Mapping Application Security To Business Value:
Considerations And Recommendations For IT And Business Decision Makers

WHITE PAPER

Because applications are a reflection of the business, we believe application security plays a major role in creating and retaining business value.

6450 Via Real, Suite 3
Carpinteria, CA 93013
800-721-9177
805-684-6858
TABLE OF CONTENTS

1 Summary
2 The Role of Applications within the Information Security System
3 Secure Software Development
4 Integrating the Application within the Information Security System
5 Creating Business Value
6 Business Impact

Page 1 | www.redspin.com | 2009 | White Paper
Summary

This white paper outlines considerations and recommendations for reducing business risk by ensuring that your web applications are secure.

Our goal is to present information that will be helpful not only to IT and information security professionals but to business unit general managers as well. We will examine the process of managing applications throughout their lifecycle.

In an earlier white paper we introduced a simple top-down system for making the association between security initiatives and business metrics for the purpose of better managing the information security system. In this white paper we will examine the relationship between investments in application security and the metrics that drive business growth. We will also explore the various alternatives to approaching application security as well as the pros and cons associated with each.

In a recent Harvard Business Review article titled “The Big Shift” (HBR; July-August 2009; John Seely-Brown, Lang Davidson) the authors presented the idea that in times of economic crisis such as those we face now, traditional metrics for managing business may be insufficient to point the way forward. The HBR article presents a framework for understanding business transformation in terms of three factors: foundations for major change (such as compute power and Internet usage), flows of resources (such as information and knowledge) and the impact of the combination of the previous two factors on companies and the economy. As is often the case in business, this framework is measured as an index (the shift index) comprised of three components: foundation, flow and impact. The foundation index is strongly influenced by computing and communications (Internet) infrastructure. The flow index is influenced by information sharing and Internet activity. The impact index is influenced by brand loyalty and competitive intensity. The article concludes by challenging executives on how they can best create and capture value by managing these factors.

Throughout this paper we will examine what can be done with respect to application security in terms of enabling business by actively managing these factors. Because applications are a reflection of the business, we believe application security plays a major role in creating and retaining business value. We frame the discussion of this role as part of the overall security system whose efficacy can be evaluated in terms suggested by Seely-Brown and Davidson.

We consider application security from the standpoint of supporting an effective compute and communications infrastructure (positively impacting the foundation index). We examine the role of applications in supporting the flow of information and knowledge resources in a secure fashion (positively impacting the flow index). Lastly, we explore methods to securely deploy applications and business processes to protect corporate brands and promote competitive advantage (positively affecting the impact index).




The Role Of Applications Within The Information Security System

For an application security system to support the business we must treat it like a system. It must have structure and be measurable. We suggest a different approach that starts with a top down perspective. We also believe that a system must be rich with the necessary information but simple enough to support business decision making.

Our application security system uses the terms presented in the HBR article. Ultimately we have three elements to manage with three associated indices to track. The system is illustrated in table 1.

|              | Foundation                                                    | Flow                                 | Impact                              |
|--------------|---------------------------------------------------------------|--------------------------------------|-------------------------------------|
| Key Elements | Storage, Compute, Applications, Communications Infrastructure | Data, Information, Knowledge, People | Business Processes, Business Value  |
| Key Metric   | Availability                                                  | Confidentiality                      | Integrity                           |

Table 1. High level elements and metrics associated with the Information Security System

Note that aspects of application security make contributions in all three categories. Next, we must think about the elements that connect the application security system with the business. As with any other major subsystem of the overall information security system, application security is a factor to consider in each major area of the system. An application security system must be driven by policy, integrated with the overall strategy and tightly coupled with the controls that carry out holistic protection objectives. An ideal description of the customer security system is shown in the following diagram:

[Figure 1. The Information Security System]




Now, let’s examine where various aspects of the application security program fit in. Table 2 illustrates some key application security areas and their relation to our foundation, flow, impact model of the information security system.

|                   | Foundation                                                    | Flow                                 | Impact                             |
|-------------------|---------------------------------------------------------------|--------------------------------------|------------------------------------|
| Key Elements      | Storage, Compute, Applications, Communications Infrastructure | Data, Information, Knowledge, People | Business Processes, Business Value |
| Key Metric        | Availability                                                  | Confidentiality                      | Integrity                          |
| Application Areas | Developer Training                                            | Data Classification                  | System Integration                 |
|                   | Architecture                                                  | Information Privilege                | Change Management                  |
|                   | Threat Modeling                                               | Identity and Access Management       | Regulatory Compliance              |
|                   | Privacy                                                       | Audit Process                        | Risk Assessment                    |
|                   | Code Review                                                   | Security Enforcement Mechanisms      | Incident Response                  |
|                   | Security Checklists                                           | Encryption and Key Management        | Production Testing                 |
|                   | Source Code Analysis                                          | Pre-Production Testing               | Risk Management                    |

Table 2. Application security areas and their relation to the foundation, flow and impact model

For an information security system to be running optimally, managers must make decisions about each of these application security areas and put in place processes to carry out their decisions. If managers ignore their responsibility or take shortcuts on process, ad-hoc decisions will fill the void. These decisions often have disastrous results.

Let’s discuss a few of the application security areas in each category to explore the relationship to the overall information security system and business value contribution through the foundation, flow and impact framework.




Foundation – Secure Software Development

Developer Training

As web applications have become more fundamental to the business, security training which may often have started through ad-hoc processes must become formalized and widespread. Developers cannot be held accountable for security issues if they have not been adequately trained. We recommend general purpose security training for all team members including QA staff. We would also recommend specific training targeted by development role.

Architecture

Just as the functional architecture specifies the relationship between the major subsystems that make up the application, the same must be true of the core security services that govern security of the application. Often the team can draw upon general application security policies and specify how these general policies manifest themselves in the specific application environment. For example, the general policy may make statements regarding input validation, but the architecture must refine these specifically to the business requirements and security context associated with the application.

Threat Modeling

In order to have an understanding of the risks associated with an application, developers must understand the threats that are present. A common practice is to develop a threat model that characterizes the threats and risks to the application. Microsoft has invested significant resources in formalizing this process. They recommend a step by step process of identifying security objectives; reviewing the application in terms of components, data flows and trust boundaries; decomposing the application in terms of components to identify areas where security needs to be evaluated; creating a structured list of threats; and enumerating likely vulnerabilities associated with the class of application in development. To assist in this effort of threat and risk modeling Microsoft advocates a threat classification scheme known as STRIDE. This scheme aims to characterize the threats with respect to the exploit that may be employed. This clever acronym stands for:

• Spoofing Identity
• Tampering With Data
• Repudiation
• Information Disclosure
• Denial Of Service
• Elevation Of Privilege

These areas provide a helpful mechanism for enumerating threats to the application.

Risk Assessment

As with any endeavor related to security, we recommend a risk based approach where development effort to secure the application is guided by the risks to business. Closely associated with this process is a scoring scheme to help evaluate risk to the application. Another acronym applies to this problem as well: DREAD. DREAD attempts to quantify, compare and prioritize the amount of risk presented by a given threat. It stands for:

• Damage Potential
• Reproducibility
• Exploitability
• Affected Users
• Discoverability

Typically each of these areas is assessed on a scale of 1 to 10 with 10 referring to the most severe risk. As always, risk needs to be evaluated in terms of both probability and impact.
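To make the STRIDE and DREAD discussion concrete, the following is an added example (it is not code from the white paper) that tags a few constructed threats with their STRIDE category, rates each on the five DREAD factors and ranks them by average score. The threats, component names and ratings are sample data; treating Damage Potential and Affected Users as the "impact" side and the other three factors as the "probability" side is this example's own assumption, included because the text asks for risk to be judged in both terms.

```python
"""DREAD scoring for STRIDE-classified threats.

Added example, not from the white paper. The threats, components and
1-10 ratings below are constructed sample data for a hypothetical web
application.
"""
from dataclasses import dataclass
from enum import Enum
from statistics import mean


class Stride(Enum):
    """The six STRIDE threat categories."""
    SPOOFING = "Spoofing Identity"
    TAMPERING = "Tampering With Data"
    REPUDIATION = "Repudiation"
    INFORMATION_DISCLOSURE = "Information Disclosure"
    DENIAL_OF_SERVICE = "Denial Of Service"
    ELEVATION_OF_PRIVILEGE = "Elevation Of Privilege"


@dataclass(frozen=True)
class Threat:
    name: str
    component: str          # part of the decomposed application it applies to
    category: Stride
    damage: int             # D - Damage Potential
    reproducibility: int    # R - Reproducibility
    exploitability: int     # E - Exploitability
    affected_users: int     # A - Affected Users
    discoverability: int    # D - Discoverability

    def __post_init__(self):
        # Every DREAD factor is rated 1-10, with 10 the most severe.
        for field in ("damage", "reproducibility", "exploitability",
                      "affected_users", "discoverability"):
            value = getattr(self, field)
            if not 1 <= value <= 10:
                raise ValueError(f"{field} must be 1-10, got {value}")

    def impact(self):
        # Assumption of this example: Damage Potential and Affected Users
        # describe impact; the remaining factors describe probability.
        return mean((self.damage, self.affected_users))

    def probability(self):
        return mean((self.reproducibility, self.exploitability,
                     self.discoverability))

    def dread_score(self):
        """Average of the five factors, on the same 1-10 scale."""
        return mean((self.damage, self.reproducibility, self.exploitability,
                     self.affected_users, self.discoverability))


def rank_threats(threats):
    """Return the threats ordered from highest to lowest DREAD score."""
    return sorted(threats, key=lambda t: t.dread_score(), reverse=True)


# Constructed sample threats (not findings from any real system).
SAMPLE_THREATS = [
    Threat("Session token guessable", "session manager", Stride.SPOOFING,
           damage=8, reproducibility=9, exploitability=7,
           affected_users=9, discoverability=6),
    Threat("Audit log lacks user attribution", "order service",
           Stride.REPUDIATION, damage=5, reproducibility=10,
           exploitability=3, affected_users=4, discoverability=4),
    Threat("Stack trace shown on error page", "error handler",
           Stride.INFORMATION_DISCLOSURE, damage=3, reproducibility=10,
           exploitability=8, affected_users=2, discoverability=9),
]


if __name__ == "__main__":
    for t in rank_threats(SAMPLE_THREATS):
        print(f"{t.dread_score():4.1f}  impact={t.impact():4.1f}  "
              f"probability={t.probability():4.1f}  "
              f"{t.category.value:22}  {t.name} ({t.component})")
```

The ranked list is the input to the risk based prioritisation the section recommends: the team works the top of the list first and records the impact and probability halves separately, since two threats with the same average can have very different shapes.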




Code Review

We recommend that an application in development pass a thorough code review. By no means do we expect each developer to walk through their sections line by line. In contrast, this is an exercise that ensures that common assumptions are agreed upon, and no major misunderstandings are present. A reasonable sample outline is suggested as follows:

• Monitoring of security metrics is supported.
• Secure operational environment is specified.
• Attack surface and threat environment is understood.
• Misuse cases have been identified.
• Global security policy (for the project scope) is in place.
• Resource and trust boundaries have been identified.
• User roles and resource capabilities are understood.
• Security relevant requirements have been documented.

In practice the agenda and topics covered will undoubtedly be lengthier, but this serves to give you a flavor of the process.

Security Checklists

These simple checklists are often useful for developers to keep security principles in mind. Listed below is a subset of an actual checklist. These lists should also adapt themselves to the business goals, threat environment and usage scenarios associated with the application.

| Procedure                                      | Category                         | Goal                                                                                                                                                                                             |
|------------------------------------------------|----------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Denial of Service                              | Custom Application Vulnerability | Does the application continue to function normally when given abnormally large input values, query strings, or cookie strings?                                                                    |
| Cross Site Scripting                           | Custom Application Vulnerability | Does the application allow scripts to be reflected within the HTML content stream and execute when viewed in a browser? Does the application allow users to store persistently harmful scripts?    |
| SQL Injection                                  | Custom Application Vulnerability | Does the application allow a user to elicit database errors or run arbitrary database commands by sending unexpected input sequences?                                                             |
| OS-level Command Injection                     | Custom Application Vulnerability | Does the application allow a user to execute system commands by submitting specially crafted values in form fields and/or query strings?                                                          |
| Authorization                                  | Authentication Mechanisms        | Does the application successfully restrict access to all pages, scripts and objects for which authentication is required? Is it possible to access restricted resources via forceful browsing?    |
| Authorized Pages/Functions                     | Authentication Mechanisms        | Does the application properly enforce security controls to registered or authenticated users? Does the application allow a user to manipulate query strings and obtain access to restricted URLs? |
| Authentication Endpoint Request Should be HTTPS | SSL Security                    | Does the application allow user passwords to be submitted over non-SSL connections?                                                                                                               |
| Credential Transport Over an Encrypted Channel | SSL Security                     | Once an SSL session is established, are there any cases when a user browses to an HTTP resource?                                                                                                  |
| Session Token Security                         | Session Security                 | Does the application utilize session IDs that are sufficiently long and random?                                                                                                                   |
| Session Hijacking                              | Session Security                 | Does the re-use of Session IDs allow one user to obtain access to another user’s session?                                                                                                         |
| HTTP Methods                                   | Infrastructure Testing           | What HTTP methods does the web server support? Does the web server support HTTP methods such as PUT or DELETE?                                                                                    |
| Web Server Configuration Common Paths          | Infrastructure Testing           | Are there configuration dependent vulnerabilities on the server? Depending upon the web server type, what are the most common configuration errors and are they present?                         |
| Directory Browsing                             | Infrastructure Testing           | Can any directories be browsed?                                                                                                                                                                   |
| User Error Messages                            | Environment Security             | Does the application reveal sensitive information in its error messages related to the presence or absence of user accounts?                                                                      |
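Several of the checklist items above can be checked automatically against captured pages and responses rather than by hand. The following is an added example (it is neither Redspin's checklist tooling nor code from the paper) covering four items: the HTTPS login endpoint, session token length and randomness, user enumeration through error messages, and advertised HTTP methods. The login page HTML, the session tokens, the error messages, the Allow header value and the acceptance thresholds are all constructed assumptions for this example.

```python
"""Automated checks for four items of the security checklist.

Added example, not code from the white paper or from Redspin. The login
page HTML, session tokens, error messages, Allow header and the
thresholds applied are constructed for this example.
"""
import math
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FormActions(HTMLParser):
    """Collect the action attribute of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def login_forms_use_https(page_html, page_url):
    """Item: authentication endpoint request should be HTTPS.

    A relative action inherits the scheme of the page that served the form,
    so a login form on an http:// page submits the password in the clear."""
    parser = _FormActions()
    parser.feed(page_html)
    if not parser.actions:
        return False  # no form found: nothing to approve
    page_scheme = urlparse(page_url).scheme
    return all((urlparse(a).scheme or page_scheme) == "https"
               for a in parser.actions)


def session_token_report(tokens, min_length=16, min_bits_per_char=4.0):
    """Item: session IDs should be sufficiently long and random.

    Shannon entropy over the characters of a token sample is a cheap sanity
    check: sequential or padded IDs score well below random ones. The two
    thresholds are assumptions of this example, not a published standard."""
    joined = "".join(tokens)
    n = len(joined)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(joined).values())
    shortest = min(len(t) for t in tokens)
    unique = len(set(tokens)) == len(tokens)
    return {
        "min_length": shortest,
        "bits_per_char": round(entropy, 2),
        "all_unique": unique,
        "acceptable": (shortest >= min_length
                       and entropy >= min_bits_per_char and unique),
    }


def error_messages_leak_accounts(msg_for_existing_user, msg_for_unknown_user):
    """Item: error messages must not reveal whether an account exists.

    Any difference between the two responses distinguishes real usernames
    from guesses, so the messages should be identical."""
    return msg_for_existing_user.strip() != msg_for_unknown_user.strip()


def risky_http_methods(allow_header):
    """Item: does the web server advertise methods such as PUT or DELETE?"""
    advertised = {m.strip().upper() for m in allow_header.split(",") if m.strip()}
    return sorted(advertised & {"PUT", "DELETE"})


# Constructed sample inputs (the token strings were typed by hand, not
# generated by any application).
LOGIN_PAGE = ('<html><body><form action="/login" method="post">'
              '<input name="user"><input name="pass" type="password">'
              '</form></body></html>')
WEAK_TOKENS = ["SESSION000001", "SESSION000002", "SESSION000003"]
STRONG_TOKENS = ["k8Qw3zLpN1vRt7Xc", "B2mYe9sHj4GfUq6W", "Zp5nC1rVd8LkT0aM"]


def run_checklist():
    """Run every check on the constructed inputs and return the results."""
    return {
        "login_over_https": login_forms_use_https(LOGIN_PAGE, "https://app.example/login"),
        "login_over_http": login_forms_use_https(LOGIN_PAGE, "http://app.example/login"),
        "weak_tokens_ok": session_token_report(WEAK_TOKENS)["acceptable"],
        "strong_tokens_ok": session_token_report(STRONG_TOKENS)["acceptable"],
        "enumeration_leak": error_messages_leak_accounts("Wrong password", "Unknown user"),
        "risky_methods": risky_http_methods("GET, HEAD, POST, OPTIONS, PUT, DELETE"),
    }


if __name__ == "__main__":
    for item, result in run_checklist().items():
        print(f"{item:18} {result}")
```

Each function answers one checklist question with a value that can be recorded per build, which is what turns the checklist from a reminder for developers into a metric the pre-production test cycle can track.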
Source Code Analysis

Source code analysis tools can provide a useful point of automation in identifying potential risks and vulnerabilities. This process may easily be integrated within the build cycle. However, when it comes to analysis, those performing the analysis must be equipped with the system requirements and security specifications, the threat profile for the system and any additional supporting documentation. The team is then equipped to examine the tool output and determine whether risks are relevant or not. The threat profile may also help rule out potential risks and vulnerabilities. Nevertheless, the findings in scope must be addressed.
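The triage step described above, where tool output is read against the threat profile and in-scope findings must be fixed, can itself be part of the build cycle. The following is an added example (not from the white paper and not any vendor's tool): it assumes the analyser's report has already been parsed into Finding records, and the threat profile, directory names, rule names and findings are constructed sample data.

```python
"""Triage of source code analysis findings against the threat profile.

Added example, not from the white paper. Real analysers emit their own
report formats (SARIF, XML, CSV); this example assumes they have already
been parsed into Finding records. The threat profile, file paths, rule
names and findings below are constructed sample data.
"""
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str       # analyser rule that fired
    path: str       # source file the finding points at
    severity: str   # "high", "medium" or "low" as reported by the tool


# Constructed threat profile keyed by source directory: which component the
# code belongs to, whether that component is inside the assessed scope, and
# whether the threat model marks it as reachable by untrusted users.
THREAT_PROFILE = {
    "web/":   {"component": "public web tier", "in_scope": True, "exposed": True},
    "admin/": {"component": "internal admin UI", "in_scope": True, "exposed": False},
    "tools/": {"component": "operator-run migration scripts", "in_scope": False, "exposed": False},
}

# Constructed analyser output for one build.
TOOL_OUTPUT = [
    Finding("sql-injection", "web/search.py", "high"),
    Finding("hardcoded-secret", "admin/config.py", "high"),
    Finding("sql-injection", "tools/migrate.py", "high"),
    Finding("weak-random", "web/session.py", "medium"),
]


def component_for(path, profile=THREAT_PROFILE):
    """Look up the threat-profile entry whose directory prefix matches."""
    for prefix, meta in profile.items():
        if path.startswith(prefix):
            return meta
    return None


def triage(findings, profile=THREAT_PROFILE):
    """Split findings into (finding, effective severity, reason) to fix and
    (finding, reason) that the threat profile allows the team to rule out."""
    must_fix, ruled_out = [], []
    for f in findings:
        meta = component_for(f.path, profile)
        if meta is None:
            # Code the threat model never covered cannot be ruled out.
            must_fix.append((f, f.severity, "not covered by the threat profile; treated as in scope"))
        elif not meta["in_scope"]:
            ruled_out.append((f, f"{meta['component']} is outside the assessed scope"))
        else:
            severity = f.severity
            if meta["exposed"] and severity == "medium":
                severity = "high"  # reachable by untrusted users, so rated up
            must_fix.append((f, severity, meta["component"]))
    return must_fix, ruled_out


def build_gate(findings, profile=THREAT_PROFILE):
    """True when the build may proceed: no in-scope finding is rated high."""
    must_fix, _ = triage(findings, profile)
    return not any(severity == "high" for _, severity, _ in must_fix)


if __name__ == "__main__":
    fixes, skipped = triage(TOOL_OUTPUT)
    for f, severity, reason in fixes:
        print(f"FIX   {severity:6} {f.rule:18} {f.path}  ({reason})")
    for f, reason in skipped:
        print(f"SKIP  {'-':6} {f.rule:18} {f.path}  ({reason})")
    sys.exit(0 if build_gate(TOOL_OUTPUT) else 1)
```

The recorded reason on every ruled-out finding is the point of the exercise: a finding is only set aside because the threat profile says the component is out of scope, never silently, and a finding in code the threat model never examined is kept in scope by default.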




Flow – Integrating The Application Within The Information Security System

Data Classification

Although this is a system wide information security initiative, application developers and owners should create an inventory of data expected to be used and generated by the application. This exercise typically classifies data as High Business Impact (HBI), Medium Business Impact (MBI) or Low Business Impact (LBI) depending on the business requirements and the confidentiality, integrity and availability implications. Corporate security policy should help in this regard.

Information Privilege

Again corporate security policy can act as a reference point in making decisions regarding information privilege. Ultimately the decisions in this area will reside in the application security specification. It is useful though to consider the total scope of information sources and the associated privilege levels. Internal policy requirements as well as regulatory requirements will aid in shaping these decisions.

Identity and Access Management

When making identity and access management decisions it is important to have a clear understanding of the type of customers the application will be addressing. Clearly, different solutions will present themselves for a consumer facing banking application than for an internal travel and expense system. It is best to make this decision early and then iterate and refine implementation strategies as you refine the threat and risk models as well as the application specification.

Privacy

Privacy is another area that should be dictated by corporate security policy and reinforced by the application. There may be circumstances where the application is intended to be used internationally and corporate policy has not yet caught up with privacy laws in those countries. In this case the application team must do their own research and fold back the results into corporate policy.

Security Enforcement Mechanisms

Keep in mind that the application resides within the infrastructure and you should take full advantage of the enforcement mechanisms that exist. The same is true of monitoring mechanisms. The application team does have to exert effort to ensure that they understand how enforcement works and what they expect to achieve (whitelisting, blacklisting, etc.).

Encryption and Key Management

Encryption can play a key role in reducing the attack surface for critical data. Here, you can use the output of the data classification exercise to decide what to encrypt. Key management is also an important factor in the overall process. A critical attribute to seek out is solutions where you don’t have to change your database table sizes to accommodate encryption. In other words, the encrypted data is the same size and data type as the clear text data.

Preproduction Testing

Whether performed by QA or operations, pre-production testing is usually performed using black box tools and should be done in an environment that is nearly (if not) identical to the production environment. This activity should be performed as part of the daily build cycle. The goal should be a systematic reduction in the number of vulnerabilities over time even as new functionality is added.




Impact – Creating Business Value
                               System Integration
                           Very few applications in modern environments exist as standalone entities. At the very
                           least they employ directory services or back-up services. In most circumstances the
                           application is providing or receiving data from other applications, sometimes directly
                           or quite commonly through an enterprise message bus. It is imperative that the test
                           environment reflects these conditions and that no vulnerabilities are introduced through
                           this additional connectivity.

                              Change Management
                           Change management controls when fixes to the application may be introduced.
                           Processes should be stipulated by policy. An important practice is to document well the
                           circumstances surrounding the need for the change. Often, a new set of vulnerabilities
                           will have been found, but it is equally important to note if there has been a change in
                           threat model or with the supporting infrastructure.

                                     Regulatory Compliance
                                 We advocate creating policy such that internal compliance encompasses regulatory
                                 requirements. In any circumstance, testing procedures need to ensure compliance with
                                 the applicable regulations. This is often a good opportunity to have a trusted third
                                 party perform a web application assessment: compliance itself is generally a cut-and-dried
                                 area, but the assessment may also surface other important areas of consideration.

                                     Audit Process
                                 The secure application development process should also aim to make the audit process
                                 easy and predictable. Strong documentation, predictable logging, and demonstrated
                                 adherence to policy all contribute towards a successful audit experience. Most
                                 importantly, anticipating and preparing for an audit makes it just another predictable
                                 item on the schedule rather than a fear-inducing event that can disrupt delivery
                                 against the schedule.

                               Incident Response
                           What happens if there is a data breach? We recommend that you prepare in advance
                           for the actions that will be taken. Further, responding to an incident will extend beyond
                           just the core applications team. Be clear on the roles and responsibilities of security,
                           operations and your own applications group.

                                Production Testing
                           To assess applications running in production a different strategy must be employed. One
                           potential approach is to do application penetration testing with a suite of attacks that are
                           known to be non-invasive and likely will not take down the application. A better option,
                           if the application is deployed in a virtualized environment, is to take a “snapshot” of
                           the application to be tested. This image is then moved to a staging environment where
                           it can be tested thoroughly. When vulnerabilities are identified the application must be
                           fixed, tested and then released back to production under change control.

                                     Risk Management
                                 Another important practice is to actively manage the risk associated with the application.
                                 We have found that this can be done most effectively by developing a model that accounts
                                 for the likelihood and magnitude of loss-related events. For example, quantitatively
                                 modeling the risk of financial loss due to data breach, fines associated with non-
                                 compliance or business loss due to application downtime can be helpful in terms of
                                 allocating resources for prevention. It is also useful in helping management
                                 understand why so much effort is being expended on application security. Once again,
                                 this is an ongoing process that must stay current with emerging threats, whether
                                 internal, external or from partner organizations.
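                                 The quantitative model described above, as an added example that is not part of the
                                 Redspin paper: each loss event is given a single-loss expectancy and an annual rate of
                                 occurrence, the product is the annualized loss, and candidate controls are ranked by
                                 return on security investment so that prevention spend goes where it buys the most
                                 risk reduction. The three scenarios, the three controls, and every dollar figure and
                                 effectiveness fraction are constructed for illustration and are not drawn from any
                                 real application.

```python
"""Quantitative application-risk model: annualized loss and control ROI.

Added example (not from the Redspin paper). It uses the common
single-loss-expectancy (SLE) x annual-rate-of-occurrence (ARO) model.
All scenario figures, control costs and effectiveness fractions below
are constructed and are not claimed to represent any real application.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    single_loss: float   # expected cost per event (SLE), in dollars
    annual_rate: float   # expected events per year (ARO)

    @property
    def annual_loss(self) -> float:
        """Annualized loss expectancy: ALE = SLE * ARO."""
        return self.single_loss * self.annual_rate


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # scenario name -> fraction by which the control reduces that scenario's ARO
    reduction: dict


# Constructed loss scenarios for a hypothetical web application.
SCENARIOS = [
    Scenario("data breach", single_loss=2_000_000, annual_rate=0.05),
    Scenario("regulatory fine", single_loss=250_000, annual_rate=0.2),
    Scenario("downtime from security incident", single_loss=40_000, annual_rate=1.5),
]

# Constructed candidate controls with assumed costs and effectiveness.
CONTROLS = [
    Control("daily black-box scan in pre-production", 40_000,
            {"data breach": 0.4, "downtime from security incident": 0.3}),
    Control("third-party application assessment", 45_000,
            {"data breach": 0.3, "regulatory fine": 0.5}),
    Control("web application firewall", 90_000,
            {"data breach": 0.2, "downtime from security incident": 0.5}),
]


def total_ale(scenarios):
    """Sum of annualized loss across all scenarios with no added control."""
    return sum(s.annual_loss for s in scenarios)


def residual_ale(scenarios, control):
    """Annualized loss remaining after the control reduces each covered scenario's rate."""
    return sum(
        s.single_loss * s.annual_rate * (1.0 - control.reduction.get(s.name, 0.0))
        for s in scenarios
    )


def rosi(scenarios, control):
    """Return on security investment: (ALE avoided - control cost) / control cost.

    Negative means the control costs more per year than the loss it avoids.
    """
    avoided = total_ale(scenarios) - residual_ale(scenarios, control)
    return (avoided - control.annual_cost) / control.annual_cost


def rank_controls(scenarios, controls):
    """Controls ordered from best to worst ROSI, for allocating prevention budget."""
    return sorted(controls, key=lambda c: rosi(scenarios, c), reverse=True)


if __name__ == "__main__":
    print(f"Baseline ALE: ${total_ale(SCENARIOS):,.0f}")
    for c in rank_controls(SCENARIOS, CONTROLS):
        print(f"{c.name:45s} residual ALE ${residual_ale(SCENARIOS, c):>9,.0f}"
              f"  ROSI {rosi(SCENARIOS, c):+.2f}")
```

                                 With these constructed inputs the baseline annualized loss is $210,000; the scan ratchet
                                 and the third-party assessment both pay for themselves, while the firewall does not, which
                                 is exactly the kind of comparison the paragraph above says management needs in order to
                                 see why the effort is being spent. Replacing the single point estimates with ranges or a
                                 Monte Carlo draw over SLE and ARO is a natural extension when the inputs are uncertain.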




Business Impact
                            The most important result of following this process is an application that is up and
                            running and fulfilling its mission whether that is to make employees more productive or
                            to generate revenue through online transactions.

                            The extended team, including operations, security and business unit management should
                            have a high degree of confidence in the following areas:

                            •	   The corporate brand is protected
                            •	   Risk has been minimized
                            •	   The service will be available (or at least not down because of security issues)
                            •	   Employees will be productive
                            •	   Regulatory fines will be avoided
                            •	   Reputational damage will be avoided




                             About Redspin www.redspin.com
                             Redspin delivers the highest quality information security assessments through technical
                             expertise, business acumen and objectivity. Redspin customers include leading companies
                             in areas such as health care, financial services and hotels, casinos and resorts as well
                             as retailers and technology providers. Some of the largest communications providers
                             and commercial banks rely upon Redspin to provide an effective technical solution
                             tailored to their business context, allowing them to reduce risk, maintain compliance and
                             increase the value of their business unit and IT portfolios.




Zilliz
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 

Recently uploaded (20)

Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
CAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on BlockchainCAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on Blockchain
 
Things to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUUThings to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUU
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 

Mapping Application Security to Business Value - Redspin Information Security

  • 1. Mapping Application Security To Business Value: Considerations And Recommendations For IT And Business Decision Makers Because applications are a reflection of the business, we believe application security plays a major role in creating and retaining business value system. 6450 Via Real, Suite3 Carpinteria, CA 93013 WHITE PAPER 800-721-9177 805-684-6858
  • 2. TABLE OF CONTENTS
  1 Summary
  2 The Role of Applications within the Information Security System
  3 Secure Software Development
  4 Integrating the Application within the Information Security System
  5 Creating Business Value
  6 Business Impact
  • 3. Summary

This white paper outlines considerations and recommendations for reducing business risk by ensuring that your web applications are secure.

Our goal is to present information that will be helpful not only to IT and information security professionals but business unit general managers as well. We will examine the process of managing applications throughout their lifecycle.

In an earlier white paper we introduced a simple top-down system for making the association between security initiatives and business metrics for the purpose of better managing the information security system. In this white paper we will examine the relationship between investments in application security and the metrics that drive business growth.

We will also explore the various alternatives to approaching application security as well as the pros and cons associated with each.

In a recent Harvard Business Review article titled “The Big Shift” (HBR; July-August 2009; John Seely-Brown, Lang Davidson) the authors presented the idea that in times of economic crisis such as those we face now, traditional metrics for managing business may be insufficient to point the way forward. The HBR article presents a framework for understanding business transformation in terms of three factors: foundations for major change (such as compute power and Internet usage), flows of resources (such as information and knowledge) and the impact of the combination of the previous two factors on companies and the economy. As is often the case in business, this framework is measured as an index (the shift index) comprised of three components: foundation, flow and impact. The foundation index is strongly influenced by computing and communications (Internet) infrastructure. The flow index is influenced by information sharing and Internet activity. The impact index is influenced by brand loyalty and competitive intensity. The article concludes by challenging executives on how they can best create and capture value by managing these factors.

Throughout this paper we will examine what can be done with respect to application security in terms of enabling business by actively managing these factors. Because applications are a reflection of the business, we believe application security plays a major role in creating and retaining business value. We frame the discussion of this role as part of the overall security system whose efficacy can be evaluated in terms suggested by Seely-Brown and Davidson.

We consider application security from the standpoint of supporting an effective compute and communications infrastructure (positively impacting the foundation index). We examine the role of applications in supporting the flow of information and knowledge resources in a secure fashion (positively impacting the flow index). Lastly, we explore methods to securely deploy applications and business process to protect corporate brands and promote competitive advantage (positively affecting the impact index).
  • 4. The Role Of Applications Within The Information Security System

For an application security system to support the business we must treat it like a system. It must have structure and be measurable. We suggest a different approach that starts with a top-down perspective. We also believe that a system must be rich with the necessary information but simple enough to support business decision making. Our application security system uses the terms presented in the HBR article. Ultimately we have three elements to manage with three associated indices to track. The system is illustrated in Table 1.

Table 1. High level elements and metrics associated with the Information Security System
  Foundation: Key Elements: Storage, Compute, Applications, Communications Infrastructure. Key Metric: Availability.
  Flow: Key Elements: Data, Information, Knowledge, People. Key Metric: Confidentiality.
  Impact: Key Elements: Business Processes, Business Value. Key Metric: Integrity.

Note that aspects of application security make contributions in all three categories. Next, we must think about the elements that connect the application security system with the business. As with any other major subsystem of the overall information security system, application security is a factor to consider in each major area of the system. An application security system must be driven by policy, integrated with the overall strategy and tightly coupled with the controls that carry out holistic protection objectives. An ideal description of the customer security system is shown in the following diagram:

[Figure 1. The Information Security System]
  • 5. Now, let’s examine where various aspects of the application security program fit in. Table 2 illustrates some key application security areas and their relation to our foundation, flow, impact model of the information security system.

Table 2. Application security areas within the foundation, flow, impact model
  Foundation: Key Elements: Storage, Compute, Applications, Communications Infrastructure. Key Metric: Availability. Application Areas: Developer Training, Architecture, Threat Modeling, Risk Assessment, Code Review, Security Checklists, Source Code Analysis.
  Flow: Key Elements: Data, Information, Knowledge, People. Key Metric: Confidentiality. Application Areas: Data Classification, Information Privilege, Identity and Access Management, Privacy, Security Enforcement Mechanisms, Encryption and Key Management, Pre-Production Testing.
  Impact: Key Elements: Business Processes, Business Value. Key Metric: Integrity. Application Areas: System Integration, Change Management, Regulatory Compliance, Audit Process, Incident Response, Production Testing, Risk Management.

For an information security system to be running optimally, managers must make decisions about each of these application security areas and put in place processes to carry out their decisions. If managers ignore their responsibility or take shortcuts on process, ad-hoc decisions will fill the void. These decisions often have disastrous results. Let’s discuss a few of the application security areas in each category to explore the relationship to the overall information security system and business value contribution through the foundation, flow and impact framework.
  • 6. Foundation – Secure Software Development

Developer Training
As web applications have become more fundamental to the business, security training which may often have started through ad-hoc processes must become formalized and widespread. Developers cannot be held accountable for security issues if they have not been adequately trained. We recommend general purpose security training for all team members including QA staff. We would also recommend specific training targeted by development role.

Architecture
Just as the functional architecture specifies the relationship between the major subsystems that make up the application, the same must be true of the core security services that govern security of the application. Often the team can draw upon general application security policies and specify how these general policies manifest themselves in the specific application environment. For example, the general policy may make statements regarding input validation, but the architecture must refine these specific to the business requirements and security context associated with the application.

Threat Modeling
In order to have an understanding of the risks associated with an application, developers must understand the threats that are present. A common practice is to develop a threat model that characterizes the threats and risks to the application. Microsoft has invested significant resources in formalizing this process. They recommend a step by step process of identifying security objectives; reviewing the application in terms of components, data flows and trust boundaries; decomposing the application in terms of components to identify areas where security needs to be evaluated; creating a structured list of threats; and enumerating likely vulnerabilities associated with the class of application in development. To assist in this effort of threat and risk modeling Microsoft advocates a threat classification scheme known as STRIDE. This scheme aims to characterize the threats with respect to the exploit that may be employed. This clever acronym stands for:

  Spoofing Identity
  Tampering With Data
  Repudiation
  Information Disclosure
  Denial Of Service
  Elevation Of Privilege

These areas provide a helpful mechanism for enumerating threats to the application.

Risk Assessment
As with any endeavor related to security, we recommend a risk-based approach where development effort to secure the application is guided by the risks to business. Closely associated with this process is a scoring scheme to help evaluate risk to the application. Another acronym applies to this problem as well: DREAD. DREAD attempts to quantify, compare and prioritize the amount of risk presented by a given threat. It stands for:

  Damage Potential
  Reproducibility
  Exploitability
  Affected Users
  Discoverability

Typically each of these areas is assessed on a scale of 1 to 10 with 10 referring to the most severe risk. As always risk needs to be evaluated in terms of both probability and impact.
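The STRIDE classification and DREAD scoring described above, carried through in code as an added example (this is not material from the white paper or from Redspin). The scoring conventions are assumptions: each DREAD factor is scored 1 to 10, the overall score is the mean of the five factors, Reproducibility, Exploitability and Discoverability are grouped as "probability" and Damage Potential and Affected Users as "impact" so the two dimensions the paper asks for can be reported separately, and the severity bands and sample threats are constructed.

```python
"""DREAD scoring of STRIDE-classified threats (added example).

Assumptions, not figures from the white paper: each factor is 1..10, the
DREAD score is the mean of the five factors, probability = mean of
(Reproducibility, Exploitability, Discoverability), impact = mean of
(Damage Potential, Affected Users), and the severity bands below.
"""
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing Identity",
    "T": "Tampering With Data",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial Of Service",
    "E": "Elevation Of Privilege",
}

DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")
PROBABILITY_FACTORS = ("reproducibility", "exploitability", "discoverability")
IMPACT_FACTORS = ("damage", "affected_users")


@dataclass(frozen=True)
class Threat:
    name: str
    stride: str          # one of the STRIDE letters
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        # Reject malformed entries early so a scoring sheet cannot be skewed
        # by a typo such as a score of 0 or 11.
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE class: {self.stride}")
        for factor in DREAD_FACTORS:
            value = getattr(self, factor)
            if not 1 <= value <= 10:
                raise ValueError(f"{factor} must be 1..10, got {value}")

    def _mean(self, factors):
        return sum(getattr(self, f) for f in factors) / len(factors)

    def dread_score(self) -> float:
        return self._mean(DREAD_FACTORS)

    def probability(self) -> float:
        return self._mean(PROBABILITY_FACTORS)

    def impact(self) -> float:
        return self._mean(IMPACT_FACTORS)


def rank_threats(threats):
    """Threats sorted by DREAD score, most severe first."""
    return sorted(threats, key=lambda t: t.dread_score(), reverse=True)


def severity_band(score: float) -> str:
    """Assumed bands: 7 and above high, 4 and above medium, otherwise low."""
    if score >= 7:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


# Constructed threat list for a hypothetical web application.
SAMPLE_THREATS = [
    Threat("SQL injection in search form", "T", 9, 10, 8, 9, 8),
    Threat("Login error reveals whether account exists", "I", 3, 10, 9, 6, 9),
    Threat("Audit log writable by application account", "R", 6, 5, 4, 3, 3),
    Threat("Predictable session IDs", "S", 8, 7, 6, 9, 5),
]

if __name__ == "__main__":
    for t in rank_threats(SAMPLE_THREATS):
        print(f"{t.dread_score():4.1f} {severity_band(t.dread_score()):6} "
              f"P={t.probability():.1f} I={t.impact():.1f} "
              f"[{STRIDE[t.stride]}] {t.name}")
```

Reporting probability and impact beside the combined score matters because two threats with the same DREAD mean can call for different responses: a high-impact, low-probability item is a candidate for architectural controls, while a low-impact, high-probability item is usually a cheap fix that should simply be scheduled.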
  • 7. Code Review

We recommend that an application in development pass a thorough code review. By no means do we expect each developer to walk through their sections line by line. In contrast, this is an exercise that ensures that common assumptions are agreed upon, and no major misunderstandings are present. A reasonable sample outline is suggested as follows:

  • Monitoring of security metrics is supported.
  • Secure operational environment is specified.
  • Attack surface and threat environment is understood.
  • Misuse cases have been identified.
  • Global security policy (for the project scope) is in place.
  • Resource and trust boundaries have been identified.
  • User roles and resource capabilities are understood.
  • Security relevant requirements have been documented.

In practice the agenda and topics covered will undoubtedly be lengthier, but this serves to give you a flavor of the process.

Security Checklists
These simple checklists are often useful for developers to keep security principles in mind. Listed below is a subset of an actual checklist. These lists should also adapt themselves to the business goals, threat environment and usage scenarios associated with the application.

Procedure (Category): Goal
  Denial of Service (Custom Application Vulnerability): Does the application continue to function normally when given abnormally large input values, query strings, or cookie strings?
  Cross Site Scripting (Custom Application Vulnerability): Does the application allow scripts to be reflected within the HTML content stream and execute when viewed in a browser? Does the application allow users to store persistently harmful scripts?
  SQL Injection (Custom Application Vulnerability): Does the application allow a user to elicit database errors or run arbitrary database commands by sending unexpected input sequences?
  OS-level Command Injection (Custom Application Vulnerability): Does the application allow a user to execute system commands by submitting specially crafted values in form fields and/or query strings?
  Authorization (Authentication Mechanisms): Does the application successfully restrict access to all pages, scripts and objects for which authentication is required? Is it possible to access restricted resources via forceful browsing?
  Authorized Pages/Functions (Authentication Mechanisms): Does the application properly enforce security controls to registered or authenticated users? Does the application allow a user to manipulate query strings and obtain access to restricted URLs?
  Authentication Endpoint Request Should be HTTPS (SSL Security): Does the application allow user passwords to be submitted over non-SSL connections?

  • 8. Security Checklist (Cont.)

  Credential Transport Over Encrypted Channel (SSL Security): Once an SSL session is established, are there any cases when a user browses to an HTTP resource?
  Session Token Security (Session Security): Does the application utilize session IDs that are sufficiently long and random?
  Session Hijacking (Session Security): Does the re-use of Session IDs allow one user to obtain access to another user’s session?
  HTTP Methods (Infrastructure Testing): What HTTP methods does the web server support? Does the web server support HTTP methods such as PUT or DELETE?
  Web Server Configuration Common Paths (Infrastructure Testing): Are there configuration dependent vulnerabilities on the server? Depending upon the web server type, what are the most common configuration errors and are they present?
  Directory Browsing (Infrastructure Testing): Can any directories be browsed?
  User Error Messages (Environment Security): Does the application reveal sensitive information in its error messages related to the presence or absence of user accounts?

Source Code Analysis
Source code analysis tools can provide a useful point of automation in identifying potential risks and vulnerabilities. This process may easily be integrated within the build cycle. However, when it comes to analysis those performing the analysis must be equipped with the system requirements and security specifications; the threat profile for the system and any additional supporting documentation. The team is then equipped to examine the tool output and determine whether risks are relevant or not. The threat profile may also help rule out potential risks and vulnerabilities. Nevertheless, the findings in scope must be addressed.
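Four of the checklist items above (Session Token Security, Session Hijacking, Authentication Endpoint Request Should be HTTPS, User Error Messages) turned into an automated check that can run in the build cycle the paper recommends. This is an added example, not Redspin's checklist tooling or code from the white paper: the entropy estimate, the 64-bit floor, the observation format and the two sample builds are all assumptions constructed for illustration.

```python
"""Automating part of the security checklist (added example, not Redspin's
code). It evaluates four checklist items from observations a tester records
against a pre-production build: session IDs issued to different users
(Session Token Security, Session Hijacking), the login form's action URL
(Authentication Endpoint Request Should be HTTPS) and the error text returned
for an existing versus an unknown user name (User Error Messages). The
entropy floor and the sample observations are assumptions."""
import math
import string
from urllib.parse import urlparse

MIN_SESSION_BITS = 64  # assumed floor for the entropy estimate of a session ID


def estimate_entropy_bits(token: str) -> float:
    """Upper-bound entropy estimate: length * log2(alphabet size), with the
    alphabet inferred from the character classes present in the token.
    Sequential or short IDs score far below any reasonable floor."""
    size = 0
    for chars, n in ((string.digits, 10),
                     (string.ascii_lowercase, 26),
                     (string.ascii_uppercase, 26)):
        if any(c in chars for c in token):
            size += n
    size += len({c for c in token if not c.isalnum()})  # punctuation, one each
    return 0.0 if size <= 1 else len(token) * math.log2(size)


def check_session_tokens(issued):
    """issued: list of (user, session_id) pairs observed across logins."""
    findings = []
    for user, sid in issued:  # Session Token Security
        bits = estimate_entropy_bits(sid)
        if bits < MIN_SESSION_BITS:
            findings.append(f"Session Token Security: '{sid}' for {user} "
                            f"estimates to ~{bits:.0f} bits")
    first_owner = {}
    for user, sid in issued:  # Session Hijacking: one ID handed to two users
        if sid in first_owner and first_owner[sid] != user:
            findings.append(f"Session Hijacking: '{sid}' issued to "
                            f"{first_owner[sid]} and {user}")
        first_owner.setdefault(sid, user)
    return findings


def check_login_endpoint(form_action: str):
    """Authentication Endpoint Request Should be HTTPS."""
    if urlparse(form_action).scheme != "https":
        return [f"Authentication Endpoint: password form posts to "
                f"{form_action}, not HTTPS"]
    return []


def check_error_messages(msg_known_user: str, msg_unknown_user: str):
    """User Error Messages: the response must not reveal account existence."""
    if msg_known_user != msg_unknown_user:
        return ["User Error Messages: login response differs for existing "
                "and unknown accounts"]
    return []


def run_checklist(obs):
    return (check_session_tokens(obs["sessions"])
            + check_login_endpoint(obs["login_action"])
            + check_error_messages(obs["error_known"], obs["error_unknown"]))


# Constructed observations for a hypothetical application, before and after
# the findings were fixed.
WEAK_BUILD = {
    "sessions": [("alice", "1001"), ("bob", "1002"), ("carol", "1001")],
    "login_action": "http://app.example/login",
    "error_known": "Invalid password",
    "error_unknown": "No such user",
}
HARDENED_BUILD = {
    "sessions": [("alice", "3f9aK2mQ8xR1vL7tZ0pW5nY4cB6dH8jS"),
                 ("bob", "Q7wE2rT9yU4iO1pA6sD3fG8hJ5kL0zXc")],
    "login_action": "https://app.example/login",
    "error_known": "Invalid user name or password",
    "error_unknown": "Invalid user name or password",
}

if __name__ == "__main__":
    for label, build in (("weak", WEAK_BUILD), ("hardened", HARDENED_BUILD)):
        print(label, run_checklist(build) or ["no findings"])
```

The entropy figure is an upper bound computed from the token's shape, so it can only fail an ID, never certify one; a generator that draws from a cryptographic source (Python's `secrets` module, for instance) is still required for the Session Token Security item to actually hold. Running the same observations against each daily build gives the trend the Preproduction Testing section asks for: a finding count that falls over time.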
  • 9. Flow – Integrating The Application Within The Information Security System

Data Classification
Although this is a system wide information security initiative, application developers and owners should create an inventory of data expected to be used and generated by the application. This exercise typically classifies data as High Business Impact (HBI), Medium Business Impact (MBI) or Low Business Impact (LBI) depending on the business requirements and the confidentiality, integrity and availability implications. Corporate security policy should help in this regard.

Information Privilege
Again corporate security policy can act as a reference point in making decisions regarding information privilege. Ultimately the decisions in this area will reside in the application security specification. It is useful though to consider the total scope of information sources and the associated privilege levels. Internal policy requirements as well as regulatory requirements will aid in shaping these decisions.

Identity and Access Management
When making identity and access management decisions it is important to have a clear understanding of the type of customers the application will be addressing. Clearly, different solutions will present themselves for a consumer facing banking application than for an internal travel and expense system. It is best to make this decision early and then iterate and refine implementation strategies as you refine the threat and risk models as well as the application specification.

Privacy
Privacy is another area that should be dictated by corporate security policy and reinforced by the application. There may be circumstances where the application is intended to be used internationally and corporate policy has not yet caught up with privacy laws in those countries. In this case the application team must do their own research and fold back the results into corporate policy.

Security Enforcement Mechanisms
Keep in mind that the application resides within the infrastructure and you should take full advantage of the enforcement mechanisms that exist. The same is true of monitoring mechanisms. The application team does have to exert effort to ensure that they understand how enforcement works and what they expect to achieve (whitelisting, blacklisting, etc.).

Encryption and Key Management
Encryption can play a key role in reducing the attack surface for critical data. Here, you can use the output of the data classification exercise to decide what to encrypt. Key management is also an important factor in the overall process. A critical attribute to seek out is solutions where you don’t have to change your database table sizes to accommodate encryption. In other words, the encrypted data is the same size and data type as the clear text data.

Preproduction Testing
Whether performed by QA or operations, pre-production testing is usually performed using black box tools and should be done in an environment that is nearly (if not) identical to the production environment. This activity should be performed as part of the daily build cycle. The goal should be a systematic reduction in the number of vulnerabilities over time even as new functionality is added.
  • 10. Impact – Creating Business Value

System Integration
Very few applications in modern environments exist as standalone entities. At the very least they employ directory services or back-up services. In most circumstances the application is providing or receiving data from other applications, sometimes directly or quite commonly through an enterprise message bus. It is imperative that the test environment reflects these conditions and that no vulnerabilities are introduced through this additional connectivity.

Change Management
Change management controls when fixes to the application may be introduced. Processes should be stipulated by policy. An important practice is to document well the circumstances surrounding the need for the change. Often, a new set of vulnerabilities will have been found, but it is equally important to note if there has been a change in threat model or with the supporting infrastructure.

Regulatory Compliance
We advocate creating policy such that internal compliance encompasses regulatory requirements. In any circumstance testing procedures need to ensure compliance with the applicable regulations. This is often a good opportunity to perform a web application assessment from a trusted third party in that compliance is generally a cut and dried area, but the assessment may also surface other important areas of consideration.

Audit Process
One aspect of the secure application development process should consider making the audit process easy and predictable. Strong documentation, predictable logging, and demonstration of adherence to policy all contribute towards a successful audit experience. Most importantly anticipating and preparing for an audit makes this task just another predictable item on the schedule rather than a fear inducing experience that can disrupt performance to schedule.

Incident Response
What happens if there is a data breach? We recommend that you prepare in advance for the actions that will be taken. Further, responding to an incident will extend beyond just the core applications team. Be clear on the roles and responsibilities of security, operations and your own applications group.

Production Testing
To assess applications running in production a different strategy must be employed. One potential approach is to do application penetration testing with a suite of attacks that are known to be non-invasive and likely will not take down the application. A better option, if the application is deployed in a virtualized environment, is to take a “snapshot” of the application to be tested. This image is then moved to a staging environment where it can be tested thoroughly. When vulnerabilities are identified the application must be fixed, tested and then released back to production under change control.

Risk Management
Another important practice is to actively manage risk associated with the application. We have found that this can be done most effectively by developing a model that accounts for the likelihood and probability of loss related events. For example, quantitatively modeling the risk of financial loss due to data breach, fines associated with non-compliance or business loss due to application downtime can be helpful in terms of allocating resources for prevention. But it is also useful in terms of helping management understand why so much effort is being expended around application security. Once again, this is an ongoing process that must stay current with emerging threats whether internal, external or from partner organizations.
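The quantitative loss model the Risk Management section describes, worked through as an added example (not a model from the white paper or from Redspin). It uses the standard annualized loss expectancy arithmetic (ALE = single loss expectancy times annual rate of occurrence) for the three loss categories the paper names, and ranks candidate prevention spending by return on security investment (ROSI). All loss figures, rates, control costs and reduction factors are constructed for a hypothetical application.

```python
"""Quantitative loss model for application risk (added example).

ALE = single loss expectancy x annual rate of occurrence, summed over the
loss events the paper names (breach, compliance fines, downtime).
ROSI = (ALE before control - ALE after control - control cost) / control cost.
Every number below is a constructed assumption, not a figure from the paper.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LossEvent:
    name: str
    single_loss: float   # cost per occurrence, in currency units
    annual_rate: float   # expected occurrences per year (probability)

    def ale(self) -> float:
        """Annualized loss expectancy for this event."""
        return self.single_loss * self.annual_rate


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # Fraction by which the control reduces each event's annual rate,
    # keyed by event name; events not listed are unaffected.
    rate_reduction: dict


def total_ale(events) -> float:
    return sum(e.ale() for e in events)


def apply_control(events, control):
    """Event list with the control's rate reductions applied."""
    return [LossEvent(e.name, e.single_loss,
                      e.annual_rate * (1 - control.rate_reduction.get(e.name, 0.0)))
            for e in events]


def rosi(events, control) -> float:
    """Return on security investment; negative means the control costs more
    than the loss it is expected to avoid."""
    avoided = total_ale(events) - total_ale(apply_control(events, control))
    return (avoided - control.annual_cost) / control.annual_cost


def rank_controls(events, controls):
    """Controls sorted by ROSI, best use of prevention budget first."""
    return sorted(controls, key=lambda c: rosi(events, c), reverse=True)


# Constructed scenario for a hypothetical customer-facing web application.
SAMPLE_EVENTS = [
    LossEvent("data breach", single_loss=500_000, annual_rate=0.2),
    LossEvent("compliance fine", single_loss=100_000, annual_rate=0.5),
    LossEvent("application downtime", single_loss=20_000, annual_rate=4),
]
SAMPLE_CONTROLS = [
    Control("daily pre-production scanning", 40_000,
            {"data breach": 0.5, "application downtime": 0.25}),
    Control("third-party compliance assessment", 30_000,
            {"compliance fine": 0.8}),
    Control("additional DDoS mitigation", 60_000,
            {"application downtime": 0.5}),
]

if __name__ == "__main__":
    print(f"current ALE: {total_ale(SAMPLE_EVENTS):,.0f}")
    for c in rank_controls(SAMPLE_EVENTS, SAMPLE_CONTROLS):
        print(f"{rosi(SAMPLE_EVENTS, c):+.2f}  {c.name}")
```

The reduction factors are the soft part of any such model and should be revisited whenever the threat model or the supporting infrastructure changes, which is why the paper ties risk management to change management and calls it an ongoing process. Presenting the ranked list rather than a single total is what helps management see why a given security effort is being funded ahead of another.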
  • 11. Business Impact

The most important result of following this process is an application that is up and running and fulfilling its mission whether that is to make employees more productive or to generate revenue through online transactions. The extended team, including operations, security and business unit management should have a high degree of confidence in the following areas:

  • The corporate brand is protected
  • Risk has been minimized
  • The service will be available (or at least not down because of security issues)
  • Employees will be productive
  • Regulatory fines will be avoided
  • Reputational damage will be avoided

About Redspin
www.redspin.com
Redspin delivers the highest quality information security assessments through technical expertise, business acumen and objectivity. Redspin customers include leading companies in areas such as health care, financial services and hotels, casinos and resorts as well as retailers and technology providers. Some of the largest communications providers and commercial banks rely upon Redspin to provide an effective technical solution tailored to their business context, allowing them to reduce risk, maintain compliance and increase the value of their business unit and IT portfolios.