OWASP Chennai Talk - Application Security Risk - The Full Circle
1. Application Security Risk - The Full Circle
Abhay Bhargav
Chief Technology Officer
we45 Solutions India Pvt. Ltd.
2. An Introduction to Yours Truly
AppSec and PCI Compliance Lead at SISA
Performed over 50 security assessments across 18 countries.
Spoken at several events including the OWASP AppSec NYC 2008
Trainer and Workshop Lead for Security Training Workshops
My blog: http://citadelnotes.blogspot.com
4. The current state of AppSec
Awareness is on the rise
Myriad Materials and Tools to aid in security
Continually changing threat landscape
Web 2.0: Security Disaster Waiting to happen???
CONCLUSION: A science/art still in its infancy
5. AppSec Incidents - Evolution
Individual Application and Database Attacks
Easy Availability of tools for launching attacks
Rise of Polymorphic, “Multi-tasking” Malware
Increasing trends of hackers exploiting for Monetary benefit.
6. Where is the Disconnect?
Caught up with Marketing Hype
Training and Orientation
Bad RAP
7. Caught up with the Marketing Hype
Fastest growing security products segment - Application Security tools and products
Limitations grossly misunderstood
Vendors banking on the Compliance Craze
8. Training and Orientation
Developers have little or no idea about Web Application Security.
Code review and Testing does not home in on Security issues.
The Time:Quality Dilemma - Organizational “Mis-prioritization”
“Customer is King” approach may not work here
9. Bad RAP - Risk Assessment Practices
Current Situation: Threat Modeling = Risk Assessment
No Integration to Organizational Risk Management
No Customer and Management Interaction
“The essential urge to complicate” - Overemphasis on Controls and undermining Risk.
10. The Full Circle
identify critical assets → identify security requirements → create threat profiles → perform vulnerability assessments → identify impact & probability → Risk Treatment Plan → (back to identify critical assets)
11. Getting the RAP right!
Critical Information Assets is the Watch-word
Customer/Management Interaction - Assessing their Areas of Concern and providing Broad Security Requirements
Threat Profiles - Basic to Technical progression
Detailed Security Requirements and Trust Boundaries
Impact Analysis - a sound business case measure for management.
12. The Benefits
RAP feeds the SDLC
Management/Customer involvement - Awareness and Budgetary benefits.
“Abuse” Cases - Byproduct of vulnerability assessment
Impact Analysis - True measure of Cost vs Benefit
Provides clear requirements to Architects and Developers
13. Thank you!!!
Questions??
My blog: http://citadelnotes.blogspot.com
Keep in touch: http://www.linkedin.com/in/abhaybhargav
Email: abhay.bhargav@sisa.co.in, abhaybhargav@gmail.com