Day 2

Key Activities

 * Become intimately familiar with what you are meant to protect and at what level.
 * Define processes, procedures, and checklists to align assessment strategies to business needs.
 * Effectively communicate the introduction and goals of the Application Security assessment program.
 * Provide a single point of contact for the program.

Asset Discovery

 * Gather Internal, External and Hosted IP ranges.
 * Catalogue known domains and subdomains.
 * Identify asset meta-data locations (CMDBs, GRCs, etc.).
 * Identify site owners, where those are not already known.
 * Gather assessment credentials, including multiple roles for horizontal and vertical testing.
 * Identify the rate of application change (e.g. monthly, weekly, etc.).

Asset Risk Prioritization
 * Develop or leverage existing methodology for stack ranking the value of your assets to the business based on impact to confidentiality, integrity and availability (C.I.A.). (See: POTENTIAL IMPACT)
 * Map asset criticality against attacker profiles with use of a GRC* (Governance, Risk Management and Compliance) tool if available, or using an information asset register such as the University of Oxford Information Asset Register Tool.

For example:
 * Tier 1 = Targeted Govt./State sponsor.
 * Tier 2 = Hacktivism.
 * Tier 3 = Random Opportunistic.

 * Implement ISO 17799: Asset Management or similar standard to improve governance of application assets.
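As an added illustration of the two prioritization steps above (not part of the original checklist), the following Python sketch scores a constructed asset register by worst-case C.I.A. impact, weights it by the attacker tier mapped to each asset, and produces the stack ranking; the tier likelihood weights, the 1..5 impact scale and the sample assets are assumptions made here, not values from the page.

```python
from dataclasses import dataclass
from typing import Optional

# Attacker profile tiers as named on the page. The likelihood weights are an
# assumption for illustration; a real program would set them from its GRC data.
TIERS = {
    1: ("Targeted Govt./State sponsor", 1.0),
    2: ("Hacktivism", 0.6),
    3: ("Random Opportunistic", 0.3),
}

@dataclass
class Asset:
    name: str
    owner: Optional[str]   # None when the site owner is still unknown
    confidentiality: int   # business impact of disclosure, 1 (low) .. 5 (severe)
    integrity: int         # business impact of tampering
    availability: int      # business impact of an outage
    tier: int              # most capable attacker profile expected to target it

def cia_impact(asset: Asset) -> int:
    """Worst-case impact across C, I and A; every score must be 1..5."""
    scores = (asset.confidentiality, asset.integrity, asset.availability)
    if any(not 1 <= s <= 5 for s in scores):
        raise ValueError(f"{asset.name}: C.I.A. scores must be 1..5, got {scores}")
    return max(scores)

def risk_score(asset: Asset) -> float:
    """Impact weighted by how likely the mapped attacker tier is to act."""
    _, likelihood = TIERS[asset.tier]
    return round(cia_impact(asset) * likelihood, 2)

def stack_rank(assets: list) -> list:
    """Asset names, highest risk first; ties broken by name for stable reports."""
    return [a.name for a in sorted(assets, key=lambda a: (-risk_score(a), a.name))]

def missing_owners(assets: list) -> list:
    """Assets that still need a site owner identified before assessment starts."""
    return [a.name for a in assets if a.owner is None]

# Constructed sample register for illustration, not real assets
REGISTER = [
    Asset("payroll-portal", "HR IT", 5, 5, 3, 1),
    Asset("public-brochure-site", "Marketing", 1, 3, 3, 2),
    Asset("partner-api", None, 4, 4, 4, 3),
]

if __name__ == "__main__":
    for name in stack_rank(REGISTER):
        print(name, risk_score(next(a for a in REGISTER if a.name == name)))
    print("owners still to identify:", missing_owners(REGISTER))
```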

Communication Plan
 * Set expectations of assessment program for all interested parties.
 * Alert Operations team of upcoming activities.
 * Gather written buy-in from application stakeholders for the assessment activities.
 * Develop, publish, and maintain comprehensive application security and privacy standards, policies, procedures and guidelines and enforce these in compliance with relevant global regulations and standards.
 * Define, document and share application business continuity and incident response plan. (Business Continuity Plan Resources: ITIL, COBIT, NIST)