Application Security Risk Rating
Download as PPTX, PDF2 likes2,466 views
The document discusses two problems related to application security risk rating: 1) limited resources to test a large number of applications, and 2) assigning risk levels to vulnerabilities found during manual assessments. For the first problem, the document proposes prioritizing applications by categorizing them into high, medium, and low risk based on a risk assessment analyzing business criticality and risk posture. For the second problem, the document outlines the OWASP risk rating methodology in six steps: identifying risks, estimating likelihood, estimating impact, determining severity, deciding what to fix, and customizing the risk rating model.
More Related Content
Viewers also liked (20)
Similar to Application Security Risk Rating (20)
Recently uploaded (20)
![Formal Methods: Whence and Whither? [Martin Fr?nzle Festkolloquium, 2025]](https://cdn.slidesharecdn.com/ss_thumbnails/mf2025-250305164811-a0930761-thumbnail.jpg?width=560&fit=bounds)
Application Security Risk Rating
- 1. Application Security Risk Rating Vaibhav Gupta Security Researcher ¨C Adobe in.linkedin.com/in/vaibhav0 @VaibhavGupta_1
- 2. $ whoami 2 ? Current ? Security Researcher - Adobe ? Previous ? Sr. Information Security Engg. ¨C Fortune 500 company ? Before that.. ? InfoSec consultant at various companies
- 3. Problem Statement 1. Limited resources to security test large threat landscape of web applications within enterprise 2. Assigning risk levels to vulnerabilities found in manual assessments 3 in.linkedin.com/in/vaibhav0
- 4. Lets first deal with ¡°1¡± 4 1. Limited resources to security test large threat landscape of web applications within enterprise ? Increasing threat landscape ? Slow pace of organizations to adopt secure coding practices ? Does not make sense to address all issues simultaneously in.linkedin.com/in/vaibhav0
- 5. Solution ? 5 ? Prioritization ? Focus on categorizing into high, medium and low risk applications in.linkedin.com/in/vaibhav0
- 6. Approach ¨C Risk Assessment of Applications 6 Analyze Business criticality of Applications Analyze Risk Posture of Application Categorize Applications based on Risk Security Assessment Project Planning in.linkedin.com/in/vaibhav0
- 7. Analyze Business criticality of Application 7 Critical Important Strategic Internal in.linkedin.com/in/vaibhav0
- 8. Sr. # Questions Response (Yes/No) 1 Is the application facing the internet? 2 Is this application dealing with credit card data? 3 Is this application dealing with SSN or any other PII data? 4 Does application host any classified or patented data? 5 If the application goes down, can it create threat to human life? 6 Will this application be subject to any compliance audits? 7 Is this application designed to aid Top Management or Board Members in decision making? 8 Does application implement any kind of authentication? If yes, please give additional details 9 Does application implement any kind of authorization? If yes, provide additional details 10 Is this application developed as a plug-in or extension for other application? If yes, please provide additional details on what all applications it will be working with Analyze Risk Posture of Application 8
- 9. Categorize Applications based on Risk 9 Inventory Business Criticality Risk Posture Categorized Inventory Low Medium High in.linkedin.com/in/vaibhav0
- 10. Test Case - Categorize Applications based on Risk 10 in.linkedin.com/in/vaibhav0 ? Payroll application
- 11. Lets deal with next problem statement: ¡°2¡± 11 2. Assigning risk levels to vulnerabilities found in manual assessments ???? Why are we even considering this problem statement in.linkedin.com/in/vaibhav0
- 12. OWASP: Risk Rating Methodology 12 ? There are many different approaches to risk analysis. The OWASP approach is based on standard methodologies and is customized for application security. ? Standard risk model : Risk = Likelihood * Impact in.linkedin.com/in/vaibhav0
- 13. OWASP: Risk Rating Methodology - Steps 13 Step 1 ? Identifying a Risk Step 2 ? Estimating Likelihood Step 3 ? Estimating Impact Step 4 ? Determining Severity of the Risk Step 5 ? Deciding What to Fix Step 6 ? Customizing Your Risk Rating Model in.linkedin.com/in/vaibhav0
- 14. Step 1: Identifying a Risk 14 ? What needs to be rated? ? XSS ? ? SQLi ? ? Threat agents ? ? Impact ? in.linkedin.com/in/vaibhav0
- 15. Step 2: Estimating Likelihood 15 ? Threat Agent Factors ? Skill level ? Motive ? Opportunity ? Size ? Vulnerability Factors ? Ease of discovery ? Ease of exploit ? Awareness ? Intrusion detection in.linkedin.com/in/vaibhav0
- 16. Step 3: Estimating Impact 16 ? Technical Impact Factors ? Loss of confidentiality ? Loss of integrity ? Loss of availability ? Loss of accountability ? Business Impact Factors ? Financial damage ? Reputation damage ? Non-compliance ? Privacy violation in.linkedin.com/in/vaibhav0
- 17. Step 4: Determining Severity of the Risk 17 Likelihood and Impact Levels 0 to <3 LOW 3 to <6 MEDUIM 6 to 9 HIGH in.linkedin.com/in/vaibhav0 ?????????? ?? ?????? ????? = ????? ??? ?? ?????? ????? ?? ?? ??????
- 18. Step 4: Determining Severity of the Risk (Cont..) 18
- 19. Test Case - OWASP Risk Rating 19 in.linkedin.com/in/vaibhav0
- 20. Step 5: Deciding What to Fix 20 in.linkedin.com/in/vaibhav0 PRIORITIZE Critical High Medium Low Note Note: As a general rule, you should fix the most severe risks first
- 21. Step 6: Customizing Your Risk Rating Model 21 ¡°A tailored model is much more likely to produce results that match people's perceptions about what is a serious risk¡± - OWASP ? Adding factors ? Customizing options ? Weighting factors in.linkedin.com/in/vaibhav0
- 22. ?? Questions ?? Vaibhav Gupta Security Researcher ¨C Adobe in.linkedin.com/in/vaibhav0 @VaibhavGupta_1
Editor's Notes
- #8: Critical - > paypal.com for paypal Important -> Strategic - > company¡¯s main website Internal -> payroll app/AMS