Comments on: Application Security Risk Assessments

By: Patrick

Patrick — Wed, 08 Dec 2010 19:19:07 +0000

Chris, I stumbled upon your site while searching for an approach to application risk assessments. I am also a first time application risk assessment noob. I was tasked to put together an application risk assessment that is “simple” and “do-able” for a small e-commerce company. Most of the apps are home grown (about 16) that I would like to conduct an risk assessment on.
I have classified them and am trying to put together a questionnaire for the data owners. Not sure how granular I should get. Any assistance would be greatly appreciated.

Thanks!

By: Moloko Monyepao

Moloko Monyepao — Wed, 21 Oct 2009 10:03:34 +0000

This is good. I am a first time application security assesor. I have been doing normal Security and risk asssessment but never application security. Reading this blog gave me some ideas.

Thanks

By: Chris Hayes

Chris Hayes — Mon, 20 Apr 2009 14:00:39 +0000

Jason – You are absolutely right and I think this is adequately covered in paragraph 6. “The first three concepts are straightforward and usually give you 80% of the information you need to facilitate a risk assessment. The last three concepts usually require more time and understanding.” In my experience using the methodology I have outlined, the first three parts can usually be accomplished in an hour or so – depending on the amount of information available to the assessor. Think of it as a triage review. From there, we determine if we need to deep dive or not. We are on the same sheet of music.

By: Jason

Jason — Mon, 20 Apr 2009 11:14:01 +0000

Chris,
When referring to “quick”, I mean that an application should be easily profiled for risk. If there is low risk then the assessment should be minimal with very little time and money spent. If there is high risk (i.e. sensitive data, high exposure, etc.) then the assessment should scale based on those high risk factors. Therefore, in this fashion we will focus time and effort appropriately.

By: Chris Hayes

Chris Hayes — Sun, 19 Apr 2009 00:58:48 +0000

@Jason – Hi Jason. The application security post you are referencing is more of a methodology to assess applications. Towards the bottom of my post I state “Of course, once you flush out some risk issues, you can assess them for risk using your favorite risk assessment methodology.” In this case, the ‘favorite risk assessment methodology’ would be where the Cost vs. Risk answer would be questioned. Thanks for the pingback!

Also – in terms of an application risk assessment. I disagree. The speed of the assessment whether it is strictly a code review – or truly a holistic assessment will differ based on time, resources, skill of the assessor, sensitivity of the data at risk.

By: jtbevis

jtbevis — Fri, 17 Apr 2009 21:21:45 +0000

Chris,

Your approach covers many of the major items. I see a couple of major gaps that I would consider fundamental for any risk assessment, such as Cost and Metrics.

I wrote a blog post in response to yours which you can see at:
http://infosecalways.com/2009/04/17/application-risk-assessments/

As you will see I think your inline with Threat Modeling (it can be used for all applications not just web) but hopefully you can see there are already some pretty good models in use already. I would look to enhance or build off the existing work already done.

Another item to consider is time. Most applicaiton risk assessments need to be quick and ongoing as to not disrupt the SDLC.

Jason
http://infosecalways.com

By: Application Risk Assessments « InfoSecAlways.com

Application Risk Assessments « InfoSecAlways.com — Fri, 17 Apr 2009 21:13:33 +0000

[...] http://risktical.com/2009/03/16/application-security-risk-assessments/ [...]

By: links for 2009-03-20 • Bare Identity

links for 2009-03-20 • Bare Identity — Sat, 21 Mar 2009 00:01:19 +0000

[...] Application Security Risk Assessments « Risktical Ramblings A pragmatic approach to application security assessments. (tags: security infosec methodology assessment chrishayes) [...]

By: Interesting Information Security Bits for 03/16/2009 | Infosec Ramblings

Interesting Information Security Bits for 03/16/2009 | Infosec Ramblings — Mon, 16 Mar 2009 18:50:31 +0000

[...] application security risk assessment. Good stuff. I hope he gets permission to share more details. Application Security Risk Assessments << Risktical Ramblings Tags: ( risk assessment application [...]