The topic of prioritizing applications in terms of risk is an important one to us and our clients, so I wanted to share one potential approach that has worked for us in the past.
Consider the following scenario: You are an information security practitioner who finds yourself responsible for the security of your organization’s data. From an application perspective you are most likely looking at hundreds, if not thousands, of internet-facing domains. How do you prioritize one over another? How do you do this on time and on budget?
I dug up a copy of a presentation that our Founder and CEO Nish Bhalla and I delivered at SecTor 2010. We present a real-world case study where the requirement is simple: Reduce the risk to an organization from all external-facing applications. The discussion is interwoven with lessons of attack surface discovery, risk analysis and application assessment methodology.
- Grab a copy of the presentation here: Bhalla_Kazerooni_400_Apps_in_40_Days.pdf
- SecTor has an audio recording of the presentation here: http://www.sector.ca/presentations10/video/SecTor 2010 — Sahba Kazerooni and Nish Bhalla — 400 Apps in 40 Days.wmv
What we presented is only one possible approach to this complex problem. Look out for more posts on this topic from me in the near future.