Figure 5.3 Web application risk assessment overview. The figure shows three phases and their subprocesses: System Characterization (identifying critical information assets; application users and roles; understanding basic application architecture; developing security objectives for the application), Threat Analysis (creating threat profiles; detailed threat modeling for the application), and Risk Evaluation and Control Selection (prioritizing protection strategies based on risk; detailed risk mitigation strategies).
the impacts of threats exploiting those vulnerabilities. Although there are several standards and
methodologies for assessing enterprise or organizational risk, there is no specific methodology for
assessing Web application risk. The objective of this chapter is to introduce a structured methodology
for assessing Web application risks, drawing on some of the best concepts from several structured
risk assessment methodologies: OCTAVE (Operationally Critical Threat, Asset, and Vulnerability
Evaluation); NIST SP 800-30, a methodology for performing risk assessments for a system during the
Software Development Life Cycle; and the DREAD methodology used for rating threats when threat
modeling Web application security attacks. A brief overview of Web application security risk
assessment is as follows:
◾
System characterization
◾
Threat profiling and threat modeling
◾
Risk mitigation strategy—formulation of detailed security requirements for the Web
application
The processes of the risk assessment phase are highlighted in Figure 5.3.
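As an added example (not from the original text), the DREAD rating mentioned above is worked through in Python over a constructed list of threats: each threat is scored for Damage, Reproducibility, Exploitability, Affected users and Discoverability, the five scores are averaged, and the threats are ranked so that protection effort goes to the highest-rated first, which is the "prioritizing protection strategies based on risk" step of Figure 5.3. The 1-10 scale, the High/Medium/Low band thresholds, the asset names and the sample threats are assumptions chosen for illustration; DREAD scales vary between teams and should be fixed in the assessment's own scoring guide.

```python
"""Worked DREAD rating and ranking over a constructed threat list (added example)."""
from dataclasses import dataclass

# The five DREAD factors. Scale 1..10 is an assumption for this example.
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")
SCALE_MIN, SCALE_MAX = 1, 10


@dataclass(frozen=True)
class Threat:
    """One entry of a threat profile: the asset it targets plus its DREAD scores."""
    name: str
    asset: str            # critical information asset from system characterization
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int


def dread_score(threat: Threat) -> float:
    """Average of the five factors; rejects scores outside the agreed scale."""
    values = []
    for factor in DREAD_FACTORS:
        value = getattr(threat, factor)
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{threat.name}: {factor}={value} is outside "
                             f"{SCALE_MIN}..{SCALE_MAX}")
        values.append(value)
    return sum(values) / len(values)


def risk_band(score: float) -> str:
    """Map a DREAD average to a band. Thresholds are assumptions for this example."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def prioritize(threats):
    """Rank threats highest risk first; ties broken by name for a stable report."""
    ranked = sorted(threats, key=lambda t: (-dread_score(t), t.name))
    return [(t.name, t.asset, round(dread_score(t), 1), risk_band(dread_score(t)))
            for t in ranked]


# Constructed sample threat profile (hypothetical application, hypothetical scores).
SAMPLE_THREATS = [
    Threat("SQL injection in login form", "customer database",
           damage=9, reproducibility=10, exploitability=8,
           affected_users=10, discoverability=9),
    Threat("CSRF on profile update", "customer profile records",
           damage=5, reproducibility=8, exploitability=6,
           affected_users=7, discoverability=5),
    Threat("Verbose error pages leak stack traces", "application source/configuration",
           damage=3, reproducibility=10, exploitability=10,
           affected_users=2, discoverability=8),
    Threat("Admin login without lockout (brute force)", "administrative credentials",
           damage=8, reproducibility=10, exploitability=7,
           affected_users=3, discoverability=7),
]


if __name__ == "__main__":
    for name, asset, score, band in prioritize(SAMPLE_THREATS):
        print(f"{score:4.1f}  {band:<6} {name}  [{asset}]")
```

The ranking is what feeds the mitigation strategy: the two High entries (the injection flaw and the brute-forceable admin login) become the first detailed security requirements, while the Medium ones are scheduled behind them. Changing the scale or the band thresholds changes the order only at the margins, but whatever values are used must be written down with the assessment so a later re-rating is comparable.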
5.2 System Characterization Process—Risk Assessment
5.2.1 An Overview of the System Characterization Process
The first step in a Web application risk assessment is to characterize the system being designed
and developed. The system characterization process includes the subprocesses of identifying critical
information assets that need to be protected. Critical information assets are those without