OWASP_ISACA_Hartford_Secure_Coding_v2

advertisement
Bridging the gap between software developers
and auditors
Qualitative versus
Quantitative
Risk Assessment
 It is impossible to conduct risk management that is
purely quantitative.
 Usually risk management includes both qualitative
and quantitative elements, requiring both analysis and
judgment or experience.
 It is possible to accomplish purely qualitative risk
management.
Qualitative risk
assessment
Impact
Med. risk
High risk
High risk
Low risk
Med. risk
High risk
Low risk
Low risk
Med. risk
Likelihood
Quantitative risk
assessment
 ALE = ARO x SLE
– SLE = AV x EF
•
•
•
•
•
ALE = Annualized loss expectancy
ARO = Annual rate of occurrence
SLE = Single loss expectancy
AV = Asset value
EF = Exposure factor
Is there something wrong with this approach?
Risks in software
development
 Buffer overflows
 Authentication
 Human intervention
 Code reuse
What is STRIDE
•
•
•
•
•
•
•
Microsoft’s approach to threat modeling
Spoofing Identity
Tampering with data
Repudiation
Information Disclosure
Denial of Service
Elevation of privilege
• http://msdn.microsoft.com/en-us/library/ms954176.aspx
What is DREAD
 OWASP’s extension to STRIDE, providing some
quantifiable measure for vulnerabilities
 Damage Potential
 Reproducibility
 Exploitability
 Affected users
 Discoverability
 All scored on the scale 0-10
 DREAD = (D1 + R + E + A + D2)/5
 http://www.owasp.org/index.php/Threat_Risk_Modeling#DREAD
Risks in audit
 Audit risk is a probability that the auditor will give an
inappropriate opinion on the financial statements: that
is, that the statements will contain materials
misstatement(s) which the auditor fails to find
 Composed of Inherent, Control, and Detection risks
Role of IT Controls
 Modern financial reporting is driven by information
technology
 IT initiates, authorizes, records, and reports the effects of
financial transactions.
 Financial reporting IC are inextricably integrated to IT.
 COSO identifies two groups of IT controls:
 application controls – apply to specific applications and programs, and
ensure data validity, completeness and accuracy
 general controls – apply to all systems and address IT governance and
infrastructure, security of operating systems and databases, and
application and program acquisition and development
Important types of IT
controls
 Input controls
 Processing controls
 Output Controls
What can a university
do?
 Teaching and training
 UConn started Advanced Business Certificate program in
IT Audit
• Aligned with ISACA CISA coverage
 Research
 UConn is now NSA Center of Excellence in Information
Assurance Research
Download