Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Application Security Risk Rating Vaibhav Gupta Security Researcher – Adobe in.linkedin.com/in/vaibhav0 @VaibhavGupta_1
$ whoami 2  Current  Security Researcher - Adobe  Previous  Sr. Information Security Engg. – Fortune 500 company  Bef...
Problem Statement 1. Limited resources to security test large threat landscape of web applications within enterprise 2. As...
Lets first deal with “1” 4 1. Limited resources to security test large threat landscape of web applications within enterpr...
Solution ? 5  Prioritization  Focus on categorizing into high, medium and low risk applications in.linkedin.com/in/vaibh...
Approach – Risk Assessment of Applications 6 Analyze Business criticality of Applications Analyze Risk Posture of Applicat...
Analyze Business criticality of Application 7 Critical Important Strategic Internal in.linkedin.com/in/vaibhav0
Sr. # Questions Response (Yes/No) 1 Is the application facing the internet? 2 Is this application dealing with credit card...
Categorize Applications based on Risk 9 Inventory Business Criticality Risk Posture Categorized Inventory Low Medium High ...
Test Case - Categorize Applications based on Risk 10 in.linkedin.com/in/vaibhav0  Payroll application
Lets deal with next problem statement: “2” 11 2. Assigning risk levels to vulnerabilities found in manual assessments ????...
OWASP: Risk Rating Methodology 12  There are many different approaches to risk analysis. The OWASP approach is based on s...
OWASP: Risk Rating Methodology - Steps 13 Step 1 • Identifying a Risk Step 2 • Estimating Likelihood Step 3 • Estimating I...
Step 1: Identifying a Risk 14  What needs to be rated?  XSS ?  SQLi ?  Threat agents ?  Impact ? in.linkedin.com/in/v...
Step 2: Estimating Likelihood 15  Threat Agent Factors  Skill level  Motive  Opportunity  Size  Vulnerability Factor...
Step 3: Estimating Impact 16  Technical Impact Factors  Loss of confidentiality  Loss of integrity  Loss of availabili...
Step 4: Determining Severity of the Risk 17 Likelihood and Impact Levels 0 to <3 LOW 3 to <6 MEDUIM 6 to 9 HIGH in.linkedi...
Step 4: Determining Severity of the Risk (Cont..) 18
Test Case - OWASP Risk Rating 19 in.linkedin.com/in/vaibhav0
Step 5: Deciding What to Fix 20 in.linkedin.com/in/vaibhav0 PRIORITIZE Critical High Medium Low Note Note: As a general ru...
Step 6: Customizing Your Risk Rating Model 21 “A tailored model is much more likely to produce results that match people's...
?? Questions ?? Vaibhav Gupta Security Researcher – Adobe in.linkedin.com/in/vaibhav0 @VaibhavGupta_1
References: 23  http://owasp.org/index.php/OWASP_Risk_Rating_ Methodology  http://owasp.org
Upcoming SlideShare
Loading in …5
×

Application Security Risk Rating

2,280 views

Published on

Overview of challenges faced while risk assessment of applications and their vulnerabilities. Then demonstrating OWASP risk rating methodology to solve this problem statement.
I presented on this topic at ISC2 Delhi meet in September, 2013

Published in: Technology, Business
no profile picture user

  • Login to see the comments

Application Security Risk Rating

  1. 1. Application Security Risk Rating Vaibhav Gupta Security Researcher – Adobe in.linkedin.com/in/vaibhav0 @VaibhavGupta_1
  2. 2. $ whoami 2  Current  Security Researcher - Adobe  Previous  Sr. Information Security Engg. – Fortune 500 company  Before that..  InfoSec consultant at various companies
  3. 3. Problem Statement 1. Limited resources to security test large threat landscape of web applications within enterprise 2. Assigning risk levels to vulnerabilities found in manual assessments 3 in.linkedin.com/in/vaibhav0
  4. 4. Lets first deal with “1” 4 1. Limited resources to security test large threat landscape of web applications within enterprise  Increasing threat landscape  Slow pace of organizations to adopt secure coding practices  Does not make sense to address all issues simultaneously in.linkedin.com/in/vaibhav0
  5. 5. Solution ? 5  Prioritization  Focus on categorizing into high, medium and low risk applications in.linkedin.com/in/vaibhav0
  6. 6. Approach – Risk Assessment of Applications 6 Analyze Business criticality of Applications Analyze Risk Posture of Application Categorize Applications based on Risk Security Assessment Project Planning in.linkedin.com/in/vaibhav0
  7. 7. Analyze Business criticality of Application 7 Critical Important Strategic Internal in.linkedin.com/in/vaibhav0
  8. 8. Sr. # Questions Response (Yes/No) 1 Is the application facing the internet? 2 Is this application dealing with credit card data? 3 Is this application dealing with SSN or any other PII data? 4 Does application host any classified or patented data? 5 If the application goes down, can it create threat to human life? 6 Will this application be subject to any compliance audits? 7 Is this application designed to aid Top Management or Board Members in decision making? 8 Does application implement any kind of authentication? If yes, please give additional details 9 Does application implement any kind of authorization? If yes, provide additional details 10 Is this application developed as a plug-in or extension for other application? If yes, please provide additional details on what all applications it will be working with Analyze Risk Posture of Application 8
  9. 9. Categorize Applications based on Risk 9 Inventory Business Criticality Risk Posture Categorized Inventory Low Medium High in.linkedin.com/in/vaibhav0
  10. 10. Test Case - Categorize Applications based on Risk 10 in.linkedin.com/in/vaibhav0  Payroll application
  11. 11. Lets deal with next problem statement: “2” 11 2. Assigning risk levels to vulnerabilities found in manual assessments ???? Why are we even considering this problem statement in.linkedin.com/in/vaibhav0
  12. 12. OWASP: Risk Rating Methodology 12  There are many different approaches to risk analysis. The OWASP approach is based on standard methodologies and is customized for application security.  Standard risk model : Risk = Likelihood * Impact in.linkedin.com/in/vaibhav0
  13. 13. OWASP: Risk Rating Methodology - Steps 13 Step 1 • Identifying a Risk Step 2 • Estimating Likelihood Step 3 • Estimating Impact Step 4 • Determining Severity of the Risk Step 5 • Deciding What to Fix Step 6 • Customizing Your Risk Rating Model in.linkedin.com/in/vaibhav0
  14. 14. Step 1: Identifying a Risk 14  What needs to be rated?  XSS ?  SQLi ?  Threat agents ?  Impact ? in.linkedin.com/in/vaibhav0
  15. 15. Step 2: Estimating Likelihood 15  Threat Agent Factors  Skill level  Motive  Opportunity  Size  Vulnerability Factors  Ease of discovery  Ease of exploit  Awareness  Intrusion detection in.linkedin.com/in/vaibhav0
  16. 16. Step 3: Estimating Impact 16  Technical Impact Factors  Loss of confidentiality  Loss of integrity  Loss of availability  Loss of accountability  Business Impact Factors  Financial damage  Reputation damage  Non-compliance  Privacy violation in.linkedin.com/in/vaibhav0
  17. 17. Step 4: Determining Severity of the Risk 17 Likelihood and Impact Levels 0 to <3 LOW 3 to <6 MEDUIM 6 to 9 HIGH in.linkedin.com/in/vaibhav0 𝐿𝑖𝑘𝑒𝑙𝑖ℎ𝑜𝑜𝑑 𝑂𝑅 𝐼𝑚𝑝𝑎𝑐𝑡 𝑙𝑒𝑣𝑒𝑙 = 𝑇𝑜𝑡𝑎𝑙 𝑠𝑢𝑚 𝑜𝑓 𝑣𝑎𝑙𝑢𝑒𝑠 𝑇𝑜𝑡𝑎𝑙 𝑛𝑜 𝑜𝑓 𝑣𝑎𝑙𝑢𝑒𝑠
  18. 18. Step 4: Determining Severity of the Risk (Cont..) 18
  19. 19. Test Case - OWASP Risk Rating 19 in.linkedin.com/in/vaibhav0
  20. 20. Step 5: Deciding What to Fix 20 in.linkedin.com/in/vaibhav0 PRIORITIZE Critical High Medium Low Note Note: As a general rule, you should fix the most severe risks first
  21. 21. Step 6: Customizing Your Risk Rating Model 21 “A tailored model is much more likely to produce results that match people's perceptions about what is a serious risk” - OWASP  Adding factors  Customizing options  Weighting factors in.linkedin.com/in/vaibhav0
  22. 22. ?? Questions ?? Vaibhav Gupta Security Researcher – Adobe in.linkedin.com/in/vaibhav0 @VaibhavGupta_1
  23. 23. References: 23  http://owasp.org/index.php/OWASP_Risk_Rating_ Methodology  http://owasp.org

×