Application Security Risk Rating

Post on 14-Sep-2014


Overview of the challenges faced while doing risk assessment of applications and their vulnerabilities, then a demonstration of the OWASP risk rating methodology to solve this problem statement. I presented on this topic at the ISC2 Delhi meet in September 2013.

Transcript of Application Security Risk Rating

Application Security Risk Rating

Vaibhav Gupta, Security Researcher – Adobe

in.linkedin.com/in/vaibhav0 | @VaibhavGupta_1


$ whoami

Current Security Researcher - Adobe

Previous Sr. Information Security Engineer – Fortune 500 company

Before that.. InfoSec consultant at various companies


Problem Statement

1. Limited resources to security test large threat landscape of web applications within enterprise

2. Assigning risk levels to vulnerabilities found in manual assessments


Let's first deal with “1”

1. Limited resources to security test large threat landscape of web applications within enterprise

Increasing threat landscape

Slow pace of organizations to adopt secure coding practices

Does not make sense to address all issues simultaneously

Solution ?

Prioritization

Focus on categorizing into high, medium and low risk applications


Approach – Risk Assessment of Applications

Analyze Business criticality of Applications

Analyze Risk Posture of Application

Categorize Applications based on Risk

Security Assessment Project Planning


Analyze Business criticality of Application

Critical

Important

Strategic

Internal

Analyze Risk Posture of Application

Questionnaire (response: Yes/No, with additional details where asked):

1. Is the application facing the internet?
2. Is this application dealing with credit card data?
3. Is this application dealing with SSN or any other PII data?
4. Does the application host any classified or patented data?
5. If the application goes down, can it create a threat to human life?
6. Will this application be subject to any compliance audits?
7. Is this application designed to aid top management or board members in decision making?
8. Does the application implement any kind of authentication? If yes, please give additional details.
9. Does the application implement any kind of authorization? If yes, please give additional details.
10. Is this application developed as a plug-in or extension for another application? If yes, please give additional details on which applications it will work with.

Categorize Applications based on Risk

Inventory -> Business Criticality -> Risk Posture -> Categorized Inventory (Low / Medium / High)

Test Case - Categorize Applications based on Risk


Payroll application
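The worked payroll example on the slide was an image. The following is an added example, not code from the presentation, that carries the categorization flow (inventory -> business criticality -> risk posture -> categorized inventory) through in code. The ten questions and the four criticality tiers are the ones on the slides; the per-question weights, the tier thresholds, the criticality-by-posture matrix and the four sample applications are assumptions constructed for illustration.

```python
"""Categorize an application inventory into High / Medium / Low risk.

Added example, not from the presentation. The ten questions are the ones on the
'Analyze Risk Posture of Application' slide and the four criticality tiers are
the ones on the 'Analyze Business criticality' slide; the per-question weights,
the tier thresholds and the criticality-by-posture matrix are assumptions chosen
for illustration, and the four applications are constructed.
"""

# Questionnaire items by Sr.#; answers are {Sr.#: True for Yes, False for No}.
QUESTIONS = {
    1: "Is the application facing the internet?",
    2: "Is this application dealing with credit card data?",
    3: "Is this application dealing with SSN or any other PII data?",
    4: "Does the application host any classified or patented data?",
    5: "If the application goes down, can it create a threat to human life?",
    6: "Will this application be subject to any compliance audits?",
    7: "Is this application designed to aid top management or board members in decision making?",
    8: "Does the application implement any kind of authentication?",
    9: "Does the application implement any kind of authorization?",
    10: "Is this application developed as a plug-in or extension for another application?",
}

# Assumed weights. Questions 2-7 describe what the business stands to lose;
# questions 1, 8, 9, 10 describe how exposed the application is. A "No" on
# authentication/authorization adds exposure, so those two score on "No".
BUSINESS_WEIGHTS_ON_YES = {2: 3, 3: 3, 4: 3, 5: 5, 6: 2, 7: 2}
EXPOSURE_WEIGHTS_ON_YES = {1: 4, 10: 2}
EXPOSURE_WEIGHTS_ON_NO = {8: 3, 9: 3}

# Assumed mapping: (business criticality, risk posture) -> risk category.
CATEGORY_MATRIX = {
    "Critical":  {"High": "High",   "Medium": "High",   "Low": "Medium"},
    "Important": {"High": "High",   "Medium": "Medium", "Low": "Medium"},
    "Strategic": {"High": "Medium", "Medium": "Medium", "Low": "Low"},
    "Internal":  {"High": "Medium", "Medium": "Low",    "Low": "Low"},
}
CATEGORY_ORDER = ("High", "Medium", "Low")


def business_criticality(answers):
    """Tier from the slide; thresholds are assumptions. A 'Yes' on the
    human-life question (5) is Critical regardless of the rest."""
    score = sum(w for q, w in BUSINESS_WEIGHTS_ON_YES.items() if answers.get(q, False))
    if answers.get(5, False) or score >= 8:
        return "Critical"
    if score >= 5:
        return "Important"
    if score >= 2:
        return "Strategic"
    return "Internal"


def risk_posture(answers):
    """Exposure score: internet-facing and plug-in count on Yes, missing
    authN/authZ count on No; thresholds are assumptions."""
    score = sum(w for q, w in EXPOSURE_WEIGHTS_ON_YES.items() if answers.get(q, False))
    score += sum(w for q, w in EXPOSURE_WEIGHTS_ON_NO.items() if not answers.get(q, False))
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def categorize(answers):
    """Returns (criticality, posture, category) for one application."""
    unknown = set(answers) - set(QUESTIONS)
    if unknown:
        raise ValueError(f"unknown question numbers: {sorted(unknown)}")
    crit = business_criticality(answers)
    posture = risk_posture(answers)
    return crit, posture, CATEGORY_MATRIX[crit][posture]


def categorize_inventory(inventory):
    """inventory: {app name: answers}; rows sorted High first, then by name."""
    rows = [(name, *categorize(ans)) for name, ans in inventory.items()]
    return sorted(rows, key=lambda r: (CATEGORY_ORDER.index(r[3]), r[0]))


# Constructed inventory (questions not listed were answered No).
SAMPLE_INVENTORY = {
    "Payroll application":     {3: True, 6: True, 8: True, 9: True},
    "Customer payment portal": {1: True, 2: True, 3: True, 6: True, 8: True, 9: True},
    "Marketing website":       {1: True},
    "Internal wiki":           {8: True},
}

if __name__ == "__main__":
    for name, crit, posture, category in categorize_inventory(SAMPLE_INVENTORY):
        print(f"{category:6} {name:24} criticality={crit:9} posture={posture}")
```

The questionnaire answers are self-reported by the application owner, so a "Yes" on authentication or authorization only says a control exists, not that it is sound; the categorized inventory decides which applications get manually assessed first, and that assessment is what validates the answers.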


Let's deal with the next problem statement: “2”

2. Assigning risk levels to vulnerabilities found in manual assessments

Why are we even considering this problem statement?

OWASP: Risk Rating Methodology

There are many different approaches to risk analysis. The OWASP approach is based on standard methodologies and is customized for application security.

Standard risk model:

Risk = Likelihood * Impact


OWASP: Risk Rating Methodology - Steps

Step 1

• Identifying a Risk

Step 2

• Estimating Likelihood

Step 3

• Estimating Impact

Step 4

• Determining Severity of the Risk

Step 5

• Deciding What to Fix

Step 6

• Customizing Your Risk Rating Model


Step 1: Identifying a Risk

What needs to be rated? XSS? SQLi?

Threat agents?

Impact?


Step 2: Estimating Likelihood

Threat Agent Factors: Skill level, Motive, Opportunity, Size

Vulnerability Factors: Ease of discovery, Ease of exploit, Awareness, Intrusion detection

Step 3: Estimating Impact

Technical Impact Factors: Loss of confidentiality, Loss of integrity, Loss of availability, Loss of accountability

Business Impact Factors: Financial damage, Reputation damage, Non-compliance, Privacy violation

Step 4: Determining Severity of the Risk

Likelihood and Impact Levels:

0 to <3 LOW
3 to <6 MEDIUM
6 to 9 HIGH

Likelihood (or Impact) level = Total sum of factor values / Total number of factors

Each factor is scored 0 to 9, so the average stays on the same 0 to 9 scale that the table above buckets.

Step 4: Determining Severity of the Risk (Cont..)

Overall risk severity is read from the OWASP likelihood x impact matrix (impact down, likelihood across):

                 Likelihood LOW   Likelihood MEDIUM   Likelihood HIGH
Impact HIGH      Medium           High                Critical
Impact MEDIUM    Low              Medium              High
Impact LOW       Note             Low                 Medium

Test Case - OWASP Risk Rating


Step 5: Deciding What to Fix


PRIORITIZE: Critical, High, Medium, Low, Note

Note: As a general rule, you should fix the most severe risks first


Step 6: Customizing Your Risk Rating Model

“A tailored model is much more likely to produce results that match people's perceptions about what is a serious risk” - OWASP

Adding factors

Customizing options

Weighting factors
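The "Test Case - OWASP Risk Rating" slide was an image. The following is an added example, not code from the presentation, that carries Steps 2 to 6 through for a finding: the eight likelihood factors and eight impact factors are averaged with the slide's formula, bucketed with the slide's thresholds, combined through the OWASP severity matrix, and the rated findings are ordered for Step 5. The factor names, the 0 to 9 scale and the matrix follow the OWASP Risk Rating Methodology the slides reference; the optional `weights` parameter (Step 6, weighting factors) and the two sample findings with their scores are assumptions constructed for illustration.

```python
"""OWASP Risk Rating Methodology, Steps 2 to 6, carried through in code.

Added example, not from the presentation. The factor names, the 0-9 factor
scale, the averaging rule and the severity matrix follow the OWASP Risk Rating
Methodology the slides reference; the `weights` parameter and the two sample
findings with their scores are constructed for illustration.
"""

# Step 2: likelihood factors (threat agent factors, then vulnerability factors)
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
# Step 3: impact factors
TECHNICAL_IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
)
BUSINESS_IMPACT_FACTORS = (
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)

# Step 4: overall severity, keyed by (impact level, likelihood level)
SEVERITY_MATRIX = {
    ("HIGH", "LOW"): "Medium",   ("HIGH", "MEDIUM"): "High",     ("HIGH", "HIGH"): "Critical",
    ("MEDIUM", "LOW"): "Low",    ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("LOW", "LOW"): "Note",      ("LOW", "MEDIUM"): "Low",       ("LOW", "HIGH"): "Medium",
}
# Step 5: fix order, most severe first
SEVERITY_ORDER = ("Critical", "High", "Medium", "Low", "Note")


def factor_average(scores, factors, weights=None):
    """Slide formula: level = sum of factor values / number of factors.

    `weights` (Step 6, 'Weighting factors', an assumption here) multiplies each
    factor; with no weights this is the plain average from the slide.
    """
    weights = weights or {}
    total = denominator = 0.0
    for factor in factors:
        value = scores[factor]          # KeyError if a factor was not scored
        if not 0 <= value <= 9:
            raise ValueError(f"{factor}={value}: factor scores are 0 to 9")
        weight = weights.get(factor, 1)
        total += weight * value
        denominator += weight
    return total / denominator


def level(score):
    """Slide thresholds: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def rate_risk(likelihood_scores, technical_scores, business_scores=None, weights=None):
    """Steps 2-4 for one finding; returns the numbers and the severity.

    OWASP's rule: use business impact when it can be estimated, otherwise
    fall back to technical impact.
    """
    likelihood = factor_average(likelihood_scores, LIKELIHOOD_FACTORS, weights)
    technical = factor_average(technical_scores, TECHNICAL_IMPACT_FACTORS, weights)
    impact = (factor_average(business_scores, BUSINESS_IMPACT_FACTORS, weights)
              if business_scores else technical)
    return {
        "likelihood": likelihood, "likelihood_level": level(likelihood),
        "impact": impact, "impact_level": level(impact),
        "severity": SEVERITY_MATRIX[(level(impact), level(likelihood))],
    }


def prioritize(findings):
    """Step 5: order rated findings most severe first (stable within a level)."""
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f["rating"]["severity"]))


# Constructed sample: reflected XSS reachable by anonymous internet users.
XSS_LIKELIHOOD = dict(skill_level=6, motive=4, opportunity=9, size=9,
                      ease_of_discovery=7, ease_of_exploit=5, awareness=9,
                      intrusion_detection=8)          # average 7.125 -> HIGH
XSS_TECHNICAL = dict(loss_of_confidentiality=6, loss_of_integrity=3,
                     loss_of_availability=1, loss_of_accountability=7)  # 4.25 -> MEDIUM
XSS_BUSINESS_PUBLIC = dict(financial_damage=3, reputation_damage=5,
                           non_compliance=2, privacy_violation=3)       # 3.25 -> MEDIUM
# Same bug, same technical impact, but on a throwaway internal demo app.
XSS_BUSINESS_DEMO = dict(financial_damage=1, reputation_damage=1,
                         non_compliance=0, privacy_violation=1)         # 0.75 -> LOW


def rate_samples():
    """Rates the two constructed findings and returns them in fix order."""
    findings = [
        {"name": "XSS on internal demo app",
         "rating": rate_risk(XSS_LIKELIHOOD, XSS_TECHNICAL, XSS_BUSINESS_DEMO)},
        {"name": "XSS on public customer portal",
         "rating": rate_risk(XSS_LIKELIHOOD, XSS_TECHNICAL, XSS_BUSINESS_PUBLIC)},
    ]
    return prioritize(findings)


if __name__ == "__main__":
    for f in rate_samples():
        r = f["rating"]
        print(f"{r['severity']:8} {f['name']}: likelihood {r['likelihood']:.2f} "
              f"({r['likelihood_level']}), impact {r['impact']:.2f} ({r['impact_level']})")
```

The two sample findings share every technical score and differ only in business impact, which is the point of Step 3's second factor group: the same XSS rates High on the public portal and Medium on the demo app, and rating on technical impact alone would have called both High.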

?? Questions ??

Vaibhav Gupta, Security Researcher – Adobe

in.linkedin.com/in/vaibhav0 | @VaibhavGupta_1

References:

http://owasp.org/index.php/OWASP_Risk_Rating_Methodology

http://owasp.org