Page 1: 2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs

Marco Morana, Member of OWASP London, Project Lead of the OWASP CISO Guide
Tobias Gondrom, Board member of OWASP London, Project Lead of the OWASP CISO Survey & Report

Page 2: Agenda

• Application Security Guide For CISOs
  • Developer – CISO gap
  • Initial Goals
  • Development Plan
• CISO Survey & Report 2013
  • Methodology
  • First results
• Application Security Guide For CISOs
  • Does the CISO need Guidance?
  • The OWASP release

Hosted by OWASP & the NYC Chapter

Page 3: Application Security Views: Developers vs. Managers

• Application Security: what do software developers and Information Security (IS) managers say?

1. Are applications secure? Developers largely say applications are not secure, while security professionals are much more optimistic.

2. Do we have an S-SDLC? 80% of developers vs. 64% of IS managers say there is NO build-security-in process (S-SDLC).

3. Are applications compliant? 15% of developers vs. 12% of IS managers say their applications MEET security regulations.

4. Have applications been breached in the past? 68% of developers vs. 47% of IS managers say their applications HAD a security breach in the last two years.

5. Did you receive application security training? 50% of developers and IS managers say they did NOT have application security training.

Source: http://www.pcadvisor.co.uk/news/network-wifi/3345773/developers-say-application-security-lacking/#ixzz2Vj0QCALy

Page 4: Bridging the gap

• How can we bridge the application security awareness gaps between software developers and IS managers?

[Diagram: Software Developers / Application Security Guide for CISO / Information Security Managers]

1. Increase Visibility: to application security stakeholders, and IS managers in particular

2. Provide Guidance: for adopting application security programs and an S-SDLC

3. Meet Compliance Requirements: with IS policies, standards, privacy laws and regulations

4. Focus on Risk: awareness of security incidents, threats targeting applications, and the business impacts

5. Measure & Report: management of application security programs & risks

6. Roll out Security Training: for S/W developers & managers

Page 5: Development Plan

How we develop the Application Security Guide for CISOs:

STAGE I: Presented the OWASP Application Security Guide draft and survey draft, socialized to OWASP chapters in Atlanta, London and New York (Nov 2012)

STAGE II: Initiated a campaign targeting CISOs to participate in a CISO survey (Jan-July 2013)

STAGE III: Analyzed data from the survey and compiled preliminary results, presented at AppSec EU (August 2013)

STAGE IV: Final results of the survey incorporated into the CISO guide; content tailored and reformatted (Sept-Oct 2013)

STAGE V: Presenting the first release of the CISO guide and survey at AppSec USA (Nov 2013)

Page 6: Agenda: CISO Survey & Report

Page 7: CISO Survey

• Methodology
  • Phase 1: Online survey sent to CISOs and Information Security Managers
  • Phase 2: Followed by selective personal interviews
  • More than 100 replies from CISOs from various industries…
• First Results: Sneak preview of the results today…

Page 8: CISO Survey: External threats are on the rise!

                                                                             Increase  Same  Decrease
External attacks or fraud (e.g., phishing, website attacks)                     85%    13%      2%
Internal attacks or fraud (e.g., abuse of privileges, theft of information)     17%    71%     12%

Page 9: CISO Survey: Main areas of risk

[Chart: "What are the main areas of risk for your organisation, in % out of 100%?" Series: Infrastructure, Application, Other. Bar values not preserved.]

Page 10: CISO Survey & Report 2013: Change in the threats

Compared to 12 months ago, do you see a change in these areas?

                 Increase  Same  Decrease
Infrastructure      39%    52%      9%
Application         67%    33%      0%

Page 11: CISO Survey & Report 2013

Top five sources of application security risk within your organization:

• Lack of awareness of application security issues within the organization
• Insecure source code development
• Poor/inadequate testing methodologies
• Lack of budget to support application security initiatives
• Third-party suppliers and outsourcing (e.g., lack of security, lack of assurance)

Page 12: CISO Survey & Report 2013: Investments in Security

Aspects of the organization's annual investment in security:

        Increase  Same  Decrease
App        47%    40%     13%
Infra      38%    52%     10%

Page 13: CISO Survey & Report 2013

Top application security priorities for the coming 12 months:

• Security awareness and training for developers
• Security testing of applications (penetration testing)
• Secure development lifecycle processes (e.g., secure coding, QA process)

Page 14: CISO Survey & Report 2013: Security Strategy

• Security Strategy:
  • Only 27% believe their current application security strategy adequately addresses the risks associated with the increased use of social networking, personal devices, or cloud
  • Most organisations define the strategy for 1 or 2 years:

Time Horizon   Percent
3 months        9.3%
6 months        9.3%
1 year         37.0%
2 years        27.8%
3 years        11.1%
5 years+        5.6%

Page 15: CISO Survey & Report 2013: Security Strategy

Benefits of a security strategy for application security investments:

[Chart: Correlation between investments in Application Security and a 2-year Application Security Strategy. Series: App, App (2y), App (not 2y). Categories: Increase, Same, Decrease. Bar values not preserved.]

Analysis for correlations with:
- Recent security breach
- Has an ASMS
- Company size
- Role (i.e. CISO)
- Has a Security Strategy
- Time horizon of security strategy (2 years)

Page 16: CISO Survey & Report 2013: ASMS

[Chart: Application Security Management System (ASMS) or Maturity Model (e.g., OWASP SAMM). Bar values as extracted: 4.00%, 6.70%, 13.30%, 41.30%, 34.70%; category labels not preserved.]

Page 17: CISO Survey & Report 2013

Top five challenges related to effectively delivering your organization's application security initiatives:

• Availability of skilled resources
• Level of security awareness by the developers
• Management awareness and sponsorship
• Adequate budget
• Organizational change

Page 18: CISO Survey & Report 2013

CISOs found the following OWASP projects most useful for their organizations (note: we did not have a full list of all 160 active projects):

• OWASP Top-10
• Cheatsheets
• Development Guide
• Secure Coding Practices Quick Reference
• Application Security FAQ

Page 19: Agenda: Where We Are And What Comes Next

Page 20: Does the CISO Need Guidance?

CISO: I need to make sure our apps comply with PCI-DSS and the OWASP Top Ten. I am asking the business to budget an application security program and S-SDLC for 2014.

Business Executive: Can you determine how much we need to invest in this program? Do you have a plan and a documented proposal/business case?

Engineering Manager: Can we budget for secure coding training and security tools for S/W developers as well?

Risk Manager: Can you justify this budget from a risk management perspective? How does this program help reduce the risks of the security breaches we had in the past?

Security Testing Manager: Can we include budget for security testing tools and training for security testers?

Page 21: Application Security Guide for CISOs

PART I – Reasons For Investing in Application Security
Meeting Compliance; Risk Reduction Strategies; Minimize Risk of Incidents; Costs & Benefits of Security Measures

PART II – Criteria For Managing Security Risks
Technical Risks & Business Risks; Emerging Threats; Handling New Technology (Web 2.0, Mobile, Cloud Services)

PART III – Application Security Program
CISO Functions & Application Security; S-SDLC; Maturity Models; Security Strategy; OWASP Projects

PART IV – Metrics For Managing Risks & Application Security Investments
Application Security Process Metrics; Vulnerability Metrics; Security Incident Metrics & Threat Intelligence Reporting; S-SDLC Metrics

Page 22: Final Thanks & Further References

Acknowledgements: OWASP CISO Guide authors, contributors and reviewers:
• Tobias Gondrom
• Eoin Keary
• Any Lewis
• Marco Morana
• Stephanie Tan
• Colin Watson

Further References:
• OWASP CISO Guide: https://www.owasp.org/images/d/d6/Owasp-ciso-guide.pdf
• OWASP CISO Survey (to be released in December): https://www.owasp.org/index.php/OWASP_CISO_Survey

Page 23: Q&A

Questions & Answers