Thursday, May 8, 2008

A Risk Management-Based Approach to Web Application Security

At the end of the day, it all comes down to the Software Development Life Cycle (SDLC).  All vulnerabilities, big or small, can be traced back to a few lines of code written by a developer who was trying to deliver a bit of functionality.  According to Gartner, “By 2009, 80 percent of companies will have suffered an application security incident”.  This statement is significant because most organizations rely heavily on their web presence for daily e-survival.

While the majority of organizations have yet to merge their development and security processes, the move towards producing secure Web Applications is absolutely critical.  Unfortunately, most Development, Quality Assurance and Information Security teams operate in isolated communities and are rarely driven by the sentiment that security is fundamental for all parties involved.  Ultimately, the goal for any organization is to have a strong, well-defined security process built into the SDLC; however, developing such a program can be quite overwhelming - even for the most mature organizations.

Risk Management provides a structured process for identifying, assessing and quantifying risk for an environment.  By applying a Risk Management-based approach, your organization will be able to kick-start its program and achieve success through a more palatable set of goals.

Through this approach, several significant variables are quantified in an effort to understand the threat against your Web Application infrastructure.  These variables include:

  1. Asset Value (AV)
  2. Vulnerability Severity (VS)
  3. Likelihood of Threat (TH)
  4. Applied Countermeasures (CM)
  5. Weighted Value for severity of vulnerabilities (WV)

The end result of this program is an overall Risk Score (RS), which aids in measuring compliance with your security policy and posture.
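The post names the five variables but does not say how they combine into the Risk Score. The following added example (not from the original post) shows one way a practitioner could model them for a small portfolio of web applications. The combining rule, the severity weights in the WV table, the 1 to 5 scales for AV and VS, and the sample applications and vulnerabilities are all assumptions constructed for illustration; an organization adopting this approach would calibrate them against its own policy.

```python
from dataclasses import dataclass, field

# Weighted Value (WV): assumed weight per Vulnerability Severity level 1..5.
# Doubling per level makes one critical finding outweigh many low ones.
# These weights are constructed for the example, not taken from the post.
WV = {1: 1.0, 2: 2.0, 3: 4.0, 4: 8.0, 5: 16.0}


@dataclass
class Vulnerability:
    name: str
    severity: int       # VS: 1 (informational) .. 5 (critical), assumed scale
    likelihood: float   # TH: probability the weakness is exercised, 0.0 .. 1.0


@dataclass
class Application:
    name: str
    asset_value: int        # AV: 1 (low) .. 5 (business critical), assumed scale
    countermeasure: float   # CM: fraction of exposure removed by applied controls, 0.0 .. 1.0
    vulnerabilities: list = field(default_factory=list)


def vulnerability_exposure(vuln):
    """Weighted exposure of a single finding: WV[VS] * TH."""
    if vuln.severity not in WV:
        raise ValueError(f"severity must be one of {sorted(WV)}: {vuln.severity}")
    if not 0.0 <= vuln.likelihood <= 1.0:
        raise ValueError(f"likelihood must be in [0, 1]: {vuln.likelihood}")
    return WV[vuln.severity] * vuln.likelihood


def risk_score(app):
    """Assumed combining rule: RS = AV * sum(WV[VS] * TH) * (1 - CM).

    Countermeasures reduce the whole application's exposure proportionally;
    an application with no findings scores zero regardless of asset value.
    """
    if not 0.0 <= app.countermeasure <= 1.0:
        raise ValueError(f"countermeasure must be in [0, 1]: {app.countermeasure}")
    if app.asset_value < 1:
        raise ValueError(f"asset value must be positive: {app.asset_value}")
    exposure = sum(vulnerability_exposure(v) for v in app.vulnerabilities)
    return round(app.asset_value * exposure * (1.0 - app.countermeasure), 2)


def rank_applications(apps):
    """Highest Risk Score first, so remediation effort goes where it matters most."""
    return sorted(((a.name, risk_score(a)) for a in apps), key=lambda t: t[1], reverse=True)


def out_of_policy(apps, tolerance):
    """Names of applications whose Risk Score exceeds the policy's risk tolerance."""
    return [name for name, score in rank_applications(apps) if score > tolerance]


# Constructed sample portfolio; names and findings are illustrative only.
SAMPLE_PORTFOLIO = [
    Application("customer-portal", asset_value=5, countermeasure=0.5, vulnerabilities=[
        Vulnerability("SQL injection in login form", severity=5, likelihood=0.8),
        Vulnerability("Reflected XSS in search", severity=3, likelihood=0.6),
    ]),
    Application("intranet-wiki", asset_value=2, countermeasure=0.0, vulnerabilities=[
        Vulnerability("Missing authorization on page edit", severity=4, likelihood=0.5),
    ]),
    Application("marketing-site", asset_value=1, countermeasure=0.25, vulnerabilities=[
        Vulnerability("Verbose error pages", severity=2, likelihood=0.9),
        Vulnerability("Server version banner", severity=1, likelihood=1.0),
    ]),
]

if __name__ == "__main__":
    for name, score in rank_applications(SAMPLE_PORTFOLIO):
        print(f"{name:20s} RS = {score}")
    print("out of policy (tolerance 10):", out_of_policy(SAMPLE_PORTFOLIO, 10))
```

Even with a 50% countermeasure credit, the customer portal's single critical finding dominates the ranking, which is the behaviour a weighted scale is meant to produce: the score tells the security team which application to fix first, and the tolerance check turns that number into a yes/no compliance statement against policy.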