My article, “Maddening Methods: Fundamentals of Risk Assessment and Analysis,” was published in the July 2010 edition of The ISSA Journal. It covers some of the key concerns around risk assessment today, including addressing common arguments posited against risk assessments and risk management. From the abstract:

Considerable confusion exists in the security industry around the effectiveness of risk assessment and analysis methodologies. Points of contention often focus on specific attributes of a given method, such as data quality, statistical analysis, or a qualitative versus quantitative approach. There are reasonable, viable answers to these points of contention that resolve most of these concerns.

I hope that you’ll find this piece informative and enjoyable.

There’s no need to go and reinvent the wheel when coding. Many good developers will have a plethora of custom or public libraries of code to do all the functions they need. One area where this type of stockpiling code really shines is in security APIs. For the longest time I’d followed Microsoft’s Enterprise Library, specifically for its security namespace. Being a .NET developer primarily this was all good.

But lately I’ve been branching out my coding endeavors, as well as watching the Microsoft Enterprise Library continue to grow; A little too large for my taste as of lately. This is where the OWASP ESAPI (Enterprise Security API) comes into play.

It’s fairly lightweight, supports many languages, and is a set of foundational security controls that developers don’t have to keep remaking over and over.

Allowing for language-specific differences, all OWASP ESAPI versions have the same basic design:

• There is a set of security control interfaces. They define for example types of parameters that are passed to types of security controls.

• There is a reference implementation for each security control. The logic is not organization‐specific and the logic is not application‐specific. An example: string‐based input validation.

• There are optionally your own implementations for each security control. There may be application logic contained in these classes which may be developed by or for your organization. An example: enterprise authentication.

I’ve just recently started using the ESAPI, but do have a history with some of OWASP’s other projects. I’d advise anyone looking to lock down some of their controls and ensure they have the proper guidelines in place to take a look at the ESAPI from OWASP.