Archive for 2007

Multi-Factor and Risk-Based Authentication

Thursday, June 21st, 2007

In the last year, multi-factor and risk-based authentication systems have hit the real world of Internet end-users, particularly for on-line banking and finance applications. Strong industry requirements and a recognition of the serious risk of user account compromise have rushed many organizations to implement these “strong authentication” systems for high-risk applications. Now that these are implemented, what’s the result?

In this podcast, I talk with fellow industry researcher and security consultant Bruce Marshall. We discuss our experiences helping companies roll out their multi-factor and risk-based authentication systems for security-sensitive online applications. Judging from many organizations’ first attempts, there is plenty to be wary of when moving toward multi-factor authentication to ensure that you get the expected reduction in risk. Without careful planning, it is entirely possible that the result could be higher risk due to implementation flaws. We discuss what pitfalls and principles companies should be aware of before jumping on the multi-factor or risk-based authentication bandwagon.

Kris Drent

 
icon for podpress  Multi-Factor Authentication and App Security Reality [32:20m]: Play Now | Play in Popup

AppSec Strategy: The Maturity Continuum

Friday, June 1st, 2007

Last May, I was asked to speak at a national Financial Services roundtable on the topic of application security. While I knew that these CSOs and Security Directors were no newcomers to the concept of application security, I also knew that they wanted to hear what I’ve been seeing in the industry. So this time, instead of speaking on current attacks and risks, I took a step back and discussed the solution with regard to maturity. The talk focused on how mature organizations are in their approach to managing application security, and how this maturity directly affects their ability to keep up with the evolving application security threatscape.

Today’s podcast provides a brief summary of this talk by running through the three general stages of maturity that organizations can roughly be grouped into:

  • Stage 1: Doing Nothing
  • Stage 2: Reactive and Tactical
  • Stage 3: Proactive and Strategic

Today, it seems that many organizations fit into the Stage 2 group. Some are at this stage because they’re just learning how important application security is. Others are quite knowledgeable about the topic, have conducted numerous assessments, and continue to stay on top of the major risks — but they’re still stuck at Stage 2.

In this podcast, I’ll summarize these three stages, discuss the difficulties and pitfalls of operating like a Stage 2 organization, and end with some pointers on what it takes to get ahead of the game and operate as a Stage 3 organization. During the discussion, I’ll also talk about building security into the development process (SDLC), and mention how important developer education, threat modeling, and documented best practices are to achieving truly effective application security.

Also, if you’re interested in seeing the full version of the App Sec Maturity Continuum presentation, it is available on-line as an on-demand Webcast from the Security PS website.

Kris Drent

 
icon for podpress  The AppSec Maturity Continuum (Summary) [27:00m]: Play Now | Play in Popup

Welcome

Wednesday, May 9th, 2007

My name is Kris Drent. I’m an application security consultant, researcher and the CTO of a specialized security consulting firm, Security PS. I’ve started this website to share my experiences and lessons learned from the field. If you’re

  • Wanting to learn about hot topics in the application security industry
  • Looking for approaches and strategies to manage application security risk
  • Needing insights to bolster your defenses with best practices

…then you’ll want to visit this site often. Drawing from my experience, as well as that of many other seasoned security experts in the industry, this site will host the “App Security Advisor” podcast and also point out articles, webcasts, and other resources to help you keep up to date on topics ranging from technical attacks and best practices to management approaches for low-risk development.

This website and podcast are meant to provide a resource to the community, so drop me an e-mail or leave some comments if you would like to give your feedback or suggest topics you’d like to hear about. Looking forward to getting this moving,

Kris Drent

 
icon for podpress  The App Security Advisor Introduction [8:20m]: Play Now | Play in Popup