OWASP Chennai Talk - Application Security Risk - The Full Circle

Abhay Bhargav's talk at the OWASP Chennai meeting on Application Security Risk

    1. Application Security Risk - The Full Circle
       Abhay Bhargav, Chief Technology Officer, we45 Solutions India Pvt. Ltd.
    2. An Introduction of Yours Truly
       • AppSec and PCI Compliance Lead at SISA
       • Performed over 50 security assessments across 18 countries.
       • Spoken at several events including the OWASP AppSec NYC 2008
       • Trainer and Workshop Lead for Security Training Workshops
       • My blog: http://citadelnotes.blogspot.com
    3. How I am feeling right now!!
    4. The current state of AppSec
       • Awareness is on the rise
       • Myriad materials and tools to aid in security
       • Continually changing threat landscape
       • Web 2.0: Security disaster waiting to happen???
       • CONCLUSION: A science/art still in its infancy
    5. AppSec Incidents - Evolution
       • Individual application and database attacks
       • Easy availability of tools for launching attacks
       • Rise of polymorphic, “multi-tasking” malware
       • Increasing trend of hackers exploiting for monetary benefit.
    6. Where is the Disconnect?
       • Caught up with Marketing Hype
       • Training and Orientation
       • Bad RAP
    7. Caught up with the Marketing Hype
       • Fastest growing security products segment - Application Security tools and products
       • Limitations grossly misunderstood
       • Vendors banking on the Compliance Craze
    8. Training and Orientation
       • Developers have little or no idea about Web Application Security.
       • Code review and testing does not hone in on security issues.
       • The Time:Quality Dilemma - Organizational “Mis-prioritization”
       • “Customer is King” approach may not work here
    9. Bad RAP - Risk Assessment Practices
       • Current situation: Threat Modeling = Risk Assessment
       • No integration into organizational Risk Management
       • No customer and management interaction
       • “The essential urge to complicate” - Overemphasis on controls and undermining Risk.
    10. The Full Circle (cycle diagram)
       • Identify critical assets
       • Identify security requirements
       • Create threat profiles
       • Perform vulnerability assessments
       • Identify impact & probability
       • Risk Treatment Plan
    11. Getting the RAP right!
       • Critical Information Assets is the watch-word
       • Customer/Management Interaction - assessing their areas of concern and providing broad security requirements
       • Threat Profiles - basic to technical progression
       • Detailed security requirements and trust boundaries
       • Impact Analysis - a sound business case measure for management.
    12. The Benefits
       • RAP feeds the SDLC
       • Management/Customer involvement - awareness and budgetary benefits.
       • “Abuse” cases - byproduct of vulnerability assessment
       • Impact Analysis - true measure of Cost vs Benefit
       • Provides clear requirements to architects and developers
    13. Thank you!!! Questions??
       • My blog: http://citadelnotes.blogspot.com
       • Keep in touch: http://www.linkedin.com/in/abhaybhargav
       • Email: abhay.bhargav@sisa.co.in, abhaybhargav@gmail.com
