1. Your Application Security Initiative – Beyond Finding Vulnerabilities Jeff Williams CEO, Aspect Security Chair, OWASP Foundation [email_address] 410-707-1487
8. The Future

Software Facts

Ingredients: Sun Java 1.5 runtime, Sun J2EE 1.2.2, Jakarta log4j 1.5, Jakarta Commons 2.1, Jakarta Struts 2.0, Harold XOM 1.1rc4, Hunter JDOM v1

Modules: 155
Modules from Libraries: 120

Item                         Amount   % Vulnerability*
Cross Site Scripting         22       65 %
  Reflected                  12
  Stored                     10
SQL Injection                2
Buffer Overflow              5
Total Security Mechanisms    3
  Encryption                 3
  Authentication             15       95 %
Modularity                   .035
Cyclomatic Complexity        323
Access Control               3
Input Validation             233
Logging                      33
Expected Number of Users     15
Typical Roles per Instance   4

* % Vulnerability values are based on typical use scenarios for this product. Your Vulnerability Values may be higher or lower depending on your software security needs:

Usage                              Intranet   Internet
Cross Site Scripting   Less than   10         5
  Reflected            Less than   10         5
  Stored               Less than   10         5
SQL Injection          Less than   20         2
Buffer Overflow        Less than   20         2
Security Mechanisms                10         14
  Encryption                       3          15
11. Targeting the Root Causes

Process Goals
  Risk Understood: Security activities driven by application security risk
  Security Considered: Integrated into all the activities in the SDLC
  Security Open: Information about security is available and verifiable
  Flaws Identified: As quickly as possible after they are introduced

Technology Goals
  Security Tracked: Within projects and across the entire organization
  Best Tools: For developing and testing the security of applications
  Standard Technology: Common approach to the typical security areas
  Attacks Monitored: Attacks on applications are identified and handled appropriately

People Goals
  Shared Understanding: Everyone in the organization shares an understanding of app security risk levels
  Responsibility Assigned: Security assigned for each project and the organization as a whole
  Support Available: For developers who need help with application security
  Developers Trained: In application security and the organization's approach
15. Application Security Capacity Scorecard

Maturity levels
  Level 0: Ad Hoc
  Level 1: Demonstrate Need
  Level 2: Fundamentals
  Level 3: Institutionalize
  Level 4: Metrics
  Level 5: Continuous Improvement

Scorecard columns: Process, Technology, People

Practices placed on the scorecard:
  AppSec Rqmts Process
  Coding Best Practices
  Global Risk Register
  Std. AppSec Mechanisms
  AppSec Testing Process
  Developer Training
  Assign Responsibility
  Secure Deployment
  AppSec Dev. Env.
  Security Architecture
  Risk Dashboard
  Contracting Process
  Form AppSec Group
  Analyze Critical Apps
  Evaluate Capabilities
  Certification Program
  Rely on Developers/Users
  Establish AppSec Brands
  AppSec Vuln. Analysis