Day 2

Key Activities

 * Become intimately familiar with what you are meant to protect and at what level.
 * Define processes, procedures, and checklists to align assessment strategies to business needs.
 * Effectively communicate the introduction and goals of the Application Security assessment program.
 * Provide a single point of contact for the program.

Asset Discovery

 * Gather Internal, External and Hosted IP ranges.
 * Catalogue known domains and subdomains.
 * Identify asset meta-data locations. (CMDBs, GRCs, etc.).
 * Identify site owners, where those are not already known.
 * Gather assessment credentials, including multiple roles for horizontal and vertical testing.
 * Identify the rate of application change (e.g. monthly, weekly, etc.…)

Asset Risk Prioritization
impact to confidentiality, integrity and availability (C.I.A.). (See: )
 * Develop or leverage existing methodology for stack ranking the value of your assets to the business based on

POTENTIAL IMPACT


 * Map asset criticality against attacker profiles with use of a GRC (Governance Risk Management and Compliance) tool if available, or using an information asset register such as the University of Oxford Information Asset Register Tool

For example:
 * 1) Tier 1 = Targeted Govt./State sponsor.
 * 2) Tier 2 = Hactivism
 * 3) Tier 3 = Random Opportunistic


 * Implement ISO 17799: Asset Management or similar standard to improve governance of application assets.

Communication Plan

 * Set expectations of assessment program for all interested parties.
 * Alert Operations team of upcoming activities.
 * Gather written buy-in from application stakeholders for the assessment activities.
 * Develop, publish, and maintain comprehensive application security and privacy standards, policies, procedures and guidelines and enforce these in compliance with relevant global regulations and standards.
 * Define, document and share application business continuity and incident response plan. (Business Continuity Plan Resources: ITIL, COBIT, NIST)