Application Security Risk - the Full Circle


This presentation highlights the importance of application risk. It also aims to educate security professionals on how to perform effective and comprehensive application risk assessments, to support a more well-rounded protection strategy and the development of a secure SDLC for web applications.

Published in: Education

    1. Application Security Risk - The Full Circle
       Abhay Bhargav - CISSP, CISA, PCI-QSA, CPA, OCTAVE Implementer
       Lead - Application Security and PCI Compliance, SISA Information Security Pvt. Ltd.

    2. An Introduction of Yours Truly
       • AppSec and PCI Compliance Lead at SISA
       • Performed over 50 security assessments across 18 countries
       • Spoken at several events, including OWASP AppSec NYC 2008
       • Trainer and Workshop Lead for security training workshops
       • My blog:

    3. How I am feeling right now!!

    4. The Current State of AppSec
       • Awareness is on the rise
       • Myriad materials and tools to aid in security
       • Continually changing threat landscape
       • Web 2.0: security disaster waiting to happen???
       • CONCLUSION: a science/art still in its infancy

    5. AppSec Incidents - Evolution
       • Individual application and database attacks
       • Easy availability of tools for launching attacks
       • Rise of polymorphic, “multi-tasking” malware
       • Increasing trend of hackers exploiting for monetary benefit

    6. Where is the Disconnect?
       • Caught up with marketing hype
       • Training and orientation
       • Bad RAP

    7. Caught up with the Marketing Hype
       • Fastest growing security products segment - application security tools and products
       • Limitations grossly misunderstood
       • Vendors banking on the compliance craze

    8. Training and Orientation
       • Developers have little or no idea about web application security
       • Code review and testing do not hone in on security issues
       • The time:quality dilemma - organizational “mis-prioritization”
       • The “customer is king” approach may not work here

    9. Bad RAP - Risk Assessment Practices
       Current situation:
       • Threat modeling = risk assessment
       • No integration with organizational risk management
       • No customer and management interaction
       • “The essential urge to complicate” - overemphasis on controls while undermining risk

    10. The Full Circle (a cycle; each step feeds the next, and the last feeds back into the first)
       • Identify critical assets
       • Identify security requirements
       • Create threat profiles
       • Identify impact & probability
       • Perform vulnerability assessments
       • Risk Treatment Plan

    11. Getting the RAP Right!
       • Critical information assets is the watchword
       • Customer/management interaction - assessing their areas of concern and providing broad security requirements
       • Threat profiles - basic to technical progression
       • Detailed security requirements and trust boundaries
       • Impact analysis - a sound business-case measure for management

    12. The Benefits
       • RAP feeds the SDLC
       • Management/customer involvement - awareness and budgetary benefits
       • “Abuse” cases - byproduct of vulnerability assessment
       • Impact analysis - true measure of cost vs. benefit
       • Provides clear requirements to architects and developers

    13. Thank you!!! Questions??
       My blog:
       Keep in touch: abhaybhargav
       Email: