#1 Big-JJ (Member; joined Jan 2011; Canada; 36 posts)
Certifications: MBA (WIP), CIA, CFSA, CRMA, CFE, CISA, CISM, CRISC

To be better at my job (application risk assessment)

I am having a hard time finding what I need to do to get better at my job. Part of my job is to assess application risks based on various information gathered for applications.

I have a pretty concrete idea of what to study for information security in general... but I don't know what to study for assessing/evaluating application risks.

GIAC... GPEN or GWAPT would be the closest, but I am planning to go for GSNA (with my own money), so I can't really afford two GIACs in a row. Besides, they seem to be quite advanced, requiring deep knowledge of networking and programming.

There are some online penetration testing courses such as Elearnsecurity and Dojo which seem to have an introductory part and are affordable... however, they seem to be for network penetration?

    Does anyone assess application risks for their job? Any suggestions on where to get started?
Or am I poking the wrong trees by looking at penetration testing certs/courses?

    Thanks in advance.
#2 Senior Member (joined Feb 2012; 2,426 posts)
If your job is focused on the application instead of the infrastructure, GWAPT is probably more appropriate. Are you more of an auditor or an infosec analyst supporting an application SDLC?

#3 Big-JJ (Member; joined Jan 2011; Canada; 36 posts)
Certifications: MBA (WIP), CIA, CFSA, CRMA, CFE, CISA, CISM, CRISC
    The other part of my job is auditing, which is going well.
    I do not support application SDLC and I don't deal with infrastructure side at all.
    So, ya...auditing & application risk assessment would be the biggest chunks of my job.
I need to collaborate with developers, but... none of the developers have specialized knowledge in application risks or hacking etc., or interest in addressing application risks. And most of all they don't give a **** and I always get push-back, mainly because I do not know what I am doing. So I need to be that person... who knows about application risks but does not have programming knowledge... which sounds a bit odd. (My background is not computer science.)

#4 Senior Member (joined Feb 2012; 2,426 posts)
If you don't have an app programming background, perhaps you could start with CISA training, which could hone your audit skills and provide a basis for your discussions on risk with the dev teams.

Understanding how apps get penetrated is also a good idea, based on your description. Assuming these are web-based apps, GWAPT would be applicable training. But there is an assumption of basic web skills. For example, if you can read RFC 2616 and understand it, then you would be all set for GWAPT. Since you are funding the training, you may want to read the articles on the SANS web site. That may be all you need to start. I also recommend you go through the OWASP web site. Good luck.