Criteria for Managing Application Security Risks

CISOs must prioritize security issues in order to identify the areas needing attention first. To make informed decisions on how to manage application security risks, CISOs often need to assess the costs of fixing known vulnerabilities and of adopting new countermeasures, and to weigh those costs against the risk mitigation benefits. Cost-versus-benefit tradeoffs are critical in deciding which application security measures and security controls to invest in to reduce the level of risk. Often CISOs need to explain to executive management the risks to applications and to articulate the potential business impact for the organization if applications are attacked and confidential data is breached. Security risks are business risks only when all three risk characteristics exist:

  • Viable threat
  • Vulnerability that may be exposed
  • Asset of value

To systematically prioritize risks for investment, CISOs should consider a risk scoring methodology known as the Common Vulnerability Scoring System Version 2.0 (CVSSv2). To help regularly communicate application risk to the business executives, CISOs may consider providing “emerging cyber-threat awareness” reports to executive management.
Communicating to business executives:
CISOs need to be realistic about cyber-threat risks and present to the business the overall picture of information security risks: not just compliance and vulnerabilities, but also security incidents and threat intelligence on threat agents targeting the organization's information assets, including its applications. The ability to communicate risks to the business empowers CISOs to articulate the business case for application security and to justify additional spending on application security measures. This justification needs to consider the economic impact of security incidents compared with the costs of unlawful non-compliance. Today's costs to the business from the economic impact of security incidents are much higher than the costs of non-compliance and failed audits. Often the severity of a security incident's impact might cost CISOs their jobs and the company its reputation and revenues.
Threat modeling:
As a top-down approach to identifying threats and countermeasures, CISOs should consider threat modeling. This technique decomposes the target application to reveal its attack surface and subsequently its relevant threats, the associated countermeasures, and finally its gaps and weaknesses.
Handling new technology:
New application technologies and platforms such as mobile applications, Web 2.0, and cloud computing services bring different threats and require different countermeasure techniques. Changes to applications are also a source of potential risk, especially when new or different technologies are integrated into applications. As applications evolve by offering new services to citizens, clients, customers and employees, it is also necessary to plan for mitigating the new vulnerabilities introduced by the adoption and implementation of new technologies such as mobile devices and Web 2.0 and of new services such as cloud computing. Adopting a risk framework to evaluate the risks introduced by new technologies is essential to determine which countermeasures to adopt to mitigate these new risks.
This guide will provide guidance for CISOs on how to mitigate risks of new threats against applications, as well as of vulnerabilities that might be introduced by the implementation of new technologies.

  • Mobile applications
    Example concerns: Lost or stolen devices, malware, multi-communication channel exposure, weak authentication.
    Example CISO actions: Meeting mobile security standards, tailoring security audits to assess mobile application vulnerabilities, secure provisioning, and application data on personal devices.

  • Web 2.0
    Example concerns: Securing social media, content management, security of third-party technologies and services.
    Example CISO actions: Security API, CAPTCHA, unique security tokens in form posts, and transaction approval workflows.

  • Cloud computing services
    Example concerns: Multi-tenant deployments, security of cloud computing deployments, third-party risk, data breaches, denial of service, malicious insiders.
    Example CISO actions: Cloud computing security assessment, compliance-audit assessment of cloud computing providers, due diligence, encryption in transit and at rest, and monitoring.

Today's threat agents attack applications for financial gain, compromising users' sensitive data and companies' proprietary information for fraud as well as for competitive advantage (e.g. through cyber espionage). To mitigate the risks posed by these threat agents, it is necessary to determine the risk exposure, factoring in the probability and impact of these threats, and to identify the types of application vulnerabilities that these threat agents can exploit. Exploitation of some of these application vulnerabilities might severely and negatively impact the organization and jeopardize the business.
Source:
https://www.owasp.org/images/d/d6/Owasp-ciso-guide.pdf