Assessing IT System Risk the Smart Way
About Security Innovation
• Securing software in all the challenging places…
• …while helping clients get smarter
Assessment: show me the gaps
Standards: set goals and make it easy
Education: help me make good decisions
• Over 3 million users
• Authored 18 books
• Named 6x in Gartner MQ
A little about me…
• CEO by day; engineer by trade (and heart)
• Mechanical Engineer, Software Engineer
• Distinguished Research Fellow, Ponemon Institute
• Privacy by Design Ambassador, Canada
• 2018 & 2019 Influencer Award, SC Magazine
• In younger days, built non-lethal weapons
systems for Federal Government
Agenda
• Threats, vulnerabilities, and weaknesses – oh my! (this section)
• Vulnerability scanning: how it helps (and hinders) efforts
• Security engineering and the SDLC
• Application risk rating and threat modeling
Vernacular Calibration
• Threat
• Undesired event or potential occurrence
• May or may not be malicious in nature
• Might damage or compromise an asset
• Vulnerability
• Weakness in some system aspect or feature that makes an exploit possible
• Can exist in network, application, infrastructure, 3rd-party, etc.
• Attack/Exploit
• An action taken against a weakness/vulnerability to realize a threat
• Could be someone following through on a threat or exploiting a vulnerability
• Countermeasure
• Defenses that reduce probability or impacts of attacks
• Improvements to system design, code, operational practices
Assessing Risk
• Take into account threats, vulnerabilities, likelihood, and impact
• Include external parties:
• Service providers
• Contractors
• Individuals
• Outsourcing entities
• Public users
• Conduct at:
• Organization level
• Business process level
• Information system level
• Any phase of the SDLC
Assessing Risk
• Risk is assessed at various steps of the risk management framework
• Categorization
• Control selection
• Control implementation
• Control assessment
• System authorization
• Control monitoring
• Risk assessments play an important role
• In the control selection processes
• During application of tailoring guidance
• During vulnerability scanning process
Security control: a defense tactic to protect individuals, operations, and assets
Agenda
• Threats, vulnerabilities, and weaknesses – oh my!
• Vulnerability scanning: how it helps (and hinders) efforts (this section)
• Security engineering and the SDLC
• Application risk rating and threat modeling
Vulnerability Scanning
• Scanning is just that: Scanning (it isn’t even testing)
• Network infrastructure and endpoint scanning most common
• Detection phase of “detect & respond”
• Many tools for this, e.g., AlienVault
• Software requires additional approaches
• Static analysis (source code)
• Dynamic analysis (compiled/deployed app)
• Binary analysis (reverse engineering)
• Complement with risk-based approaches
• Threat modeling
• Application risk rating
• Attack surface reduction
What to Scan for
• Common vulnerable areas:
• Patch levels
• Open ports
• Active protocols & services
• Improper configurations
• Incorrectly operating flow control
• OWASP Top 10 (for Web, Mobile, IoT)
• Common naming/scoring conventions:
• CVE
• OVAL
• CVSS
Key question: What services/features should not be accessible to users or other devices?
• Adopt when you have baseline skills to:
• Interpret false positives
• Fix problems found
• Augment with manual test efforts
• Complement with sound process & training
• “When?” is just as important as “Which?”
• Tools don’t make your organization more mature
• Ensure tool matches your expected operational environment
• Can’t validate a stop light controller as if it’s a web application
DAST and SAST Tools
Polling Question
• Which of the following do you use (check all that apply):
• Network vulnerability scanning
• Endpoint detection and response (EDR) scanning
• DAST scanning for web applications
• SAST scanning for software applications
Risk Assessment Program Goals
• Improve Vulnerability Management
• Regular, iterative testing ensures continually-improving test results
• Reduce vulnerabilities over time by learning from past mistakes
• Focus on the find AND fix
• Optimize Frequency and Depth of Testing
• Let tools and humans do what they do best
• Match level of testing and analysis to application criticality
• Optimize Costs
• Predictability
• Investment matched to level of risk
Agenda
• Threats, vulnerabilities, and weaknesses – oh my!
• Vulnerability scanning: how it helps (and hinders) efforts
• Security engineering and the SDLC (this section)
• Application risk rating and threat modeling
System Development Lifecycle (SDLC)
• System Development Life Cycle (SDLC):
• Development
• Implementation
• Operation
• Applying security controls within the SDLC requires a basic understanding of:
• Information security threats
• Vulnerabilities
• Potential adverse impacts
• Risks to critical missions/business functions
SDLC Skills
• Individuals that design, code, test, and operate IT systems should understand security
• Business Analysts
• Developers
• Software Engineers
• Information Security
• System Architects
• Network Engineers
• IT Operations
• Database Administrators
• Security awareness and training ensures personnel have appropriate expertise to conduct assigned activities
• With the line between build and maintain forever blurred, shared knowledge of attack and defend within the team is critical
Security Requirements
• Define early in SDLC
• Support mission/business process
• Integrate into security architecture
• Use cases & Abuse cases
• Align with risk management goals and information security strategies
Security Engineering Principles
• Develop layered protections to reduce risk
• Minimize attack surface
• Fail securely
• Define physical/logical security boundaries
• Secure default settings and access
• Train IT system team members on security
• By job function
• By technology stack
• Tailor security controls to business needs
• Least privilege
• Perform Threat Modeling
System Developers
• Follow a documented development process that
• Explicitly addresses security requirements
• Identifies standards & tools used in development
• Documents specific tool options and configurations
• Documents, manages, and ensures integrity of changes
• Reviews the development process, standards, tools, and options/configurations regularly
Security Testing and Evaluation
• Validates that required security controls are implemented correctly and that the system:
• Operates as intended
• Enforces the desired security policy
• Meets established security requirements
• Security properties may be affected by:
• Interconnection of system components
• Changes to system components
• Previously implemented security controls.
Development Process, Standards, & Tools
• Maintaining the integrity of changes to tools and processes includes:
• Supply chain risk mitigation
• 3rd-party vulnerability assessments
• Acceptance testing criteria in SLAs
• Robust configuration control
• Tracking of authorized changes
• Logging and Monitoring
• Anti-tampering measures
• Logical and physical
• Prevention of unauthorized changes
• Sign-off procedures
Agenda
• Threats, vulnerabilities, and weaknesses – oh my!
• Vulnerability scanning: how it helps (and hinders) efforts
• Security engineering and the SDLC
• Application risk rating and threat modeling (this section)
Enterprise Application Risk Rating
• Helps ensure
• Assessment and mitigation activities are done cost effectively
• Prioritization is based on real business risk
• The business doesn't get distracted by minor risks while ignoring more serious risks that are less well understood
• Inappropriate security assessments are costly
• Deep inspection on all applications is neither feasible nor necessary
• Running just an automated scan on critical application will lead to trouble
• Allows you to understand risk-based options
• Remove, replace, take off-line, or implement compensating controls
Business criticality is the driving factor when determining which applications to secure and the level of regular assessment needed
Risk Rating Framework
• Risk = Likelihood * Impact
• Remember: threats can be inherited from dependencies and connectivity
• Attackers leverage non-critical apps to get to critical apps
• Identify and prioritize application risk based on
• Business impact: data criticality, compliance mandates, operational risk
• Security threats: attack surface, exposure (e.g. internet vs. intranet)
• There is no standard formula
• Risk tolerance and data classification are contextual to each organization
• Make sure risk-rating framework is:
• Transparent so decisions and calculations can be easily explained
• Adaptable so each group can apply unique drivers, goals, resources
• Practical so you end up with something that works
Risk Rating Tiers
• Tier 1 (critical) application
• Highly sensitive data and/or compliance requirements
• Internet facing
• Business critical functionality
• Long lifespan
• Tier 2 (medium risk) application
• Medium sensitivity data, no compliance requirements
• Intranet facing
• Business important functionality
• Mid-to-long lifespan
• Tier 3 (low risk) application
• Low sensitivity data
• Short lifespan with low importance functionality
• No authentication or authorization required
Risk Rating in Practice
Application is an operational e-commerce application. It was built by a 3rd party. Data has been collected and stored in an encrypted cloud database. Data collected is sensitive.
Choose a scale, e.g., 0-10 (low to high), and 4 rating criteria, e.g., 0-3 x 3 and 0-1 x 1
• Data Sensitivity (3) – Full names, addresses, account numbers, credit card information
• Lifespan (3) – This application does not have an EOL set
• Compliance (2) – PCI, PII, GDPR
• Customer or Internet Facing (1) – This application is hosted on a dedicated Virtual Server within the DMZ, is Internet-facing, and accesses a database in a co-located data center
Risk Rating: 9/10 → Tier 1
Risk Rating in Practice
Application is a cash back marketing website. Data collected consists of only order number and product serial. Data collected is not sensitive.
Choose a scale, e.g., 0-10 (low to high), and 4 rating criteria, e.g., 0-3 x 3 and 0-1 x 1
• Data Sensitivity (1) – No names, addresses, account numbers, or credit card information
• Lifespan (1) – This application will only exist for a one month promotion
• Compliance (0) – no PCI or PII data collected
• Customer or Internet Facing (1) – This application is hosted on a shared cloud-based web server in a virtual data center with other LOB applications
Risk Rating: 3/10 → Tier 3
Resulting Risk-Based Test Matrix
Each cell is Complete / Frequency.

Threat Rating      | Static Analysis (Source Code)  | Dynamic Analysis (Web App Scanning) | Manual (Penetration Testing) | Threat Modeling
Tier 1 (Critical)  | Required / Major Code Changes  | Required / Major Code Changes       | Required / Per-Milestone     | Required / Per-Release
Tier 2 (High)      | Suggested / Monthly            | Required / Quarterly                | Required / Per-Release       | Suggested / Per-Release
Tier 3 (Low)       | Optional / Quarterly           | Required / Annually                 | Optional / As needed         | Optional / As needed
Polling Question
• Do you currently use a risk-based testing matrix similar to
what was shown on the last slide?
• Yes
• No
• I was sleeping and missed it
Threat Modeling – Simplified
Identify/quantify weaknesses; devise defenses
• Sound familiar?
• Most people threat model every day but don’t realize it
• If I asked you to threat model my house, you could; even if you have never been
Courtesy: Sean Gallagher
“Nearly 50% of security flaws will be discovered from Threat Modeling because it finds different threats than those found through code review”
– Michael Howard, Security Program Manager, Microsoft
Threat Profiles are Never the Same
Is this a threat in Nebraska?
[Diagram labels: Attacker, Threat, Vulnerability, Mitigation]
Threat Modeling
Vulnerabilities are unmitigated threats
Here’s our opportunity!
• Threats are not vulnerabilities; they are attack vectors and live forever
• Should include use cases, threat agents, attack vectors, compensating controls and design patterns
• If done right and at every phase, provides more leverage than any other security activity
• 12 Methods: https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html
Polling Question
• Do you have an active Threat Modeling practice at your
organization?
• Yes
• No
Summary
• Learn and adopt a simple RMF, e.g.,
• https://csrc.nist.gov/projects/risk-management/risk-management-framework-(RMF)-Overview
• Use vulnerability scanning tools, BUT
• Do so after role- and technology-based training
• Be sure to configure properly and expect many false positives
• Consider risk-based application security testing framework
• Data and application risk categorization
• Calibrate depth and frequency of testing to risk tiers
• Deploy threat modeling to streamline assessments
Questions?
Slashing Your Cloud Risk: 3 Must-Do's
Security Innovation
 
A Fresh, New Look for CMD+CTRL Cyber Range
A Fresh, New Look for CMD+CTRL Cyber RangeA Fresh, New Look for CMD+CTRL Cyber Range
A Fresh, New Look for CMD+CTRL Cyber Range
Security Innovation
 
Security Testing for IoT Systems
Security Testing for IoT SystemsSecurity Testing for IoT Systems
Security Testing for IoT Systems
Security Innovation
 
Is Blockchain Right for You? The Million Dollar Question
Is Blockchain Right for You? The Million Dollar QuestionIs Blockchain Right for You? The Million Dollar Question
Is Blockchain Right for You? The Million Dollar Question
Security Innovation
 
Privacy: The New Software Development Dilemma
Privacy: The New Software Development DilemmaPrivacy: The New Software Development Dilemma
Privacy: The New Software Development Dilemma
Security Innovation
 
Privacy Secrets Your Systems May Be Telling
Privacy Secrets Your Systems May Be TellingPrivacy Secrets Your Systems May Be Telling
Privacy Secrets Your Systems May Be Telling
Security Innovation
 
Secure DevOps - Evolution or Revolution?
Secure DevOps - Evolution or Revolution?Secure DevOps - Evolution or Revolution?
Secure DevOps - Evolution or Revolution?
Security Innovation
 
IoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythIoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" Myth
Security Innovation
 
GDPR: The Application Security Twist
GDPR: The Application Security TwistGDPR: The Application Security Twist
GDPR: The Application Security Twist
Security Innovation
 
The New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseThe New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the Chase
Security Innovation
 
Ad

Recently uploaded (20)

AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-UmgebungenHCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
panagenda
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath MaestroDev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
UiPathCommunity
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-UmgebungenHCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
panagenda
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath MaestroDev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
UiPathCommunity
 

Assessing System Risk the Smart Way

  • 1. Assessing IT System Risk the Smart Way
  • 2. About Security Innovation
    • Securing software in all the challenging places….
    • ….while helping clients get smarter
    Assessment: show me the gaps
    Standards: set goals and make it easy
    Education: help me make good decisions
    Over 3 Million Users | Authored 18 Books | Named 6x Gartner MQ
  • 3. A little about me…
    • CEO by day; engineer by trade (and heart)
    • Mechanical Engineer, Software Engineer
    • Distinguished Research Fellow, Ponemon Institute
    • Privacy by Design Ambassador, Canada
    • 2018 & 2019 Influencer Award, SC Magazine
    • In younger days, built non-lethal weapons systems for Federal Government
  • 4. Agenda
    • Threats, vulnerabilities, and weaknesses – oh my! (current section)
    • Vulnerability scanning: how it helps (and hinders) efforts
    • Security engineering and the SDLC
    • Application risk rating and threat modeling
  • 5. Vernacular Calibration
    • Threat
      • Undesired event or potential occurrence
      • May or may not be malicious in nature
      • Might damage or compromise an asset
    • Vulnerability
      • Weakness in some system aspect or feature that makes an exploit possible
      • Can exist in network, application, infrastructure, 3rd-party, etc.
    • Attack/Exploit
      • An action taken against a weakness/vulnerability to realize a threat
      • Could be someone following through on a threat or exploiting a vulnerability
    • Countermeasure
      • Defenses that reduce probability or impacts of attacks
      • Improvements to system design, code, operational practices
  • 6. Assessing Risk
    • Take into account threats, vulnerabilities, likelihood, and impact
    • Include external parties:
      • Service providers
      • Contractors
      • Individuals
      • Outsourcing entities
      • Public users
    • Conduct at:
      • Organization level
      • Business process level
      • Information system level
      • Any phase of the SDLC
  • 7. Assessing Risk
    • Risk assessed at various steps in risk management framework
      • Categorization
      • Control selection
      • Control implementation
      • Control assessment
      • System authorization
      • Control monitoring
    • Risk assessments play an important role
      • In the control selection processes
      • During application of tailoring guidance
      • During vulnerability scanning process
    Security control: defense tactic to protect individuals, operations, and assets
  • 8. Agenda
    • Threats, vulnerabilities, and weaknesses – oh my!
    • Vulnerability scanning: how it helps (and hinders) efforts (current section)
    • Security engineering and the SDLC
    • Application risk rating and threat modeling
  • 9. Vulnerability Scanning
    • Scanning is just that: scanning (it isn’t even testing)
      • Network infrastructure and endpoint scanning most common
      • Detection phase of “detect & respond”
      • Many tools for this, e.g., AlienVault
    • Software requires additional approaches
      • Static analysis (source code)
      • Dynamic analysis (compiled/deployed app)
      • Binary analysis (reverse engineering)
    • Complement with risk-based approaches
      • Threat modeling
      • Application risk rating
      • Attack surface reduction
  • 10. What to Scan for
    • Common vulnerable areas:
      • Patch levels
      • Open ports
      • Active protocols & services
      • Improper configurations
      • Incorrectly operating flow control
      • OWASP Top 10 (for Web, Mobile, IoT)
    • Common naming/scoring conventions:
      • CVE
      • OVAL
      • CVSS
    Key question: What services/features should not be accessible to users or other devices?
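The key question on slide 10 (what should not be reachable?) is answered in practice by comparing scan results against an approved baseline rather than by reading raw scan output. The following is an added example, not code from the presentation or from Security Innovation: it parses a constructed "host port/proto state service" listing (a simplified stand-in for scanner output; the hosts, ports and baseline allow-list are all made up) and reports open services the baseline does not approve, hosts nobody registered, and expected services that have gone missing.

```python
"""Compare observed network exposure against an approved per-host baseline.

Added example for the "What to Scan for" slide; not code from the presentation.
Scan lines and the BASELINE allow-list below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed allow-list: the services each host is expected to expose.
# Anything observed as open outside this set answers the slide's key question
# in the negative: it is reachable but should not be.
BASELINE = {
    "web-01": {("443", "tcp", "https")},
    "db-01": set(),  # database host: nothing should be reachable from scanners
}

# Constructed scan output, one observation per line (one line deliberately malformed).
SCAN_OUTPUT = """\
web-01 443/tcp open https
web-01 22/tcp open ssh
db-01 5432/tcp open postgresql
db-01 443/tcp closed https
mail-01 25/tcp open smtp
this line is malformed
"""


@dataclass(frozen=True)
class Observation:
    host: str
    port: str
    proto: str
    state: str
    service: str


def parse_scan(text):
    """Parse 'host port/proto state service' lines; skip blank or malformed lines."""
    observations = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or "/" not in parts[1]:
            continue
        port, proto = parts[1].split("/", 1)
        observations.append(Observation(parts[0], port, proto, parts[2], parts[3]))
    return observations


def find_unexpected_exposure(observations, baseline):
    """Return open services the baseline does not approve, and hosts not in the baseline.

    Each finding is (host, port, proto, service, reason)."""
    findings = []
    for obs in observations:
        if obs.state != "open":
            continue  # closed or filtered ports are not exposure
        approved = baseline.get(obs.host)
        if approved is None:
            findings.append((obs.host, obs.port, obs.proto, obs.service, "host not in baseline"))
        elif (obs.port, obs.proto, obs.service) not in approved:
            findings.append((obs.host, obs.port, obs.proto, obs.service, "service not approved"))
    return findings


def find_missing_expected(observations, baseline):
    """Return baseline services that were not observed open (outage, or a scan gap)."""
    seen = {(o.host, o.port, o.proto, o.service) for o in observations if o.state == "open"}
    return [
        (host, port, proto, service)
        for host, services in baseline.items()
        for port, proto, service in sorted(services)
        if (host, port, proto, service) not in seen
    ]


if __name__ == "__main__":
    obs = parse_scan(SCAN_OUTPUT)
    for finding in find_unexpected_exposure(obs, BASELINE):
        print("UNEXPECTED:", *finding)
    for missing in find_missing_expected(obs, BASELINE):
        print("MISSING:", *missing)
```

The baseline is the piece most teams skip; without it every scan is a fresh pile of ports with no notion of "approved", and the same SSH or database listener gets re-triaged every cycle.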
  • 11. DAST and SAST Tools
    • Adopt when you have baseline skills to:
      • Interpret false positives
      • Fix problems found
      • Augment with manual test efforts
      • Complement with sound process & training
    • “When?” is just as important as “Which?”
      • Tools don’t make your organization more mature
    • Ensure tool matches your expected operational environment
      • Can’t validate a stop light controller as if it’s a web application
  • 12. Polling Question
    • Which of the following do you use (check all that apply):
      • Network vulnerability scanning
      • Endpoint detection and response (EDR) scanning
      • DAST scanning for web applications
      • SAST scanning for software applications
  • 13. Risk Assessment Program Goals
    • Improve Vulnerability Management
      • Regular, iterative testing ensures continually-improving test results
      • Reduce vulnerabilities over time by learning from past mistakes
      • Focus on the find AND fix
    • Optimize Frequency and Depth of Testing
      • Let tools and humans do what they do best
      • Match level of testing and analysis to application criticality
    • Optimize Costs
      • Predictability
      • Investment matched to level of risk
  • 14. Agenda
    • Threats, vulnerabilities, and weaknesses – oh my!
    • Vulnerability scanning: how it helps (and hinders) efforts
    • Security engineering and the SDLC (current section)
    • Application risk rating and threat modeling
  • 15. System Development Lifecycle (SDLC)
    • System Development Life Cycle (SDLC):
      • Development
      • Implementation
      • Operation
    • Applying security controls w/in SDLC requires basic understanding of:
      • Information security threats
      • Vulnerabilities
      • Potential adverse impacts
      • Risks to critical missions/business functions
  • 16. SDLC Skills
    • Individuals that design, code, test, and operate IT systems should understand security
      • Business Analysts
      • Developers
      • Software Engineers
      • Information Security
      • System Architects
      • Network Engineers
      • IT Operations
      • Database Administrators
    • Security awareness and training ensures personnel have appropriate expertise to conduct assigned activities
    • With line between build and maintain forever blurred, shared knowledge of attack and defend within team is critical
  • 17. Security Requirements
    • Define early in SDLC
    • Support mission/business process
    • Integrate into security architecture
    • Use cases & Abuse cases
    • Align with risk management goals and information security strategies
  • 18. Security Engineering Principles
    • Develop layered protections to reduce risk
    • Minimize attack surface
    • Fail securely
    • Define physical/logical security boundaries
    • Secure default settings and access
    • Train IT system team members on security
      • By job function
      • By technology stack
    • Tailor security controls to business needs
    • Least privilege
    • Perform Threat Modeling
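Two of the principles on slide 18, "fail securely" and "least privilege", are easiest to see in an authorization check. The following is an added example, not code from the presentation or from Security Innovation; the role table, the users and the policy-store failure are all hypothetical. It puts the common fail-open anti-pattern beside a fail-closed version that denies by default, denies on error, and tells the caller why.

```python
"""Fail securely and deny by default in an authorization check.

Added example for the Security Engineering Principles slide; not code from the
presentation. ROLE_PERMISSIONS, the users and PolicyStoreError are constructed.
"""
import logging

log = logging.getLogger("authz")

# Hypothetical role -> permitted actions. Anything not listed is denied:
# least privilege means permissions are granted explicitly, never assumed.
ROLE_PERMISSIONS = {
    "viewer": {"read_report"},
    "analyst": {"read_report", "export_report"},
    "admin": {"read_report", "export_report", "delete_report"},
}


class PolicyStoreError(Exception):
    """Raised when the policy backend is unavailable (constructed failure mode)."""


def lookup_roles(user, store):
    """Return the user's roles from the store; store=None simulates an outage."""
    if store is None:
        raise PolicyStoreError("policy store unreachable")
    return store.get(user, set())


def authorize_fail_open(user, action, store):
    """Anti-pattern: an error in the lookup path grants access.

    Kept only to contrast with the fail-closed version below."""
    try:
        roles = lookup_roles(user, store)
    except PolicyStoreError:
        return True  # "don't break the app", which turns every outage into a bypass
    return any(action in ROLE_PERMISSIONS.get(r, set()) for r in roles)


def authorize_fail_closed(user, action, store):
    """Fail securely: errors, unknown users, unknown roles and unlisted actions all deny.

    Returns (allowed, reason) so the caller can log the decision without guessing."""
    try:
        roles = lookup_roles(user, store)
    except PolicyStoreError as exc:
        log.error("authz denied for %s/%s: %s", user, action, exc)
        return False, "policy store error"
    if not roles:
        return False, "no roles assigned"
    for role in roles:
        if action in ROLE_PERMISSIONS.get(role, set()):
            return True, f"granted via role {role}"
    return False, "action not permitted for roles"


# Constructed user -> roles assignment; "mallory" holds a role the policy never defined.
USERS = {"alice": {"viewer"}, "bob": {"admin"}, "mallory": {"ghostrole"}}

if __name__ == "__main__":
    print(authorize_fail_closed("alice", "read_report", USERS))
    print(authorize_fail_closed("alice", "delete_report", USERS))
    print(authorize_fail_closed("eve", "read_report", USERS))
    print("fail-open during outage:", authorize_fail_open("eve", "delete_report", None))
    print("fail-closed during outage:", authorize_fail_closed("eve", "delete_report", None))
```

The outage case is the one worth remembering: the fail-open version hands an unknown user `delete_report` the moment the policy store is down, while the fail-closed version denies and leaves an error in the log, which is what "fail securely" means in code.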
  • 19. System Developers
    • Follow a documented development process that
      • Explicitly addresses security requirements
      • Identifies standards & tools used in development
      • Documents specific tool options and configurations
      • Documents, manages, and ensures integrity of changes
      • Reviews the development process, standards, tools, and options/configurations regularly
  • 20. Security Testing and Evaluation
    • Validates that required security controls implemented correctly
      • Operates as intended
      • Enforces the desired security policy
      • Meets established security requirements
    • Security properties may be affected by:
      • Interconnection of system components
      • Changes to system components
      • Previously implemented security controls
  • 21. Development Process, Standards, & Tools
    • Maintaining the integrity of changes to tools and processes includes:
      • Supply chain risk mitigation
      • 3rd-party vulnerability assessments
      • Acceptance testing criteria in SLAs
      • Robust configuration control
      • Tracking of authorized changes
      • Logging and Monitoring
      • Anti-tampering measures
      • Logical and physical
      • Prevention of unauthorized changes
      • Sign-off procedures
  • 22. Agenda
    • Threats, vulnerabilities, and weaknesses – oh my!
    • Vulnerability scanning: how it helps (and hinders) efforts
    • Security engineering and the SDLC
    • Application risk rating and threat modeling (current section)
  • 23. Enterprise Application Risk Rating
    • Helps ensure
      • Assessment and mitigation activities are done cost effectively
      • Prioritization is based on real business risk
      • The business doesn't get distracted by minor risks while ignoring more serious risks that are less well understood
    • Inappropriate security assessments are costly
      • Deep inspection on all applications is neither feasible nor necessary
      • Running just an automated scan on a critical application will lead to trouble
    • Allows you to understand risk-based options
      • Remove, replace, take off-line, or implement compensating controls
    Business Criticality is the driving factor when determining which applications to secure and the level of regular assessment needed
  • 24. Risk Rating Framework
    • Risk = Likelihood * Impact
    • Remember: threats can be inherited from dependencies and connectivity
      • Attackers leverage non-critical apps to get to critical apps
    • Identify and prioritize application risk based on
      • Business impact: data criticality, compliance mandates, operational risk
      • Security threats: attack surface, exposure (e.g. internet vs. intranet)
    • There is no standard formula
      • Risk tolerance and data classification are contextual to each organization
    • Make sure risk-rating framework is:
      • Transparent so decisions and calculations can be easily explained
      • Adaptable so each group can apply unique drivers, goals, resources
      • Practical so you end up with something that works
  • 25. Risk Rating Tiers
    • Tier 1 (critical) application
      • Highly sensitive data and/or compliance requirements
      • Internet facing
      • Business critical functionality
      • Long lifespan
    • Tier 2 (medium risk) application
      • Medium sensitivity data, no compliance requirements
      • Intranet facing
      • Business important functionality
      • Mid-to-long lifespan
    • Tier 3 (low risk) application
      • Low sensitivity data
      • Short lifespan with low importance functionality
      • No authentication or authorization required
  • 26. Risk Rating in Practice
    Application is an operational e-commerce application. It was built by a 3rd party. Data has been collected and stored in an encrypted cloud database. Data collected is sensitive.
    Choose a scale, e.g., 0-10 (low to high), and 4 rating criteria, e.g., three scored 0-3 and one scored 0-1:
    • Data Sensitivity (3) – Full names, addresses, account numbers, credit card information
    • Lifespan (3) – This application does not have an EOL set
    • Compliance (2) – PCI, PII, GDPR
    • Customer or Internet Facing (1) – This application is hosted on a dedicated Virtual Server within the DMZ, is Internet-facing, and accesses a database in a co-located data center
    Risk Rating 9/10 → Tier 1
  • 27. Risk Rating in Practice
    Application is a cash back marketing website. Data collected consists of only order number and product serial. Data collected is not sensitive.
    Choose a scale, e.g., 0-10 (low to high), and 4 rating criteria, e.g., three scored 0-3 and one scored 0-1:
    • Data Sensitivity (1) – No names, addresses, account numbers, or credit card information
    • Lifespan (1) – This application will only exist for a one month promotion
    • Compliance (0) – no PCI or PII data collected
    • Customer or Internet Facing (1) – This application is hosted on a shared cloud-based web server in a virtual data center with other LOB applications
    Risk Rating 3/10 → Tier 3
  • 28. Resulting Risk-Based Test Matrix
    Columns: Static Analysis (Source Code) | Dynamic Analysis (Web App Scanning) | Manual (Penetration Testing) | Threat Modeling; each cell gives Complete / Frequency
    • Tier 1 (Critical): Required / Major Code Changes | Required / Major Code Changes | Required / Per-Milestone | Required / Per-Release
    • Tier 2 (High): Suggested / Monthly | Required / Quarterly | Required / Per-Release | Suggested / Per-Release
    • Tier 3 (Low): Optional / Quarterly | Required / Annually | Optional / As needed | Optional / As needed
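Slides 24 through 28 describe a rating framework, two worked ratings and the test matrix those ratings feed. The following is an added example that carries the two slide examples through end to end; it is not code from the presentation or from Security Innovation. It uses the slides' additive scoring (three criteria on 0-3, one on 0-1, out of 10) and transcribes the slide 28 matrix; the tier thresholds (7-10 is Tier 1, 4-6 is Tier 2, 0-3 is Tier 3) are an assumption, since the slides only show 9/10 landing in Tier 1 and 3/10 in Tier 3, and a real framework would set them to its own risk tolerance as slide 24 says.

```python
"""Risk rating, tiering and the risk-based test matrix, carried through for the
two applications on slides 26 and 27.

Added example; not code from the presentation. TIER_THRESHOLDS is an assumption
(the slides show only 9/10 -> Tier 1 and 3/10 -> Tier 3).
"""

# Criterion -> maximum score. Three criteria on 0-3 and one on 0-1, total 10 (slides 26-27).
CRITERIA = {
    "data_sensitivity": 3,
    "lifespan": 3,
    "compliance": 3,
    "internet_facing": 1,
}

# Assumed cut-offs, checked top-down: (minimum score, tier). Not given on the slides.
TIER_THRESHOLDS = [(7, 1), (4, 2), (0, 3)]

# Slide 28's matrix: tier -> activity -> (Complete, Frequency).
TEST_MATRIX = {
    1: {
        "static_analysis": ("Required", "Major Code Changes"),
        "dynamic_analysis": ("Required", "Major Code Changes"),
        "manual_pentest": ("Required", "Per-Milestone"),
        "threat_modeling": ("Required", "Per-Release"),
    },
    2: {
        "static_analysis": ("Suggested", "Monthly"),
        "dynamic_analysis": ("Required", "Quarterly"),
        "manual_pentest": ("Required", "Per-Release"),
        "threat_modeling": ("Suggested", "Per-Release"),
    },
    3: {
        "static_analysis": ("Optional", "Quarterly"),
        "dynamic_analysis": ("Required", "Annually"),
        "manual_pentest": ("Optional", "As needed"),
        "threat_modeling": ("Optional", "As needed"),
    },
}


def risk_score(scores):
    """Sum the criterion scores after range-checking each one.

    A missing criterion or an out-of-range value raises ValueError, so a typo in a
    rating sheet cannot silently under-rate an application."""
    total = 0
    for name, maximum in CRITERIA.items():
        if name not in scores:
            raise ValueError(f"missing criterion: {name}")
        value = scores[name]
        if not isinstance(value, int) or not 0 <= value <= maximum:
            raise ValueError(f"{name} must be an integer in 0..{maximum}, got {value!r}")
        total += value
    return total


def tier_for(score):
    """Map a 0-10 score to a tier using the assumed thresholds."""
    for minimum, tier in TIER_THRESHOLDS:
        if score >= minimum:
            return tier
    raise ValueError("score below zero")


def required_activities(tier):
    """Activities the matrix marks Required for the tier, with their frequency."""
    return {act: freq for act, (complete, freq) in TEST_MATRIX[tier].items() if complete == "Required"}


def rate_application(name, scores):
    """Score, tier and the required test activities for one application."""
    score = risk_score(scores)
    tier = tier_for(score)
    return {"name": name, "score": score, "tier": tier, "required": required_activities(tier)}


# Slide 26: third-party e-commerce app, card data, no EOL, PCI/PII/GDPR, Internet-facing in the DMZ.
ECOMMERCE = {"data_sensitivity": 3, "lifespan": 3, "compliance": 2, "internet_facing": 1}
# Slide 27: one-month cash-back promo site collecting only order numbers and serials.
PROMO_SITE = {"data_sensitivity": 1, "lifespan": 1, "compliance": 0, "internet_facing": 1}

if __name__ == "__main__":
    for app_name, app_scores in (("e-commerce", ECOMMERCE), ("cash-back promo", PROMO_SITE)):
        result = rate_application(app_name, app_scores)
        print(f"{result['name']}: {result['score']}/10 -> Tier {result['tier']}; required: {result['required']}")
```

Keeping the thresholds and the matrix as data rather than logic is what makes the framework transparent and adaptable in the sense of slide 24: a business unit can change its cut-offs or frequencies and explain a rating by pointing at the table, and the range check in `risk_score` is the "practical" part that stops a spreadsheet typo from quietly moving an application down a tier.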
  • 29. Polling Question
    • Do you currently use a risk-based testing matrix similar to what was shown on the last slide?
      • Yes
      • No
      • I was sleeping and missed it
  • 30. Threat Modeling – Simplified
    Identify/quantify weaknesses; devise defenses
    • Sound familiar?
      • Most people threat model every day but don’t realize it
      • If I asked you to threat model my house, you could; even if you have never been
    Courtesy: Sean Gallagher
    “Nearly 50% of security flaws will be discovered from Threat Modeling because it finds different threats than those found through code review” - Michael Howard, Security Program Manager, Microsoft
  • 31. Threat Profiles are Never the Same
    Is this a threat in Nebraska?
  • 32. Threat Modeling
    Diagram labels: Threat, Mitigation, Vulnerability, Attacker. Vulnerabilities are unmitigated threats. Here’s our opportunity!
    • Threats are not vulnerabilities; they are attack vectors and live forever
    • Should include use cases, threat agents, attack vectors, compensating controls and design patterns
    • If done right and at every phase, provides more leverage than any other security activity
    • 12 Methods: https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html
  • 33. Polling Question
    • Do you have an active Threat Modeling practice at your organization?
      • Yes
      • No
  • 34. Summary
    • Learn and adopt a simple RMF, e.g.,
      • https://csrc.nist.gov/projects/risk-management/risk-management-framework-(RMF)-Overview
    • Use vulnerability scanning tools, BUT
      • Do so after role- and technology-based training
      • Be sure to configure properly and expect many false positives
    • Consider a risk-based application security testing framework
      • Data and application risk categorization
      • Calibrate depth and frequency of testing to risk tiers
    • Deploy threat modeling for streamlined assessments