
Slide 1: 2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs
Marco Morana, Member of OWASP London, Project Lead of the OWASP CISO Guide
Tobias Gondrom, Board Member of OWASP London, Project Lead of the OWASP CISO Survey & Report

Slide 2: About Me (Marco Morana)
Hosted by OWASP & the NYC Chapter
I am currently risk and control manager (SVP) and head of the application architecture security program globally for one of the largest Financial Institutions (FI) in the world, in London, U.K. I am also technical advisor for a security technology start-up and contributor to EU projects for cyber security. During my 15+ years of distinguished career in security, I specialized in application and software security consulting services for major Fortune 500 companies and contributed to the secure design of business-critical applications and security tools. Among my notable contributions in application security are the development of the first secure email with S/MIME (1996) and the first Intrusion Detection System (IDS) tool (1998). My current interests are in the research of cyber threat analysis and attack modeling processes, and processes to better manage the risk of emerging cyber threats. My academic credentials include a Master's Degree in Computer Systems Engineering from Northwestern Polytechnic University and an Engineering Doctorate Degree (Dr. Ing.) in Mechanical Engineering from the University of Padova, Italy. I am also a Certified Software Security Lifecycle Professional (CSSLP).

Slide 3: About Me (Tobias Gondrom)
- 15 years information security experience (Global Head of Security, CISO, CTO); CISSP, CSSLP, CCISO
- 12 years management of application development
- Sloan Fellow M.Sc., London Business School
- Thames Stanley: Managing Director, CISO Advisory, Information Security & Risk Management, Research and Advisory
- Author of Internet Standards on Secure Archiving, CISO training, and co-author of the OWASP CISO Guide
- Chair of the IETF Web Security Working Group; Member of the IETF Security Directorate; Cloud Security Alliance, Hong Kong chapter board
- London OWASP chapter board member; OWASP Project Leader for the CISO Survey & Report

Slide 4: Agenda
Application Security Guide For CISOs: Developer / CISO gap; Initial Goals; Development Plan
CISO Survey & Report 2013: Methodology; First results
Application Security Guide For CISOs: Does the CISO need guidance?; The OWASP release

Slide 5: Application Security: What Do Software Developers and Information Security (IS) Managers Say?
Application Security Views: Developers vs. Managers
1. Are applications secure? Developers largely say applications are not secure, while security professionals are much more optimistic.
2. Do we have an S-SDLC? 80% of developers vs. 64% of IS managers say there is NO build-security-in process (S-SDLC).
3. Are applications compliant? 15% of developers vs. 12% of IS managers say their applications MEET security regulations.
4. Have applications been breached in the past? 68% of developers vs. 47% of IS managers say their applications HAD a security breach in the last two years.
5. Did you receive application security training? 50% of developers and IS managers say they did NOT have application security training.
Source: http://www.pcadvisor.co.uk/news/network-wifi/3345773/developers-say-application-security-lacking/#ixzz2Vj0QCALy

Slide 6: How Can We Bridge the Software Developer / IS Manager Application Security Awareness Gap?
Bridging the gap between Software Developers and Information Security Managers: the Application Security Guide for CISOs
1. Increase Visibility: to application security stakeholders, and IS managers in particular
2. Provide Guidance: for adopting application security programs and an S-SDLC
3. Meet Compliance Requirements: with IS policies, standards, privacy laws and regulations
4. Focus on Risk: awareness of security incidents, threats targeting applications, and the business impacts
5. Measure & Report: management of application security programs & risks
6. Roll out Security Training: for S/W developers & managers

Slide 7: How We Developed the App. Sec. Guide for CISOs (Development Plan)
STAGE I: Presented the OWASP Application Security Guide draft and survey draft, socialized to OWASP chapters in Atlanta, London and New York (Nov 2012)
STAGE II: Initiated a campaign targeting CISOs to participate in a CISO survey (Jan-July 2013)
STAGE III: Analyzed data from the survey and compiled preliminary results, presented at AppSec EU (August 2013)
STAGE IV: Final results of the survey incorporated with the CISO guide; tailored and reformatted content (Sept-Oct 2013)
STAGE V: Presenting the first release of the CISO guide and survey at AppSec USA (Nov 2013)

Slide 8: Agenda: CISO Survey & Report
Application Security Guide For CISOs: Developer / CISO gap; Initial Goals; Development Plan
CISO Survey & Report 2013: Methodology; First results
Application Security Guide For CISOs: Does the CISO need guidance?; The OWASP release

Slide 9: CISO Survey: Methodology
Phase 1: Online survey sent to CISOs and Information Security Managers
Phase 2: Followed by selective personal interviews
More than 100 replies from CISOs from various industries.
First Results: Sneak preview of the results today.

Slide 10: CISO Survey: External threats are on the rise!
(Chart comparing:)
- External attacks or fraud (e.g., phishing, website attacks)
- Internal attacks or fraud (e.g., abuse of privileges, theft of information)

Slide 11: CISO Survey: Main areas of risk (chart)

Slide 12: CISO Survey & Report 2013: Change in the threats (chart)

Slide 13: CISO Survey & Report 2013: Top five sources of application security risk within your organization
- Lack of awareness of application security issues within the organization
- Insecure source code development
- Poor/inadequate testing methodologies
- Lack of budget to support application security initiatives
- Third-party suppliers and outsourcing (e.g., lack of security, lack of assurance)

Slide 14: CISO Survey & Report 2013: Investments in Security (chart)

Slide 15: CISO Survey & Report 2013: Top application security priorities for the coming 12 months
- Security awareness and training for developers
- Security testing of applications (penetration testing)
- Secure development lifecycle processes (e.g., secure coding, QA process)

Slide 16: CISO Survey & Report 2013: Security Strategy
Only 27% believe their current application security strategy adequately addresses the risks associated with the increased use of social networking, personal devices, or cloud.
Most organisations define the strategy for 1 or 2 years:

Security Strategy Time Horizon   Percent
3 months                         9.3%
6 months                         9.3%
1 year                           37.0%
2 years                          27.8%
3 years                          11.1%
5 years+                         5.6%

Slide 17: CISO Survey & Report 2013: Security Strategy
Benefits of a security strategy for application security investments (chart).
Analysis for correlations with:
- Recent security breach
- Has an ASMS
- Company size
- Role (i.e. CISO)
- Has a security strategy
- Time horizon of security strategy (2 years)

Slide 18: CISO Survey & Report 2013: ASMS (chart)

Slide 19: CISO Survey & Report 2013: Top five challenges related to effectively delivering your organization's application security initiatives
- Availability of skilled resources
- Level of security awareness by the developers
- Management awareness and sponsorship
- Adequate budget
- Organizational change

Slide 20: CISO Survey & Report 2013: CISOs found the following OWASP projects most useful for their organizations (note: we did not have a full list of all 160 active projects)
- OWASP Top-10
- Cheatsheets
- Development Guide
- Secure Coding Practices Quick Reference
- Application Security FAQ

Slide 21: Agenda: Where We Are And What Comes Next
Application Security Guide For CISOs: Developer / CISO gap; Initial Goals; Development Plan
CISO Survey & Report 2013: Methodology; First results
Application Security Guide For CISOs: Does the CISO need guidance?; The OWASP release

Slide 22: Does the CISO Need Guidance?
CISO: I need to make sure our apps comply with PCI-DSS and the OWASP Top Ten. I am asking the business to budget an application security program and S-SDLC for 2014.
Business Executive: Can you determine how much we need to invest in this program? Do you have a plan and a documented proposal/business case?
Engineering Manager: Can we budget for secure coding training and security tools for S/W developers as well?
Risk Manager: Can you justify this budget from a risk management perspective? How does this program help reduce the risks of security breaches we had in the past?
Security Testing Manager: Can we include budget for security testing tools and training for security testers?

Slide 23: Application Security Guide for CISOs
PART I - Reasons For Investing in Application Security: Meeting Compliance; Risk Reduction Strategies; Minimize Risk of Incidents; Costs & Benefits of Security Measures
PART II - Criteria For Managing Security Risks: Technical Risks & Business Risks; Emerging Threats; Handling New Technology (Web 2.0, Mobile, Cloud Services)
PART III - Application Security Program: CISO Functions & Application Security; S-SDLC; Maturity Models; Security Strategy; OWASP Projects
PART IV - Metrics For Managing Risks & Application Security Investments: Application Security Process Metrics; Vulnerability Metrics; Security Incident Metrics & Threat Intelligence Reporting; S-SDLC Metrics

Slide 24: Final Thanks & Further References
Acknowledgements: OWASP CISO Guide authors, contributors and reviewers: Tobias Gondrom, Eoin Keary, Andy Lewis, Marco Morana, Stephanie Tan, Colin Watson
Further References:
OWASP CISO Guide: https://www.owasp.org/images/d/d6/Owasp-ciso-guide.pdf
OWASP CISO Survey (to be released in December): https://www.owasp.org/index.php/OWASP_CISO_Survey

Slide 25: Q&A: Questions & Answers

