Application Security Risk Rating
Vaibhav Gupta
Security Researcher – Adobe
in.linkedin.com/in/vaibhav0
@VaibhavGupta_1
$ whoami
• Current
  • Security Researcher - Adobe
• Previous
  • Sr. Information Security Engineer – Fortune 500 company
• Before that...
  • InfoSec consultant at various companies
Problem Statement
1. Limited resources to security test a large threat landscape of web applications within the enterprise
2. Assigning risk levels to vulnerabilities found in manual assessments
Let's first deal with "1"
1. Limited resources to security test a large threat landscape of web applications within the enterprise
• Increasing threat landscape
• Slow pace of organizations in adopting secure coding practices
• It does not make sense to address all issues simultaneously
Solution?
• Prioritization
• Focus on categorizing applications into high, medium and low risk
Approach – Risk Assessment of Applications
1. Analyze business criticality of applications
2. Analyze risk posture of applications
3. Categorize applications based on risk
4. Security assessment project planning
Analyze Business Criticality of Application
Criticality categories:
• Critical
• Important
• Strategic
• Internal
Analyze Risk Posture of Application
Questionnaire (Sr. # / Question / Response: Yes/No):
1. Is the application facing the internet?
2. Is this application dealing with credit card data?
3. Is this application dealing with SSN or any other PII data?
4. Does the application host any classified or patented data?
5. If the application goes down, can it create a threat to human life?
6. Will this application be subject to any compliance audits?
7. Is this application designed to aid top management or board members in decision making?
8. Does the application implement any kind of authentication? If yes, please give additional details.
9. Does the application implement any kind of authorization? If yes, provide additional details.
10. Is this application developed as a plug-in or extension for another application? If yes, please provide additional details on all the applications it will be working with.
Categorize Applications based on Risk
Inventory → Business Criticality + Risk Posture → Categorized Inventory (Low / Medium / High)
Test Case - Categorize Applications based on Risk
• Payroll application
Let's deal with the next problem statement: "2"
2. Assigning risk levels to vulnerabilities found in manual assessments
???? Why are we even considering this problem statement?
OWASP: Risk Rating Methodology
• There are many different approaches to risk analysis. The OWASP approach is based on standard methodologies and is customized for application security.
• Standard risk model: Risk = Likelihood * Impact
OWASP: Risk Rating Methodology - Steps
• Step 1: Identifying a Risk
• Step 2: Estimating Likelihood
• Step 3: Estimating Impact
• Step 4: Determining Severity of the Risk
• Step 5: Deciding What to Fix
• Step 6: Customizing Your Risk Rating Model
Step 1: Identifying a Risk
• What needs to be rated?
  • XSS?
  • SQLi?
  • Threat agents?
  • Impact?
Step 2: Estimating Likelihood
• Threat Agent Factors
  • Skill level
  • Motive
  • Opportunity
  • Size
• Vulnerability Factors
  • Ease of discovery
  • Ease of exploit
  • Awareness
  • Intrusion detection
Step 3: Estimating Impact
• Technical Impact Factors
  • Loss of confidentiality
  • Loss of integrity
  • Loss of availability
  • Loss of accountability
• Business Impact Factors
  • Financial damage
  • Reputation damage
  • Non-compliance
  • Privacy violation
Step 4: Determining Severity of the Risk
Likelihood and Impact Levels:
0 to <3  LOW
3 to <6  MEDIUM
6 to 9   HIGH
Likelihood or Impact level = (Total sum of values) / (Total number of values)
Step 4: Determining Severity of the Risk (Cont.)
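A calculator for Steps 2 to 5 of the method the deck walks through, added here as an example (not code from the deck or from OWASP): it averages the 0-9 factor values per group as on the Step 4 slide, maps the averages with the slide's thresholds, and combines the two levels with OWASP's published likelihood x impact matrix, which yields the Note / Low / Medium / High / Critical severities listed under Step 5. The factor names, the optional per-factor weights (a Step 6 customization) and the sample SQL injection scores are constructed for the example.

```python
"""OWASP-style risk rating as shown in the deck (added example).

Each factor is scored 0-9; the likelihood and impact scores are the averages
of their factor groups (total sum of values / total number of values), mapped
to LOW / MEDIUM / HIGH with the deck's thresholds and combined into an overall
severity with the OWASP likelihood x impact matrix.
"""
from typing import Dict, Mapping, Optional, Sequence

# Factor names follow the slides for Step 2 (likelihood) and Step 3 (impact).
THREAT_AGENT_FACTORS = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY_FACTORS = ("ease_of_discovery", "ease_of_exploit",
                         "awareness", "intrusion_detection")
LIKELIHOOD_FACTORS = THREAT_AGENT_FACTORS + VULNERABILITY_FACTORS
TECHNICAL_IMPACT_FACTORS = ("loss_of_confidentiality", "loss_of_integrity",
                            "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT_FACTORS = ("financial_damage", "reputation_damage",
                           "non_compliance", "privacy_violation")

# OWASP overall-severity matrix, keyed by (likelihood level, impact level).
SEVERITY_MATRIX = {
    ("LOW", "LOW"): "Note",    ("MEDIUM", "LOW"): "Low",       ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low",  ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium", ("MEDIUM", "HIGH"): "High",     ("HIGH", "HIGH"): "Critical",
}


def level(score: float) -> str:
    """Deck thresholds: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} is outside the 0-9 scale")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def group_score(scores: Mapping[str, int], factors: Sequence[str],
                weights: Optional[Mapping[str, float]] = None) -> float:
    """Step 4 formula: mean of one factor group.

    `weights` is an optional Step 6 customisation (weighted mean); with no
    weights every factor counts once, which is exactly the slide's formula.
    Every factor must be present and an integer 0-9, so a forgotten factor
    cannot silently pull the average down.
    """
    missing = [f for f in factors if f not in scores]
    if missing:
        raise ValueError(f"missing factor scores: {missing}")
    for name in factors:
        value = scores[name]
        if not isinstance(value, int) or not 0 <= value <= 9:
            raise ValueError(f"factor {name!r} must be an integer 0-9, got {value!r}")
    w = {f: (weights or {}).get(f, 1.0) for f in factors}
    if sum(w.values()) <= 0:
        raise ValueError("factor weights must sum to a positive number")
    return sum(scores[f] * w[f] for f in factors) / sum(w.values())


def rate_risk(likelihood: Mapping[str, int], impact: Mapping[str, int],
              use_business_impact: bool = False,
              weights: Optional[Mapping[str, float]] = None) -> Dict[str, object]:
    """Steps 2-4: likelihood level, impact level and overall severity.

    Technical impact is used by default; pass use_business_impact=True and
    business-impact factor scores when the business impact is known.
    """
    impact_factors = BUSINESS_IMPACT_FACTORS if use_business_impact else TECHNICAL_IMPACT_FACTORS
    l_score = group_score(likelihood, LIKELIHOOD_FACTORS, weights)
    i_score = group_score(impact, impact_factors, weights)
    l_level, i_level = level(l_score), level(i_score)
    return {
        "likelihood_score": l_score, "likelihood_level": l_level,
        "impact_score": i_score, "impact_level": i_level,
        "severity": SEVERITY_MATRIX[(l_level, i_level)],
    }


# Constructed sample (not from the deck): SQL injection in an internet-facing
# application; factor values picked from the OWASP 0-9 option scales.
SAMPLE_LIKELIHOOD = {
    "skill_level": 5, "motive": 9, "opportunity": 7, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 5,
    "awareness": 6, "intrusion_detection": 8,
}
SAMPLE_TECHNICAL_IMPACT = {
    "loss_of_confidentiality": 7, "loss_of_integrity": 7,
    "loss_of_availability": 5, "loss_of_accountability": 7,
}

if __name__ == "__main__":
    for key, value in rate_risk(SAMPLE_LIKELIHOOD, SAMPLE_TECHNICAL_IMPACT).items():
        print(f"{key:>17}: {value}")
```

For the sample scores the likelihood averages to 7.0 and the technical impact to 6.5, both HIGH, so the matrix rates the finding Critical.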
Test Case - OWASP Risk Rating
Step 5: Deciding What to Fix
PRIORITIZE: Critical > High > Medium > Low > Note
Note: As a general rule, you should fix the most severe risks first.
Step 6: Customizing Your Risk Rating Model
"A tailored model is much more likely to produce results that match people's perceptions about what is a serious risk" - OWASP
• Adding factors
• Customizing options
• Weighting factors
?? Questions ??
Vaibhav Gupta
Security Researcher – Adobe
in.linkedin.com/in/vaibhav0
@VaibhavGupta_1
References:
• http://owasp.org/index.php/OWASP_Risk_Rating_Methodology
• http://owasp.org


Editor's Notes
1. Business criticality examples:
   Critical -> paypal.com for PayPal
   Important ->
   Strategic -> company's main website
   Internal -> payroll app/AMS