The document discusses two problems related to application security risk rating: 1) limited resources to test a large number of applications, and 2) assigning risk levels to vulnerabilities found during manual assessments. For the first problem, the document proposes prioritizing applications by categorizing them into high, medium, and low risk based on a risk assessment analyzing business criticality and risk posture. For the second problem, the document outlines the OWASP risk rating methodology in six steps: identifying risks, estimating likelihood, estimating impact, determining severity, deciding what to fix, and customizing the risk rating model.
2. $ whoami
Current: Security Researcher - Adobe
Previous: Sr. Information Security Engineer – Fortune 500 company
Before that: InfoSec consultant at various companies
3. Problem Statement
1. Limited resources to security test the large threat landscape of web applications within the enterprise
2. Assigning risk levels to vulnerabilities found in manual assessments
in.linkedin.com/in/vaibhav0
4. Let's first deal with “1”
1. Limited resources to security test the large threat landscape of web applications within the enterprise
Increasing threat landscape
Slow pace of organizations in adopting secure coding practices
It does not make sense to address all issues simultaneously
5. Solution?
Prioritization
Focus on categorizing applications into high, medium and low risk
6. Approach – Risk Assessment of Applications
Analyze Business criticality of Applications
Analyze Risk Posture of Application
Categorize Applications based on Risk
Security Assessment Project Planning
8. Analyze Risk Posture of Application
Sr. # | Question | Response (Yes/No)
1 | Is the application facing the internet? |
2 | Is this application dealing with credit card data? |
3 | Is this application dealing with SSN or any other PII data? |
4 | Does the application host any classified or patented data? |
5 | If the application goes down, can it create a threat to human life? |
6 | Will this application be subject to any compliance audits? |
7 | Is this application designed to aid Top Management or Board Members in decision making? |
8 | Does the application implement any kind of authentication? If yes, please give additional details |
9 | Does the application implement any kind of authorization? If yes, provide additional details |
10 | Is this application developed as a plug-in or extension for another application? If yes, please provide additional details on which applications it will be working with |
9. Categorize Applications based on Risk
[Flow diagram: Inventory -> Business Criticality -> Risk Posture -> Categorized Inventory (Low / Medium / High)]
10. Test Case - Categorize Applications based on Risk
Payroll application
11. Let's deal with the next problem statement: “2”
2. Assigning risk levels to vulnerabilities found in manual assessments
Why are we even considering this problem statement?
12. OWASP: Risk Rating Methodology
There are many different approaches to risk analysis. The OWASP approach is based on standard methodologies and is customized for application security.
Standard risk model:
Risk = Likelihood * Impact
13. OWASP: Risk Rating Methodology - Steps
Step 1 • Identifying a Risk
Step 2 • Estimating Likelihood
Step 3 • Estimating Impact
Step 4 • Determining Severity of the Risk
Step 5 • Deciding What to Fix
Step 6 • Customizing Your Risk Rating Model
14. Step 1: Identifying a Risk
What needs to be rated?
XSS ?
SQLi ?
Threat agents ?
Impact ?
16. Step 3: Estimating Impact
Technical Impact Factors
Loss of confidentiality
Loss of integrity
Loss of availability
Loss of accountability
Business Impact Factors
Financial damage
Reputation damage
Non-compliance
Privacy violation
17. Step 4: Determining Severity of the Risk
Likelihood and Impact Levels (each factor is scored 0 to 9)
0 to <3   LOW
3 to <6   MEDIUM
6 to 9    HIGH
Likelihood or Impact level = (Total sum of factor values) / (Total number of factor values)
19. Test Case - OWASP Risk Rating
20. Step 5: Deciding What to Fix
PRIORITIZE: Critical > High > Medium > Low > Note
Note: As a general rule, you should fix the most severe risks first
21. Step 6: Customizing Your Risk Rating Model
“A tailored model is much more likely to produce
results that match people's perceptions about what is a
serious risk”
- OWASP
Adding factors
Customizing options
Weighting factors
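The following is an added worked example of Steps 2 to 6 of the OWASP Risk Rating Methodology as the deck describes them; it is example code written for this page, not code from the deck or from OWASP. The likelihood factor names (threat agent and vulnerability factors) are taken from the OWASP methodology because the Step 2 slide is not reproduced above, the 0 to <3 / 3 to <6 / 6 to 9 bands and the "sum of values / number of values" formula are the ones on the Step 4 slide, and the likelihood x impact severity matrix is OWASP's standard one. The three findings and all of their scores are constructed for illustration; the optional weights dictionary is the Step 6 "weighting factors" hook and is an assumption about how a team might customize the model.

```python
"""OWASP Risk Rating Methodology worked end to end (added example, not from the deck)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Step 2: likelihood factors per OWASP (threat agent, then vulnerability), each scored 0-9.
LIKELIHOOD_FACTORS: Tuple[str, ...] = (
    "skill_level", "motive", "opportunity", "size",
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
# Step 3: impact factors; OWASP prefers business impact when it is known.
TECHNICAL_IMPACT_FACTORS: Tuple[str, ...] = (
    "loss_of_confidentiality", "loss_of_integrity", "loss_of_availability", "loss_of_accountability",
)
BUSINESS_IMPACT_FACTORS: Tuple[str, ...] = (
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)
# Step 4: OWASP overall severity, keyed by (likelihood level, impact level).
SEVERITY_MATRIX: Dict[Tuple[str, str], str] = {
    ("LOW", "LOW"): "Note", ("MEDIUM", "LOW"): "Low", ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low", ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium", ("MEDIUM", "HIGH"): "High", ("HIGH", "HIGH"): "Critical",
}
SEVERITY_ORDER = ("Note", "Low", "Medium", "High", "Critical")

def level(score: float) -> str:
    """Slide 17 bands: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} is outside the 0-9 OWASP scale")
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"

def factor_score(values: Dict[str, int], factors: Iterable[str],
                 weights: Optional[Dict[str, float]] = None) -> float:
    """Slide 17 formula: total sum of values / total number of values.
    Weights are the assumed Step 6 hook: weight 2.0 counts a factor twice; default 1.0 is the plain average."""
    weights = weights or {}
    total = total_weight = 0.0
    for name in factors:
        value = values[name]  # KeyError if an assessor skipped a factor: fail loudly, do not guess
        if not 0 <= value <= 9:
            raise ValueError(f"{name}={value} is outside the 0-9 OWASP scale")
        total += value * weights.get(name, 1.0)
        total_weight += weights.get(name, 1.0)
    return total / total_weight

@dataclass
class Finding:
    name: str
    likelihood: Dict[str, int]
    technical_impact: Dict[str, int]
    business_impact: Optional[Dict[str, int]] = None

def rate(finding: Finding, weights: Optional[Dict[str, float]] = None) -> dict:
    """Steps 2-4 for one finding: likelihood, impact, their levels and the overall severity."""
    likelihood = factor_score(finding.likelihood, LIKELIHOOD_FACTORS, weights)
    if finding.business_impact is not None:
        impact = factor_score(finding.business_impact, BUSINESS_IMPACT_FACTORS, weights)
    else:
        impact = factor_score(finding.technical_impact, TECHNICAL_IMPACT_FACTORS, weights)
    lik_level, imp_level = level(likelihood), level(impact)
    return {"name": finding.name, "likelihood": likelihood, "likelihood_level": lik_level,
            "impact": impact, "impact_level": imp_level,
            "severity": SEVERITY_MATRIX[(lik_level, imp_level)]}

def prioritize(findings: List[Finding], weights: Optional[Dict[str, float]] = None) -> List[dict]:
    """Step 5: most severe first; ties broken by raw likelihood, then raw impact."""
    rated = [rate(f, weights) for f in findings]
    rated.sort(key=lambda r: (SEVERITY_ORDER.index(r["severity"]), r["likelihood"], r["impact"]),
               reverse=True)
    return rated

# Constructed sample findings with illustrative scores (not taken from the deck).
SAMPLE_FINDINGS = [
    Finding("Reflected XSS on internet-facing login page",
            likelihood=dict(skill_level=6, motive=4, opportunity=9, size=9, ease_of_discovery=7,
                            ease_of_exploit=5, awareness=9, intrusion_detection=8),
            technical_impact=dict(loss_of_confidentiality=6, loss_of_integrity=3,
                                  loss_of_availability=1, loss_of_accountability=7)),
    Finding("SQL injection in internal reporting tool",
            likelihood=dict(skill_level=6, motive=4, opportunity=4, size=2, ease_of_discovery=3,
                            ease_of_exploit=5, awareness=4, intrusion_detection=3),
            technical_impact=dict(loss_of_confidentiality=9, loss_of_integrity=7,
                                  loss_of_availability=5, loss_of_accountability=7),
            business_impact=dict(financial_damage=7, reputation_damage=5,
                                 non_compliance=7, privacy_violation=7)),
    Finding("Stack trace disclosed on error page",
            likelihood=dict(skill_level=3, motive=1, opportunity=9, size=9, ease_of_discovery=7,
                            ease_of_exploit=9, awareness=9, intrusion_detection=8),
            technical_impact=dict(loss_of_confidentiality=2, loss_of_integrity=1,
                                  loss_of_availability=1, loss_of_accountability=1)),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_FINDINGS):
        print(f"{r['severity']:<8} L={r['likelihood']:.2f} ({r['likelihood_level']:<6}) "
              f"I={r['impact']:.2f} ({r['impact_level']:<6}) {r['name']}")
```

Two points the deck's slides do not spell out but a practitioner will hit immediately: the XSS (HIGH likelihood, MEDIUM impact) and the SQL injection (MEDIUM likelihood, HIGH impact) both land in "High", so the raw averages are kept in the output to order them, and the rating deliberately fails on a missing or out-of-range factor rather than silently defaulting it, because a skipped factor would quietly shift the average across a band boundary.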