This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Day 2"
From OWASP
(Created page with "== Key Activities == *Become intimately familiar with what you are meant to protect and at what level. *Define processes, procedures, and checklists to align assessment strate...") |
|||
| Line 48: | Line 48: | ||
|} | |} | ||
| − | *Map asset criticality against attacker profiles with use of a GRC* (Governance Risk Management and Compliance) | + | *Map asset criticality against attacker profiles with use of a GRC* (Governance Risk Management and Compliance) tool if available, or using an information asset register such as the University of Oxford Information Asset Register Tool |
| − | tool if available, or using an information asset register such as the University of Oxford Information Asset Register | ||
| − | Tool | ||
For example: | For example: | ||
| − | *Tier 1 = Targeted Govt./State sponsor. | + | **Tier 1 = Targeted Govt./State sponsor. |
| − | *Tier 2 = Hactivism | + | **Tier 2 = Hactivism |
| − | *Tier 3 = Random Opportunistic | + | **Tier 3 = Random Opportunistic |
*Implement ISO 17799: Asset Management or similar standard to improve governance of application assets. | *Implement ISO 17799: Asset Management or similar standard to improve governance of application assets. | ||
| Line 63: | Line 61: | ||
*Alert Operations team of upcoming activities. | *Alert Operations team of upcoming activities. | ||
*Gather written buy-in from application stakeholders for the assessment activities. | *Gather written buy-in from application stakeholders for the assessment activities. | ||
| − | *Develop, publish, and maintain comprehensive application security and privacy standards, policies, procedures and | + | *Develop, publish, and maintain comprehensive application security and privacy standards, policies, procedures and guidelines and enforce these in compliance with relevant global regulations and standards. |
| − | guidelines and enforce these in compliance with relevant global regulations and standards. | ||
*Define, document and share application business continuity and incident response plan. (Business Continuity Plan Resources: ITIL, COBIT, NIST) | *Define, document and share application business continuity and incident response plan. (Business Continuity Plan Resources: ITIL, COBIT, NIST) | ||
Revision as of 17:27, 15 December 2014
Key Activities
- Become intimately familiar with what you are meant to protect and at what level.
- Define processes, procedures, and checklists to align assessment strategies to business needs.
- Effectively communicate the introduction and goals of the Application Security assessment program.
- Provide a single point of contact for the program.
Asset Discovery
- Gather Internal, External and Hosted IP ranges.
- Catalogue known domains and subdomains.
- Identify asset meta-data locations. (CMDBs, GRCs, etc.).
- Identify site owners, where those are not already known.
- Gather assessment credentials, including multiple roles for horizontal and vertical testing.
- Identify the rate of application change (e.g. monthly, weekly, etc.…)
Asset Risk Prioritization
- Develop or leverage existing methodology for stack ranking the value of your assets to the business based on
impact to confidentiality, integrity and availability (C.I.A.). (See: [1])
POTENTIAL IMPACT
| SECURITY OBJECTIVE | LOW | MODERATE | HIGH |
|---|---|---|---|
| Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [44 U.S.C., SEC. 3542] |
The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
| Integrity
Guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity. [44 U.S.C., SEC. 3542] |
The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a serious adverse effect on
organizational operations, organizational assets, or individuals. |
The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
| Availability
Ensuring timely and reliable access to and use of information. [44 U.S.C., SEC. 3542] |
The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
- Map asset criticality against attacker profiles with use of a GRC* (Governance Risk Management and Compliance) tool if available, or using an information asset register such as the University of Oxford Information Asset Register Tool
For example:
- Tier 1 = Targeted Govt./State sponsor.
- Tier 2 = Hactivism
- Tier 3 = Random Opportunistic
- Implement ISO 17799: Asset Management or similar standard to improve governance of application assets.
Communication Plan
- Set expectations of assessment program for all interested parties.
- Alert Operations team of upcoming activities.
- Gather written buy-in from application stakeholders for the assessment activities.
- Develop, publish, and maintain comprehensive application security and privacy standards, policies, procedures and guidelines and enforce these in compliance with relevant global regulations and standards.
- Define, document and share application business continuity and incident response plan. (Business Continuity Plan Resources: ITIL, COBIT, NIST)
