Building a Corporate Application Security Assessment Program

Similar documents
Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Risk Management Guide for Information Technology Systems. NIST SP Overview

Building Security into the Software Life Cycle

Mobile Application Threat Analysis

Information Technology

Effective Software Security Management

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

Vulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War

Computer Security: Principles and Practice

Metrics that Matter Security Risk Analytics

External Supplier Control Requirements

Web Application Remediation. OWASP San Antonio. March 28 th, 2007

Cenzic Product Guide. Cloud, Mobile and Web Application Security

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs

Information Systems Security

Learning objectives for today s session

INSIDE. Management Process. Symantec Corporation TM. Best Practices Roles & Responsibilities. Vulnerabilities versus Exposures.

Vulnerability Management

BUILDING AN OFFENSIVE SECURITY PROGRAM BUILDING AN OFFENSIVE SECURITY PROGRAM

Web Application security testing: who tests the test?

Agile and Secure Can We Be Both? Chicago OWASP. June 20 th, 2007

Cloud Security Who do you trust?

Adobe Systems Incorporated

Enterprise Application Security Program

Data Privacy and Gramm- Leach-Bliley Act Section 501(b)

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing

Professional Services Overview

Board Portal Security: How to keep one step ahead in an ever-evolving game

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

PCI Requirements Coverage Summary Table

Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP

The case for continuous penetration testing

2011 Forrester Research, Inc. Reproduction Prohibited

Technology Blueprint. Protect Your Servers. Guard the data and availability that enable business-critical communications

ABB s approach concerning IS Security for Automation Systems

Preventive Approach for Web Applications Security Testing OWASP 10/30/2009. The OWASP Foundation

Security Vulnerabilities and Patches Explained IT Security Bulletin for the Government of Canada

Turning the Battleship: How to Build Secure Software in Large Organizations. Dan Cornell May 11 th, 2006

Entire contents 2011 Praetorian. All rights reserved. Information Security Provider and Research Center

Integrating Application Security into the Mobile Software Development Lifecycle. WhiteHat Security Paper

Juniper Networks Secure

Taxonomic Modeling of Security Threats in Software Defined Networking. Jennia Hizver PhD in Computer Science

How To Perform An External Security Vulnerability Assessment Of An External Computer System

SAST, DAST and Vulnerability Assessments, = 4

Penetration Testing //Vulnerability Assessment //Remedy

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

ESKISP Manage security testing

How To Manage Security On A Networked Computer System

CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT

Vulnerability Management in an Application Security World. AppSec DC November 12 th, The OWASP Foundation

PASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK

Agile and Secure: OWASP AppSec Seattle Oct The OWASP Foundation

Integrated Threat & Security Management.

Part Banker. Part Geek. All Security & Compliance.

Is your business prepared for Cyber Risks in 2016

Vulnerability Assessment of SAP Web Services By Crosscheck Networks

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

PCI Compliance for Cloud Applications

Protecting Applications on Microsoft Azure against an Evolving Threat Landscape

Total Protection for Compliance: Unified IT Policy Auditing

Vulnerability Management in an Application Security World. January 29 th, 2009

A Network Administrator s Guide to Web App Security

IG ISCM MATURITY MODEL FOR FY 2015 FISMA FOR OFFICIAL USE ONLY

Secure Code Development

AberdeenGroup. The Importance of Database Vulnerability Assessments. Business Value Research Series. September 2005

USING SECURITY METRICS TO ASSESS RISK MANAGEMENT CAPABILITIES

Microsoft Security Development Lifecycle for IT. Rob Labbé Application Consulting and Engineering Services

Pentests more than just using the proper tools

Simply Sophisticated. Information Security and Compliance

Pentests more than just using the proper tools

Obtaining Enterprise Cybersituational

PENETRATION TESTING GUIDE. 1

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

PCI Solution for Retail: Addressing Compliance and Security Best Practices

The Business Case for Security Information Management

A HELPING HAND TO PROTECT YOUR REPUTATION

Tutorial 2. May 11, 2015

Improving Cyber Security Risk Management through Collaboration

Improving RoI by Using an SDL

Penetration Testing Guidelines For the Financial Industry in Singapore. 31 July 2015

PCI Requirements Coverage Summary Table

Preemptive security solutions for healthcare

ISSECO Syllabus Public Version v1.0

Network Security and Vulnerability Assessment Solutions

IBM Internet Security Systems October FISMA Compliance A Holistic Approach to FISMA and Information Security

Introduction to QualysGuard IT Risk SaaS Services. Marek Skalicky, CISM, CRISC Regional Account Manager for Central & Adriatic Eastern Europe

Extreme Networks Security Analytics G2 Vulnerability Manager

Everything You Wanted to Know about DISA STIGs but were Afraid to Ask

Threat Modelling for Web Application Deployment. Ivan Ristic (Thinking Stone)

elearning for Secure Application Development

IBM Security QRadar Vulnerability Manager

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Cloud Security Fails & How the SDLC could (not?) have prevented them

Leveraging Network and Vulnerability metrics Using RedSeal

Goals. Understanding security testing

Software Security Testing

PCI DSS READINESS AND RESPONSE

APPLICATION THREAT MODELING

Transcription:

Building a Corporate Application Security Assessment Program Rob Jerdonek and Topher Chung Corporate Information Security Intuit Inc. July 23, 2009 Copyright The Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the License. The Foundation http://www.owasp.org

Steps to Building a Corporate Application Security Assessment Program Identify goals and objectives of the program Define process and methodology Record and track quantitative results. Use results to drive process and technology improvements. 2

Comparing Risk Across Applications 3

Identify Goals of Assessment Program Scale: Provide high value assessment services across the entire company in a timely manner. Consistency: Unified approach to remove variability among different apps and business units. Results: Record and track quantitative results. Monitor trends over time. Improvements: Use results to drive technology and process improvements. Note: Maps to Six Sigma methods (DMAIC and DMADV) 4

Examples of other goals and objectives Continuously improve the security posture of applications. Provide qualitative and quantitative risk analysis for applications. Help justify strategic investments to improve security Keep applications in line with evolving industry best practices and regulatory landscape. Embed security into the SDLC. 5

Define Process and Methodology Assessment Process requirements: Consistent process among all applications. Adaptable to uniqueness of each application (small, large, etc..) Not dependent on any particular tool or technology. 6

Assessment Process Two tracks Detailed Assessment 3-4 weeks Determine Assessment Track for Application White-box Testing 80% manual 20% automated Accelerated Assessment 1 week Black-box Testing 80% automated 20% manual 7

Assessment Process - Results Risk Metrics How much risk is carried by the application? What is the business impact? Vulnerability List Vulnerabilities found and/or exploited during penetration testing Benchmarking relative to other corporate apps Threat List Threat control deficiencies found from Architecture Interviews and Threat Analysis. Recommendations Actionable recommendations for any all threats & vulnerabilities 8

Risk Metrics- Categories 9 Risk Categories Authentication Access Control Database Security Data Validation Communication Denial of Service Deployment Audit & Logging Cryptography All threats & vulnerabilities are put into the above categories. Risk scores are distributed among these categories 9

Allocation of Risk 10

Application Assessment Heat Map 11

Risk Metrics- Calculations Threat Risk is architectural risk. Total Risk Score = Risk (Threats) + Risk (Vulnerabilities) Vulnerability Risk comes from vulnerabilities found during penetration testing. Lower is better. Safe Guard Index = (Actual Control Rating / Perfect Control Rating) * 100% Higher is better. 12

Threat analysis Application looks like a soccer ball. Each patch on the ball is a threat surface. Each patch is examined for threat potential. How well does an application control the threat? Each patch is tested for security weaknesses. Currently 28 threat categories are examined. 13

Threat Analysis - DREAD Damage potential: How great is the damage if the vulnerability is exploited? Reproducibility: How easy is it to reproduce the attack? Exploitability: How easy is it to successfully exploit this condition? Affected users: As a rough percentage, how many users are affected? Discoverability: How easy is it to find the vulnerability? 14

DREAD Rating Criteria - Examples Rating Scale 8-10 (High) 4-7 (Medium) 1-3 (Low) Damage Potential Reproducibility Exploitability Affected Users Discoverability Subvert security system, run as Admin, upload content No timing window required. Easily exploitable by novice. Impacts large user base. Found in most common features and very noticeable Leakage of sensitive information. Only within timing window. Takes repeated steps by skilled attacker. Impacts only a small group of users. Likely noticed by only a few users. Leaking trivial information Difficult to reproduce. Requires extremely skilled attacker w/ indepth knowledge. Impacts very small group of users. Obscure bug. Very unlikely to be discovered. 15

Threat Analysis Control Rating 0 1-2 3-4 5 No security control implementation in place to mitigate the threat. No security control implementation in place to mitigate the threat. Security control implementation in place is in compliance with the information security policies. Scoring of 3 and 4 provides the degree to which it is policy compliant. High degree of security control implementation in place to mitigate the threat. Complies with the industry standard best practices. 16

Threat Analysis- Residual Risk Residual Risk = Remaining risk after accounting for control rating 17

Using Results to Drive Improvements Compare overall risk between BU s. Compare risk among Applications in a single BU. Identify areas for application security improvements. Monitor performance over time. 18

Using Results to Drive Improvements (cont.) Use assessment results to target strategic investments in security: Shared Security Components Security Testing tools Identity Management Infrastructure, etc 19

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information