Application Security Risk Rating
Vaibhav Gupta, Security Researcher – Adobe
in.linkedin.com/in/vaibhav0
@VaibhavGupta_1

Posted on 14-Sep-2014


DESCRIPTION

An overview of the challenges faced in risk assessment of applications and their vulnerabilities, followed by a demonstration of the OWASP risk rating methodology to address this problem statement. I presented on this topic at the ISC2 Delhi meet in September 2013.

TRANSCRIPT

Page 1: Application Security Risk Rating

Application Security Risk Rating

Vaibhav Gupta, Security Researcher – Adobe

in.linkedin.com/in/vaibhav0
@VaibhavGupta_1

Page 2: Application Security Risk Rating

$ whoami

Current: Security Researcher – Adobe

Previous: Sr. Information Security Engineer – Fortune 500 company

Before that: InfoSec consultant at various companies

Page 3: Application Security Risk Rating

Problem Statement

1. Limited resources to security test large threat landscape of web applications within enterprise

2. Assigning risk levels to vulnerabilities found in manual assessments

Page 4: Application Security Risk Rating

Let's first deal with “1”

1. Limited resources to security test large threat landscape of web applications within enterprise

Increasing threat landscape

Slow pace of organizations to adopt secure coding practices

Does not make sense to address all issues simultaneously

Page 5: Application Security Risk Rating

Solution?

Prioritization

Focus on categorizing into high, medium and low risk applications

Page 6: Application Security Risk Rating

Approach – Risk Assessment of Applications

Analyze Business criticality of Applications

Analyze Risk Posture of Application

Categorize Applications based on Risk

Security Assessment Project Planning

Page 7: Application Security Risk Rating

Analyze Business criticality of Application

Critical

Important

Strategic

Internal

Page 8: Application Security Risk Rating

Analyze Risk Posture of Application

Questionnaire (response to each question: Yes/No)

1. Is the application facing the internet?
2. Is this application dealing with credit card data?
3. Is this application dealing with SSN or any other PII data?
4. Does the application host any classified or patented data?
5. If the application goes down, can it create a threat to human life?
6. Will this application be subject to any compliance audits?
7. Is this application designed to aid top management or board members in decision making?
8. Does the application implement any kind of authentication? If yes, please give additional details.
9. Does the application implement any kind of authorization? If yes, please provide additional details.
10. Is this application developed as a plug-in or extension for another application? If yes, please provide additional details on which applications it will work with.

Page 9: Application Security Risk Rating

Categorize Applications based on Risk

Inventory -> Business Criticality -> Risk Posture -> Categorized Inventory (Low / Medium / High)

Page 10: Application Security Risk Rating

Test Case - Categorize Applications based on Risk

Payroll application
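The page-10 test case worked through in code, as an added Python example; this is not the deck's own code. The deck gives the questionnaire (page 8), the criticality tiers (page 7) and the flow (page 9) but no scoring rule, so the question weights, the Low/Medium/High thresholds, the criticality adjustment and the answers given for the sample applications are all assumptions chosen for illustration.

```python
"""Added example (not the deck's own code): categorize an application inventory
into Low / Medium / High from the page-8 questionnaire and page-7 criticality
tiers. The deck gives no scoring rule, so weights, thresholds and the
combination rule below are assumptions for illustration only."""

from dataclasses import dataclass

# Page-8 questionnaire, answered Yes/No. Weights are an assumption: regulated
# data and human safety count more than structural properties of the app.
QUESTIONS = {
    "internet_facing": ("Is the application facing the internet?", 2),
    "credit_card":     ("Is this application dealing with credit card data?", 3),
    "pii":             ("Is this application dealing with SSN or any other PII data?", 3),
    "classified":      ("Does the application host any classified or patented data?", 3),
    "life_safety":     ("If the application goes down, can it create a threat to human life?", 4),
    "compliance":      ("Will this application be subject to any compliance audits?", 2),
    "exec_decision":   ("Is this application designed to aid top management or board members?", 2),
    "authentication":  ("Does the application implement any kind of authentication?", 1),
    "authorization":   ("Does the application implement any kind of authorization?", 1),
    "plugin":          ("Is this application a plug-in or extension for another application?", 1),
}
MAX_SCORE = sum(weight for _, weight in QUESTIONS.values())  # 22 with the weights above

LEVELS = ["Low", "Medium", "High"]
# Page-7 tiers. Assumption: Critical raises the posture level by one step,
# Internal lowers it by one; Important and Strategic leave it unchanged.
CRITICALITY_ADJUST = {"Critical": +1, "Important": 0, "Strategic": 0, "Internal": -1}


@dataclass
class Application:
    name: str
    criticality: str
    answers: dict  # question key -> bool (True means "Yes")


def risk_posture_score(answers):
    """Sum the weights of 'Yes' answers and normalize to the 0..1 range.
    Unknown question keys are rejected; unanswered questions count as 'No'."""
    unknown = set(answers) - set(QUESTIONS)
    if unknown:
        raise ValueError(f"unknown questionnaire keys: {sorted(unknown)}")
    got = sum(QUESTIONS[key][1] for key, yes in answers.items() if yes)
    return got / MAX_SCORE


def posture_level(score):
    """Assumed thresholds: below 0.25 Low, below 0.5 Medium, otherwise High."""
    if score < 0.25:
        return "Low"
    if score < 0.5:
        return "Medium"
    return "High"


def categorize(app):
    """Combine risk posture with business criticality into one category."""
    if app.criticality not in CRITICALITY_ADJUST:
        raise ValueError(f"unknown criticality tier: {app.criticality}")
    base = LEVELS.index(posture_level(risk_posture_score(app.answers)))
    adjusted = min(max(base + CRITICALITY_ADJUST[app.criticality], 0), len(LEVELS) - 1)
    return LEVELS[adjusted]


def categorize_inventory(apps):
    """Page-9 flow: inventory -> categorized inventory, grouped by level."""
    buckets = {level: [] for level in LEVELS}
    for app in apps:
        buckets[categorize(app)].append(app.name)
    return buckets


# Constructed sample inventory; the answers are assumptions, not data from the deck.
PAYROLL = Application("Payroll", "Critical", {
    "internet_facing": False, "credit_card": False, "pii": True, "classified": False,
    "life_safety": False, "compliance": True, "exec_decision": False,
    "authentication": True, "authorization": True, "plugin": False,
})
WIKI = Application("Internal wiki", "Internal", {"authentication": True})
STORE = Application("Web store", "Important", {
    "internet_facing": True, "credit_card": True, "pii": True, "compliance": True,
    "authentication": True, "authorization": True,
})

if __name__ == "__main__":
    for level, names in categorize_inventory([PAYROLL, WIKI, STORE]).items():
        print(f"{level:6}: {', '.join(names) or '-'}")
```

With these assumptions the payroll application scores 7/22 on posture (Medium) and is raised to High by its Critical business tier; the point of the design is that the questionnaire alone never decides the category, business criticality always has a say.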

Page 11: Application Security Risk Rating

Let's deal with the next problem statement: “2”

2. Assigning risk levels to vulnerabilities found in manual assessments

Why are we even considering this problem statement?

Page 12: Application Security Risk Rating

OWASP: Risk Rating Methodology

There are many different approaches to risk analysis. The OWASP approach is based on standard methodologies and is customized for application security.

Standard risk model:

Risk = Likelihood * Impact

Page 13: Application Security Risk Rating

OWASP: Risk Rating Methodology - Steps

Step 1: Identifying a Risk

Step 2: Estimating Likelihood

Step 3: Estimating Impact

Step 4: Determining Severity of the Risk

Step 5: Deciding What to Fix

Step 6: Customizing Your Risk Rating Model

Page 14: Application Security Risk Rating

Step 1: Identifying a Risk

What needs to be rated? XSS? SQLi?

Threat agents?

Impact?

Page 15: Application Security Risk Rating

Step 2: Estimating Likelihood

Threat Agent Factors: Skill level, Motive, Opportunity, Size

Vulnerability Factors: Ease of discovery, Ease of exploit, Awareness, Intrusion detection

Page 16: Application Security Risk Rating

Step 3: Estimating Impact

Technical Impact Factors: Loss of confidentiality, Loss of integrity, Loss of availability, Loss of accountability

Business Impact Factors: Financial damage, Reputation damage, Non-compliance, Privacy violation

Page 17: Application Security Risk Rating

Step 4: Determining Severity of the Risk

Likelihood and Impact Levels:

0 to <3   LOW
3 to <6   MEDIUM
6 to 9    HIGH

$\text{Likelihood or Impact level} = \frac{\text{Total sum of values}}{\text{Total number of values}}$

Page 18: Application Security Risk Rating

Step 4: Determining Severity of the Risk (cont.)

Page 19: Application Security Risk Rating

Test Case - OWASP Risk Rating
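A worked OWASP risk rating for a few constructed findings, as an added Python example; this is not code from the deck or from OWASP. Factor names follow the step 2 and step 3 slides, each factor is scored 0 to 9, the averaging formula and the level thresholds follow the step 4 slide, and the overall severity matrix (impact level against likelihood level, giving Note/Low/Medium/High/Critical) is the one from the OWASP Risk Rating Methodology page in the references. The scores assigned to the three sample findings are constructed for illustration only.

```python
"""Added example (not code from the deck or from OWASP): steps 2 to 5 of the
OWASP Risk Rating Methodology for a set of findings. Factor names follow the
step 2 / step 3 slides; each factor is scored 0-9; averaging and thresholds
follow the step 4 slide; the severity matrix is the OWASP one."""

# Step 2 factors (likelihood) and step 3 factors (impact), as listed on the slides.
THREAT_AGENT = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")
TECHNICAL_IMPACT = ("loss_of_confidentiality", "loss_of_integrity",
                    "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT = ("financial_damage", "reputation_damage", "non_compliance", "privacy_violation")

# Step 4: overall severity, indexed as SEVERITY[impact_level][likelihood_level].
SEVERITY = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}
# Step 5: fix the most severe risks first.
PRIORITY = ("Critical", "High", "Medium", "Low", "Note")


def average(scores, factors):
    """Step 4 formula: level value = total sum of values / total number of values.
    Every factor must be present and scored 0..9; a missing factor is an error
    rather than a silent zero, which would understate the risk."""
    missing = [f for f in factors if f not in scores]
    if missing:
        raise ValueError(f"missing factors: {missing}")
    values = [scores[f] for f in factors]
    if any(not 0 <= v <= 9 for v in values):
        raise ValueError("factor scores must lie between 0 and 9")
    return sum(values) / len(values)


def level(value):
    """Step 4 table: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if value < 3:
        return "LOW"
    if value < 6:
        return "MEDIUM"
    return "HIGH"


def rate(finding, impact="business"):
    """Steps 2-4 for one finding. `impact` selects which impact factor set is
    averaged ("business" or "technical"); both sets are scored in each finding."""
    factors = BUSINESS_IMPACT if impact == "business" else TECHNICAL_IMPACT
    likelihood = average(finding["likelihood"], THREAT_AGENT + VULNERABILITY)
    impact_value = average(finding[impact + "_impact"], factors)
    l_level, i_level = level(likelihood), level(impact_value)
    return {"likelihood": likelihood, "likelihood_level": l_level,
            "impact": impact_value, "impact_level": i_level,
            "severity": SEVERITY[i_level][l_level]}


def prioritize(findings, impact="business"):
    """Step 5: return (name, rating) pairs ordered most severe first."""
    rated = [(name, rate(f, impact)) for name, f in findings.items()]
    return sorted(rated, key=lambda item: PRIORITY.index(item[1]["severity"]))


# Constructed sample findings; the scores are illustrative, not from the deck.
FINDINGS = {
    "sqli_login": {  # SQL injection in an internet-facing login form
        "likelihood": {"skill_level": 5, "motive": 9, "opportunity": 9, "size": 9,
                       "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 9,
                       "intrusion_detection": 8},
        "technical_impact": {"loss_of_confidentiality": 9, "loss_of_integrity": 7,
                             "loss_of_availability": 5, "loss_of_accountability": 7},
        "business_impact": {"financial_damage": 7, "reputation_damage": 5,
                            "non_compliance": 7, "privacy_violation": 7},
    },
    "xss_admin": {  # reflected XSS on an internal admin page
        "likelihood": {"skill_level": 3, "motive": 4, "opportunity": 4, "size": 2,
                       "ease_of_discovery": 3, "ease_of_exploit": 3, "awareness": 6,
                       "intrusion_detection": 3},
        "technical_impact": {"loss_of_confidentiality": 2, "loss_of_integrity": 3,
                             "loss_of_availability": 1, "loss_of_accountability": 1},
        "business_impact": {"financial_damage": 1, "reputation_damage": 3,
                            "non_compliance": 2, "privacy_violation": 2},
    },
    "verbose_errors": {  # stack traces shown on an internal error page
        "likelihood": {"skill_level": 1, "motive": 1, "opportunity": 4, "size": 2,
                       "ease_of_discovery": 3, "ease_of_exploit": 1, "awareness": 4,
                       "intrusion_detection": 3},
        "technical_impact": {"loss_of_confidentiality": 2, "loss_of_integrity": 0,
                             "loss_of_availability": 0, "loss_of_accountability": 1},
        "business_impact": {"financial_damage": 1, "reputation_damage": 1,
                            "non_compliance": 1, "privacy_violation": 1},
    },
}

if __name__ == "__main__":
    for name, r in prioritize(FINDINGS):
        print(f"{name:15} likelihood {r['likelihood']:.2f} ({r['likelihood_level']}) "
              f"impact {r['impact']:.2f} ({r['impact_level']}) -> {r['severity']}")
```

Running the block rates the SQL injection finding Critical (likelihood 7.625 HIGH, business impact 6.5 HIGH), the admin-page XSS Low (likelihood 3.5 MEDIUM against a LOW impact) and the verbose error page Note, which is the step 5 fix order. Rating with `impact="technical"` instead lets you see how much the business view changes the answer for a given finding.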

Page 20: Application Security Risk Rating

Step 5: Deciding What to Fix

PRIORITIZE: Critical, High, Medium, Low, Note

Note: As a general rule, you should fix the most severe risks first.

Page 21: Application Security Risk Rating

Step 6: Customizing Your Risk Rating Model

“A tailored model is much more likely to produce results that match people's perceptions about what is a serious risk” - OWASP

Adding factors

Customizing options

Weighting factors

Page 22: Application Security Risk Rating

?? Questions ??

Vaibhav Gupta, Security Researcher – Adobe

in.linkedin.com/in/vaibhav0
@VaibhavGupta_1

Page 23: Application Security Risk Rating

References:

http://owasp.org/index.php/OWASP_Risk_Rating_Methodology

http://owasp.org