Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Published byHoward Hood Modified over 9 years ago

Similar presentations

Presentation on theme: "Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation."— Presentation transcript:

1

2 Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The OWASP Foundation OWASP AppSec June 2004 NYC http://www.owasp.org ISO 17799 Project Review Stan Guzik, CISSP, MCP Chief Technology Officer Immediatech Corp. ISO 17799 Project Lead sguzik@immediatech.com

3 OWASP AppSec 2004 2 What Will Be Covered?  Background On The ISO 17799 Project  What Is Information Security?  Information Security Threats  Developing Security Management Policies/Procedures  What Is The ISO 17799?  ISO 17799 OWASP Project Details  Implementation Example  Critical Success Factors  OWASP Needs Your Feedback  References

4 OWASP AppSec 2004 3 Background On The ISO 17799 Project  OWASP Holistic Approach To Security  Top Ten  Guide  Testing  WebGoat  ISO 17799  Challenges Of Today’s Web Applications  Security - CIA  24x7x365 uptime  Fast and easy to use  Integration with external systems  Fast SDLC due to market pressures  Bug free  Customers expect it at no/low cost

5 OWASP AppSec 2004 4 Background On The ISO 17799 Project  Management Of Web Applications In Production  Traditional IT organizations are not familiar with web app security management  Auditors as head of IT (EDP)  Internet applications  20 Year old policy/procedures do not apply  Benefits Of Applying ISO 17799  Increased security  Increased uptime  ROI – Fighting Fires  Keep your job

6 OWASP AppSec 2004 5 What Is Information Security?  Information Is An Asset – Value  Information Protection – Ensure Business Continuity, minimize damage, legal requirements  Information Forms – Electronic, Paper, Spoken, and etc…  Information Preservation  Confidentiality – Information is not disclosed to unauthorized subjects  Integrity – Accuracy and completeness of information and only modified by authorized subjects  Availability – Authorized subjects are granted assess to information. (SLA)  Information Security Controls – Policies, procedures, practices, organizational structure, and HW/SW.

7 OWASP AppSec 2004 6 Information Security Threats  Viruses  Hackers  Espionage  Sabotage  Vandalism  Fire  Flood  Employee With A Big Mouth (HR Info)

8 OWASP AppSec 2004 7 Information Security Threats  Today Organizations Are More Vulnerable  Interconnected public and private networks  System complexities in achieving access controls  Lack of security conscious developers – focus on functionality & performance.  Shorter Time To Market  Supplement Secure Applications With Appropriate Security Management Policies/Procedures  Secure applications running in an unsecured environments  Secure applications and a secured environment running with insecure operations  Etc…

9 OWASP AppSec 2004 8 Develop Security Management Policies/Procedures  Legal, Regulatory, Contractual Requirements, Due Diligence  Risk Assessment – Threats to Assets  The likelihood a threat will occur and evaluate its impact on an asset  Quantitative Risk Assessment –Annual Loss Expectancy (ALE) – Yearly cost of all instances of a specific realized threat against a specific asset: »ALE = ARO * SLE –Annual Rate of Occurrence (ARO) – Expected frequency that a specific threat or risk will occur (probability determination) –Single Loss Expectancy (SLE) –- Cost associated with a single realized risk against a specific asset. »SLE = Asset Value * EF –Exposure Factor (EF) – Loss Potential of a specific asset by a realized risk –Example – DOS Web Application (Input Validation) »Asset Values = $2,000,000 »EF = 20% »SLE =$2,000,000 * 20% = $400,000 »ARO = 10% »ALE = 10% * $400,000 = $40,000

10 OWASP AppSec 2004 9  Qualitative Risk Assessment –Scenario/Judgment Based –Experience Based …  Risk Assessment Results  Determine the appropriate management actions  Set priorities for managing information security risk  Implement controls to protect against realized risk Develop Security Management Policies/Procedures

11 OWASP AppSec 2004 10  Select Appropriate Security Controls  Implement controls to ensure risks are reduced to an acceptable level.  Controls should be selected based on the cost of implementation in relation to the risk being reduced and the potential losses if a security breach occurs. Develop Security Management Policies/Procedures

12 OWASP AppSec 2004 11 What Is The ISO 17799 Standard?  ISO – International Organization for Standardization  Complete Set Of Controls To Ensure The Best Practices For Information Security  The Major Standard - Internationally Recognized Information Security Standard  Guideline - Guiding principle providing a good starting point for implementing information security. They are either based on essential legislative requirements or considered to be common best practices for information security.  Legislative Controls  12.1.4 – Data Protection and Privacy of Personal Information  12.1.3 – Safeguarding of Organizational Records  12.1.2 – Intellectual Property Rights  Best Practices  3.1 – Information Security Policy Document  4.1.3 – Allocation of Information Security Responsibilities  6.2.1 – Information Security Education and Training  6.3.1 – Reporting Security Incidents  11.1 Business Continuity Management

13 OWASP AppSec 2004 12 What Is The ISO 17799 Standard?  10 Sections  Security Policy – To provide management direction & support for information security  Organizational Security – Manage information security within the organization  Asset Classification and Control – To maintain appropriate protection of organizational assets  Personnel Security – To reduce the risk of human error, theft, fraud or misuse of facilities  Physical & Environmental Security – To prevent unauthorized access, damage and interference to business premises and information  Communications and Operations Management – To ensure the correct and secure operations of information processing facilities  Access Control – Control access to information  System Development and Maintenance – To ensure security is built into information systems  Business Continuity Management – To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters  Compliance – To avoid breaches of any criminal and civil law, statutory, regulatory or contractual

14 OWASP AppSec 2004 13 ISO 17799 OWASP Project Details  Documentation Project  Toolbox Of Sample Templates Of ISO 17799 Policies & Procedures  What Exists Today  ISO 17799 Is A Standard Not a tool  Not Many Publicly Available Templates  Commercial Licensed Templates Are Poor Quality

15 OWASP AppSec 2004 14 Implementation Example  8.1.2 Operational Change Control  Inadequate control may cause system or security failures  Formal management responsibilities and procedures should be in place  Operational programs subject to strict change control  Current State Of Project  Many templates  Todo: Pull all templates together into a consistent format and publish

16 OWASP AppSec 2004 15 Critical Success Factors  Targeted Risk Assessment  Implement Good Controls  Use Already Proven Policies & Procedures  Training & Awareness  Get Some More Sleep At Night!!!

17 OWASP AppSec 2004 16 OWASP Needs Your Feedback!  Send Us Your Templates  Modifications To Existing Templates  Can you get involved?

18 OWASP AppSec 2004 17 References  ISO/IEC 17799:2000(E)  CISSP:Certified Information Systems Security Professional Study Guide, Ed Tittel  OWASP ISO 17799 Project

Download ppt "Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation."

Similar presentations

Web Security for Network and System Administrators1 Chapter 1 Introduction to Information Security.

Web Security for Network and System Administrators1 Chapter 1 Introduction to Information Security.
Museum Presentation Intermuseum Conservation Association.

Museum Presentation Intermuseum Conservation Association.
Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Information Security Management Goes Global.

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Information Security Management Goes Global.
Innovation or Necessity? ISM 158 By: Sepehr Saeb.

Innovation or Necessity? ISM 158 By: Sepehr Saeb.
Dr Lami Kaya LamiKaya@gmail.com ISO 27001 Information Security Management System (ISMS) Certification Overview Dr Lami Kaya LamiKaya@gmail.com.

Dr Lami Kaya ISO Information Security Management System (ISMS) Certification Overview Dr Lami Kaya
IT Web Application Audit Principles Presented by: James Ritchie, CISA, CISSP….

IT Web Application Audit Principles Presented by: James Ritchie, CISA, CISSP….
Secure Systems Research Group - FAU Process Standards (and Process Improvement)

Secure Systems Research Group - FAU Process Standards (and Process Improvement)
ISMS standards and control processes ISO27001 & ISO27002

ISMS standards and control processes ISO27001 & ISO27002
Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.

Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, 2007. This work is the intellectual property rights of the author.

Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, This work is the intellectual property rights of the author.
ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.

ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 © 2002 Carnegie.

Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
Risk Management a Case Study DATALAWS Information Technology Law Consultants Presented by F. F Akinsuyi (MSc, LLM)MBCS.

Risk Management a Case Study DATALAWS Information Technology Law Consultants Presented by F. F Akinsuyi (MSc, LLM)MBCS.
ISO Information Security Management

ISO Information Security Management
Security Controls – What Works

Security Controls – What Works
CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.

CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.
Introducing Computer and Network Security

Introducing Computer and Network Security
ISO 17799&ITS APPLICATION Prepared by Çağatay Boztürk 14.06.2005.

ISO 17799&ITS APPLICATION Prepared by Çağatay Boztürk
23 January 2003© All rights Reserved, 2002 Understanding Facilitated Risk Analysis Process (FRAP) and Security Policies for Organizations Infocomm Security.

23 January 2003© All rights Reserved, 2002 Understanding Facilitated Risk Analysis Process (FRAP) and Security Policies for Organizations Infocomm Security.

Similar presentations

Ads by Google