Hackers of India

Application Security Strategies

By  K K Mookhey  on 06 Sep 2011 @ Securitybyte

Abstract

For medium to large organizations, managing the business pressures to release applications in double-quick time, coupled with the regulatory pressures from RBI, IRDA, Department of Telecom, IT Act and others creates a conflict which seems difficult to resolve. How does a CISO manage to get the enterprise web application universe covered as comprehensively as possible from a security perspective, without becoming a bottleneck in business priorities? Which security testing methodologies should be chosen at what stage in order to be most effective – secure design, secure code reviews, black-box testing, application control reviews? Can applications be prioritized in terms of their assessment? How do we deal with vendors who are not too keen to spend additional developer time in fixing security issues?

This talk presents some concrete ideas to help development teams, CISOs, and security managers implement certain strategies to help bring some method to the madness that currently prevails in a any fast-growing enterprise. It also looks at areas where goof-ups have happened, and lessons learnt to help ensure that high-risk issues do not get missed out. Finally, it also presents our suggested approach to testing web applications and ideas towards prioritizing the activities that would constitute an effective and efficient application security framework.

About Kanwal K. Mookhey, NII Consulting

Kanwal K. Mookhey (CISA, CISSP, CISM) is the Principal Consultant and Founder at Network Intelligence as well as the Founder of The Institute of Information Security. He is an internationally well-regarded expert in the field of IT governance, information risk management, forensic fraud investigations, compliance, and business continuity. He has more than a decade of experience in this field, having worked with prestigious clients such as the The Indian Navy, The United Nations, Abu Dhabi & Dubai Stock Exchanges, State Bank of India, Saudi Telecom, Capgemini, BNP Paribas, the Mumbai Crime Branch and manyothers.

His skills and know-how encompass risk management, compliance, business continuity, application security, computer forensics, and penetration testing. He is well-versed with international standards such as COBIT, ISO 27001, PCI DSS, BS 25999, and ITIL / ISO 20000.

He is the author of two books (Linux Security And Controls by ISACA, and Metasploit Framework, by Syngress Publishing), and of numerous articles on information security. He has also presented at conferences such as OWASP, Blackhat, Interop, IT Underground and others.