2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs
Marco Morana, Member of OWASP London, Project Lead of the OWASP CISO Guide
Tobias Gondrom, Board member of OWASP London, Project Lead of the OWASP CISO Survey & Report

Presentation transcript:

2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs
Marco Morana, Member of OWASP London, Project Lead of the OWASP CISO Guide
Tobias Gondrom, Board member of OWASP London, Project Lead of the OWASP CISO Survey & Report

About Me: Marco Morana
I am currently risk and control manager (SVP) and head of the application architecture security program globally for one of the largest Financial Institutions (FI) in the world, in London, U.K. I am also a technical advisor for a security technology start-up and a contributor to EU projects for cyber security. During my 15+ years of distinguished career in security, I specialized in application and software security consulting services for major Fortune 500 companies and contributed to the secure design of business-critical applications and security tools. Among my notable contributions in application security are the development of the first secure e-mail application with S/MIME (1996) and the first Intrusion Detection System (IDS) tool (1998). My current interests are in the research of cyber threat analysis and attack modeling processes, and processes to better manage the risk of emerging cyber threats. My academic credentials include a Master's Degree in Computer Systems Engineering from Northwestern Polytechnic University and an Engineering Doctorate Degree (Dr. Ing.) in Mechanical Engineering from the University of Padova, Italy. I am also a Certified Software Security Lifecycle Professional (CSSLP).
Hosted by OWASP & the NYC Chapter

About Me: Tobias Gondrom
– 15 years information security experience (Global Head of Security, CISO, CTO); CISSP, CSSLP, CCISO
– 12 years management of application development
– Sloan Fellow M.Sc., London Business School
– Thames Stanley: Managing Director, CISO Advisory, Information Security & Risk Management, Research and Advisory
– Author of Internet Standards on Secure Archiving, CISO training, and co-author of the OWASP CISO Guide
– Chair of the IETF Web Security Working Group; Member of the IETF Security Directorate
– Cloud Security Alliance, Hong Kong chapter board
– London OWASP chapter board member
– OWASP Project Leader for the CISO Survey & Report

Agenda
1. Application Security Guide For CISOs: Developer – CISO gap; Initial Goals; Development Plan
2. CISO Survey & Report 2013: Methodology; First results
3. Application Security Guide For CISOs: Does the CISO need Guidance?; The OWASP release

Application Security: What Do Software Developers and Information Security (IS) Managers Say?
Application Security Views: Developers vs. Managers
1. Are applications secure? Developers largely say applications are not secure, while security professionals are much more optimistic.
2. Do we have an S-SDLC? 80% of developers vs. 64% of IS managers say there is NO build-security-in process (S-SDLC).
3. Are applications compliant? 15% of developers vs. 12% of IS managers say their applications MEET security regulations.
4. Have applications been breached in the past? 68% of developers vs. 47% of IS managers say their applications HAD a security breach in the last two years.
5. Did you receive application security training? 50% of developers and IS managers say they did NOT have application security training.
Source:

How Can We Bridge the Software Developer – IS Manager Application Security Awareness Gaps?
Bridging the gap between Software Developers and Information Security Managers: the Application Security Guide for CISOs
1. Increase Visibility: to application security stakeholders, and IS managers in particular
2. Provide Guidance: for adopting application security programs and an S-SDLC
3. Meet Compliance Requirements: with IS policies, standards, privacy laws and regulations
4. Focus on Risk: awareness of security incidents, threats targeting applications, and the business impacts
5. Measure & Report: management of application security programs & risks
6. Roll out Security Training: for S/W developers & managers

How We Develop the App. Sec. Guide for CISOs: Development Plan
STAGE I: Presented the OWASP Application Security Guide draft and survey draft, socialized to OWASP chapters in Atlanta, London and New York (Nov 2012)
STAGE II: Initiated a campaign targeting CISOs to participate in a CISO survey (Jan–July 2013)
STAGE III: Analyzed data from the survey and compiled preliminary results, presented at AppSec EU (August 2013)
STAGE IV: Final results of the survey incorporated into the CISO Guide; tailored and reformatted content (Sept–Oct 2013)
STAGE V: Presenting the first release of the CISO Guide and survey at AppSec USA (Nov 2013)

Agenda: CISO Survey & Report 2013 – Methodology; First results

CISO Survey: Methodology
Phase 1: Online survey sent to CISOs and Information Security Managers
Phase 2: Followed by selective personal interviews
More than 100 replies from CISOs from various industries…
First Results: Sneak preview of the results today…

CISO Survey: External threats are on the rise!
(Chart comparing:)
– External attacks or fraud (e.g., phishing, website attacks)
– Internal attacks or fraud (e.g., abuse of privileges, theft of information)

CISO Survey: Main areas of risk

CISO Survey & Report 2013: Change in the threats

CISO Survey & Report 2013: Top five sources of application security risk within your organization
1. Lack of awareness of application security issues within the organization
2. Insecure source code development
3. Poor/inadequate testing methodologies
4. Lack of budget to support application security initiatives
5. Third-party suppliers and outsourcing (e.g., lack of security, lack of assurance)

CISO Survey & Report 2013: Investments in Security

CISO Survey & Report 2013: Top application security priorities for the coming 12 months
1. Security awareness and training for developers
2. Security testing of applications (penetration testing)
3. Secure development lifecycle processes (e.g., secure coding, QA process)

CISO Survey & Report 2013: Security Strategy
Only 27% believe their current application security strategy adequately addresses the risks associated with the increased use of social networking, personal devices, or cloud.
Most organisations define the strategy for 1 or 2 years:

Time Horizon    Percent
3 months        9.3%
6 months        9.3%
1 year          37.0%
2 years         27.8%
3 years         11.1%
5 years+        5.6%

CISO Survey & Report 2013: Security Strategy
Benefits of a security strategy for application security investments.
Analysis for correlations with:
– Recent security breach
– Has an ASMS
– Company size
– Role (i.e. CISO)
– Has a Security Strategy
– Time horizon of security strategy (2 years)

CISO Survey & Report 2013: ASMS

CISO Survey & Report 2013: Top five challenges related to effectively delivering your organization's application security initiatives
1. Availability of skilled resources
2. Level of security awareness by the developers
3. Management awareness and sponsorship
4. Adequate budget
5. Organizational change

CISO Survey & Report 2013: CISOs found the following OWASP projects most useful for their organizations (note: we did not have a full list of all 160 active projects)
– OWASP Top 10
– Cheat Sheets
– Development Guide
– Secure Coding Practices Quick Reference
– Application Security FAQ

Agenda: Application Security Guide For CISOs – Where We Are And What Comes Next (Does the CISO need Guidance?; The OWASP release)

Does the CISO Need Guidance?
CISO: I need to make sure our apps comply with PCI-DSS and the OWASP Top Ten. I am asking the business to budget an application security program and S-SDLC for 2014.
Business Executive: Can you determine how much we need to invest in this program? Do you have a plan and a documented proposal/business case?
Engineering Manager: Can we budget for secure coding training and security tools for S/W developers as well?
Risk Manager: Can you justify this budget from a risk management perspective? How does this program help reduce the risks of security breaches we had in the past?
Security Testing Manager: Can we include budget for security testing tools and training for security testers?

Application Security Guide for CISOs
PART I – Reasons For Investing in Application Security: Meeting Compliance; Risk Reduction Strategies; Minimize Risk of Incidents; Costs & Benefits of Security Measures
PART II – Criteria For Managing Security Risks: Technical Risks & Business Risks; Emerging Threats; Handling New Technology (Web 2.0, Mobile, Cloud Services)
PART III – Application Security Program: CISO Functions & Application Security; S-SDLC; Maturity Models; Security Strategy; OWASP Projects
PART IV – Metrics For Managing Risks & Application Security Investments: Application Security Process Metrics; Vulnerability Metrics; Security Incident Metrics & Threat Intelligence Reporting; S-SDLC Metrics

Final Thanks & Further References
Acknowledgements: OWASP CISO Guide authors, contributors and reviewers: Tobias Gondrom, Eoin Keary, Andy Lewis, Marco Morana, Stephanie Tan, Colin Watson
Further References:
OWASP CISO Guide:
OWASP CISO Survey (to be released in December):

Q&A: Questions & Answers