OWASP Chennai Talk - Application Security Risk - The Full Circle
Application Security Risk - The Full Circle
Abhay Bhargav, Chief Technology Officer, we45 Solutions India Pvt. Ltd.

An Introduction of Yours Truly
- AppSec and PCI Compliance Lead at SISA
- Performed over 50 security assessments across 18 countries
- Spoken at several events including OWASP AppSec NYC 2008
- Trainer and Workshop Lead for Security Training Workshops
- My blog: http://citadelnotes.blogspot.com
The Current State of AppSec
- Awareness is on the rise
- Myriad materials and tools to aid in security
- Continually changing threat landscape
- Web 2.0: a security disaster waiting to happen???
- CONCLUSION: a science/art still in its infancy
AppSec Incidents - Evolution
- Individual application and database attacks
- Easy availability of tools for launching attacks
- Rise of polymorphic, "multi-tasking" malware
- Increasing trend of hackers exploiting for monetary benefit
Where is the Disconnect?
- Caught up with marketing hype
- Training and orientation
- Bad RAP
Caught up with the Marketing Hype
- Fastest growing security products segment: application security tools and products
- Limitations grossly misunderstood
- Vendors banking on the compliance craze
Training and Orientation
- Developers have little or no idea about web application security
- Code review and testing do not hone in on security issues
- The Time:Quality dilemma - organizational "mis-prioritization"
- The "Customer is King" approach may not work here
Bad RAP - Risk Assessment Practices
- Current situation: Threat Modeling = Risk Assessment
- No integration with organizational risk management
- No customer and management interaction
- "The essential urge to complicate": overemphasis on controls while undermining risk
The Full Circle (cycle diagram)
1. Identify critical assets
2. Identify security requirements
3. Create threat profiles
4. Perform vulnerability assessments
5. Identify impact & probability
6. Risk Treatment Plan, closing the circle back to the critical assets
Getting the RAP Right!
- Critical information assets are the watchword
- Customer/management interaction: assessing their areas of concern and providing broad security requirements
- Threat profiles: basic to technical progression
- Detailed security requirements and trust boundaries
- Impact analysis: a sound business-case measure for management
The Benefits
- RAP feeds the SDLC
- Management/customer involvement: awareness and budgetary benefits
- "Abuse" cases: a byproduct of vulnerability assessment
- Impact analysis: the true measure of cost vs benefit
- Provides clear requirements to architects and developers
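The Full Circle and the cost-vs-benefit point of the last two slides, as an added worked example that is not part of the talk: a small Python risk register that carries critical assets, their broad security requirements and threat profiles (basic statement plus technical progression) through impact x probability to a treatment plan ranked for management. Asset names, threats, loss figures, probabilities and control costs are all constructed for illustration, and the annualised-loss scoring (loss per incident times incidents per year) is one common quantitative method, not one the slides prescribe.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed scoring model (assumption, not from the talk):
#   impact      = estimated loss per incident, in arbitrary currency units
#   probability = expected incidents per year
#   annual loss = impact x probability


@dataclass(frozen=True)
class Asset:
    name: str
    requirements: tuple[str, ...]  # broad security requirements from customer/management concerns


@dataclass(frozen=True)
class ThreatProfile:
    asset: str
    threat: str        # basic statement of the threat, understandable by management
    technical: str     # technical progression: the weakness a vulnerability assessment would confirm
    impact: float      # loss per incident
    probability: float # incidents per year


@dataclass(frozen=True)
class Control:
    profile_index: int         # which ThreatProfile this control treats
    name: str
    annual_cost: float
    probability_after: float   # incidents per year expected once the control is in place


# Constructed sample register.
ASSETS = (
    Asset("customer order database", ("customer records readable only by the order service",)),
    Asset("public product catalogue", ("catalogue pages must render only vetted content",)),
    Asset("internal reporting portal", ("report exports must be attributable to a logged-in user",)),
)

PROFILES = (
    ThreatProfile("customer order database", "unauthorised read of customer records",
                  "injection in the order-search parameter", impact=500_000, probability=0.2),
    ThreatProfile("public product catalogue", "defacement of product pages",
                  "stored script in customer review text", impact=20_000, probability=0.5),
    ThreatProfile("internal reporting portal", "forged report exports",
                  "missing request token on the export form", impact=4_000, probability=0.25),
)

CONTROLS = (
    Control(2, "anti-forgery token framework", annual_cost=5_000, probability_after=0.025),
    Control(0, "parameterised queries and input validation", annual_cost=15_000, probability_after=0.02),
    Control(1, "output encoding library rollout", annual_cost=8_000, probability_after=0.05),
)


def annual_loss(profile: ThreatProfile) -> float:
    """Impact x probability: the annualised loss expectancy of one threat profile."""
    return profile.impact * profile.probability


def treatment(profile: ThreatProfile, control: Control) -> dict:
    """Cost vs benefit: mitigate only when the loss avoided exceeds the control's cost."""
    inherent = annual_loss(profile)
    residual = profile.impact * control.probability_after
    benefit = inherent - residual
    decision = "mitigate" if benefit > control.annual_cost else "accept"
    return {"asset": profile.asset, "threat": profile.threat, "technical": profile.technical,
            "inherent": inherent, "residual": residual, "benefit": benefit,
            "control": control.name, "cost": control.annual_cost, "decision": decision}


def treatment_plan(profiles, controls) -> list[dict]:
    """Risk Treatment Plan: one row per treated profile, highest inherent annual loss first."""
    rows = [treatment(profiles[c.profile_index], c) for c in controls]
    return sorted(rows, key=lambda row: row["inherent"], reverse=True)


if __name__ == "__main__":
    for row in treatment_plan(PROFILES, CONTROLS):
        print(f"{row['asset']:28} {row['threat']:40} "
              f"loss/yr {row['inherent']:>9.0f}  benefit {row['benefit']:>9.0f}  "
              f"cost {row['cost']:>6.0f}  -> {row['decision']}")
```

The ordering by inherent annual loss is what lets management see where the money goes, and the "accept" rows are as important as the "mitigate" rows: a control that costs more than the loss it avoids is the "urge to complicate" the slides warn about.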
Thank you!!! Questions??
- My blog: http://citadelnotes.blogspot.com
- Keep in touch: http://www.linkedin.com/in/abhaybhargav
- Email: email@example.com, firstname.lastname@example.org