Copyright © 2004 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.

OWASP AppSec, June 2004, NYC
ISO 17799 Project Review
Stan Guzik, CISSP, MCP, Chief Technology Officer, Immediatech Corp., ISO 17799 Project Lead

What Will Be Covered?
- Background on the ISO 17799 project
- What is information security?
- Information security threats
- Developing security management policies/procedures
- What is ISO 17799?
- ISO 17799 OWASP project details
- Implementation example
- Critical success factors
- OWASP needs your feedback
- References

Background On The ISO 17799 Project
- OWASP's holistic approach to security: Top Ten, Guide, Testing, WebGoat, ISO 17799
- Challenges of today's web applications:
  - Security (confidentiality, integrity, availability)
  - 24x7x365 uptime
  - Fast and easy to use
  - Integration with external systems
  - Fast SDLC due to market pressures
  - Expected to be bug free
  - Customers expect all of this at no or low cost

Background On The ISO 17799 Project (continued)
- Management of web applications in production:
  - Traditional IT organizations are not familiar with web application security management
  - Auditors as head of IT (EDP)
  - Internet-facing applications
  - 20-year-old policies and procedures do not apply
- Benefits of applying ISO 17799:
  - Increased security
  - Increased uptime
  - ROI: less time spent fighting fires
  - Keep your job

What Is Information Security?
- Information is an asset: it has value
- Information protection ensures business continuity, minimizes damage and satisfies legal requirements
- Information forms: electronic, paper, spoken, etc.
- Information preservation:
  - Confidentiality: information is not disclosed to unauthorized subjects
  - Integrity: information is accurate and complete, and is modified only by authorized subjects
  - Availability: authorized subjects are granted access to information when they need it (SLA)
- Information security controls: policies, procedures, practices, organizational structure, and hardware/software

Information Security Threats
- Viruses
- Hackers
- Espionage
- Sabotage
- Vandalism
- Fire
- Flood
- Employee with a big mouth (e.g. HR information)

Information Security Threats (continued)
- Today organizations are more vulnerable:
  - Interconnected public and private networks
  - System complexity makes access control hard to get right
  - Lack of security-conscious developers; focus is on functionality and performance
  - Shorter time to market
- Secure applications must be supplemented with appropriate security management policies/procedures. A secure application alone is not enough:
  - Secure applications running in an unsecured environment
  - Secure applications in a secured environment, but operated insecurely
  - Etc.

Develop Security Management Policies/Procedures
- Legal, regulatory and contractual requirements; due diligence
- Risk assessment: threats to assets, i.e. the likelihood that a threat will occur and its impact on an asset
  - Quantitative risk assessment:
    - Annual Loss Expectancy (ALE): yearly cost of all instances of a specific realized threat against a specific asset: ALE = ARO * SLE
    - Annual Rate of Occurrence (ARO): expected frequency, per year, with which a specific threat will occur (a probability estimate). An ARO below 1 means less than once a year; ARO = 10% means once every ten years on average.
    - Single Loss Expectancy (SLE): cost of a single realized risk against a specific asset: SLE = Asset Value * EF
    - Exposure Factor (EF): fraction of the asset's value lost when the risk is realized
    - Example: denial of service against a web application (missing input validation)
      - Asset value = $2,000,000
      - EF = 20%
      - SLE = $2,000,000 * 20% = $400,000
      - ARO = 10%
      - ALE = 10% * $400,000 = $40,000

OWASP AppSec  Qualitative Risk Assessment –Scenario/Judgment Based –Experience Based …  Risk Assessment Results  Determine the appropriate management actions  Set priorities for managing information security risk  Implement controls to protect against realized risk Develop Security Management Policies/Procedures

OWASP AppSec  Select Appropriate Security Controls  Implement controls to ensure risks are reduced to an acceptable level.  Controls should be selected based on the cost of implementation in relation to the risk being reduced and the potential losses if a security breach occurs. Develop Security Management Policies/Procedures

What Is The ISO 17799 Standard?
- ISO: International Organization for Standardization
- A comprehensive set of controls comprising best practices for information security
- The major, internationally recognized information security standard
- A guideline: guiding principles that provide a good starting point for implementing information security. They are based either on essential legislative requirements or on what is considered common best practice for information security.
- Legislative controls:
  - Data protection and privacy of personal information
  - Safeguarding of organizational records
  - Intellectual property rights
- Best practices:
  - 3.1 Information security policy document
  - Allocation of information security responsibilities
  - Information security education and training
  - Reporting security incidents
  - 11.1 Business continuity management

What Is The ISO 17799 Standard? (continued)
ISO 17799 has 10 sections:
- Security Policy: to provide management direction and support for information security
- Organizational Security: to manage information security within the organization
- Asset Classification and Control: to maintain appropriate protection of organizational assets
- Personnel Security: to reduce the risk of human error, theft, fraud or misuse of facilities
- Physical and Environmental Security: to prevent unauthorized access, damage and interference to business premises and information
- Communications and Operations Management: to ensure the correct and secure operation of information processing facilities
- Access Control: to control access to information
- System Development and Maintenance: to ensure security is built into information systems
- Business Continuity Management: to counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters
- Compliance: to avoid breaches of criminal and civil law and of statutory, regulatory or contractual obligations

ISO 17799 OWASP Project Details
- A documentation project
- A toolbox of sample templates for ISO 17799 policies and procedures
- What exists today:
  - ISO 17799 is a standard, not a tool
  - Not many publicly available templates
  - Commercially licensed templates are of poor quality

Implementation Example
- Operational change control:
  - Inadequate control may cause system or security failures
  - Formal management responsibilities and procedures should be in place
  - Operational programs are subject to strict change control
- Current state of the project:
  - Many templates
  - To do: pull all templates together into a consistent format and publish

Critical Success Factors
- Targeted risk assessment
- Implement good controls
- Use already proven policies and procedures
- Training and awareness
- Get some more sleep at night!

OWASP Needs Your Feedback!
- Send us your templates
- Suggest modifications to existing templates
- Can you get involved?

References
- ISO/IEC 17799:2000(E)
- Ed Tittel, CISSP: Certified Information Systems Security Professional Study Guide
- OWASP ISO 17799 Project