2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs

Marco Morana, Member of OWASP London, Project Lead of the OWASP CISO Guide
Tobias Gondrom, Board member of OWASP London, Project Lead of the OWASP CISO Survey & Report

Hosted by OWASP & the NYC Chapter

Agenda
• Application Security Guide For CISOs
  • Developer – CISO gap
  • Initial Goals
  • Development Plan
• CISO Survey & Report 2013
  • Methodology
  • First results
• Application Security Guide For CISOs
  • Does the CISO need Guidance?
  • The OWASP release

Application Security Views: Developers vs. IS Managers
Application Security: What do Software Developers and Information Security (IS) Managers say?
1. Are applications secure? Developers largely say applications are not secure, while security professionals are much more optimistic.
2. Do we have an S-SDLC? 80% of developers vs. 64% of IS managers say there is NO build-security-in process (S-SDLC).
3. Are applications compliant? 15% of developers vs. 12% of IS managers say their applications MEET security regulations.
4. Have applications been breached in the past? 68% of developers vs. 47% of IS managers say their applications HAD a security breach in the last two years.
5. Did you receive application security training? 50% of developers and IS managers say they did NOT have application security training.
Source: http://www.pcadvisor.co.uk/news/network-wifi/3345773/developers-say-application-security-lacking/#ixzz2Vj0QCALy

Bridging the gap
How can we bridge the application security awareness gaps between software developers and IS managers?
1. Increase Visibility: to application security stakeholders, and IS managers in particular
2. Provide Guidance: for adopting application security programs and an S-SDLC
3. Measure & Report: management of application security programs and risks
4. Meet Compliance Requirements: with IS policies, standards, privacy laws and regulations
5. Focus on Risk: awareness of security incidents, threats targeting applications, and the business impacts
6. Roll out Security Training: for software developers and managers

Development Plan
How we develop the Application Security Guide for CISOs:
• STAGE I: Presented the OWASP Application Security Guide draft and the survey draft, socialized to OWASP chapters in Atlanta, London and New York (Nov 2012)
• STAGE II: Initiated a campaign targeting CISOs to participate in a CISO survey (Jan–July 2013)
• STAGE III: Analyzed the survey data and compiled preliminary results, presented at AppSec EU (August 2013)
• STAGE IV: Incorporated the final survey results into the CISO guide; content tailored and reformatted (Sept–Oct 2013)
• STAGE V: Presenting the first release of the CISO guide and survey at AppSec USA (Nov 2013)

Agenda: CISO Survey & Report 2013

CISO Survey: Methodology
• Phase 1: Online survey sent to CISOs and Information Security Managers
• Phase 2: Followed by selective personal interviews
• More than 100 replies from CISOs across various industries
• First results: a sneak preview of the results today

CISO Survey: External threats are on the rise!
Change compared to 12 months ago:
                                                                              Increase   Same   Decrease
External attacks or fraud (e.g., phishing, website attacks)                      85%     13%       2%
Internal attacks or fraud (e.g., abuse of privileges, theft of information)      17%     71%      12%

CISO Survey: Main areas of risk
What are the main areas of risk for your organisation, in % out of 100%?
[Chart: share of risk attributed to Infrastructure, Application and Other]

CISO Survey & Report 2013: Change in the threats
Compared to 12 months ago, do you see a change in these areas?
                  Increase   Same   Decrease
Application          67%     33%       0%
Infrastructure       39%     52%       9%

CISO Survey & Report 2013: Top five sources of application security risk within your organization
• Lack of awareness of application security issues within the organization
• Insecure source code development
• Poor/inadequate testing methodologies
• Lack of budget to support application security initiatives
• Third-party suppliers and outsourcing (e.g., lack of security, lack of assurance)

CISO Survey & Report 2013: Investments in Security
Change in aspects of the organization's annual investment in security:
                  Increase   Same   Decrease
Application          47%     40%      13%
Infrastructure       38%     52%      10%

CISO Survey & Report 2013: Top application security priorities for the coming 12 months
• Security awareness and training for developers
• Security testing of applications (penetration testing)
• Secure development lifecycle processes (e.g., secure coding, QA process)

CISO Survey & Report 2013: Security Strategy
• Only 27% believe their current application security strategy adequately addresses the risks associated with the increased use of social networking, personal devices, or cloud
• Most organisations define the strategy for 1 or 2 years:
  Time horizon   Percent
  3 months         9.3%
  6 months         9.3%
  1 year          37.0%
  2 years         27.8%
  3 years         11.1%
  5 years+         5.6%

CISO Survey & Report 2013: Security Strategy
Benefits of a security strategy for application security investments:
[Chart: correlation between investments in application security (Increase / Same / Decrease) and having a 2-year application security strategy; series: App, App (2y), App (not 2y)]
Analysis for correlations with:
• Recent security breach
• Has an ASMS
• Company size
• Role (i.e. CISO)
• Has a security strategy
• Time horizon of the security strategy (2 years)

CISO Survey & Report 2013: ASMS
Application Security Management System (ASMS) or Maturity Model (e.g., OWASP SAMM)
Response options (chart values: 41.3%, 34.7%, 13.3%, 6.7%, 4.0%):
• Yes, implemented and formally certified/verified by a third party
• Yes, without verification
• Yes, currently in the process of implementing
• No, but considering it
• No, and not considering it

CISO Survey & Report 2013: Top five challenges related to effectively delivering your organization's application security initiatives
• Availability of skilled resources
• Level of security awareness by the developers
• Management awareness and sponsorship
• Adequate budget
• Organizational change

CISO Survey & Report 2013: CISOs found the following OWASP projects most useful for their organizations (note: we did not have a full list of all 160 active projects)
• OWASP Top 10
• Cheat Sheets
• Development Guide
• Secure Coding Practices Quick Reference
• Application Security FAQ

Agenda: Where We Are And What Comes Next

Does the CISO Need Guidance?
CISO: I need to make sure our apps comply with PCI-DSS and the OWASP Top Ten. I am asking the business to budget an application security program and S-SDLC for 2014.
Security Testing Manager: Can we include budget for security testing tools and training for security testers?
Engineering Manager: Can we budget for secure coding training and security tools for software developers as well?
Risk Manager: Can you justify this budget from a risk management perspective? How does this program help reduce the risks of the security breaches we had in the past?
Business Executive: Can you determine how much we need to invest in this program? Do you have a plan and a documented proposal/business case?

Application Security Guide for CISOs
• PART I – Reasons For Investing in Application Security: Meeting Compliance; Risk Reduction Strategies; Minimize Risk of Incidents; Costs & Benefits of Security Measures
• PART II – Criteria For Managing Security Risks: Technical Risks & Business Risks; Emerging Threats; Handling New Technology (Web 2.0, Mobile, Cloud Services)
• PART III – Application Security Program: CISO Functions & Application Security; S-SDLC; Maturity Models; Security Strategy; OWASP Projects
• PART IV – Metrics For Managing Risks & Application Security Investments: Application Security Process Metrics; Vulnerability Metrics; Security Incident Metrics & Threat Intelligence Reporting; S-SDLC Metrics

Final Thanks & Further References
Acknowledgements: OWASP CISO Guide authors, contributors and reviewers:
• Tobias Gondrom
• Eoin Keary
• Andy Lewis
• Marco Morana
• Stephanie Tan
• Colin Watson
Further References:
• OWASP CISO Guide: https://www.owasp.org/images/d/d6/Owasp-ciso-guide.pdf
• OWASP CISO Survey (to be released in December): https://www.owasp.org/index.php/OWASP_CISO_Survey

Q&A
Questions and Answers