2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs
Marco Morana, Member of OWASP London, Project Lead of the OWASP CISO Guide
Tobias Gondrom, Board Member of OWASP London, Project Lead of the OWASP CISO Survey & Report
Agenda
• Application Security Guide For CISOs
  • Developer – CISO – gap
  • Initial Goals
  • Development Plan
• CISO Survey & Report 2013
  • Methodology
  • First results
• Application Security Guide For CISOs
  • Does the CISO need Guidance?
  • The OWASP release
Hosted by OWASP & the NYC Chapter
Application Security Views: Developers vs. IS Managers
• Application Security: What do Software Developers and Information Security (IS) Managers say?
1. Are applications secure? Developers largely say applications are not secure, while security professionals are much more optimistic
2. Do we have an S-SDLC? 80% of developers vs. 64% of IS managers say there is NO build-security-in process (S-SDLC)
3. Are applications compliant? 15% of developers vs. 12% of IS managers say their applications MEET security regulations
4. Have applications been breached in the past? 68% of developers vs. 47% of IS managers say their applications HAD a security breach in the last two years
5. Did you receive application security training? 50% of developers and IS managers say they did NOT have application security training
Source: http://www.pcadvisor.co.uk/news/network-wifi/3345773/developers-say-application-security-lacking/#ixzz2Vj0QCALy
Bridging the gap
• How can we bridge the Software Developer – IS Manager application security awareness gaps?
• Increase Visibility: to application security stakeholders and IS managers in particular
• Provide Guidance: for adopting application security programs and S-SDLC
• Meet Compliance Requirements: with IS policies, standards, privacy laws and regulations
• Measure & Report: management of application security programs & risks
• Focus on Risk: awareness of security incidents, threats targeting applications and the business impacts
• Roll out Security Training: for S/W developers & managers
Development Plan
How we develop the App. Sec. Guide for CISOs
STAGE I: Presented the OWASP Application Security Guide draft and survey draft, socialized to OWASP chapters in Atlanta, London, New York (Nov 2012)
STAGE II: Initiated a campaign targeting CISOs to participate in a CISO survey (Jan-July 2013)
STAGE III: Analyzed data from the survey and compiled preliminary results, presented at AppSec EU (August 2013)
STAGE IV: Final results of the survey incorporated into the CISO guide; tailored and reformatted content (Sept-Oct 2013)
STAGE V: Presenting first release of CISO guide and survey at AppSec USA (Nov 2013)
CISO Survey & Report 2013
CISO Survey
• Methodology
  • Phase 1: Online survey sent to CISOs and Information Security Managers
  • Phase 2: Followed by selective personal interviews
  • More than 100 replies from CISOs from various industries…
• First Results: Sneak preview of the results today…
CISO Survey: External threats are on the rise!
External attacks or fraud (e.g., phishing, website attacks): Increase 85%, Same 13%, Decrease 2%
Internal attacks or fraud (e.g., abuse of privileges, theft of information): Increase 17%, Same 71%, Decrease 12%
CISO Survey: Main areas of risk
What are the main areas of risk for your organisation, in % out of 100%?
[Bar chart: categories Infrastructure, Application, Other; horizontal axis 0% to 100%; vertical axis 0 to 30 (unlabelled). Bar values are not present in the slide text.]
CISO Survey & Report 2013: Change in the threats
Compared to 12 months ago, do you see a change in these areas?
Application: Increase 67%, Same 33%, Decrease 0%
Infrastructure: Increase 39%, Same 52%, Decrease 9%
CISO Survey & Report 2013
Top five sources of application security risk within your organization?
Lack of awareness of application security issues within the organization
Insecure source code development
Poor/inadequate testing methodologies
Lack of budget to support application security initiatives
Third-party suppliers and outsourcing (e.g., lack of security, lack of assurance)
CISO Survey & Report 2013: Investments in Security
Aspects of the organization's annual investment in security?
Infra: Increase 38%, Same 52%, Decrease 10%
App: Increase 47%, Same 40%, Decrease 13%
CISO Survey & Report 2013
Top application security priorities for the coming 12 months:
Security awareness and training for developers
Security testing of applications (penetration testing)
Secure development lifecycle processes (e.g., secure coding, QA process)
CISO Survey & Report 2013: Security Strategy
• Security Strategy:
  • Only 27% believe their current application security strategy adequately addresses the risks associated with the increased use of social networking, personal devices, or cloud
  • Most organisations define the strategy for 1 or 2 years:
Time Horizon: Percent
3 months: 9.3%
6 months: 9.3%
1 year: 37.0%
2 years: 27.8%
3 years: 11.1%
5 years+: 5.6%
CISO Survey & Report 2013: Security Strategy
Benefits of a security strategy for application security investments:
[Bar chart: Correlation between investments in Application Security and a 2-year Application Security Strategy; x-axis Increase / Same / Decrease; y-axis 0% to 70%; series App, App (2y), App (not 2y). Bar values are not present in the slide text.]
Analysis for correlations with:
- Recent security breach
- Has an ASMS
- Company size
- Role (i.e. CISO)
- Has a Security Strategy
- Time horizon of security strategy (2 years)
CISO Survey & Report 2013: ASMS
Application Security Management System (ASMS) or Maturity Model (e.g., OWASP SAMM)
[Bar chart; answer options: Yes, implemented and formally certified/verified by a third party; Yes, without verification; Yes, currently in the process of implementing; No, but considering it; No, and not considering it. Bar values on the slide: 41.30%, 34.70%, 13.30%, 6.70%, 4.00%; the slide text does not show which value belongs to which option.]
CISO Survey & Report 2013
Top five challenges related to effectively delivering your organization's application security initiatives:
Availability of skilled resources
Level of security awareness by the developers
Management awareness and sponsorship
Adequate budget
Organizational change
CISO Survey & Report 2013
CISOs found the following OWASP projects most useful for their organizations (note: we did not have a full list of all 160 active projects):
OWASP Top-10
Cheatsheets
Development Guide
Secure Coding Practices Quick Reference
Application Security FAQ
Where We Are And What Comes Next: Application Security Guide For CISOs
Does the CISO Need Guidance?
CISO: I need to make sure our apps comply with PCI-DSS and OWASP Top Ten. I am asking the business to budget an application security program and S-SDLC for 2014.
Security Testing Manager: Can we include budget for security testing tools and training for security testers?
Engineering Manager: Can we budget for secure coding training and security tools for S/W developers as well?
Risk Manager: Can you justify this budget from a risk management perspective? How does this program help reduce the risks of security breaches we had in the past?
Business Executive: Can you determine how much we need to invest in this program? Do you have a plan and a documented proposal/business case?
Application Security Guide for CISOs
PART I – Reasons For Investing in Application Security: Meeting Compliance; Risk Reduction Strategies; Minimize Risk of Incidents; Costs & Benefits of Security Measures
PART II – Criteria For Managing Security Risks: Technical Risks & Business Risks; Emerging Threats; Handling New Technology (Web 2.0, Mobile, Cloud Services)
PART III – Application Security Program: CISO Functions & Application Security; S-SDLC; Maturity Models; Security Strategy; OWASP Projects
PART IV – Metrics For Managing Risks & Application Security Investments: Application Security Process Metrics; Vulnerability Metrics; Security Incident Metrics & Threat Intelligence Reporting; S-SDLC Metrics
Final Thanks & Further References
Acknowledgements:
OWASP CISO Guide authors, contributors and reviewers:
• Tobias Gondrom
• Eoin Keary
• Andy Lewis
• Marco Morana
• Stephanie Tan
• Colin Watson
Further References:
• OWASP CISO Guide: https://www.owasp.org/images/d/d6/Owasp-ciso-guide.pdf
• OWASP CISO Survey (to be released in December): https://www.owasp.org/index.php/OWASP_CISO_Survey
Q&A