
Day 2

From OWASP
Revision as of 17:28, 15 December 2014 by Rsnake (talk | contribs)


Key Activities

  • Become intimately familiar with what you are meant to protect and at what level.
  • Define processes, procedures, and checklists to align assessment strategies to business needs.
  • Effectively communicate the introduction and goals of the Application Security assessment program.
  • Provide a single point of contact for the program.

Asset Discovery

  • Gather Internal, External and Hosted IP ranges.
  • Catalogue known domains and subdomains.
  • Identify where asset metadata is kept (CMDBs, GRC tools, etc.).
  • Identify site owners, where those are not already known.
  • Gather assessment credentials, including multiple roles for horizontal and vertical testing.
  • Identify the rate of application change (e.g. monthly, weekly).

Asset Risk Prioritization

  • Develop or leverage an existing methodology for stack ranking the value of your assets to the business based on impact to confidentiality, integrity and availability (C.I.A.). (See: [1])

POTENTIAL IMPACT, by security objective (LOW / MODERATE / HIGH)

Confidentiality
  Definition: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [44 U.S.C., SEC. 3542]
  LOW: The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  MODERATE: The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  HIGH: The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Integrity
  Definition: Guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity. [44 U.S.C., SEC. 3542]
  LOW: The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  MODERATE: The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  HIGH: The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Availability
  Definition: Ensuring timely and reliable access to and use of information. [44 U.S.C., SEC. 3542]
  LOW: The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  MODERATE: The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  HIGH: The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
  • Map asset criticality against attacker profiles, using a GRC (Governance, Risk Management and Compliance) tool if available, or an information asset register such as the University of Oxford Information Asset Register Tool.

For example:

  1. Tier 1 = Targeted government/state-sponsored attackers.
  2. Tier 2 = Hacktivism.
  3. Tier 3 = Random opportunistic attackers.
  • Implement ISO 17799: Asset Management or similar standard to improve governance of application assets.

Communication Plan

  • Set expectations of assessment program for all interested parties.
  • Alert Operations team of upcoming activities.
  • Gather written buy-in from application stakeholders for the assessment activities.
  • Develop, publish, and maintain comprehensive application security and privacy standards, policies, procedures and guidelines, and enforce them in compliance with the relevant global regulations and standards.
  • Define, document and share the application business continuity and incident response plan. (Business continuity plan resources: ITIL, COBIT, NIST.)