application risk prioritization - hands on - part 2 of 2 - secure360 2015
TRANSCRIPT
Celebrating a decade of guiding security professionals.
@Secure360 or #Sec360 www.Secure360.org
"Hands-On" Session
by Yan Kravchenko
App Security? There is a metric for that!
About Me
Yan Kravchenko, CSSLP, CISSP, CISA, CISM, QSA
Compliance Advisory Practice Lead
[email protected] 612-455-8485
Twitter: @yanfosec
Contributor: https://www.netspi.com/blog/
Agenda
• Model Overview
• Developing Impact / Significance Factors
• Performing an Assessment
• Analyzing the Data
– Configuring the Spreadsheet
– Importing / entering data
– Creating Dashboards
• Next steps
Model Overview
• Qualitative analysis of app-security
• Based on OpenSAMM
• Correlates two different types of risks
• Under development
• Will be donated back to OWASP
Goals / Objectives
• Enhance the ability to manage the entire application security portfolio
• Normalize risk scoring between different applications
• Allow application security optimization through efficient "what-if" calculations
• Help identify insecure applications
• Metrics should support the ability to make application security decisions
• Measure accomplishments and highlight application risk reduction activities
Developing Static Risks
• Make each one count
• Relate each risk to business
• Focus on data that is easy to get
• Limit to no more than 12
• Focus on "permanent" risk factors
Performing the Assessment
• Identify application owners
• Roll out a survey… or not…
• Meet with application owners and review the gathered information
• If necessary, make changes quickly
Analyzing the Data
“The Spreadsheet”
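The deck does not show the spreadsheet's formulas, so the following is an added illustration (not the author's model or spreadsheet) of what the goals and "Developing Static Risks" slides describe: a small set of weighted, business-related static risk factors (capped at the deck's limit of 12), a score normalized to 0..100 so applications compare directly, a "what-if" recalculation, and a ranking for your own Top 10. The factor names, weights, 0/1/2 answer scale and sample inventory are all assumptions.

```python
MAX_FACTORS = 12  # the deck's guidance: no more than 12 static risk factors
ANSWER_MAX = 2    # each factor is answered 0 (no), 1 (partial) or 2 (yes)

# Hypothetical "permanent" risk factors with business-related weights; these are
# assumed values for illustration, not the author's spreadsheet.
FACTORS = {
    "internet_facing": 3,
    "handles_cardholder_data": 4,
    "handles_pii": 3,
    "third_party_code": 2,
    "revenue_critical": 3,
}

def validate_factors(factors):
    """Reject factor sets that exceed the deck's limit or use non-positive weights."""
    if len(factors) > MAX_FACTORS:
        raise ValueError(f"{len(factors)} factors exceeds the limit of {MAX_FACTORS}")
    if any(w <= 0 for w in factors.values()):
        raise ValueError("factor weights must be positive")
    return True

def raw_score(answers, factors=FACTORS):
    """Weighted sum of the owner's answers; unanswered factors count as 0 (no)."""
    return sum(w * answers.get(name, 0) for name, w in factors.items())

def normalized_score(answers, factors=FACTORS):
    """Scale to 0..100 so applications compare directly whatever the factor set."""
    validate_factors(factors)
    return round(100 * raw_score(answers, factors) / (ANSWER_MAX * sum(factors.values())), 1)

def top_n(inventory, n=10):
    """Names of the n highest-scoring applications (the deck's 'your own Top 10')."""
    ranked = sorted(inventory, key=lambda name: normalized_score(inventory[name]), reverse=True)
    return ranked[:n]

def what_if(answers, changes):
    """Score delta if some answers changed, e.g. after a planned risk-reduction project."""
    return round(normalized_score({**answers, **changes}) - normalized_score(answers), 1)

# Constructed sample inventory (application name -> owner answers), not real data.
INVENTORY = {
    "Payments": {"internet_facing": 2, "handles_cardholder_data": 2, "handles_pii": 2,
                 "third_party_code": 1, "revenue_critical": 2},
    "HR Portal": {"internet_facing": 1, "handles_pii": 2, "third_party_code": 1,
                  "revenue_critical": 1},
    "Intranet Wiki": {"handles_pii": 1, "third_party_code": 2},
}
```

Feeding the same answer dictionaries into a spreadsheet column per factor reproduces the same arithmetic, which is what makes dashboards and "what-if" columns cheap to build.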
Next Steps
• Evaluate baseline
• Find visualizations that matter
• Report back to application owners
• Identify your own Top 10
• Increase scope / operationalize re-assessments
How you can help
• Provide feedback / ideas / criticisms
• Let the world know you are using OpenSAMM
• Consider contributing your SAMM data
• Participate in / help organize a local SIG
• Participate in local OWASP MSP chapter meetings
Questions?
• Model Overview
• Developing Impact / Significance Factors
• Performing an Assessment
• Analyzing the Data
• Next steps
Yan Kravchenko – 612-455-8485 [email protected]