Add to collection(s) Add to saved
  1. Math
  2. Statistics And Probability
  3. Biostatistics

OWASP_ISACA_Hartford_Secure_Coding_v2

advertisement 
Bridging the gap between software developers
and auditors
Qualitative versus
Quantitative
Risk Assessment
 It is impossible to conduct risk management that is
purely quantitative.
 Usually risk management includes both qualitative
and quantitative elements, requiring both analysis and
judgment or experience.
 It is possible to accomplish purely qualitative risk
management.
Qualitative risk
assessment
Impact
Med. risk
High risk
High risk
Low risk
Med. risk
High risk
Low risk
Low risk
Med. risk
Likelihood
Quantitative risk
assessment
 ALE = ARO x SLE
– SLE = AV x EF
•
•
•
•
•
ALE = Annualized loss expectancy
ARO = Annual rate of occurrence
SLE = Single loss expectancy
AV = Asset value
EF = Exposure factor
Is there something wrong with this approach?
Risks in software
development
 Buffer overflows
 Authentication
 Human intervention
 Code reuse
What is STRIDE
•
•
•
•
•
•
•
Microsoft’s approach to threat modeling
Spoofing Identity
Tampering with data
Repudiation
Information Disclosure
Denial of Service
Elevation of privilege
• http://msdn.microsoft.com/en-us/library/ms954176.aspx
What is DREAD
 OWASP’s extension to STRIDE, providing some
quantifiable measure for vulnerabilities
 Damage Potential
 Reproducibility
 Exploitability
 Affected users
 Discoverability
 All scored on the scale 0-10
 DREAD = (D1 + R + E + A + D2)/5
 http://www.owasp.org/index.php/Threat_Risk_Modeling#DREAD
Risks in audit
 Audit risk is a probability that the auditor will give an
inappropriate opinion on the financial statements: that
is, that the statements will contain materials
misstatement(s) which the auditor fails to find
 Composed of Inherent, Control, and Detection risks
Role of IT Controls
 Modern financial reporting is driven by information
technology
 IT initiates, authorizes, records, and reports the effects of
financial transactions.
 Financial reporting IC are inextricably integrated to IT.
 COSO identifies two groups of IT controls:
 application controls – apply to specific applications and programs, and
ensure data validity, completeness and accuracy
 general controls – apply to all systems and address IT governance and
infrastructure, security of operating systems and databases, and
application and program acquisition and development
Important types of IT
controls
 Input controls
 Processing controls
 Output Controls
What can a university
do?
 Teaching and training
 UConn started Advanced Business Certificate program in
IT Audit
• Aligned with ISACA CISA coverage
 Research
 UConn is now NSA Center of Excellence in Information
Assurance Research
Related documents
Matter Worksheet
Matter Worksheet
Communication Research Methods Worksheet COM/330 Version 2
Communication Research Methods Worksheet COM/330 Version 2
Physical Science Unit 1 Review Sheet
Physical Science Unit 1 Review Sheet
Quantitative vs. Qualitative Research
Quantitative vs. Qualitative Research
Synthesis of EDU 7900
Synthesis of EDU 7900
Quantitative and Qualitative Data Collection
Quantitative and Qualitative Data Collection
Research Methods in Education - ORB
Research Methods in Education - ORB
Lecture 1 Intro to Computer Security
Lecture 1 Intro to Computer Security
Chapter4-Quantitative analysis
Chapter4-Quantitative analysis
robbins.UHWO.ISA400.LECTURE.WEEK03.28FEB2015
robbins.UHWO.ISA400.LECTURE.WEEK03.28FEB2015
St. Louis Encephalitis Information Sheet What is St. Louis Encephalitis (SLE)?
St. Louis Encephalitis Information Sheet What is St. Louis Encephalitis (SLE)?
Ch9Risk
Ch9Risk
C I P N
C I P N
New York Journal of Mathematics SLE coordinate changes Oded Schramm
New York Journal of Mathematics SLE coordinate changes Oded Schramm
Download
advertisement