Application Security Risk Rating
Vaibhav Gupta
Security Researcher – Adobe
in.linkedin.com/in/vaibhav0
@VaibhavGupta_1
$ whoami
• Current
  • Security Researcher - Adobe
• Previous
  • Sr. Information Security Engg. – Fortune 500 company
• Before that..
  • InfoSec consultant at various companies
Problem Statement
1. Limited resources to security test large threat landscape of web applications within enterprise
2. Assigning risk levels to vulnerabilities found in manual assessments
Let's first deal with “1”
1. Limited resources to security test large threat landscape of web applications within enterprise
• Increasing threat landscape
• Slow pace of organizations to adopt secure coding practices
• Does not make sense to address all issues simultaneously
Solution ?
• Prioritization
• Focus on categorizing into high, medium and low risk applications
Approach – Risk Assessment of Applications
1. Analyze Business criticality of Applications
2. Analyze Risk Posture of Application
3. Categorize Applications based on Risk
4. Security Assessment Project Planning
Analyze Business criticality of Application
• Critical
• Important
• Strategic
• Internal
Analyze Risk Posture of Application
Questionnaire (each question is answered Yes/No):
1. Is the application facing the internet?
2. Is this application dealing with credit card data?
3. Is this application dealing with SSN or any other PII data?
4. Does application host any classified or patented data?
5. If the application goes down, can it create threat to human life?
6. Will this application be subject to any compliance audits?
7. Is this application designed to aid Top Management or Board Members in decision making?
8. Does application implement any kind of authentication? If yes, please give additional details
9. Does application implement any kind of authorization? If yes, provide additional details
10. Is this application developed as a plug-in or extension for other application? If yes, please provide additional details on what all applications it will be working with
Categorize Applications based on Risk
Inventory → Business Criticality → Risk Posture → Categorized Inventory (Low / Medium / High)
Test Case - Categorize Applications based on Risk
• Payroll application
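The categorization flow from the preceding slides carried through in code, as an added example that is not part of the original deck: the ten questions and the four criticality tiers are the deck's, but the question weights, the scaling of the weighted answers onto the deck's 0-9 bands, the criticality-to-band mapping, the human-life override and the "higher of the two wins" rule are assumptions made for this example. The payroll application is the deck's test case (tagged Internal as in the speaker notes); its answers and the other two applications are constructed.

```python
"""Categorize applications into Low / Medium / High risk from business
criticality plus the 10-question risk-posture questionnaire.

The questions and tiers are the deck's; the weights, the scaling to 0-9,
the floor per tier and the combination rule are assumptions for this example.
"""

# Business criticality tier -> floor band (assumed mapping).
CRITICALITY_BAND = {
    "Critical": "High",
    "Important": "Medium",
    "Strategic": "Medium",
    "Internal": "Low",
}
BAND_RANK = {"Low": 0, "Medium": 1, "High": 2}

# Sr. # -> (question, weight).  Weights are assumed: sensitive data and
# safety weigh more than the presence of auth logic or plug-in coupling.
QUESTIONS = {
    1: ("Is the application facing the internet?", 2),
    2: ("Is this application dealing with credit card data?", 3),
    3: ("Is this application dealing with SSN or any other PII data?", 3),
    4: ("Does application host any classified or patented data?", 3),
    5: ("If the application goes down, can it create threat to human life?", 3),
    6: ("Will this application be subject to any compliance audits?", 2),
    7: ("Is this application designed to aid Top Management or Board Members "
        "in decision making?", 1),
    8: ("Does application implement any kind of authentication?", 1),
    9: ("Does application implement any kind of authorization?", 1),
    10: ("Is this application developed as a plug-in or extension for other "
         "application?", 1),
}
MAX_SCORE = sum(weight for _, weight in QUESTIONS.values())  # 20


def band(score):
    """The deck's banding of a 0-9 score: below 3 Low, below 6 Medium, else High."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} outside 0..9")
    if score < 3:
        return "Low"
    if score < 6:
        return "Medium"
    return "High"


def risk_posture(answers):
    """Weighted 'Yes' answers scaled onto 0-9; returns (score, band).

    `answers` maps Sr. # -> bool and must cover all ten questions, so an
    unanswered question is an error rather than a silent 'No'.
    """
    missing = set(QUESTIONS) - set(answers)
    extra = set(answers) - set(QUESTIONS)
    if missing or extra:
        raise ValueError(f"unanswered: {sorted(missing)}, unknown: {sorted(extra)}")
    raw = sum(weight for num, (_, weight) in QUESTIONS.items() if answers[num])
    score = 9 * raw / MAX_SCORE
    # Safety override (assumed): a threat to human life is always high posture.
    if answers[5]:
        return score, "High"
    return score, band(score)


def categorize(criticality, answers):
    """Combine the tier's floor band with the posture band: the higher wins."""
    if criticality not in CRITICALITY_BAND:
        raise ValueError(f"unknown criticality tier {criticality!r}")
    floor = CRITICALITY_BAND[criticality]
    _, posture = risk_posture(answers)
    return max(floor, posture, key=BAND_RANK.__getitem__)


# Constructed sample inventory: name -> (criticality tier, questionnaire answers).
INVENTORY = {
    "Payroll application": ("Internal", {1: False, 2: False, 3: True, 4: False,
                                         5: False, 6: True, 7: False, 8: True,
                                         9: True, 10: False}),
    "Corporate website": ("Strategic", {1: True, 2: False, 3: False, 4: False,
                                        5: False, 6: False, 7: False, 8: False,
                                        9: False, 10: False}),
    "Plant safety console": ("Internal", {1: False, 2: False, 3: False, 4: True,
                                          5: True, 6: True, 7: False, 8: True,
                                          9: True, 10: True}),
}


def categorized_inventory(inventory=INVENTORY):
    """Step 3 of the approach: name -> Low / Medium / High."""
    return {name: categorize(tier, answers) for name, (tier, answers) in inventory.items()}


if __name__ == "__main__":
    for name, category in categorized_inventory().items():
        print(f"{name}: {category}")
```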
Let's deal with next problem statement: “2”
2. Assigning risk levels to vulnerabilities found in manual assessments
???? Why are we even considering this problem statement?
OWASP: Risk Rating Methodology
• There are many different approaches to risk analysis. The OWASP approach is based on standard methodologies and is customized for application security.
• Standard risk model: Risk = Likelihood * Impact
OWASP: Risk Rating Methodology - Steps
Step 1 • Identifying a Risk
Step 2 • Estimating Likelihood
Step 3 • Estimating Impact
Step 4 • Determining Severity of the Risk
Step 5 • Deciding What to Fix
Step 6 • Customizing Your Risk Rating Model
Step 1: Identifying a Risk
• What needs to be rated?
  • XSS ?
  • SQLi ?
  • Threat agents ?
  • Impact ?
Step 2: Estimating Likelihood
• Threat Agent Factors
  • Skill level
  • Motive
  • Opportunity
  • Size
• Vulnerability Factors
  • Ease of discovery
  • Ease of exploit
  • Awareness
  • Intrusion detection
Step 3: Estimating Impact
• Technical Impact Factors
  • Loss of confidentiality
  • Loss of integrity
  • Loss of availability
  • Loss of accountability
• Business Impact Factors
  • Financial damage
  • Reputation damage
  • Non-compliance
  • Privacy violation
Step 4: Determining Severity of the Risk
Likelihood and Impact Levels
0 to <3  LOW
3 to <6  MEDIUM
6 to 9   HIGH
Likelihood or Impact level = Total sum of values / Total number of values
Step 4: Determining Severity of the Risk (Cont..)
Test Case - OWASP Risk Rating
Step 5: Deciding What to Fix
PRIORITIZE
• Critical
• High
• Medium
• Low
• Note
Note: As a general rule, you should fix the most severe risks first
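Steps 2 to 5 carried through in code, as an added example that is neither the deck's nor OWASP's own code: each factor is scored 0-9, likelihood and impact are averaged per the formula on the Step 4 slide and banded with the deck's thresholds, and the two bands are combined through the overall severity matrix from the OWASP Risk Rating Methodology page the deck references (the "Cont.." slide is image-only here, so the matrix is taken from that page). The three findings and their scores are constructed, and using business impact only when all four business factors are scored is this example's own choice.

```python
"""OWASP-style risk rating for findings from a manual assessment (Steps 2-5).

Every factor is scored 0-9.  Likelihood and impact are each the average of
their factor scores (total sum of values / total number of values), banded
as LOW (<3), MEDIUM (<6) or HIGH, and combined through the OWASP overall
severity matrix.  Findings are then ordered most severe first.
"""

THREAT_AGENT = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")
TECHNICAL_IMPACT = ("loss_of_confidentiality", "loss_of_integrity",
                    "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT = ("financial_damage", "reputation_damage", "non_compliance", "privacy_violation")

# Overall severity = SEVERITY[impact band][likelihood band], per OWASP.
SEVERITY = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}
PRIORITY = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Note": 4}


def band(score):
    """Map a 0-9 average to the deck's bands: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} outside 0..9")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def average(scores, factors):
    """Total sum of values / total number of values over the named factors."""
    values = []
    for factor in factors:
        if factor not in scores:
            raise ValueError(f"missing factor {factor!r}")
        value = scores[factor]
        if not 0 <= value <= 9:
            raise ValueError(f"{factor!r} must be 0..9, got {value!r}")
        values.append(value)
    return sum(values) / len(values)


def rate(finding):
    """Return (likelihood, impact, severity) for one finding.

    Business impact is used when all four business factors were scored,
    otherwise the technical impact factors are used (this example's choice).
    """
    likelihood = average(finding["likelihood"], THREAT_AGENT + VULNERABILITY)
    impact_scores = finding["impact"]
    if all(f in impact_scores for f in BUSINESS_IMPACT):
        impact = average(impact_scores, BUSINESS_IMPACT)
    else:
        impact = average(impact_scores, TECHNICAL_IMPACT)
    severity = SEVERITY[band(impact)][band(likelihood)]
    return round(likelihood, 2), round(impact, 2), severity


def prioritize(findings):
    """Step 5: most severe first; within a band, higher likelihood*impact first."""
    rated = [(f["name"], *rate(f)) for f in findings]
    rated.sort(key=lambda r: (PRIORITY[r[3]], -(r[1] * r[2])))
    return rated


# Constructed findings with made-up factor scores.
FINDINGS = [
    {"name": "Reflected XSS on login page",
     "likelihood": {"skill_level": 6, "motive": 4, "opportunity": 9, "size": 9,
                    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 6,
                    "intrusion_detection": 8},
     "impact": {"loss_of_confidentiality": 6, "loss_of_integrity": 3,
                "loss_of_availability": 1, "loss_of_accountability": 7,
                "financial_damage": 3, "reputation_damage": 4,
                "non_compliance": 2, "privacy_violation": 3}},
    {"name": "SQL injection in admin search",
     "likelihood": {"skill_level": 5, "motive": 6, "opportunity": 7, "size": 6,
                    "ease_of_discovery": 7, "ease_of_exploit": 7, "awareness": 6,
                    "intrusion_detection": 8},
     # No business factors scored: falls back to technical impact.
     "impact": {"loss_of_confidentiality": 9, "loss_of_integrity": 7,
                "loss_of_availability": 5, "loss_of_accountability": 9}},
    {"name": "Verbose stack trace on error page",
     "likelihood": {"skill_level": 3, "motive": 1, "opportunity": 4, "size": 2,
                    "ease_of_discovery": 7, "ease_of_exploit": 3, "awareness": 4,
                    "intrusion_detection": 2},
     "impact": {"loss_of_confidentiality": 2, "loss_of_integrity": 0,
                "loss_of_availability": 0, "loss_of_accountability": 1}},
]

if __name__ == "__main__":
    for name, likelihood, impact, severity in prioritize(FINDINGS):
        print(f"{severity:8} L={likelihood:.2f} I={impact:.2f}  {name}")
```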
Step 6: Customizing Your Risk Rating Model
“A tailored model is much more likely to produce results that match people's perceptions about what is a serious risk” - OWASP
• Adding factors
• Customizing options
• Weighting factors
?? Questions ??
Vaibhav Gupta
Security Researcher – Adobe
in.linkedin.com/in/vaibhav0
@VaibhavGupta_1
References:
• http://owasp.org/index.php/OWASP_Risk_Rating_Methodology
• http://owasp.org


Editor's Notes
1. Critical -> paypal.com for paypal
   Important ->
   Strategic -> company’s main website
   Internal -> payroll app/AMS