2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs
Marco Morana, Member of OWASP London, Project Lead of the OWASP CISO Guide
Tobias Gondrom, Board member of OWASP London, Project Lead of the OWASP CISO Survey & Report
Hosted by OWASP & the NYC Chapter
Agenda
• Application Security Guide For CISOs
  • Developer – CISO gap
  • Initial Goals
  • Development Plan
• CISO Survey & Report 2013
  • Methodology
  • First results
• Application Security Guide For CISOs
  • Does the CISO need Guidance?
  • The OWASP release
Application Security: What Software Developers and Information Security (IS) Managers Say
Application Security Views: Developers vs. Managers
1. Are applications secure? Developers largely say applications are not secure, while security professionals are much more optimistic
2. Do we have an S-SDLC? 80% of developers vs. 64% of IS managers say there is NO build-security-in process (S-SDLC)
3. Are applications compliant? 15% of developers vs. 12% of IS managers say their applications MEET security regulations
4. Have applications been breached in the past? 68% of developers vs. 47% of IS managers say their applications HAD a security breach in the last two years
5. Did you receive application security training? 50% of developers and IS managers say they did NOT have application security training
Source: http://www.pcadvisor.co.uk/news/network-wifi/3345773/developers-say-application-security-lacking/#ixzz2Vj0QCALy
How Can We Bridge the Software Developer – IS Manager Application Security Awareness Gaps?
Bridging the gap
Diagram: Software Developers <-> Application Security Guide for CISOs <-> Information Security Managers (the guide sits between the two audiences)
1. Increase Visibility: to application security stakeholders and IS managers in particular
2. Provide Guidance: for adopting application security programs and an S-SDLC
3. Meet Compliance Requirements: with IS policies, standards, privacy laws and regulations
4. Focus on Risk: awareness of security incidents, threats targeting applications and the business impacts
5. Measure & Report: management of application security programs & risks
6. Roll out Security Training: for S/W developers & managers
How We Develop the App. Sec. Guide for CISOs
Development Plan
STAGE I: Presented the OWASP Application Security Guide draft and survey draft, socialized to the OWASP chapters in Atlanta, London and New York (Nov 2012)
STAGE II: Initiated a campaign targeting CISOs to participate in a CISO survey (Jan-July 2013)
STAGE III: Analyzed data from the survey and compiled preliminary results, presented at AppSec EU (August 2013)
STAGE IV: Final results of the survey incorporated into the CISO guide; content tailored and reformatted (Sept-Oct 2013)
STAGE V: Presenting the first release of the CISO guide and survey at AppSec USA (Nov 2013)
Agenda: CISO Survey & Report
• Methodology
  • Phase 1: Online survey sent to CISOs and Information Security Managers
  • Phase 2: Followed by selective personal interviews
  • More than 100 replies from CISOs from various industries
• First Results: Sneak preview of the results today
CISO Survey
CISO Survey: External threats are on the rise!
External attacks or fraud (e.g., phishing, website attacks): Increase 85%; Same 13%; Decrease 2%
Internal attacks or fraud (e.g., abuse of privileges, theft of information): Increase 17%; Same 71%; Decrease 12%
CISO Survey: Main areas of risk
Chart: What are the main areas of risk for your organisation (in % out of 100%)? Categories: Infrastructure, Application, Other.
CISO Survey & Report 2013: Change in the threats
Compared to 12 months ago, do you see a change in these areas?
Infrastructure: Increase 39%; Same 52%; Decrease 9%
Application: Increase 67%; Same 33%; Decrease 0%
CISO Survey & Report 2013
Top five sources of application security risk within your organization:
• Lack of awareness of application security issues within the organization
• Insecure source code development
• Poor/inadequate testing methodologies
• Lack of budget to support application security initiatives
• Third-party suppliers and outsourcing (e.g., lack of security, lack of assurance)
CISO Survey & Report 2013: Investments in Security
Change in the organization's annual investment in security, by area:
Application security: Increase 47%; Same 40%; Decrease 13%
Infrastructure security: Increase 38%; Same 52%; Decrease 10%
CISO Survey & Report 2013
Top application security priorities for the coming 12 months:
• Security awareness and training for developers
• Security testing of applications (penetration testing)
• Secure development lifecycle processes (e.g., secure coding, QA process)
Security Strategy:
• Only 27% believe their current application security strategy adequately addresses the risks associated with the increased use of social networking, personal devices, or cloud
• Most organisations define the strategy for 1 or 2 years:
CISO Survey & Report 2013: Security Strategy
Time Horizon   Percent
3 months       9.3%
6 months       9.3%
1 year         37.0%
2 years        27.8%
3 years        11.1%
5 years+       5.6%
Benefits of a security strategy for application security investments:
CISO Survey & Report 2013: Security Strategy
Chart: Correlation between investments in Application Security and a 2-year Application Security Strategy (series: App, App (2y), App (not 2y); responses Increase / Same / Decrease)
Analysis for correlations with:
- Recent security breach
- Has an ASMS
- Company size
- Role (i.e. CISO)
- Has a Security Strategy
- Time horizon of security strategy (2 years)
CISO Survey & Report 2013: ASMS
Chart: Application Security Management System (ASMS) or Maturity Model (e.g., OWASP SAMM); response shares 4.0%, 6.7%, 13.3%, 41.3%, 34.7% (answer categories not labelled in this extract)
CISO Survey & Report 2013
Top five challenges related to effectively delivering your organization's application security initiatives:
• Availability of skilled resources
• Level of security awareness by the developers
• Management awareness and sponsorship
• Adequate budget
• Organizational change
CISO Survey & Report 2013
CISOs found the following OWASP projects most useful for their organizations (note: the survey did not offer a full list of all 160 active projects):
• OWASP Top-10
• Cheatsheets
• Development Guide
• Secure Coding Practices Quick Reference
• Application Security FAQ
Agenda: Where We Are And What Comes Next
Does the CISO Need Guidance?
CISO: I need to make sure our apps comply with PCI-DSS and the OWASP Top Ten. I am asking the business to budget an application security program and S-SDLC for 2014.
Business Executive: Can you determine how much we need to invest in this program? Do you have a plan and a documented proposal/business case?
Engineering Manager: Can we budget for secure coding training and security tools for S/W developers as well?
Risk Manager: Can you justify this budget from a risk management perspective? How does this program help reduce the risk of the security breaches we had in the past?
Security Testing Manager: Can we include budget for security testing tools and training for security testers?
Application Security Guide for CISOs
PART I – Reasons For Investing in Application Security
• Meeting Compliance
• Risk Reduction Strategies
• Minimize Risk of Incidents
• Costs & Benefits of Security Measures
PART II – Criteria For Managing Security Risks
• Technical Risks & Business Risks
• Emerging Threats
• Handling New Technology (Web 2.0, Mobile, Cloud Services)
PART III – Application Security Program
• CISO Functions & Application Security
• S-SDLC
• Maturity Models
• Security Strategy
• OWASP Projects
PART IV – Metrics For Managing Risks & Application Security Investments
• Application Security Process Metrics
• Vulnerability Metrics
• Security Incident Metrics & Threat Intelligence Reporting
• S-SDLC Metrics
Final Thanks & Further References
Acknowledgements: OWASP CISO Guide authors, contributors and reviewers:
• Tobias Gondrom
• Eoin Keary
• Any Lewis
• Marco Morana
• Stephanie Tan
• Colin Watson
Further References:
• OWASP CISO Guide: https://www.owasp.org/images/d/d6/Owasp-ciso-guide.pdf
• OWASP CISO Survey (to be released in December): https://www.owasp.org/index.php/OWASP_CISO_Survey
Q&A: Questions & Answers