Would be nice.
Maybe.
Definitely.
Could be a near miss. Or an unfortunate impact. That's fine, we'll pull out our trusty dusty (network) response plan...
FAIL
Root cause is one or more of the... Usually one neck to choke. There's an app for that. And a process template. And an audit guideline. Whew... All done!
Application Anarchy!
Could be one of many root causes. Could be the fault of the developer, the framework author, third-party plug-ins, application operations, poor requirement definition, client-side security, etc. etc. How many necks can you choke?
There's probably an app for some of that. But you're going to need some process for it too... Quick - how do you audit a secure coding practice?
Internal Auditors (grr!)
External Auditors (eep!)
Executives (*cringe*)
Development Managers (hey, you!)
Network Security People (...)
Application Security Salesmen in your C[X]O's office (WTF!)
You may be getting funding... IF you can show that you're going to do something meaningful with it.
OR you may have to go back into the trenches until the next one.
OR ...appsec program. Congratulations!
But then...
AppSec Stallout!
Management priority shift.
Fatigue, fear, and loathing.
Bought the $PRODUCT, the problem is solved. Right? Right?
Got the pentest, all clean! Right?
X days without a workplace incident, all good!
Analysis Paralysis
Auditor Pile-On
The LCD of Compliance
Existing inventories are usually...
Don't fight against intuition.
Get it over with.
Scoping is Critical
Scoping is Collaborative
Get everyone to the table, including:
Application Owner
Development Guy
Information Security Guy
The Tester
Ambiguity at the beginning is okay, but not at the end. Respect the fact that this makes some people uncomfortable.
Pick friendly application teams to start. Bring in external teams at the beginning to crib off of their approach and delivery.
app: a pre-approved not-to-exceed amount and a separate budget request for larger initiatives.
Assign Specialists
Understand the business unit
Maintain a watchlist of applications
Scope and schedule assessments
Assist in Incident Response
Process Change
SDL improvements
Small steps with pilot groups
Leverage specialists
Vendor management: give them a risk assessment that they can self-operate to start
...audit trails that you didn't have pre-incident that would have helped you respond faster and with less legwork.
Metrics
KRIs KPIs
# of high-risk applications
# of assessments performed
Code/component coverage for each assessment
Assessment coverage per business unit
# of vulnerabilities opened for each application
# of vulnerabilities addressed with a plan
# of vulnerabilities closed or remediated

Vulnerabilities still open for each application
Applications with open vulnerabilities that have suffered a successful attack within the last year
Applications with open vulnerabilities with no clear path towards remediation, or where the risk has been accepted by the business unit