Application Security Guide for CISO and Survey Reboot
Marco M. Morana, CISO Guide Project Lead
Application Security Guide for CISO and Survey Reboot Project Summit Session(s)
Agenda
2013 OWASP CISO GUIDE
• Why we developed version 1
• Roadmap for version 1
• Main Themes

2013 OWASP CISO SURVEY
• What matters to CISOs
• OWASP CISO Survey 2013-2014

2018 OWASP CISO GUIDE VERSION 2
• Discussions at OWASP Summit in London
• Outcomes of Discussion
• Roadmap for development of version 2 of GUIDE + survey
CISO Guide Version 1 (2013)
OWASP CISO Guide authors, contributors and reviewers:
• Tobias Gondrom
• Eoin Keary
• Andy Lewis
• Marco Morana
• Stephanie Tan
• Colin Watson

• OWASP CISO Guide: https://www.owasp.org/images/d/d6/Owasp-ciso-guide.pdf
• OWASP CISO Survey: https://www.surveymonkey.com/s/CISO2013Survey
Pen-Testing Team Manager: Can we include budget for security testing tools and training for security testers?
CISO: I need to make sure our apps comply with PCI-DSS and OWASP Top Ten. I am asking the business to budget an application security program and S-SDLC.
Engineering Manager: Can we budget for secure coding training and security tools for S/W developers as well?
Business Manager: Can you justify this budget from a risk management perspective? How does this program help reduce the risks of security breaches we had in the past?
Why We Developed the CISO Guide Version 1 (2013)
STEP 1: Discuss OWASP Application Security Guide Goals & Questions for Survey
STEP 2: Enroll CISOs to participate in a CISO survey
STEP 3: Gather the Answers and analyze the survey
STEP 4: Change the guide to align to the results of the survey
STEP 5: Present releases
Application Security Guide For CISO and Survey Roadmap for Version 1 (2013)
Main Themes For Version 1
PART I – Reasons For Investing in Application Security: Meeting Compliance; Risk Reduction Strategies; Minimize Risk of Incidents; Costs & Benefits of Security Measures
PART II – Criteria For Managing Security Risks: Technical Risks & Business Risks; Emerging Threats; Handling New Technology (Web 2.0, Mobile, Cloud Services)
PART III – Application Security Program: CISO Functions & Application Security; S-SDLC; Maturity Models; Security Strategy; OWASP Projects
PART IV – Metrics For Managing Risks & Application Security Investments: Application Security Process Metrics; Vulnerability Metrics; Security Incident Metrics & Threat Intelligence Reporting; S-SDLC Metrics
What Can Security Professionals Learn From Web Application Developers?
What Matters to CISOs? .. CISO Survey(s)
Sources: Deloitte and the National Association of State CIOs (NASCIO) are sharing the results of a joint Cyber Security Survey, finding that State Chief Information Security Officers (CISOs) in 2010
OWASP 2013 CISO Survey 1/7
[Chart: Change in the threats facing your organization; response options Increase / Same / Decrease / Don't Know; series: External attacks or fraud (e.g., phishing, website attacks); Internal attacks or fraud (e.g., abuse of privileges, theft of information)]
2013 OWASP CISO Survey 2/7
[Chart: What are the main areas of risk for your organisation in % out of 100%? Series: Infrastructure / Application / Other]
2013 OWASP CISO Survey 3/7
[Chart: Change compared to 12 months ago; response options Increase / Same / Decrease / Don't Know; series: Infrastructure / Application / Other]
2013 OWASP CISO Survey 4/7
[Chart: Company's annual investment in security, for Application Security / Infrastructure Security / Other; response options: Decreasing; Relatively constant; Increasing as a percentage of total expenditures]
2013 OWASP CISO Survey 5/7
[Chart (0%–45%): Application Security Management System (ASMS) or Maturity Model (e.g., OWASP SAMM)]
2013 OWASP CISO Survey 6/7
Security Strategy:
• Only 27% believe their current application security strategy adequately addresses the risks associated with the increased use of social networking, personal devices, or cloud
• Most organisations define the strategy for 1 or 2 years:

Time Horizon   Percent
3 months        9.3%
6 months        9.3%
1 year         37.0%
2 years        27.8%
3 years        11.1%
5 years+        5.6%
2017 OWASP Summit London UK
Vs. 2 Guide Contents: What Was Discussed
It was..
1. Make OWASP Resources More Visible to CISOs
2. Practices for Built-In Software Security into Processes, Testing Tools and Training
3. How to derive security requirements for compliance with Standards and Policies
4. How to Prioritize Vulnerability Management Based Upon Risks of Threats, Vulnerabilities and Attacks/Exploits
5. Guidance on How to Align Application Security Strategy with IT Strategy
6. How to factor emerging technology risks
7. How to Communicate Risks to Business Including Threats, Vulnerabilities (OWASP T10) and Impacts
Could be:
1. Incorporate reference to outcomes of 2017 Summit CISO track
2. Expand to include new tools/technologies such as RASP
3. Expand to include compliance with GDPR
4. Expand on new emerging technology risks and provide risk Mitigation Guidance (e.g. APIs and Micro-services, Biometrics)
5. Expand on Risk Mgmt. Strategies For Vendors, Provisioning, Supply-Chain Risks
6. Expand on new evolving threats facing web Applications (e.g. 0-day exploits)
7. Add reference to handbooks and playbooks for CISO's managed process
Vs. 2 Survey Contents: What Was Discussed
It was..
1. Do you worry more about External Threats (e.g., phishing, website attacks) or Internal Threats (e.g., abuse of privileges, theft of information)?
2. What are the main areas of risk for your organisation in % out of 100%?
3. Compared to 12 months ago, do you see a change in application security vs I/F (infrastructure) threats?
4. Do you have a cyber-security strategy? If YES, how many years does this strategy cover?
5. Have you implemented a Maturity Model (e.g., OWASP SAMM)?
It could be (as suggestions):
1. Which among the organization's IT assets, networks or applications are considered more at risk of cyber-attacks?
2. Does your organization have a cyber-threat intelligence program and attack monitoring/alert process?
3. Has your organization adopted an S-SDLC? If yes, which one? Does it include threat modeling?
4. Is application security seen as an investment or as a cost by your organization?
5. Does your planning of application security follow a long-term strategy (at least two years)?
PLEASE WRITE DOWN YOURS
2017 OWASP Summit: CISO Guide Outcomes
2017 OWASP Summit: CISO Survey Outcomes
2018 OWASP CISO Guide & Survey: Next Steps
Roadmap, Status and Goals/Objectives:
1. Reboot the project (at AppSec USA 2017 Project Summit)
2. Reactivate OWASP CISO mailing list (done)
3. Create new version 2, wiki, GitHub repository (in progress)
4. Develop the contents in Q4 as being discussed at OWASP Summit in London back in June (in progress)
5. In synch, create a 2018 CISO survey in Q4 to be used in 2018 Q1 to gather answers from CISOs at chapter meetings, CISO summits using SurveyMonkey lists (not started yet)
6. Main goal is to develop the first draft of version 1 by Q1 2018 and a reviewed version by Q2 2018