To be better at my job (application risk assessment)
Big-JJ
Member Posts: 53 ■■■□□□□□□□
I am having hard time finding what I need to do to get better at my job. Part of my job is to assess application risks based on various information gathered for applications.
I have a pretty concrete idea of what to study for information security in general...but don't know what to study for assessing/evaulating application risks.
GIAC...GPEN or GWAPT would be the closest but I am planning to go for GSNA (with my own money) so can't really afford 2 GIACs in a row. Besides, they seem to be quite advanced requiring deep knowledge in networking & programming.
Therea are some penetration online courses such as Elearnsecurity & Dojo which seem to have introductory part and affordable...however, they seem to be for network penetration?
Does anyone assess application risks for their job? Any suggestions on where to get started?
Or am I poking wrong trees by looking at penetration testing certs/courses?
Thanks in advance.
I have a pretty concrete idea of what to study for information security in general...but don't know what to study for assessing/evaulating application risks.
GIAC...GPEN or GWAPT would be the closest but I am planning to go for GSNA (with my own money) so can't really afford 2 GIACs in a row. Besides, they seem to be quite advanced requiring deep knowledge in networking & programming.
Therea are some penetration online courses such as Elearnsecurity & Dojo which seem to have introductory part and affordable...however, they seem to be for network penetration?
Does anyone assess application risks for their job? Any suggestions on where to get started?
Or am I poking wrong trees by looking at penetration testing certs/courses?
Thanks in advance.
MBA, CIA, CRMA, CISA, CISM, CRISC, CISSP, PMP
Comments
-
paul78 Member Posts: 3,016 ■■■■■■■■■■If yor job ia focused on the application instead of the infrastructure - GWAPT is probably more appropriate. Are you more of an auditor or a infosec analyst supporting a application sdlc?
-
Big-JJ Member Posts: 53 ■■■□□□□□□□The other part of my job is auditing, which is going well.
I do not support application SDLC and I don't deal with infrastructure side at all.
So, ya...auditing & application risk assessment would be the biggest chunks of my job.
I need to collaborate with developers but...none of the developers have specizlied knowledge in application risks or hecking etc or interests in addressing application risks. And most of all they don't give a **** and I always get push-back mainly because I do not know what I am doing. So I need to be that person...who knows about application risks but do not have programming knowledge..which sounds a bit odd. (my backgroudn is not computer science)MBA, CIA, CRMA, CISA, CISM, CRISC, CISSP, PMP -
paul78 Member Posts: 3,016 ■■■■■■■■■■If you dont have an app programming background, perhaps you could start with CISA training which could hone your audit skills and provide a basis for your discussions on risk with the dev teams.
Understanding how apps get penetrated is also a good idea based on your description. Assuming these are web based apps, GWAPT would be applicable training. But there is an assumption of basic web skills. For example, if you can read rfc2616 and understand it, then you would be all set for GWAPT. Since you are funding the training, you may want to read the articles on the SANS web site.That may be all you need to start. Also I recommend you go through the OWASP web site. Good luck.