Risk assessment applied to web security presented at 44Con 2011

by Florencio Cano Gabarda

Summary: MAGERIT is a risk assessment methodology focused on information technologies. Like other risk assessment methodologies, MAGERIT uses the general formula PROBABILITY x IMPACT. MAGERIT includes a catalogue that makes it easy to evaluate risk in common assets. In this presentation Florencio Cano Gabarda will propose using MAGERIT to evaluate risk in a web application. Evaluating risk in a web application can help companies choose adequate controls for protecting it, such as WAFs, code auditing, IDS, honeypots, etc.
First he will explain MAGERIT as it is and present its catalogue so that the audience is familiar with it. Then he will explain the differences that should be considered when evaluating risk in a web application, and the subjectivity problems inherent in any risk assessment. He will propose a threat and vulnerability catalogue for web applications, which he will share with the audience. This catalogue will be based on already known methodologies.
He will present a new open source tool based on this methodology for evaluating web application risks.