Application Security Risk - the Full Circle

This presentation highlights the importance of Application Risk. It also aims to educate security professionals on how to perform effective and comprehensive application risk assessments to aid in a more well rounded protection strategy and the development of a secure SDLC for web applications.



Usage Rights: © All Rights Reserved
Application Security Risk - the Full Circle Presentation Transcript

  • 1. Application Security Risk - The Full Circle. Abhay Bhargav - CISSP, CISA, PCI-QSA, CPA, OCTAVE Implementer. Lead - Application Security and PCI Compliance, SISA Information Security Pvt. Ltd.
  • 2. An Introduction of Yours Truly: AppSec and PCI Compliance Lead at SISA. Performed over 50 security assessments across 18 countries. Spoken at several events, including OWASP AppSec NYC 2008. Trainer and Workshop Lead for security training workshops. My blog: http://citadelnotes.blogspot.com
  • 3. How I am feeling right now!!
  • 4. The current state of AppSec: Awareness is on the rise. Myriad materials and tools are available to aid in security. The threat landscape is continually changing. Web 2.0: a security disaster waiting to happen??? Conclusion: a science/art still in its infancy.
  • 5. AppSec Incidents - Evolution: Individual application and database attacks. Easy availability of tools for launching attacks. Rise of polymorphic, "multi-tasking" malware. Increasing trend of attackers exploiting for monetary benefit.
  • 6. Where is the Disconnect? Caught up with marketing hype. Training and orientation. Bad RAP.
  • 7. Caught up with the Marketing Hype: Application security tools and products are the fastest-growing security product segment. Their limitations are grossly misunderstood. Vendors are banking on the compliance craze.
  • 8. Training and Orientation: Developers have little or no idea about web application security. Code review and testing do not home in on security issues. The time:quality dilemma - organizational "misprioritization". The "customer is king" approach may not work here.
  • 9. Bad RAP - Risk Assessment Practices. Current situation: threat modeling is treated as if it were risk assessment. No integration with organizational risk management. No customer and management interaction. "The essential urge to complicate" - overemphasis on controls while undermining risk.
  • 10. The Full Circle: identify critical assets -> identify security requirements -> create threat profiles -> perform vulnerability assessments -> identify impact & probability -> risk treatment plan -> back to identifying critical assets.
  • 11. Getting the RAP right! Critical information assets are the watchword. Customer/management interaction - assessing their areas of concern and providing broad security requirements. Threat profiles - a basic-to-technical progression. Detailed security requirements and trust boundaries. Impact analysis - a sound business-case measure for management.
  • 12. The Benefits: The RAP feeds the SDLC. Management/customer involvement - awareness and budgetary benefits. "Abuse" cases - a byproduct of vulnerability assessment. Impact analysis - the true measure of cost vs. benefit. Provides clear requirements to architects and developers.
  • 13. Thank you!!! Questions?? My blog: http://citadelnotes.blogspot.com Keep in touch: http://www.linkedin.com/in/abhaybhargav Email: abhay.bhargav@sisa.co.in, abhaybhargav@gmail.com