Security Risk Management Part-II
Application security encompasses the measures taken throughout an application's life-cycle to prevent exceptions to the security policy of the application or the underlying system (vulnerabilities) that arise from flaws in its design, development, deployment, upgrade, or maintenance. Applications only control the use of the resources granted to them, not which resources are granted to them. The real protection therefore happens at the core of the problem, i.e. by implementing proper application software development and coding practices.
The Open Web Application Security Project (OWASP) and the Web Application Security Consortium (WASC) publish updates on the latest threats that impair web-based applications. This helps developers, security testers and architects focus on better design and mitigation strategies. The OWASP Top 10 has become an industry norm for assessing web applications.
Access control is the selective restriction of access to a place or other resource. The act of accessing may mean consuming, entering, or using. Permission to access a resource is called authorization. Access is the flow of information between a subject and an object. A subject is an active entity and an object is a passive entity.
Authentication is the verification of the identity of a subject that is requesting the use of a system. The authentication process involves confirming the identity of a person or software program, tracing the origins of an artifact, or ensuring that a product is what its packaging and labeling claim it to be. This process often involves verifying the validity of at least one form of identification.
Cryptography is the science and practice of secret writing and the study of techniques for secure communication in the presence of adversaries. It is concerned with constructing and analyzing protocols that overcome the influence of adversaries and that relate to various aspects of information security, such as data confidentiality, data integrity, authentication, and non-repudiation. Modern cryptography intersects the disciplines of mathematics, computer science, and electrical engineering.
Cyber security standards are security standards which enable organizations to practice safe security techniques to minimize the number of successful cyber security attacks. These guides provide general outlines as well as specific techniques for implementing cyber security. For certain specific standards, cyber security certification by an accredited body can be obtained. There are many advantages to obtaining certification including the ability to get cyber security insurance.
Risk in the context of security is the possibility of damage happening and the ramifications of such damage if it occurs. IT risk, or IT-related risk, can be considered as any risk in the IT or related industry. The term IT risk is a comparatively new one, owing to an increasing awareness that information security is only one facet of the large number of risks that are relevant to the IT industry and the IT processes it supports. We can say that risk is the product of the likelihood of an event occurring and the impact that event would have on an IT asset, i.e. Risk = Likelihood * Impact.
Further, the impact of an event on an information asset is usually taken to be the product of a vulnerability in the asset and the asset's value to its stakeholders. Thus, IT risk can be expanded to:
Total Risk = Threat * Vulnerability * Asset Value
Risk can thus also be defined as the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. It is measured as a combination of the probability of occurrence of an event and its consequence.
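As an added worked example (not part of the original text), the two formulas above applied to a constructed risk register so that entries can be ranked for treatment. The 1..5 ordinal scale for each factor, the risk-appetite threshold and the register entries are assumptions made for this illustration.

```python
# Added worked example, not from the original text: the page's risk formulas applied to a
# constructed risk register. The 1..5 ordinal scales and sample entries are assumptions.
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5  # assumed ordinal scale for every factor

@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    likelihood: int     # probability the threat occurs: 1 (rare) .. 5 (almost certain)
    vulnerability: int  # exploitability of the asset's weakness: 1 (well controlled) .. 5 (unmitigated)
    asset_value: int    # value to stakeholders: 1 (negligible) .. 5 (critical)

def _check_scale(entry: RiskEntry) -> None:
    for name in ("likelihood", "vulnerability", "asset_value"):
        value = getattr(entry, name)
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{name}={value} is outside {SCALE_MIN}..{SCALE_MAX} for {entry.asset}")

def impact(entry: RiskEntry) -> int:
    """Impact = Vulnerability * Asset Value."""
    _check_scale(entry)
    return entry.vulnerability * entry.asset_value

def total_risk(entry: RiskEntry) -> int:
    """Total Risk = Threat * Vulnerability * Asset Value, i.e. Likelihood * Impact."""
    return entry.likelihood * impact(entry)

def rank_register(register: list) -> list:
    """Order entries so the highest total risk is treated first."""
    return sorted(register, key=total_risk, reverse=True)

def above_appetite(register: list, threshold: int) -> list:
    """Ranked entries whose total risk exceeds the organisation's risk appetite."""
    return [e for e in rank_register(register) if total_risk(e) > threshold]

# Constructed sample register (illustrative values only).
REGISTER = [
    RiskEntry("customer database", "SQL injection via web front end", 4, 4, 5),   # 4*4*5 = 80
    RiskEntry("public web server", "volumetric DDoS", 3, 2, 3),                  # 3*2*3 = 18
    RiskEntry("internal wiki", "credential stuffing", 2, 3, 2),                  # 2*3*2 = 12
    RiskEntry("payment gateway", "weak TLS configuration", 2, 3, 5),             # 2*3*5 = 30
]

if __name__ == "__main__":
    for e in rank_register(REGISTER):
        print(f"{total_risk(e):3d}  {e.asset:18s} {e.threat}")
    print("treat first:", [e.asset for e in above_appetite(REGISTER, 25)])
```

The ranking shows why the product form matters: the payment gateway outranks the web server despite a lower likelihood, because its asset value dominates the impact term.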