Business Justification for Application Security Assessment

From OWASP
Revision as of 19:55, 26 May 2009

Today's enterprises and end users have become increasingly dependent on IT applications. IT applications (most of them web based) allow customers and users to directly access personal and confidential information, encouraging a self-service model and decreasing business cost. Critical business functions depend on the successful functioning of these IT applications; enterprises such as eBay and Amazon.com have most of their business dependent on their Internet-facing flagship applications.

There is an exponential increase in the vulnerabilities found in web applications, with significant financial impact on the enterprise and on the privacy of end users. Gartner's recent studies [1] show that hackers are moving towards web application based attacks; 75% of all attacks now occur on web applications. Systems and network administrators have, in the last 5-10 years (late 1990s to early 2000s), achieved significant maturity in controlling OS and network level attacks. Strong OS hardening and patching procedures coupled with well managed firewalls give the business sufficient assurance that these layers are secure and not easy to penetrate.

This is not yet true for applications, especially web applications. A web application provides a logical tunnel from the outside Internet to the backend databases inside the enterprise. Web applications are complex pieces of code with a mix of customized business logic, third party libraries, back-end database routines and integration with multiple other applications. Complexity increases the potential points of failure. A recent study by penetration testers [2] shows that more than 95% of web applications have some sort of vulnerability.

What pressures is the business coming under?

Compliance and Regulatory Needs

Sarbanes-Oxley for financial accounting, HIPAA for safe handling of medical records, Gramm-Leach-Bliley for customer privacy, and PCI for safely processing and handling credit card information: the list is endless. Achieving compliance with regulations imposed by government and industry is one of the top priorities for business. Compliance entails having strong security controls in your IT applications and associated processes. A security assessment helps to check compliance, and in some cases is required.


Increasing Cost of Security Breaches

The cost of security breaches is increasing. Besides losing customer confidence, the enterprise may end up paying heavy penalties. The Payment Card Industry (PCI) recently announced a $50,000 fine per incident if cardholder data is compromised. ChoicePoint lost the information of 145,000 customers in 2005 and ended up spending $11.4 million in related costs.


Awareness of Users

Users have become much more aware of and attentive to the privacy, confidentiality and safekeeping of their personal information. The media has helped to create this awareness. Comments like "... I refused to enter my credit card information as I don't see the padlock [SSL] at the bottom of my browser window..." are common.


What is there to lose?

The ultimate question for the business may be: what is there to lose?

  • Data, which may be the biggest asset in the enterprise
  • Public image and the confidence of customers
  • Availability of applications, where outages cause unplanned blackouts for the business


We have discussed the potential business impacts of insecure applications. An Application Security Assessment helps to identify the weaknesses and potential issues in our web applications. It helps the business spend its security dollars where they are most required, and it is a way to consistently keep our applications one notch ahead of the attackers.

References

[1] Gartner, Nov 2005, <http://gartner.com>

[2] Studies from numerous penetration tests by Imperva, <http://www.imperva.com/application_defense_center/papers/how_safe_is_it.html>
