OWASP Chennai Talk - Application Security Risk - The Full Circle
Abhay Bhargav's talk at the OWASP Chennai meeting on Application Security Risk
Presentation Transcript

  • Application Security Risk - The Full Circle. Abhay Bhargav, Chief Technology Officer, we45 Solutions India Pvt. Ltd.
  • An Introduction of Yours Truly: AppSec and PCI Compliance Lead at SISA. Performed over 50 security assessments across 18 countries. Spoken at several events, including OWASP AppSec NYC 2008. Trainer and Workshop Lead for security training workshops. My blog: http://citadelnotes.blogspot.com
  • How I am feeling right now!!
  • The current state of AppSec: Awareness is on the rise. Myriad materials and tools to aid in security. Continually changing threat landscape. Web 2.0: a security disaster waiting to happen??? CONCLUSION: a science/art still in its infancy.
  • AppSec Incidents - Evolution: Individual application and database attacks. Easy availability of tools for launching attacks. Rise of polymorphic, “multi-tasking” malware. Increasing trend of attackers exploiting for monetary benefit.
  • Where is the Disconnect? Caught up with marketing hype. Training and orientation. Bad RAP.
  • Caught up with the Marketing Hype: Fastest growing security products segment - application security tools and products. Limitations grossly misunderstood. Vendors banking on the compliance craze.
  • Training and Orientation: Developers have little or no idea about web application security. Code review and testing do not home in on security issues. The Time:Quality dilemma - organizational “mis-prioritization”. The “customer is king” approach may not work here.
  • Bad RAP - Risk Assessment Practices: Current situation: Threat Modeling = Risk Assessment. No integration with organizational risk management. No customer and management interaction. “The essential urge to complicate” - overemphasis on controls, undermining risk.
  • The Full Circle (cycle diagram): identify critical assets → identify security requirements → create threat profiles → perform vulnerability assessments → identify impact & probability → risk treatment plan → back to identifying critical assets.
  • Getting the RAP right! Critical information assets are the watchword. Customer/management interaction - assessing their areas of concern and providing broad security requirements. Threat profiles - basic to technical progression. Detailed security requirements and trust boundaries. Impact analysis - a sound business-case measure for management.
  • The Benefits: RAP feeds the SDLC. Management/customer involvement - awareness and budgetary benefits. “Abuse” cases - a byproduct of vulnerability assessment. Impact analysis - the true measure of cost vs benefit. Provides clear requirements to architects and developers.
  • Thank you!!! Questions?? My blog: http://citadelnotes.blogspot.com Keep in touch: http://www.linkedin.com/in/abhaybhargav Email: abhay.bhargav@sisa.co.in, abhaybhargav@gmail.com