Application Security Risk Rating
Post on 14-Sep-2014
DESCRIPTION
Overview of the challenges faced during risk assessment of applications and their vulnerabilities, followed by a demonstration of the OWASP risk rating methodology to solve this problem statement. I presented on this topic at the ISC2 Delhi meet in September 2013.
TRANSCRIPT
Page 1
Application Security Risk Rating
Vaibhav Gupta, Security Researcher – Adobe
in.linkedin.com/in/vaibhav0 | @VaibhavGupta_1
Page 2
$ whoami
Current: Security Researcher – Adobe
Previous: Sr. Information Security Engineer – Fortune 500 company
Before that: InfoSec consultant at various companies
Page 3
Problem Statement
1. Limited resources to security test large threat landscape of web applications within enterprise
2. Assigning risk levels to vulnerabilities found in manual assessments
Page 4
Let's first deal with “1”
1. Limited resources to security test large threat landscape of web applications within enterprise
Increasing threat landscape
Slow pace of organizations to adopt secure coding practices
Does not make sense to address all issues simultaneously
Page 5
Solution?
Prioritization
Focus on categorizing into high, medium and low risk applications
Page 6
Approach – Risk Assessment of Applications
Analyze Business criticality of Applications
Analyze Risk Posture of Application
Categorize Applications based on Risk
Security Assessment Project Planning
Page 7
Analyze Business criticality of Application
Critical
Important
Strategic
Internal
Page 8
Analyze Risk Posture of Application

| Sr.# | Questions | Response (Yes/No) |
|---|---|---|
| 1 | Is the application facing the internet? | |
| 2 | Is this application dealing with credit card data? | |
| 3 | Is this application dealing with SSN or any other PII data? | |
| 4 | Does the application host any classified or patented data? | |
| 5 | If the application goes down, can it create a threat to human life? | |
| 6 | Will this application be subject to any compliance audits? | |
| 7 | Is this application designed to aid Top Management or Board Members in decision making? | |
| 8 | Does the application implement any kind of authentication? If yes, please give additional details | |
| 9 | Does the application implement any kind of authorization? If yes, provide additional details | |
| 10 | Is this application developed as a plug-in or extension for another application? If yes, please provide additional details on which applications it will be working with | |
Page 9
Categorize Applications based on Risk
Inventory → Business Criticality → Risk Posture → Categorized Inventory (Low / Medium / High)
Page 10
Test Case - Categorize Applications based on Risk
Payroll application
Page 11
Let's deal with the next problem statement: “2”
2. Assigning risk levels to vulnerabilities found in manual assessments
Why are we even considering this problem statement?
Page 12
OWASP: Risk Rating Methodology
There are many different approaches to risk analysis. The OWASP approach is based on standard methodologies and is customized for application security.
Standard risk model:
Risk = Likelihood * Impact
Page 13
OWASP: Risk Rating Methodology - Steps
Step 1: Identifying a Risk
Step 2: Estimating Likelihood
Step 3: Estimating Impact
Step 4: Determining Severity of the Risk
Step 5: Deciding What to Fix
Step 6: Customizing Your Risk Rating Model
Page 14
Step 1: Identifying a Risk
What needs to be rated? XSS? SQLi?
Threat agents?
Impact?
Page 15
Step 2: Estimating Likelihood
Threat Agent Factors: Skill level, Motive, Opportunity, Size
Vulnerability Factors: Ease of discovery, Ease of exploit, Awareness, Intrusion detection
Page 16
Step 3: Estimating Impact
Technical Impact Factors: Loss of confidentiality, Loss of integrity, Loss of availability, Loss of accountability
Business Impact Factors: Financial damage, Reputation damage, Non-compliance, Privacy violation
Page 17
Step 4: Determining Severity of the Risk
Likelihood or Impact level = Total sum of values / Total number of values

Likelihood and Impact Levels:

| Level score | Level |
|---|---|
| 0 to <3 | LOW |
| 3 to <6 | MEDIUM |
| 6 to 9 | HIGH |
Page 18
Step 4: Determining Severity of the Risk (Cont.)
Page 19
Test Case - OWASP Risk Rating
Page 20
Step 5: Deciding What to Fix
PRIORITIZE: Critical > High > Medium > Low > Note
Note: As a general rule, you should fix the most severe risks first
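Steps 2 to 5 carried through in code, as an added example that is not part of the deck: factor scores on the OWASP 0-9 scale are averaged with the slide 17 formula, thresholded into LOW/MEDIUM/HIGH, combined through the OWASP likelihood-by-impact severity matrix (slide 18 is image-only in this transcript, so the matrix is reproduced from the OWASP methodology the deck references), and then ordered most severe first. The factor key names and the scores for the two hypothetical findings are constructed for illustration.

```python
"""Worked OWASP Risk Rating: factor averaging, level thresholds, severity matrix, prioritization."""

# Each factor is scored 0-9 as in the OWASP methodology; the level is the plain average.
THRESHOLDS = ((3, "LOW"), (6, "MEDIUM"), (10, "HIGH"))  # 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH
# Overall severity matrix from the OWASP methodology: (likelihood level, impact level) -> severity.
SEVERITY = {
    ("LOW", "LOW"): "Note", ("LOW", "MEDIUM"): "Low", ("LOW", "HIGH"): "Medium",
    ("MEDIUM", "LOW"): "Low", ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("HIGH", "LOW"): "Medium", ("HIGH", "MEDIUM"): "High", ("HIGH", "HIGH"): "Critical",
}
PRIORITY = ["Critical", "High", "Medium", "Low", "Note"]  # step 5: most severe first

def level(factors):
    """Slide 17 formula: total sum of values / total number of values, then threshold it."""
    values = list(factors.values())
    if not values:
        raise ValueError("at least one factor is required")
    if any(not 0 <= v <= 9 for v in values):
        raise ValueError("factor scores must be on the 0-9 scale")
    score = sum(values) / len(values)
    label = next(name for upper, name in THRESHOLDS if score < upper)
    return round(score, 2), label

def rate(threat_agent, vulnerability, technical, business=None):
    """Steps 2-4: likelihood from threat-agent + vulnerability factors; impact from the
    business factors when they have been estimated (OWASP's preference), else technical."""
    lik_score, lik = level({**threat_agent, **vulnerability})
    imp_score, imp = level(business or technical)
    return {"likelihood": (lik_score, lik), "impact": (imp_score, imp),
            "severity": SEVERITY[(lik, imp)]}

def prioritize(findings):
    """Step 5: order finding names by overall severity, most severe first."""
    return sorted(findings, key=lambda name: PRIORITY.index(findings[name]["severity"]))

# Constructed scores (hypothetical): reflected XSS in an internet-facing payroll application.
XSS_THREAT_AGENT = {"skill_level": 6, "motive": 4, "opportunity": 9, "size": 9}
XSS_VULNERABILITY = {"ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 6, "intrusion_detection": 8}
XSS_TECHNICAL = {"confidentiality": 6, "integrity": 3, "availability": 1, "accountability": 7}
XSS_BUSINESS = {"financial": 3, "reputation": 5, "non_compliance": 5, "privacy": 7}
# Constructed scores (hypothetical): verbose stack trace on an internal-only page, no business estimate.
TRACE_THREAT_AGENT = {"skill_level": 3, "motive": 1, "opportunity": 4, "size": 2}
TRACE_VULNERABILITY = {"ease_of_discovery": 3, "ease_of_exploit": 1, "awareness": 4, "intrusion_detection": 3}
TRACE_TECHNICAL = {"confidentiality": 2, "integrity": 0, "availability": 0, "accountability": 1}

if __name__ == "__main__":
    findings = {"Reflected XSS (payroll)": rate(XSS_THREAT_AGENT, XSS_VULNERABILITY, XSS_TECHNICAL, XSS_BUSINESS),
                "Verbose stack trace": rate(TRACE_THREAT_AGENT, TRACE_VULNERABILITY, TRACE_TECHNICAL)}
    for name in prioritize(findings):  # XSS rates High (likelihood 6.75 HIGH, impact 5.0 MEDIUM)
        print(f"{findings[name]['severity']:<8} {name} {findings[name]}")
```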
Page 21
Step 6: Customizing Your Risk Rating Model
“A tailored model is much more likely to produce results that match people's perceptions about what is a serious risk” - OWASP
Adding factors
Customizing options
Weighting factors
Page 22
?? Questions ??
Vaibhav Gupta, Security Researcher – Adobe
in.linkedin.com/in/vaibhav0 | @VaibhavGupta_1
Page 23
References:
http://owasp.org/index.php/OWASP_Risk_Rating_Methodology
http://owasp.org