400 Apps in 40 Days: the art of balancing time and budget in application security assessments

August 28, 2013

The topic of prioritizing applications in terms of risk is an important one to us and our clients, so I wanted to share one potential approach that has worked for us in the past.

Consider the following scenario: you are an information security practitioner responsible for the security of your organization's data. From an application perspective, you are most likely looking at hundreds, if not thousands, of internet-facing domains. How do you prioritize one over another? And how do you do this on time and on budget?

I dug up a copy of a presentation that our Founder and CEO, Nish Bhalla, and I delivered at SecTor 2010. We present a real-world case study in which the requirement is simple: reduce the risk to an organization from all external-facing applications. The discussion is interwoven with lessons on attack surface discovery, risk analysis and application assessment methodology.

What we presented is only one possible approach to this complex problem. Look out for more posts on this topic from me in the near future.
