common to see application sprawl as individual groups or business units may have contracted work that previously would have required higher capital costs and formal approvals. When conducting an application inventory, involve business units, procurement and vendor management to ensure all software that was or is entering the organization has been identified. Once applications have been identified, organizations need to understand the risk that the application poses to the business. This can be achieved through the assignment of an assurance level for each application based on business risk factors such as: reputation damage, financial loss, operational risk, sensitive information disclosure, personal safety, and legal violations. Assurance levels are used to determine the extent of testing methods (e.g. higher assurance levels may be tested using multiple techniques) and the overall acceptance criteria (e.g. a lower assurance level application may be accepted with a lower security scores as they do not pose a significant risk to the business). The following chart from NIST provides guidance on selecting an assurance level based on business risk: 7 NIST Special Publication
7 Step 2 Software Risk Assessment: Independent Application Security Testing In order to quantify the risk posed by software identified in step 1, organizations need to conduct security testing in order to determine if the application contains vulnerabilities. However, until now, true testing of software has been difficult due to the high cost and effort required to conduct manual code reviews and the difficulty in obtaining access to of source code. Because of these issues, few companies conduct software testing or are only able to address a small sub-segment of their highest risk applications. Given the current threat landscape, it is imperative that organizations test all of their outsourced applications, ideally using a third party to obtain Independent Verification and Validation (IV&V). New technologies and testing methodologies, e.g. automated security testing services offered by companies such as Veracode, now enable organizations to independently test all of their applications before they are accepted and deployed by the enterprise. Step 3 Software Risk Mitigation: Set Acceptance Thresholds Enterprises can leverage software security ratings to decide which applications are secure enough to be accepted or deployed and which applications need remediation by the provider before software acceptance. To demonstrate setting acceptance thresholds, we will use Veracode s SecurityReview service as an example. Application testing with various testing techniques, combined with a scoring system based on the Common Vulnerability Scoring System (CVSS) and the Common Weakness Enumeration (CWE) standards, a Security Quality Score (SQS) is derived for each application. The assurance levels the enterprise selected in Step 1 (above) is then applied to incorporate business risk and the output is normalized to an easy to understand letter grade (A, B, C, etc ). Thus, enterprises can set an acceptable grade A for example and software must achieve that grade for the application to be accepted. Setting thresholds and using standard-based scoring removes the subjectivity and gray-area on what constitutes acceptance and clarifies the process for both the enterprise and provider. Below is a chart that demonstrates how organizations can use assurance levels, quality scores and testing methods to achieve an overall rating: 7
8 Step 4 Evaluation and Assessment Security and risk are not a point-in-time, but a continuous process. As the organization grows, new applications are deployed, existing applications are upgraded and new features or functionality is enabled. Additionally, the threat landscape for software vulnerabilities is constantly changing. An application which is secure today may become vulnerable at a future date as new attack vectors and methods are developed. Thus, it is critical that a successful risk management program performs ongoing evaluations and assessments as to the effectiveness and relevance of the controls which are deployed. For software risk management, this means constantly monitoring the threat landscape through formal vulnerability notification programs such as the Department of Homeland Security s National Vulnerability Database or MITRE s Common Vulnerability and Exposures (CVE) service. Additionally, because attacker s methods evolve over time, software risk management programs should use the following evaluation and assessment methods for deployed applications: Re-test applications after upgrades, patches or significant changes prior to deployment Re-test deployed applications at on a quarterly or semi-annually basis, depending on assurance level, in order to determine if new threat models expose the application to vulnerabilities How Veracode Can Help Veracode SecurityReview is the industry s first solution to use patented binary code analysis and dynamic web analysis to uniquely assess any application security threats, including vulnerabilities and malicious code. SecurityReview performs the only complete and independent security audit across any internally developed applications, third-party commercial off-the-shelf software and offshore code without exposing a company s source code. Delivered as an on-demand service, Veracode delivers the simplest and most-cost effective way to implement security best practices, reduce operational cost and achieve compliance without requiring any hardware, software or training. As an expert in application security, Veracode is uniquely suited to provide independent verification and validation (IV&V) of software applications without the need for costly on-site consultants. Veracode's Ratings System produces a software security rating based on respected industry standards including MITRE s Common Weakness Enumeration (CWE) for classification of software weaknesses and FIRST s Common Vulnerability Scoring System (CVSS) for severity and ease of exploitability and NIST s application assurance levels. These universally accepted vulnerability scoring methods provide a clear audit trail enabling enterprises to automate the security acceptance testing of outsourced applications and meet both internal and external security and compliance requirements and reduce their exposure to risk. 8
9 About Veracode Veracode is the world s leader for on-demand application security testing solutions. Veracode SecurityReview is the industry s first solution to use patented binary code analysis and dynamic web analysis to uniquely assess any application security threats, including vulnerabilities such as cross-site scripting (XSS), SQL injection, buffer overflows and malicious code. SecurityReview performs the only complete and independent security audit across any internally developed applications, third-party commercial off-the-shelf software and offshore code without exposing a company s source code. Delivered as an on-demand service, Veracode delivers the simplest and most-cost effective way to implement security best practices, reduce operational cost and achieve regulatory requirements such as PCI compliance without requiring any hardware, software or training. Veracode has established a position as the market visionary and leader with awards that include recognition as a Gartner Cool Vendor 2008, Info Security Product Guide s Tomorrow s Technology Today Award 2008, Information Security Readers Choice Award 2008, AlwaysOn Northeast's "Top 100 Private Company 2008", NetworkWorld Top 10 Security Company to Watch 2007, and Dark Reading s Top 10 Hot Security Startups Based in Burlington, Mass., Veracode is backed by.406 Ventures, Atlas Venture and Polaris Venture Partners. For more information, visit 9
Five Steps to Secure Outsourced Application Development
Five Steps to Secure Outsourced Application Development Contents Executive Summary... 3 Software: Today s Biggest Security Risk... 4 Offshore Development Trends... 5 Five Key Steps... 6 Step 1 Risk Assessment
More informationWhite Paper. Automating Your Code Review: Moving to a SaaS Model for Application Security
White Paper Automating Your Code Review: Moving to a SaaS Model for Application Security Contents Overview... 3 Executive Summary... 3 Code Review and Security Analysis Methods... 5 Source Code Review
More informationWhite Paper. Understanding NIST 800 37 FISMA Requirements
White Paper Understanding NIST 800 37 FISMA Requirements Contents Overview... 3 I. The Role of NIST in FISMA Compliance... 3 II. NIST Risk Management Framework for FISMA... 4 III. Application Security
More informationWhite Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers
White Paper Guide to PCI Application Security Compliance for Merchants and Service Providers Contents Overview... 3 I. The PCI DSS Requirements... 3 II. Compliance and Validation Requirements... 4 III.
More informationSoftware Risk Management and Mitigation Model
Software Risk Management and Mitigation Model 1 Narendra Kumar Rout, 2 Nirjharinee Parida, 3 Sushruta Mishra 1,2&3 Gandhi Engineering College, BBSR ABSTRACT Software risk management is a software engineering
More informationManaging Risk in Software Engineering
COPYRIGHT 2011 IJCIT, ISSN 2078-5828 (PRINT), ISSN 2218-5224 (ONLINE), VOLUME 02, ISSUE 01, MANUSCRIPT CODE: 110740 Software Risk Management: Importance and Practices Abdullah Al Murad Chowdhury and Shamsul
More informationYour world runs on applications. Secure them with Veracode.
Application Risk Management Solutions Your world runs on applications. Secure them with Veracode. Software Security Simplified Application security risk is inherent in every organization that relies on
More informationFive Best Practices of Vendor Application Security Management
Five Best Practices of Vendor Application Security Management Table of Contents Executive Summary...1 Managing Risk in the Software Supply Chain...1 Challenges with Securing Vendor Software...3 Taking
More informationState of Software Security Report
VOLUME 2 State of Software Security Report The Intractable Problem of Insecure Software Executive Summary September 22, 2010 Software Security Simplified Executive Summary The following are some of the
More informationVOLUME 4. State of Software Security Report. The Intractable Problem of Insecure Software
VOLUME 4 State of Software Security Report The Intractable Problem of Insecure Software December 7, 2011 Executive Summary The following are some of the most significant findings in the Veracode State
More informationSAST, DAST and Vulnerability Assessments, 1+1+1 = 4
SAST, DAST and Vulnerability Assessments, 1+1+1 = 4 Gordon MacKay Digital Defense, Inc. Chris Wysopal Veracode Session ID: Session Classification: ASEC-W25 Intermediate AGENDA Risk Management Challenges
More informationCDM Vulnerability Management (VUL) Capability
CDM Vulnerability Management (VUL) Capability Department of Homeland Security Office of Cybersecurity and Communications Federal Network Resilience Vulnerability Management Continuous Diagnostics and Mitigation
More informationNIST National Institute of Standards and Technology
NIST National Institute of Standards and Technology Lets look at SP800-30 Risk Management Guide for Information Technology Systems (September 2012) What follows are the NIST SP800-30 slides, which are
More informationExternal Supplier Control Requirements
External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must
More informationVOLUME 3. State of Software Security Report. The Intractable Problem of Insecure Software
VOLUME 3 State of Software Security Report The Intractable Problem of Insecure Software Executive Summary April 19, 2011 Executive Summary The following are some of the most significant findings in the
More informationApplication Security 101. A primer on Application Security best practices
Application Security 101 A primer on Application Security best practices Table of Contents Introduction...1 Defining Application Security...1 Managing Risk...2 Weighing AppSec Technology Options...3 Penetration
More informationDefending the Database Techniques and best practices
ISACA Houston: Grounding Security & Compliance Where The Data Lives Mark R. Trinidad Product Manager mtrinidad@appsecinc.com March 19, 2009 Agenda Understanding the Risk Changing threat landscape The target
More informationWeb Application Security
About SensePost SensePost is an independent and objective organisation specialising in information security consulting, training, security assessment services and IT Vulnerability Management. SensePost
More informationIT Security & Compliance. On Time. On Budget. On Demand.
IT Security & Compliance On Time. On Budget. On Demand. IT Security & Compliance Delivered as a Service For businesses today, managing IT security risk and meeting compliance requirements is paramount
More informationNYS LOCAL GOVERNMENT VULNERABILITY SCANNING PROJECT September 22, 2011
NYS LOCAL GOVERNMENT VULNERABILITY SCANNING PROJECT September 22, 2011 Executive Summary BACKGROUND The NYS Local Government Vulnerability Scanning Project was funded by a U.S. Department of Homeland Security
More informationCyber Exploits: Improving Defenses Against Penetration Attempts
Cyber Exploits: Improving Defenses Against Penetration Attempts Mark Burnette, CPA, CISA, CISSP, CISM, CGEIT, CRISC, QSA LBMC Security & Risk Services Today s Agenda Planning a Cyber Defense Strategy How
More informationProactive Vulnerability Management Using Rapid7 NeXpose
WHITE PAPER Proactive Vulnerability Management Using Rapid7 NeXpose RAPID7 Corporate Headquarters 545 Boylston Street Boston, MA 02116 617.247.1717 www.rapid7.com Proactive Vulnerability Management Using
More informationPCI DSS Reporting WHITEPAPER
WHITEPAPER PCI DSS Reporting CONTENTS Executive Summary 2 Latest Patches not Installed 3 Vulnerability Dashboard 4 Web Application Protection 5 Users Logging into Sensitive Servers 6 Failed Login Attempts
More informationSimplifying the Challenges of Mobile Device Security Three Steps to Reduce Mobile Device Security Risks
Smartphones and tablets are invading the workplace along with the security risks they bring with them. Every day these devices go unchecked by standard vulnerability management processes, even as malware
More informationVulnerability Management
Vulnerability Management Buyer s Guide Buyer s Guide 01 Introduction 02 Key Components 03 Other Considerations About Rapid7 01 INTRODUCTION Exploiting weaknesses in browsers, operating systems and other
More informationWeb application security Executive brief Managing a growing threat: an executive s guide to Web application security.
Web application security Executive brief Managing a growing threat: an executive s guide to Web application security. Danny Allan, strategic research analyst, IBM Software Group Contents 2 Introduction
More informationApplication Security in the Software Development Life Cycle (SDLC) White Paper
Application Security in the Software Development Life Cycle (SDLC) White Paper Table of Contents Executive Summary... 3 The Rush to Get Applications to Web, Cloud and Mobile... 3 Issues in Software Development...
More informationCORE Security and the Payment Card Industry Data Security Standard (PCI DSS)
CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) Addressing the PCI DSS with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com
More informationADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT
ADDING NETWORK INTELLIGENCE INTRODUCTION Vulnerability management is crucial to network security. Not only are known vulnerabilities propagating dramatically, but so is their severity and complexity. Organizations
More informationPENETRATION TESTING GUIDE. www.tbgsecurity.com 1
PENETRATION TESTING GUIDE www.tbgsecurity.com 1 Table of Contents What is a... 3 What is the difference between Ethical Hacking and other types of hackers and testing I ve heard about?... 3 How does a
More informationSANS Top 20 Critical Controls for Effective Cyber Defense
WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a
More informationWhite Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management
White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK By James Christiansen, VP, Information Management Executive Summary The Common Story of a Third-Party Data Breach It begins with a story in the newspaper.
More informationReal World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services
Real World Healthcare Security Exposures Brian Selfridge, Partner, Meditology Services 2 Agenda Introduction Background and Industry Context Anatomy of a Pen Test Top 10 Healthcare Security Exposures Lessons
More informationWHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION
WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION Table of Contents Executive Summary...3 Vulnerability Scanners Alone Are Not Enough...3 Real-Time Change Configuration Notification is the
More informationLeveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs
IBM Global Technology Services Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs Achieving a secure government
More informationThe Seven Deadly Myths of Software Security Busting the Myths
The Seven Deadly Myths of Software Security Busting the Myths With the reality of software security vulnerabilities coming into sharp focus over the past few years, businesses are wrestling with the additional
More informationHow Companies Can Improve Website & Web Application Security. Even with a Tight IT Budget
How Companies Can Improve Website & Web Application Security Even with a Tight IT Budget Website and web application security is no longer a luxury it s a necessity. We live in the age of cyber warfare
More informationAgile Security Successful Application Security Testing for Agile Development
WHITE PAPER Agile Security Successful Application Security Testing for Agile Development Software Security Simplified Abstract It is an imperative to include security testing in application development.
More informationSecurity Vulnerabilities and Patches Explained IT Security Bulletin for the Government of Canada
Security Vulnerabilities and Patches Explained IT Security Bulletin for the Government of Canada ITSB-96 Last Updated: March 2015 1 Introduction Patching operating systems and applications is one of the
More informationSoftware Vulnerability Assessment
Software Vulnerability Assessment Setup Guide Contents: About Software Vulnerability Assessment Setting Up and Running a Vulnerability Scan Manage Ongoing Vulnerability Scans Perform Regularly Scheduled
More informationHow To Monitor Your Entire It Environment
Preparing for FISMA 2.0 and Continuous Monitoring Requirements Symantec's Continuous Monitoring Solution White Paper: Preparing for FISMA 2.0 and Continuous Monitoring Requirements Contents Introduction............................................................................................
More informationApplication Security in the Software Development Lifecycle
Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO
More informationDeveloping Secure Software in the Age of Advanced Persistent Threats
Developing Secure Software in the Age of Advanced Persistent Threats ERIC BAIZE EMC Corporation DAVE MARTIN EMC Corporation Session ID: ASEC-201 Session Classification: Intermediate Our Job: Keep our Employer
More informationSAFECode Security Development Lifecycle (SDL)
SAFECode Security Development Lifecycle (SDL) Michael Howard Microsoft Matthew Coles EMC 15th Semi-annual Software Assurance Forum, September 12-16, 2011 Agenda Introduction to SAFECode Security Training
More informationDevising a Server Protection Strategy with Trend Micro
Devising a Server Protection Strategy with Trend Micro A Trend Micro White Paper Trend Micro, Incorporated» A detailed account of why Gartner recognizes Trend Micro as a leader in Virtualization and Cloud
More informationContinuous Network Monitoring
Continuous Network Monitoring Eliminate periodic assessment processes that expose security and compliance programs to failure Continuous Network Monitoring Continuous network monitoring and assessment
More informationEverything You Wanted to Know about DISA STIGs but were Afraid to Ask
Everything You Wanted to Know about DISA STIGs but were Afraid to Ask An EiQ Networks White Paper 2015 EiQ Networks, Inc. All Rights Reserved. EiQ, the EiQ logo, the SOCVue logo, SecureVue, ThreatVue,
More informationETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001
001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110
More informationMoving to the Cloud? Take Your Application Security Solution with You. A WhiteHat Security Whitepaper. September 2010
Moving to the Cloud? Take Your Application Security Solution with You September 2010 A WhiteHat Security Whitepaper 3003 Bunker Hill Lane, Suite 220 Santa Clara, CA 95054-1144 www.whitehatsec.com Introduction
More informationDevising a Server Protection Strategy with Trend Micro
Devising a Server Protection Strategy with Trend Micro A Trend Micro White Paper» Trend Micro s portfolio of solutions meets and exceeds Gartner s recommendations on how to devise a server protection strategy.
More informationThe Need for Real-Time Database Monitoring, Auditing and Intrusion Prevention
Whitepaper The Need for Real-Time Database Monitoring, Auditing and Intrusion Prevention May 2007 Copyright Sentrigo Ltd. 2007, All Rights Reserved The Challenge: Securing the Database Much of the effort
More informationVulnerability management lifecycle: defining vulnerability management
Framework for building a vulnerability management lifecycle program http://searchsecurity.techtarget.com/magazinecontent/framework-for-building-avulnerability-management-lifecycle-program August 2011 By
More information2015 Vulnerability Statistics Report
2015 Vulnerability Statistics Report Introduction or bugs in software may enable cyber criminals to exploit both Internet facing and internal systems. Fraud, theft (financial, identity or data) and denial-of-service
More informationManaging Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services
Managing Vulnerabilities for PCI Compliance White Paper Christopher S. Harper Managing Director, Agio Security Services PCI STRATEGY Settling on a PCI vulnerability management strategy is sometimes a difficult
More informationReview: McAfee Vulnerability Manager
Review: McAfee Vulnerability Manager S3KUR3, Inc. Communicating Complex Concepts in Simple Terms Tony Bradley, CISSP, Microsoft MVP September 2010 Threats and vulnerabilities are a way of life for IT admins.
More informationDATASHEET CONTROL COMPLIANCE SUITE VENDOR RISK MANAGER 11.1
DATASHEET CONTROL COMPLIANCE SUITE VENDOR RISK MANAGER 11.1 Continuously Assess, Monitor, & Secure Your Information Supply Chain and Data Center Data Sheet: Security Management Is your organization able
More informationVulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War
Vulnerability Risk Management 2.0 Best Practices for Managing Risk in the New Digital War In 2015, 17 new security vulnerabilities are identified every day. One nearly every 90 minutes. This consistent
More informationPenetration Testing Guidelines For the Financial Industry in Singapore. 31 July 2015
For the Financial Industry in Singapore 31 July 2015 TABLE OF CONTENT 1. EXECUTIVE SUMMARY 3 2. INTRODUCTION 4 2.1 Audience 4 2.2 Purpose and Scope 4 2.3 Definitions 4 3. REQUIREMENTS 6 3.1 Overview 6
More informationOrganizations Should Implement Web Application Security Scanning
Research Publication Date: 21 September 2005 ID Number: G00130869 Organizations Should Implement Web Application Security Scanning Amrit T. Williams, Neil MacDonald Web applications are prone to vulnerabilities
More informationWhiteHat Security White Paper. Top 11 PCI DSS 3.0 Changes That Will Affect Your Application Security Program
WhiteHat Security White Paper Top 11 PCI DSS 3.0 Changes That Will Affect Your Application Security Program October 2015 The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information
More informationSession 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness
Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness Wayne A. Wheeler The Aerospace Corporation GSAW 2015, Los Angeles, CA, March 2015 Agenda Emerging cyber
More informationSimplifying the Challenges of Mobile Device Security
WHITE PAPER Three Steps to Reduce Mobile Device Security Risks Table of Contents Executive Overview 3 Mobile Device Security: 3 Just as Critical as Security for Desktops, Servers, and Networks 3 Find the
More informationVENDOR MANAGEMENT. General Overview
VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor
More informationThe Value of Vulnerability Management*
The Value of Vulnerability Management* *ISACA/IIA Dallas Presented by: Robert Buchheit, Director Advisory Practice, Dallas Ricky Allen, Manager Advisory Practice, Houston *connectedthinking PwC Agenda
More informationPreemptive security solutions for healthcare
Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements. Preemptive security solutions for healthcare
More information10 Things Every Web Application Firewall Should Provide Share this ebook
The Future of Web Security 10 Things Every Web Application Firewall Should Provide Contents THE FUTURE OF WEB SECURITY EBOOK SECTION 1: The Future of Web Security SECTION 2: Why Traditional Network Security
More informationSoftware & Supply Chain Assurance: Mitigating Risks Attributable to Exploitable ICT / Software Products and Processes
Software & Supply Chain Assurance: Mitigating Risks Attributable to Exploitable ICT / Software Products and Processes Joe Jarzombek, PMP, CSSLP Director for Software & Supply Chain Assurance Stakeholder
More informationBreaking down silos of protection: An integrated approach to managing application security
IBM Software Thought Leadership White Paper October 2013 Breaking down silos of protection: An integrated approach to managing application security Protect your enterprise from the growing volume and velocity
More informationSharePoint Governance & Security: Where to Start
WHITE PAPER SharePoint Governance & Security: Where to Start 82% The percentage of organizations using SharePoint for sensitive content. AIIM 2012 By 2016, 20 percent of CIOs in regulated industries will
More informationHow to ensure control and security when moving to SaaS/cloud applications
How to ensure control and security when moving to SaaS/cloud applications Stéphane Hurtaud Partner Information & Technology Risk Deloitte Laurent de la Vaissière Directeur Information & Technology Risk
More informationIndustrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Cyber Security Risk
Industrial Cyber Security Risk Manager Proactively Monitor, Measure and Manage Cyber Security Risk With Today s Cyber Threats, How Secure is Your Control System? Today, industrial organizations are faced
More informationSECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES
REQUIREMENT 6.1 TO 6.2 SECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES 6.1 TO 6.2 OVERVIEW In accordance with Payment Card Industry Data Security Standards (PCI DSS) requirements, [company
More informationProtecting Applications on Microsoft Azure against an Evolving Threat Landscape
Protecting Applications on Microsoft Azure against an Evolving Threat Landscape So, your organization has chosen to move to Office 365. Good choice. But how do you implement it? Find out in this white
More informationArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young
ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction
More informationNational Endowment for the Arts Evaluation Report. Table of Contents. Results of Evaluation... 1. Areas for Improvement... 2. Exit Conference...
NEA OIG Report No. R-13-03 Table of Contents Results of Evaluation... 1 Areas for Improvement... 2 Area for Improvement 1: The agency should implement ongoing scanning to detect vulnerabilities... 2 Area
More informationCORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT
CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT How advancements in automated security testing software empower organizations to continuously measure information
More informationSecuring SharePoint 101. Rob Rachwald Imperva
Securing SharePoint 101 Rob Rachwald Imperva Major SharePoint Deployment Types Internal Portal Uses include SharePoint as a file repository Only accessible by internal users Company Intranet External Portal
More informationwhite SECURITY TESTING WHITE PAPER
white SECURITY TESTING WHITE PAPER Contents: Introduction...3 The Need for Security Testing...4 Security Scorecards...5 Test Approach... 11 Framework... 16 Project Initiation Process... 17 Conclusion...
More informationPASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013
2013 PASTA Abstract Process for Attack S imulation & Threat Assessment Abstract VerSprite, LLC Copyright 2013 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
More informationPassing PCI Compliance How to Address the Application Security Mandates
Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These
More informationDEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER
DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND Introduction > New security threats are emerging all the time, from new forms of malware and web application exploits that target
More informationPCI 3.0 2015 Deadline Are you Complying? Mark Cuneo. CardConnect
PCI 3.0 2015 Deadline Are you Complying? Mark Cuneo CardConnect PCI Compliance is Very Important And Very Exciting Agenda Why Do I Care? Key Changes Guidance Maintaining Inventory Penetration Testing Protect
More informationOn Demand Penetration Testing Applications Networks Compliance. www.ivizsecurity.com
On Demand Penetration Testing Applications Networks Compliance www.ivizsecurity.com About iviz Security Information Security company with industry s first on-demand penetration testing solution using unique
More informationOptimizing Network Vulnerability
SOLUTION BRIEF Adding Real-World Exposure Awareness to Vulnerability and Risk Management Optimizing Network Vulnerability Management Using RedSeal november 2011 WHITE PAPER RedSeal Networks, Inc. 3965
More informationStaying a step ahead of the hackers: the importance of identifying critical Web application vulnerabilities.
Managing business infrastructure White paper Staying a step ahead of the hackers: the importance of identifying critical Web application vulnerabilities. September 2008 2 Contents 2 Overview 5 Understanding
More informationSecurity for NG9-1-1 SYSTEMS
The Next Generation of Security for NG9-1-1 SYSTEMS The Challenge of Securing Public Safety Agencies A white paper from L.R. Kimball JANUARY 2010 866.375.6812 www.lrkimball.com/cybersecurity L.R. Kimball
More informationINSIDE. Management Process. Symantec Corporation TM. Best Practices Roles & Responsibilities. Vulnerabilities versus Exposures.
Symantec Corporation TM Symantec Product Vulnerability Management Process Best Practices Roles & Responsibilities INSIDE Vulnerabilities versus Exposures Roles Contact and Process Information Threat Evaluation
More informationSytorus Information Security Assessment Overview
Sytorus Information Assessment Overview Contents Contents 2 Section 1: Our Understanding of the challenge 3 1 The Challenge 4 Section 2: IT-CMF 5 2 The IT-CMF 6 Section 3: Information Management (ISM)
More informationWhite paper. Web Application Security: The Overlooked Vulnerabilities
White paper Web Application Security: The Overlooked Vulnerabilities Abstract Are you adequately protecting the web applications that your business depends on? Software flaws are rapidly becoming the vulnerabilities
More informationExperience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.
Experience the commitment WHITE PAPER Information Security Continuous Monitoring Charting the Right Course May 2014 cgi.com 2014 CGI GROUP INC. During the last few months of 2013, six federal agencies
More informationMANAGING CYBER RISK IN THE SUPPLY CHAIN
MANAGING CYBER RISK IN THE SUPPLY CHAIN How.trust simplifies the validation of trusted supply partners Author: Gunter Ollmann, CTO INTRODUCTION In today s highly competitive business world the speed at
More informationKASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com
KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global
More informationIntroduction to Penetration Testing Graham Weston
Introduction to Penetration Testing Graham Weston March 2014 Agenda Introduction and background Why do penetration testing? Aims and objectives Approaches Types of penetration test What can be penetration
More informationREGULATIONS FOR THE SECURITY OF INTERNET BANKING
REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY
More informationHow To Perform An External Security Vulnerability Assessment Of An External Computer System
External Vulnerability Assessment -Executive Summary- Prepared for: ABC ORGANIZATION On March 9, 2008 Prepared by: AOS Security Solutions 1 of 5 Table of Contents Executive Summary... 3 Immediate Focus
More informationSTATE OF SOFTWARE SECURITY
STATE OF SOFTWARE SECURITY Volume 6: Focus on Industry Verticals JUNE 2015 03 VERACODE State of Software Security Report, Volume 6: Focus on Industry Verticals CONTENTS Introduction by Chris Wysopal, Veracode
More informationPrivacy + Security + Integrity
Privacy + Security + Integrity Docufree Corporation Data Security Checklist Security by Design Docufree is very proud of our security record and our staff works diligently to maintain the greatest levels
More informationCYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES
POINT OF VIEW CYBERSECURITY IN FINANCIAL SERVICES Financial services institutions are globally challenged to keep pace with changing and covert cybersecurity threats while relying on traditional response
More informationHow to Protect Sensitive Corporate Data against Security Vulnerabilities of Your Vendors
How to Protect Sensitive Corporate Data against Security Vulnerabilities of Your Vendors July 2014 Executive Summary Data breaches cost organizations millions and sometimes even billions of dollars in
More informationCYBER TRENDS & INDUSTRY PENETRATION TESTING. Technology Risk Supervision Division Monetary Authority of Singapore
CYBER TRENDS & INDUSTRY PENETRATION TESTING Technology Risk Supervision Division Monetary Authority of Singapore A NEW DAWN New Services / Mobile Application, NFC, FAST Technology / Biometrics, Big Data,
More information