This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Day 2
< Back to The Application_Security_Program_Quick_Start_Guide
Key Activities
- Become intimately familiar with what you are meant to protect and at what level.
- Define processes, procedures, and checklists to align assessment strategies to business needs.
- Effectively communicate the introduction and goals of the Application Security assessment program.
- Provide a single point of contact for the program.
Asset Discovery
- Gather Internal, External and Hosted IP ranges.
- Catalogue known domains and subdomains.
- Identify asset meta-data locations. (CMDBs, GRCs, etc.).
- Identify site owners, where those are not already known.
- Gather assessment credentials, including multiple roles for horizontal and vertical testing.
- Identify the rate of application change (e.g. monthly, weekly, etc.…)
Asset Risk Prioritization
- Develop or leverage existing methodology for stack ranking the value of your assets to the business based on
impact to confidentiality, integrity and availability (C.I.A.). (See: [1])
POTENTIAL IMPACT
SECURITY OBJECTIVE | LOW | MODERATE | HIGH |
---|---|---|---|
Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [44 U.S.C., SEC. 3542] |
The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
Integrity
Guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity. [44 U.S.C., SEC. 3542] |
The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a serious adverse effect on
organizational operations, organizational assets, or individuals. |
The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
Availability
Ensuring timely and reliable access to and use of information. [44 U.S.C., SEC. 3542] |
The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
- Map asset criticality against attacker profiles with use of a GRC (Governance Risk Management and Compliance) tool if available, or using an information asset register such as the University of Oxford Information Asset Register Tool
For example:
- Tier 1 = Targeted Govt./State sponsor.
- Tier 2 = Hactivism
- Tier 3 = Random Opportunistic
- Implement ISO 17799: Asset Management or similar standard to improve governance of application assets.
Communication Plan
- Set expectations of assessment program for all interested parties.
- Alert Operations team of upcoming activities.
- Gather written buy-in from application stakeholders for the assessment activities.
- Develop, publish, and maintain comprehensive application security and privacy standards, policies, procedures and guidelines and enforce these in compliance with relevant global regulations and standards.
- Define, document and share application business continuity and incident response plan. (Business Continuity Plan Resources: ITIL, COBIT, NIST)
< Back to The Application_Security_Program_Quick_Start_Guide