This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Day 2"
From OWASP
Gabrielgumbs (talk | contribs) |
|||
| Line 5: | Line 5: | ||
*Provide a single point of contact for the program. | *Provide a single point of contact for the program. | ||
| + | <span id="Asset Discovery"></span> | ||
== Asset Discovery == | == Asset Discovery == | ||
*Gather Internal, External and Hosted IP ranges. | *Gather Internal, External and Hosted IP ranges. | ||
| Line 13: | Line 14: | ||
*Identify the rate of application change (e.g. monthly, weekly, etc.…) | *Identify the rate of application change (e.g. monthly, weekly, etc.…) | ||
| + | <span id="Asset Risk Prioritization"></span> | ||
== Asset Risk Prioritization == | == Asset Risk Prioritization == | ||
*Develop or leverage existing methodology for stack ranking the value of your assets to the business based on | *Develop or leverage existing methodology for stack ranking the value of your assets to the business based on | ||
| Line 57: | Line 59: | ||
*Implement ISO 17799: Asset Management or similar standard to improve governance of application assets. | *Implement ISO 17799: Asset Management or similar standard to improve governance of application assets. | ||
| + | <span id="Communication Plan"></span> | ||
== Communication Plan == | == Communication Plan == | ||
*Set expectations of assessment program for all interested parties. | *Set expectations of assessment program for all interested parties. | ||
Revision as of 22:26, 5 January 2015
Key Activities
- Become intimately familiar with what you are meant to protect and at what level.
- Define processes, procedures, and checklists to align assessment strategies to business needs.
- Effectively communicate the introduction and goals of the Application Security assessment program.
- Provide a single point of contact for the program.
Asset Discovery
- Gather Internal, External and Hosted IP ranges.
- Catalogue known domains and subdomains.
- Identify asset meta-data locations. (CMDBs, GRCs, etc.).
- Identify site owners, where those are not already known.
- Gather assessment credentials, including multiple roles for horizontal and vertical testing.
- Identify the rate of application change (e.g. monthly, weekly, etc.…)
Asset Risk Prioritization
- Develop or leverage existing methodology for stack ranking the value of your assets to the business based on
impact to confidentiality, integrity and availability (C.I.A.). (See: [1])
POTENTIAL IMPACT
| SECURITY OBJECTIVE | LOW | MODERATE | HIGH |
|---|---|---|---|
| Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [44 U.S.C., SEC. 3542] |
The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
| Integrity
Guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity. [44 U.S.C., SEC. 3542] |
The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a serious adverse effect on
organizational operations, organizational assets, or individuals. |
The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
| Availability
Ensuring timely and reliable access to and use of information. [44 U.S.C., SEC. 3542] |
The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
- Map asset criticality against attacker profiles with use of a GRC (Governance Risk Management and Compliance) tool if available, or using an information asset register such as the University of Oxford Information Asset Register Tool
For example:
- Tier 1 = Targeted Govt./State sponsor.
- Tier 2 = Hactivism
- Tier 3 = Random Opportunistic
- Implement ISO 17799: Asset Management or similar standard to improve governance of application assets.
Communication Plan
- Set expectations of assessment program for all interested parties.
- Alert Operations team of upcoming activities.
- Gather written buy-in from application stakeholders for the assessment activities.
- Develop, publish, and maintain comprehensive application security and privacy standards, policies, procedures and guidelines and enforce these in compliance with relevant global regulations and standards.
- Define, document and share application business continuity and incident response plan. (Business Continuity Plan Resources: ITIL, COBIT, NIST)
