Marco M. Morana, CISO Guide Project Lead
Application Security Guide for CISO and Survey Reboot Project Summit Session(s)
Agenda
2013 OWASP CISO GUIDE
• Why we developed version 1
• Roadmap for version 1
• Main Themes
2013 OWASP CISO SURVEY
• What matters to CISOs
• OWASP CISO Survey 2013-2014
2018 OWASP CISO GUIDE VERSION 2
• Discussions at OWASP Summit in London
• Outcomes of Discussion
• Roadmap for development of version 2 of GUIDE + survey
CISO Guide Version 1 (2013)
OWASP CISO Guide authors, contributors and reviewers:
• Tobias Gondrom
• Eoin Keary
• Andy Lewis
• Marco Morana
• Stephanie Tan
• Colin Watson
• OWASP CISO Guide: https://www.owasp.org/images/d/d6/Owasp-ciso-guide.pdf
• OWASP CISO Survey: https://www.surveymonkey.com/s/CISO2013Survey
Why We Developed the CISO Guide Version 1 (2013)
Pen-Testing Team Manager: Can we include budget for security testing tools and training for security testers?
CISO: I need to make sure our apps comply with PCI-DSS and the OWASP Top Ten. I am asking the business to budget an application security program and S-SDLC.
Engineering Manager: Can we budget for secure coding training and security tools for S/W developers as well?
Business Manager: Can you justify this budget from a risk management perspective? How does this program help reduce the risk of the security breaches we had in the past?
Application Security Guide For CISO and Survey Roadmap for Version 1 (2013)
STEP 1: Discuss OWASP Application Security Guide Goals & Questions for Survey
STEP 2: Enroll CISOs to participate in a CISO survey
STEP 3: Gather the answers and analyze the survey
STEP 4: Change the guide to align to the results of the survey
STEP 5: Present releases
Main Themes For Version 1
PART I – Reasons For Investing in Application Security: Meeting Compliance; Risk Reduction Strategies; Minimize Risk of Incidents; Costs & Benefits of Security Measures
PART II – Criteria For Managing Security Risks: Technical Risks & Business Risks; Emerging Threats; Handling New Technology (Web 2.0, Mobile, Cloud Services)
PART III – Application Security Program: CISO Functions & Application Security; S-SDLC; Maturity Models; Security Strategy; OWASP Projects
PART IV – Metrics For Managing Risks & Application Security Investments: Application Security Process Metrics; Vulnerability Metrics; Security Incident Metrics & Threat Intelligence Reporting; S-SDLC Metrics
What Can Security Professionals Learn From Web Application Developers?
What Matters to CISOs? .. CISO Survey(s)
Sources: Deloitte and the National Association of State CIOs (NASCIO) are sharing the results of a joint Cyber Security Survey, finding that State Chief Information Security Officers (CISOs) in 2010
OWASP 2013 CISO Survey 1/7
[Chart: Change in the threats facing your organization. Responses: Increase / Same / Decrease / Don't Know. Series: External attacks or fraud (e.g., phishing, website attacks); Internal attacks or fraud (e.g., abuse of privileges, theft of information). Vertical axis 0 to 90.]
2013 OWASP CISO Survey 2/7
[Chart: What are the main areas of risk for your organisation in % out of 100%? Categories: Infrastructure / Application / Other. Axes: count 0 to 30; share 0% to 100%.]
2013 OWASP CISO Survey 3/7
[Chart: Change compared to 12 months ago. Responses: Increase / Same / Decrease / Don't Know. Series: Infrastructure / Application / Other. Vertical axis 0 to 80.]
2013 OWASP CISO Survey 4/7
[Chart: Company's annual investment in security. Series: Application Security is / Infrastructure Security is / Other. Responses: Decreasing / Relatively constant / Increasing as a percentage of total expenditures. Vertical axis 0 to 50.]
2013 OWASP CISO Survey 5/7
[Chart: Application Security Management System (ASMS) or Maturity Model (e.g., OWASP SAMM). Axis 0.00% to 45.00%.]
2013 OWASP CISO Survey 6/7
Security Strategy:
• Only 27% believe their current application security strategy adequately addresses the risks associated with the increased use of social networking, personal devices, or cloud
• Most organisations define the strategy for 1 or 2 years:
  Time Horizon   Percent
  3 months       9.3%
  6 months       9.3%
  1 year         37.0%
  2 years        27.8%
  3 years        11.1%
  5 years+       5.6%
2017 OWASP Summit London UK
Vs. 2 Guide Contents: What Was Discussed
It was..
1. Make OWASP Resources More Visible to CISOs
2. Practices for Built-In Software Security into Processes, Testing Tools and Training
3. How to derive security requirements for compliance with Standards and Policies
4. How to Prioritize Vulnerability Management Based Upon Risks of Threats, Vulnerabilities and Attacks/Exploits
5. Guidance on How to Align Application Security Strategy with IT Strategy
6. How to factor emerging technology risks
7. How to Communicate Risks to Business Including Threats, Vulnerabilities (OWASP T10) and Impacts
Could be:
1. Incorporate reference to outcomes of 2017 Summit CISO track
2. Expand to include new tools/technologies such as RASP
3. Expand to include compliance with GDPR
4. Expand on new emerging technology risks and provide risk Mitigation Guidance (e.g. APIs and Micro-services, Biometrics)
5. Expand on Risk Mgmt. Strategies For Vendors, Provisioning, Supply-Chain Risks
6. Expand on new evolving threats facing web Applications (e.g. 0-day exploits)
7. Add reference to handbooks and playbooks for CISO's managed process
Vs. 2 Survey Contents: What Was Discussed
It was..
1. Do you worry more about External Threats (e.g., phishing, website attacks) or Internal Threats (e.g., abuse of privileges, theft of information)?
2. What are the main areas of risk for your organisation in % out of 100%?
3. Compared to 12 months ago, do you see a change in application security vs I/F threats?
4. Do you have a cyber-security strategy? If YES, how many years does this strategy cover?
5. Have you implemented a Maturity Model (e.g., OWASP SAMM)?
It could be (as suggestions):
1. Which among the organization's IT assets, networks or applications are considered more at risk of cyber-attacks?
2. Does your organization have a cyber-threat intelligence program and attack monitoring/alert process?
3. Has your organization adopted an S-SDLC? If yes, which one? Does it include threat modeling?
4. Is application security seen as an investment or as a cost by your organization?
5. Does your planning of application security follow a long-term strategy (at least two years)?
PLEASE WRITE DOWN YOURS
2017 OWASP Summit: CISO Guide Outcomes
2017 OWASP Summit: CISO Survey Outcomes
2018 OWASP CISO Guide & Survey: Next Steps
Roadmap, Status and Goals/Objectives:
1. Reboot the project (at AppSec USA 2017 Project Summit)
2. Reactivate OWASP CISO mailing list (done)
3. Create new version 2, wiki, GitHub repository (in progress)
4. Develop the contents in Q4 as discussed at the OWASP Summit in London back in June (in progress)
5. In sync, create a 2018 CISO survey in Q4 to be used in 2018 Q1 to gather answers from CISOs at chapter meetings and CISO summits using SurveyMonkey lists (not started yet)
6. Main goal is to develop the first draft of version 1 by Q1 2018 and a reviewed version by Q2 2018