Page 1

Marco M. Morana, OWASP CISO Guide Project Lead

Application Security Guide for CISO & Survey Version 2, 2018 Edition

Project Updates


Page 2

Agenda

2013 OWASP CISO GUIDE VERSION 1
•  Why we developed it
•  Main themes
•  Lessons learned from the OWASP CISO Survey 2013-2014

Planned 2018 OWASP CISO GUIDE VERSION 2
•  CISO discussions at the 2017 OWASP Summit in London
•  Outcomes of the CISO track discussions
•  Roadmap for the update to version 2 (+ mini CISO survey)

Page 3

CISO Guide Version 1 (2013)

OWASP CISO Guide authors, contributors and reviewers:
•  Tobias Gondrom
•  Eoin Keary
•  Andy Lewis
•  Marco Morana
•  Stephanie Tan
•  Colin Watson

•  OWASP CISO Guide: https://www.owasp.org/images/d/d6/Owasp-ciso-guide.pdf
•  OWASP CISO Survey: https://www.surveymonkey.com/s/CISO2013Survey

Page 4

Why We Developed the CISO Guide Version 1 (2013)

CISO: "I need to make sure our apps comply with PCI-DSS and OWASP Top Ten. I need to initiate a Security in SDLC program and activities such as threat modeling and secure code reviews."

DevOps Manager: "Can we include secure coding training for S/W developers?"

Business/Product Manager: "Can we align this with our project cycle? What will be the impact on releases?"

Page 5

Main Themes For CISO Guide Version 1

PART I – Application Security Triggers, e.g. Meeting Compliance Requirements; Testing and Fixing Vulnerabilities

PART II – Creating the AppSec Program, e.g. Scope Based Upon Risks; Factor in Emerging Threats & Emerging Technologies

PART III – Managing the Application Security Program: CISO Functions & Application Security; S-SDLC; Maturity Models; Security Strategy; OWASP Projects

PART IV – Managing Application Security Risks & Investments: Application Security Process Metrics; Vulnerability Metrics; Security Incident Metrics & Threat Intelligence Reporting; S-SDLC Metrics

Page 6

Lessons Learned From OWASP 2013 CISO Survey (1/7)

[Bar chart: "Change in the threats facing your organization". Response categories: Increase, Same, Decrease, Don't Know; vertical axis 0 to 90. Two series: External attacks or fraud (e.g., phishing, website attacks); Internal attacks or fraud (e.g., abuse of privileges, theft of information). Bar values are not recoverable from the extracted text.]

Page 7

CISO Guide Reboot @ 2017 OWASP Summit, London, UK

Page 8

Vs. 2 Guide Contents: What Was Discussed

It was (version 1):
1.  Make OWASP Resources More Visible to CISOs
2.  Practices for Building Software Security into Processes, Testing Tools and Training
3.  How to Derive Security Requirements for Compliance with Standards and Policies
4.  How to Prioritize Vulnerability Management Based Upon Risks of Threats, Vulnerabilities and Attacks/Exploits
5.  Guidance on How to Align Application Security Strategy with IT Strategy
6.  How to Factor in Emerging Technology Risks
7.  How to Communicate Risks to the Business, Including Threats, Vulnerabilities (OWASP T10) and Impacts

Could be (version 2):
1.  Incorporate references to the outcomes of the 2017 Summit CISO track
2.  Expand to include new tools/technologies such as RASP
3.  Expand to include compliance with GDPR
4.  Expand on new emerging technology risks and provide risk mitigation guidance (e.g. APIs and Micro-services, Biometrics)
5.  Expand on Risk Mgmt. Strategies for Vendors, Provisioning, Supply-Chain Risks
6.  Expand on new evolving threats facing web applications (e.g. 0-day exploits)
7.  Add references to handbooks and playbooks for the CISO's managed process

Page 9

2017 OWASP Summit: CISO Discussion Outcomes (1/2)

Page 10

2017 OWASP Summit: CISO Discussion Outcomes (2/2)

Page 11

2017 OWASP Summit: CISO Survey Outcomes

Page 12

OWASP CISO Guide Vs. 2, 2018 Edition: Plan, Roadmap and (Status)

1.  Reboot the project (at the AppSec USA 2017 Project Summit): create the new version 2, wiki and GitHub repository (done)
2.  Reactivate the OWASP CISO mailing list (done)
3.  Call for contributions, sponsors and revisions (in progress)
4.  Develop the contents as discussed at the OWASP Summit in London back in June (in progress)
5.  Create a mini 2018 CISO survey, to socialize with CISOs at CISO summits using SurveyMonkey lists (not started)
6.  Create the contents for the first draft of version 2 (in progress). The goal is to produce a draft by 30/3/2018 and a reviewed version by the end of June 2018.