1
OWASP Asia Pacific Conference 2008
Business Risk & Compliance Considerations for Application Security
Malathi Carthigaser, Principal Consultant, b-sec Consulting
mcarthigaser@b-sec.com, +61 3 9682 0233
28th February 2008
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org
2
What will this talk cover?
- Drivers to App Sec Requirements and Controls
  - Business Risk
  - Compliance Considerations
- Common Problems due to risk management process failures (b-sec Consulting observations)
3
How will this talk help you?
- Awareness of common problems
- Assessment of all risks
- Addressing risks appropriately
4
Business Risks and Application Security
“In 2005 and 2006 alone, over 100 million private records were reported stolen from American businesses; a significant portion (65 percent) of which was compromised as a direct result of a software breach.”
[“The Case for Application Security”, Fortify Software]
5
Security Breach – Financial Costs
[Chart: average cost of a data breach involving 20,000 to 30,000 data records]
Source: “Calculating the Cost of a Security Breach”, April 10, 2007, Forrester Research
6
What is Risk?
[Diagram: a Threat exploits a Vulnerability in an asset/process; the resulting Risk is characterised by its Impact and Likelihood]
7
What is Security Risk?
- Probability of a compromise to Confidentiality, Integrity or Availability
- Occurs due to inadequate Security Controls
8
Business Risk vs Technical Risk
- Business Risk: negative impacts at the Organisational level, e.g. damage to reputation
- Technical Risk: negative impacts at the System (application / data) level, e.g. privilege escalation
9
Business vs Technical Risk: An Example
10
Business Risk - Causes
[Diagram: sources of Business Risk]
- Application and Data
- Policy / Process
- People
- Media
- Portable Devices
- Physical Infrastructure
11
Trends - Application Security impacts on Business Risk
- “Web application vulnerabilities in open-source as well as custom-built applications account for almost half the total number of vulnerabilities being discovered in the past year” [SANS Top 20 2007]
- Targeted attacks (data theft) and the “professionalisation of cybercrime” motivated by financial gain [CSI Survey 2007]
  - Credit card fraud (financial data)
  - Identity theft (personal data)
- Not all security breaches are reported
- Not all security breaches are detected
- The majority of applications tested by b-sec Consulting have at least one high severity security vulnerability
12
Attacker Skills and Attack Types
Results collated by Fortify Software during Black Hat 2007: attacks against the “MyRewards” on-line shopping web site protected by Fortify Defender
- Number of unique visitors: 79
- Number of attacks: 17,122 total
  - 7,564 XSS
  - 4,477 Unhandled Exceptions
  - 2,381 Decoy Tampering
  - 1,694 SQL Injection
- Number of successful attacks: 0 attacks exploited the application
- 27 attacks deemed sophisticated
[Chart: attacks by type (XSS, Unhandled Exception, SQL Injection, Decoy Tampering, Command Injection), split between “No Code Words Identified” and “Identified Code Word”]
13
Security = Risk Management
“Risk management is the term applied to a logical and systematic method of establishing the context of, identifying, analysing, evaluating, treating, monitoring and communicating risks associated with any activity, function or process in a way that will enable organizations to minimise losses.” [Handbook 231]
14
Addressing Risk
Select and implement appropriate security controls to reduce the risk to an acceptable level
[Diagram: Business Risk and Application Security Requirements and Controls, showing the GAP between Risks and Controls]
15
When to Consider Risks
16
Compliance Considerations for Application Security
17
Compliance Considerations
[Diagram: Compliance Considerations and Security Requirements]
18
Which compliance areas apply to a given application?
Examples:
- Privacy data → Privacy Principles
- Credit card data → PCI DSS
19
Legal Obligations: Privacy Principles
20
Regulatory Obligations: PCI DSS
21
Common problems - b-sec Consulting observations
- Weak Authorisation Controls
- Poor Management of Outsourced Software Development / Application Hosting
22
Weak Authorisation Controls
“Authorisation ensures that the authenticated user has the appropriate privileges to access resources. The resources a user has access to depends on his/her role.” [OWASP Guide]
(Based on over 200 web applications in the last 4 years)
Weaknesses observed: direct URL access, parameter manipulation, sequential IDs, SQL injection, Cross-Site Scripting etc.
23
Example: Financial Institution
- Financial transactions implemented well
- Access to bank account statements implemented poorly
  - Unauthorised data access via URL manipulation and sequential IDs, e.g. https://www.highly-sensitive-data.com/sensitive-record.aspx?ID=100
  - Unauthorised access to data
  - Exposure of sensitive data; potentially across entire system
  - Activity not logged; not detected
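The failure on this slide is an authenticated handler that fetches a record by its sequential ID without checking that the caller is allowed to see that record, combined with no logging of the refused accesses. The Python below is an added example, not code from the presentation or from b-sec Consulting: it shows the vulnerable handler beside a hardened one that authorises each access against the record's owner and the caller's role, records every refusal in an audit log, and runs a simple detection rule over that log. The users, roles, statement records, function names and the in-memory audit log are all constructed for illustration.

```python
# Added example (not from the OWASP presentation or b-sec Consulting): an
# object-level authorisation check for a "statement by ID" endpoint, modelled
# on the slide's sensitive-record.aspx?ID=100 scenario. Users, roles, records
# and the in-memory audit log are all constructed for illustration.
from dataclasses import dataclass
from collections import Counter

# Constructed sample data: sequential record IDs, each owned by one customer.
STATEMENTS = {
    100: {"owner": "alice", "body": "Statement for account ending 1234"},
    101: {"owner": "bob",   "body": "Statement for account ending 9876"},
    102: {"owner": "alice", "body": "Statement for account ending 1234 (prior month)"},
}

# Constructed roles: customers may see only their own records; an auditor may see any.
ROLES = {"alice": "customer", "bob": "customer", "carol": "auditor"}


@dataclass
class Response:
    status: int
    body: str = ""


def get_statement_vulnerable(user: str, record_id: int) -> Response:
    """The pattern on the slide: the caller is authenticated (we know who `user`
    is) but the handler never checks that `user` may see `record_id`, so any
    logged-in customer can walk ID=100, 101, 102... and read everyone's data."""
    record = STATEMENTS.get(record_id)
    if record is None:
        return Response(404)
    return Response(200, record["body"])


# Hardened version: every access is authorised against the record's owner and
# the caller's role, and every refusal is recorded so it can be detected.
AUDIT_LOG: list = []


def is_authorised(user: str, record: dict) -> bool:
    return record["owner"] == user or ROLES.get(user) == "auditor"


def get_statement(user: str, record_id: int) -> Response:
    record = STATEMENTS.get(record_id)
    if record is None or not is_authorised(user, record):
        # One response for "no such record" and "not your record": a distinct
        # 403 on foreign IDs would confirm to a prober which IDs exist.
        AUDIT_LOG.append({"user": user, "record_id": record_id, "event": "authz_denied"})
        return Response(404)
    return Response(200, record["body"])


def denied_count(user: str) -> int:
    """Number of refused object accesses recorded for `user`."""
    return sum(1 for e in AUDIT_LOG if e["user"] == user and e["event"] == "authz_denied")


def enumeration_suspects(threshold: int = 3) -> list:
    """Detection rule over the audit log: users with `threshold` or more refused
    accesses are likely walking sequential IDs. Returns sorted user names."""
    counts = Counter(e["user"] for e in AUDIT_LOG if e["event"] == "authz_denied")
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    # Constructed walk of sequential IDs by customer "bob".
    for rid in (100, 101, 102, 103):
        print("vulnerable:", rid, get_statement_vulnerable("bob", rid))
        print("hardened:  ", rid, get_statement("bob", rid))
    print("suspects:", enumeration_suspects())
```

The hardened handler keeps the authorisation decision next to the data fetch, so it cannot be skipped by reaching the URL directly, and the audit log turns the slide's "not logged; not detected" into a record that a simple threshold rule can act on. Returning the same status for missing and foreign records is a design choice: it avoids leaking which IDs exist while the audit trail still distinguishes the two cases.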
24
Weak Authorisation Controls
Technical Risks
- Breach of data confidentiality
- Privilege escalation
Business Risks
- Sensitive data exposure (potentially across entire system)
- Negative reputational impacts
- Non-compliance with Privacy Principles
- Non-compliance with PCI DSS
25
Poor Management of Outsourced Software Development / Application Hosting
- Remain accountable for Security and Risk Management
- Need to clearly specify Security Requirements in contracts with your service provider
- Ensure compliance with Security Requirements
26
Contract Security Requirements
- Compliance with the organisation’s security policy (for handling, storing and processing data etc.), including security throughout development
- Security requirements based on legal, regulatory and other compliance considerations
- Segregation from other hosted applications / organisations
27
Contract Security Requirements – Cont…
- Mechanism to ensure compliance with the contract, for example, to perform audits and testing with access to premises, resources and all records
- Mechanism to address any shortfalls in security by the outsourced service provider
- Mechanism for notification by the outsourced service provider of any security incidents
- Mechanism for transferring data etc. at the end of a contract
28
Root Cause
- Inadequate risk management processes
Resolution
- Security requirements should incorporate risk and compliance obligations
29
Summary of Key Points
- Application Security Requirements and Controls are driven by:
  - Business Risk
  - Compliance Considerations
- Common Problems - b-sec Consulting observations
30
Questions?