Archive for the ‘AppSec Strategy’ Category

Multi-Factor and Risk-Based Authentication

Thursday, June 21st, 2007

In the last year, multi-factor and risk-based authentication systems have hit the real world of Internet end-users, particularly for on-line banking and finance applications. Strong industry requirements and a recognition of the serious risk of user account compromise have rushed many organizations to implement these “strong authentication” systems for high-risk applications. Now that these are implemented, what’s the result?

In this podcast, I talk with fellow industry researcher and security consultant Bruce Marshall. We discuss our experiences helping companies roll out their multi-factor and risk-based authentication systems for security-sensitive online applications. Gathering from many organizations’ first attempts, there is plenty to be wary of when moving toward multi-factor authentication to ensure that you get the expected reduction in risk. Without careful planning, it is entirely possible that the result could be higher risk due to implementation flaws. We discuss what pitfalls and principles companies should be aware of before jumping on the multi-factor or risk-based authentication bandwagon.

Kris Drent

Multi-Factor Authentication and App Security Reality [32:20m]

AppSec Strategy: The Maturity Continuum

Friday, June 1st, 2007

Last May, I was asked to speak at a particular national Financial Services roundtable on the topic of application security. While I knew that these CSOs and Security Directors were no newcomers to the concept of application security, I also knew that they wanted to know what I’ve been seeing in the industry. So this time, instead of speaking on current attacks and risks, I took a step back and discussed the solution with regard to maturity. The talk focused on how mature organizations are in their approach to managing application security, and how this maturity directly affects their ability to keep up with the evolving application security threatscape.

Today’s podcast provides a brief summary of this talk by running through the three general stages of maturity that organizations can roughly be grouped into:

  • Stage 1: Doing Nothing
  • Stage 2: Reactive and Tactical
  • Stage 3: Proactive and Strategic

Today, it seems that many organizations fit into the Stage 2 group. Some are at this stage because they’re just learning about how important application security is. Others are quite knowledgeable about the topic, have conducted numerous assessments, and continue to stay on top of the major risks — but they’re still stuck at Stage 2.

In this podcast, I’ll summarize these three stages, discuss the difficulties and pitfalls of operating like a Stage 2 organization, and end with some pointers on what it takes to get ahead of the game and operate as a Stage 3 organization. During the discussion, I’ll also talk about building security into the development process (SDLC), and mention how important developer education, threat modeling, and documented best practices are to achieving truly effective application security.

Also, if you’re interested in seeing the full version of the App Sec Maturity Continuum presentation, it is available on-line as an on-demand Webcast from the Security PS website.

Kris Drent

The AppSec Maturity Continuum (Summary) [27:00m]