This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Day 2

From OWASP
Revision as of 22:43, 5 January 2015 by Gabrielgumbs (talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

< Back to The Application_Security_Program_Quick_Start_Guide


Key Activities

  • Become intimately familiar with what you are meant to protect and at what level.
  • Define processes, procedures, and checklists to align assessment strategies to business needs.
  • Effectively communicate the introduction and goals of the Application Security assessment program.
  • Provide a single point of contact for the program.

Asset Discovery

  • Gather Internal, External and Hosted IP ranges.
  • Catalogue known domains and subdomains.
  • Identify asset meta-data locations. (CMDBs, GRCs, etc.).
  • Identify site owners, where those are not already known.
  • Gather assessment credentials, including multiple roles for horizontal and vertical testing.
  • Identify the rate of application change (e.g. monthly, weekly, etc.…)

Asset Risk Prioritization

  • Develop or leverage existing methodology for stack ranking the value of your assets to the business based on

impact to confidentiality, integrity and availability (C.I.A.). (See: [1])

POTENTIAL IMPACT

SECURITY OBJECTIVE LOW MODERATE HIGH
Confidentiality

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [44 U.S.C., SEC. 3542]

The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Integrity

Guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity. [44 U.S.C., SEC. 3542]

The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. The unauthorized modification or destruction of information could be expected to have a serious adverse effect on

organizational operations, organizational assets, or individuals.

The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Availability

Ensuring timely and reliable access to and use of information. [44 U.S.C., SEC. 3542]

The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
  • Map asset criticality against attacker profiles with use of a GRC (Governance Risk Management and Compliance) tool if available, or using an information asset register such as the University of Oxford Information Asset Register Tool

For example:

  1. Tier 1 = Targeted Govt./State sponsor.
  2. Tier 2 = Hactivism
  3. Tier 3 = Random Opportunistic
  • Implement ISO 17799: Asset Management or similar standard to improve governance of application assets.

Communication Plan

  • Set expectations of assessment program for all interested parties.
  • Alert Operations team of upcoming activities.
  • Gather written buy-in from application stakeholders for the assessment activities.
  • Develop, publish, and maintain comprehensive application security and privacy standards, policies, procedures and guidelines and enforce these in compliance with relevant global regulations and standards.
  • Define, document and share application business continuity and incident response plan. (Business Continuity Plan Resources: ITIL, COBIT, NIST)

< Back to The Application_Security_Program_Quick_Start_Guide