6

I have been asked to perform a risk assessment for a company. The scope covers about 100 applications across various business units. The major task is to assess the currently implemented security controls and provide recommendations after the assessment, and also to provide recommendations around data leakage prevention for source code and other sensitive information.

I am approaching it as an organizational-level security risk assessment using a framework such as NIST CSF, while my colleague is thinking more along the lines of conducting a risk assessment of the SDLC/agile/devops process, which in my opinion is not a security risk assessment but a process risk assessment at the project level. I have not yet seen any security risk assessment of development methodologies in terms of security.

I want to ask: what is the right way to approach this risk assessment?

Posse
ray bash
  • Sounds like the development process is only a small part (but of course it has large implications, so it should not be neglected; sounds good if someone looks into it while the rest of the team looks at the organisation). Of course this should be agreed upon (we don’t know what your orders are). – eckes Dec 24 '18 at 12:38
  • I posted multiple things in my answer below that could be useful. If you can edit the question or respond to @bashcypher with more information on the scope of testing, I can hone the answer to be more specific to your needs. Thanks. – bashCypher Jan 23 '19 at 22:25

3 Answers

1

You can use the OpenSAMM or BSIMM frameworks to benchmark your development process in terms of security. After that you can calculate the risks for unimplemented or incomplete security practices and include them in your main CSF-based risk assessment.

odo
  • I agree, and OpenSAMM can be adapted or customized to provide checks for these CSF elements (i.e., principles and controls). – atdre Jan 24 '19 at 21:44
0

This question is a little confusing. Are you only reviewing the security of the applications? Or also the environments they are included in? To answer the question of

How do I do a risk assessment at an enterprise level?

Defense in Depth is the understanding that there are multiple layers of security that need to be addressed in a holistic approach. See this picture:

https://blog.knowbe4.com/hubfs/Defense_in_Depth.jpg

and wiki: https://en.wikipedia.org/wiki/Defense_in_depth_(computing)

There are multiple ways to go about this, but first you must define the scope, which seems missing in your question. Is network security included? Is "endpoint" included? Does phishing fall into your scope? Is it just application security? What about physical security? When you say Data Loss Prevention, are you talking about information leakage from a database or restricting corporate laptops from sending company files outbound? You have to clarify the scope before you can come up with a clear plan. Once you have done that:

https://en.wikipedia.org/wiki/Cyber_security_standards#ANSI/ISA_62443_(Formerly_ISA-99)

The 62443 family of standards covers most of the ground you mention above, including the SDLC. It is "bulky" and doesn't mandate specific testing in many of the certs, but it is also robust and gives a great "envelope" of testing to start from.

OWASP has a framework for developing secure code and secure coding practices and they have assessment templates:

https://www.owasp.org/index.php/OWASP_Security_Knowledge_Framework

https://www.owasp.org/index.php/OWASP_ASVS_Assessment_tool

For a more classic approach use Microsoft's baseline framework:

https://en.wikipedia.org/wiki/Microsoft_Baseline_Security_Analyzer

This will cover most levels of security for a Windows based environment.

US-Cert has frameworks:

https://www.us-cert.gov/sites/default/files/c3vp/framework_guidance/commercial-facilities-framework-implementation-guide-2015-508.pdf

https://www.us-cert.gov/sites/default/files/resources/ncats/VADR%20Sample%20Report_508C.pdf

https://www.us-cert.gov/resources/ncats

And SANS has BASE which covers a lot of ground also:

https://www.sans.org/reading-room/whitepapers/auditing/base-security-assessment-methodology-1587

Don't forget about compliance as well: HIPAA, PCI, SOX, etc. All of the information you need is easily found with an internet search.

bashCypher
0

My preferred go-to platform for this activity is Atomic Red Team, which shares your goals. However, there is a lot to know underneath that layer; most of it is covered well in the book Hands-On Security in DevOps. There is a lot of personnel and managerial forensics that exists far beyond the technology layers, as well.

There is even more to know about Cyber risk, put best in terms of SimpleRisk. If you want to speak to business owners, know that there is plenty to correct (in terms of ROI and productivity) at the efficiency layers, but that Cyber risk is ultimately about preventing loss through the lens of uncertainty.

The book Developing Cybersecurity Programs and Policies, 3rd Edition, covers this best when it says that the business may only tolerate a minimum return on capital of 3% across a 15% cybersecurity budget. If you want to show how controls measure up, be sure to check out the book How to Measure Anything in Cybersecurity Risk.

atdre