2013   AppSec Guide and CISO Survey: Making OWASP Visible to CISOs


Presentation Transcript


  1. 2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs
     Marco Morana, Member of OWASP London, Project Lead of the OWASP CISO Guide
     Tobias Gondrom, Board member of OWASP London, Project Lead of the OWASP CISO Survey & Report

  2. Agenda
     • Application Security Guide For CISOs
       • Developer – CISO gap
       • Initial Goals
       • Development Plan
     • CISO Survey & Report 2013
       • Methodology
       • First results
     • Application Security Guide For CISOs
       • Does the CISO need Guidance?
       • The OWASP release
     Hosted by OWASP & the NYC Chapter

  3. Application Security Views: Developers vs. Managers
     Application Security: What do Software Developers and Information Security (IS) Managers say?
     • Are applications secure? Developers largely say applications are not secure, while security professionals are much more optimistic.
     • Do we have an S-SDLC? 80% of developers vs. 64% of IS managers say there is NO build-security-in process (S-SDLC).
     • Are applications compliant? 15% of developers vs. 12% of IS managers say their applications MEET security regulations.
     • Have applications been breached in the past? 68% of developers vs. 47% of IS managers say their applications HAD a security breach in the last two years.
     • Did you receive application security training? 50% of developers and IS managers say they did NOT have application security training.
     Source: http://www.pcadvisor.co.uk/news/network-wifi/3345773/developers-say-application-security-lacking/#ixzz2Vj0QCALy

  4. Bridging the gap
     How can we bridge the software developer / IS manager application security awareness gaps?
     • Roll out Security Training: for S/W developers & managers
     • Increase Visibility: to application security stakeholders and IS managers in particular
     • Provide Guidance: for adopting application security programs and S-SDLC
     The Application Security Guide for CISOs sits between Information Security Managers and Software Developers and addresses:
     • Meet Compliance Requirements: with IS policies, standards, privacy laws and regulations
     • Measure & Report: management of application security programs & risks
     • Focus on Risk: awareness of security incidents, threats targeting applications and the business impacts

  5. Development Plan: How we develop the App. Sec. Guide for CISOs
     • STAGE I: Presented the OWASP Application Security Guide draft and survey draft, socialized to OWASP chapters in Atlanta, London, New York (Nov 2012)
     • STAGE II: Initiated a campaign targeting CISOs to participate in a CISO survey (Jan-July 2013)
     • STAGE III: Analyzed data from the survey and compiled preliminary results, presented at AppSec EU (August 2013)
     • STAGE IV: Final results of the survey incorporated into the CISO guide; content tailored and reformatted (Sept-Oct 2013)
     • STAGE V: Presenting the first release of the CISO guide and survey at AppSecUSA (Nov 2013)

  6. Agenda: CISO Survey & Report
     • Application Security Guide For CISOs
       • Developer – CISO gap
       • Initial Goals
       • Development Plan
     • CISO Survey & Report 2013
       • Methodology
       • First results
     • Application Security Guide For CISOs
       • Does the CISO need Guidance?
       • The OWASP release

  7. CISO Survey
     • Methodology
       • Phase 1: Online survey sent to CISOs and Information Security Managers
       • Phase 2: Followed by selective personal interviews
       • More than 100 replies from CISOs from various industries…
     • First Results: Sneak preview of the results today…

  8. CISO Survey: External threats are on the rise!
     (Chart comparing two categories:)
     • Internal attacks or fraud (e.g., abuse of privileges, theft of information)
     • External attacks or fraud (e.g., phishing, website attacks)

  9. CISO Survey: Main areas of risk

  10. CISO Survey & Report 2013: Change in the threats

  11. CISO Survey & Report 2013: Top five sources of application security risk within your organization?

  12. CISO Survey & Report 2013: Investments in Security

  13. CISO Survey & Report 2013: Top application security priorities for the coming 12 months

  14. CISO Survey & Report 2013: Security Strategy
     • Only 27% believe their current application security strategy adequately addresses the risks associated with the increased use of social networking, personal devices, or cloud
     • Most organisations define the strategy for 1 or 2 years

  15. CISO Survey & Report 2013: Security Strategy
     Benefits of a security strategy for application security investments:
     • Analysis for correlations with:
       • Recent security breach
       • Has an ASMS
       • Company size
       • Role (i.e. CISO)
       • Has a Security Strategy
       • Time horizon of security strategy (2 years)

  16. CISO Survey & Report 2013: ASMS

  17. CISO Survey & Report 2013: Top five challenges related to effectively delivering your organization's application security initiatives

  18. CISO Survey & Report 2013: CISOs found the following OWASP projects most useful for their organizations (note: we did not have a full list of all 160 active projects)

  19. Agenda: Where We Are And What Comes Next
     • Application Security Guide For CISOs
       • Developer – CISO gap
       • Initial Goals
       • Development Plan
     • CISO Survey & Report 2013
       • Methodology
       • First results
     • Application Security Guide For CISOs
       • Does the CISO need Guidance?
       • The OWASP release

  20. Does the CISO Need Guidance?
     • Security Testing Manager: Can we include budget for security testing tools and training for security testers?
     • CISO: I need to make sure our apps comply with PCI-DSS and the OWASP Top Ten. I am asking the business to budget an application security program and S-SDLC for 2014.
     • Engineering Manager: Can we budget for secure coding training and security tools for S/W developers as well?
     • Risk Manager: Can you justify this budget from a risk management perspective? How does this program help reduce the risks of security breaches we had in the past?
     • Business Executive: Can you determine how much we need to invest in this program? Do you have a plan and a documented proposal/business case?

  21. Application Security Guide for CISOs
     PART I – Reasons For Investing in Application Security
     • Meeting Compliance
     • Risk Reduction Strategies
     • Minimize Risk of Incidents
     • Costs & Benefits of Security Measures
     PART II – Criteria For Managing Security Risks
     • Technical Risks & Business Risks
     • Emerging Threats
     • Handling New Technology (Web 2.0, Mobile, Cloud Services)
     PART III – Application Security Program
     • CISO Functions & Application Security
     • S-SDLC
     • Maturity Models
     • Security Strategy
     • OWASP Projects
     PART IV – Metrics For Managing Risks & Application Security Investments
     • Application Security Process Metrics
     • Vulnerability Metrics
     • Security Incident Metrics & Threat Intelligence Reporting
     • S-SDLC Metrics

  22. Final Thanks & Further References
     Acknowledgements: OWASP CISO Guide authors, contributors and reviewers:
     • Tobias Gondrom
     • Eoin Keary
     • Andy Lewis
     • Marco Morana
     • Stephanie Tan
     • Colin Watson
     Further References:
     • OWASP CISO Guide: https://www.owasp.org/images/d/d6/Owasp-ciso-guide.pdf
     • OWASP CISO Survey (to be released in December): https://www.owasp.org/index.php/OWASP_CISO_Survey

  23. Q&A: Questions & Answers
