Thursday, March 22, 2018

Security Testing | Security 4 No0bs - Posture Assessment For An Application

Continuing our "Security 4 No0bs" series, I want to discuss what exactly this thing called a "Posture Assessment" is and how it applies to information security.


Source: Secure Force - Security Posture Assessment

What is a Security Posture Assessment?

In a way, the Security Posture Assessment (SPA) is kind of like a S.M.A.R.T. goal for an organization as it relates to cyber readiness. The one-line definition is: "an organization needs to be able to assess its cyber-readiness holistically." The SPA is the exercise that turns that sentence into findings, scores and deadlines.

How does it work?

Applying the S.M.A.R.T. principle, an organization can determine its cyber-readiness by structuring the assessment around the following (simplified) list:

  1. Specific
     An assessment of the current state of the security posture is conducted by way of an audit, internal or external, covering the posture at both a micro level (a single application or system) and a macro level (the organization as a whole). Based on the results, potential solutions are presented.

  2. Measurable
     Each issue discovered during the audit needs a weight (value) associated with it. This can be a "1-to-5" severity scale or a "Critical > High > Medium > Low" scale. Whichever is used, the point is to assign a value to the issue so that the appropriate response can be chosen, and so that two issues can be compared against each other.

  3. Achievable
     Once solutions are proposed, their tactical feasibility is taken into account. These solutions can become part of an overall program, be it a Disaster Recovery Plan (DRP) or a Continuity of Operations Plan (COOP). The solutions outlined must be achievable within a reasonable time frame and within some kind of budget; a recommendation nobody can fund or staff is not a recommendation.

  4. Relevant
     The combined results (vulnerability scan + audit + security assessment) should be modeled against the security architecture actually in place. The end result is a concise list of actionable items, each carrying a point value and a criticality metric relevant to the application or business function it affects, so that a medium-severity finding on a critical system can outrank a high-severity finding on a throwaway one.

  5. Time-Based
     The SPA should be run with discipline about timing at each stage of INPUT -> PROCESS -> OUTPUT:
    • INPUT
      Initiation of a SPA begins with a request (trigger) or a response to a perceived issue, and that initiation happens in a timely manner.
    • PROCESS
      The scope of the SPA can only be covered when all the necessary information is acquired on time. The same goes for completion of any vulnerability scans, security audits and other such assessments.
    • OUTPUT
      The SPA has a stated completion date, but delivering the report does not close the work. "Done" can be defined as: a comprehensive list of recommendations has been submitted via the report, and the assessors are waiting on the response and follow-through, including a remediation deadline for each item.
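To make the "Measurable", "Relevant" and "Time-Based" steps concrete, here is an added example (it is not code from the original post and does not represent any particular assessment tool). It maps a severity label to a point value, weights that value by how critical the affected application is to the business, sorts the findings, and attaches a remediation deadline to each. The severity scale, the asset-weight table, the SLA thresholds and every finding in the sample list are constructed assumptions chosen to illustrate the ranking, not a standard.

```python
"""Rank posture-assessment findings by severity and business relevance.

Added illustration of the Measurable / Relevant / Time-Based steps.
All scales, weights, SLA thresholds and sample findings are assumed
values constructed for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Severity label -> point value (the "1-to-5" scale mentioned in the post).
SEVERITY_POINTS = {"Critical": 5, "High": 4, "Medium": 3, "Low": 2, "Info": 1}

# Business criticality of the affected asset -> multiplier (assumed scale).
ASSET_WEIGHT = {"crown-jewel": 3.0, "internal": 2.0, "sandbox": 1.0}

# Risk score -> maximum days allowed to remediate (assumed SLA table).
# Checked top-down: first threshold the score reaches wins; below 4 -> 180.
SLA_DAYS = [(12, 7), (8, 30), (4, 90)]


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    asset_class: str   # key into ASSET_WEIGHT
    severity: str      # key into SEVERITY_POINTS
    source: str        # "scan", "audit" or "assessment"


def risk_score(f: Finding) -> float:
    """Severity points times asset weight.

    Unknown labels raise KeyError on purpose: silently defaulting an
    unrecognised severity to "Low" would hide findings from the ranking.
    """
    return SEVERITY_POINTS[f.severity] * ASSET_WEIGHT[f.asset_class]


def sla_days(score: float) -> int:
    """Map a risk score to the remediation window from SLA_DAYS."""
    for threshold, days in SLA_DAYS:
        if score >= threshold:
            return days
    return 180


def rank_findings(findings, opened: date):
    """Return findings sorted by descending risk, each with a due date."""
    rows = []
    for f in findings:
        score = risk_score(f)
        rows.append({
            "id": f.finding_id,
            "asset": f.asset,
            "severity": f.severity,
            "source": f.source,
            "score": score,
            "due": opened + timedelta(days=sla_days(score)),
        })
    # Ties are broken by id so the report is stable between runs.
    rows.sort(key=lambda r: (-r["score"], r["id"]))
    return rows


# Constructed sample findings: a scan, an audit and an assessment result.
SAMPLE_FINDINGS = [
    Finding("F-001", "payments-api", "crown-jewel", "Medium", "scan"),
    Finding("F-002", "dev-sandbox", "sandbox", "High", "scan"),
    Finding("F-003", "hr-portal", "internal", "Critical", "audit"),
    Finding("F-004", "payments-api", "crown-jewel", "Low", "assessment"),
]

# Assumed date the assessment was opened (the INPUT trigger).
SAMPLE_OPENED = date(2018, 3, 22)


def sample_ranking():
    """Rank the constructed sample with the assumed opening date."""
    return rank_findings(SAMPLE_FINDINGS, SAMPLE_OPENED)


if __name__ == "__main__":
    for row in sample_ranking():
        print(f"{row['id']}  score={row['score']:>4}  {row['severity']:<8} "
              f"{row['asset']:<13} due {row['due']}")
```

Run as a script, the sample prints F-003, F-001, F-004, F-002 in that order: the Medium finding on the crown-jewel payments API (score 9, due in 30 days) ranks above the High finding on the sandbox (score 4, due in 90 days), which is exactly the "relevant to the application or business function" adjustment the Relevant step asks for. In a real engagement the weight table would come from the organization's own asset inventory and the SLA table from its risk policy.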

Why bother with this?

In this day and age, cyber security is fundamental to business continuity, and web and mobile application security is a large part of that. A SPA, taken as part of a larger, comprehensive cyber-readiness initiative, adds real value to the overall constitution of an organization: it replaces a vague sense of "we should be more secure" with a scored, prioritized, dated list of things to fix. For a company of any size, getting "cyber ready" sooner rather than later matters to its integrity and reputation.
