Application Security Guide for CISO and Survey Reboot ... · 5. In synch, create a 2018 CISO survey...

Page 1

Marco M. Morana, CISO Guide Project Lead

Application Security Guide for CISO and Survey Reboot Project Summit Session(s)

Page 2

Agenda

2013 OWASP CISO GUIDE
•  Why we developed version 1
•  Roadmap for version 1
•  Main Themes

2013 OWASP CISO SURVEY
•  What matters to CISOs
•  OWASP CISO Survey 2013-2014

2018 OWASP CISO GUIDE VERSION 2
•  Discussions at OWASP Summit in London
•  Outcomes of Discussion
•  Roadmap for development of version 2 of the Guide + survey

Page 3

CISO Guide Version 1 (2013)

OWASP CISO Guide authors, contributors and reviewers:
•  Tobias Gondrom
•  Eoin Keary
•  Andy Lewis
•  Marco Morana
•  Stephanie Tan
•  Colin Watson

•  OWASP CISO Guide: https://www.owasp.org/images/d/d6/Owasp-ciso-guide.pdf
•  OWASP CISO Survey: https://www.surveymonkey.com/s/CISO2013Survey

Page 4

Pen-Testing Team Manager: Can we include budget for security testing tools and training for security testers?

CISO: I need to make sure our apps comply with PCI-DSS and OWASP Top Ten. I am asking the business to budget an application security program and S-SDLC.

Engineering Manager: Can we budget for secure coding training and security tools for S/W developers as well?

Business Manager: Can you justify this budget from a risk management perspective? How does this program help reduce the risks of the security breaches we had in the past?

Why We Developed the CISO Guide Version 1 (2013)

Page 5

STEP 1: Discuss OWASP Application Security Guide Goals & Questions for Survey

STEP 2: Enroll CISOs to participate in a CISO survey

STEP 3: Gather the Answers and analyze the survey

STEP 4: Change the guide to align to the results of the survey

STEP 5: Present releases

Application Security Guide For CISO and Survey Roadmap for Version 1 (2013)

Page 6

Main Themes For Version 1

PART I – Reasons For Investing in Application Security: Meeting Compliance; Risk Reduction Strategies; Minimize Risk of Incidents; Costs & Benefits of Security Measures

PART II – Criteria For Managing Security Risks: Technical Risks & Business Risks; Emerging Threats; Handling New Technology (Web 2.0, Mobile, Cloud Services)

PART III – Application Security Program: CISO Functions & Application Security; S-SDLC; Maturity Models; Security Strategy; OWASP Projects

PART IV – Metrics For Managing Risks & Application Security Investments: Application Security Process Metrics; Vulnerability Metrics; Security Incident Metrics & Threat Intelligence Reporting; S-SDLC Metrics

Page 7

What Can Security Professionals Learn From Web Application Developers?

What Matters to CISOs? CISO Survey(s)

Sources: Deloitte and the National Association of State CIOs (NASCIO) are sharing the results of a joint Cyber Security Survey, finding that State Chief Information Security Officers (CISOs) in 2010

Page 8

OWASP 2013 CISO Survey 1/7 (bar chart, axis 0-90): Change in the threats facing your organization. Series: External attacks or fraud (e.g., phishing, website attacks); Internal attacks or fraud (e.g., abuse of privileges, theft of information). Response categories: Increase / Same / Decrease / Don't Know.

Page 9

2013 OWASP CISO Survey 2/7 (chart, axes 0-30 and 0%-100%): What are the main areas of risk for your organisation in % out of 100%? Categories: Infrastructure / Application / Other.

Page 10

2013 OWASP CISO Survey 3/7 (bar chart, axis 0-80): Change compared to 12 months ago. Series: Infrastructure / Application / Other. Response categories: Increase / Same / Decrease / Don't Know.

Page 11

2013 OWASP CISO Survey 4/7 (bar chart, axis 0-50): Company's annual investment in security. Series: Application Security is / Infrastructure Security is / Other. Response categories: Decreasing / Relatively constant / Increasing as a percentage of total expenditures.

Page 12

2013 OWASP CISO Survey 5/7 (bar chart, axis 0.00%-45.00%): Application Security Management System (ASMS) or Maturity Model (e.g., OWASP SAMM).

Page 13

2013 OWASP CISO Survey 6/7

Security Strategy:
•  Only 27% believe their current application security strategy adequately addresses the risks associated with the increased use of social networking, personal devices, or cloud
•  Most organisations define the strategy for 1 or 2 years:

Time Horizon    Percent
3 months        9.3%
6 months        9.3%
1 year          37.0%
2 years         27.8%
3 years         11.1%
5 years+        5.6%

Page 14

2017 OWASP Summit, London, UK

Page 15

Vs. 2 Guide Contents: What Was Discussed

It was..
1.   Make OWASP Resources More Visible to CISOs
2.   Practices for Built-In Software Security into Processes, Testing Tools and Training
3.   How to derive security requirements for compliance with Standards and Policies
4.   How to Prioritize Vulnerability Management Based Upon Risks of Threats, Vulnerabilities and Attacks/Exploits
5.   Guidance on How to Align Application Security Strategy with IT Strategy
6.   How to factor emerging technology risks
7.   How to Communicate Risks to Business Including Threats, Vulnerabilities (OWASP T10) and Impacts

Could be:
1.   Incorporate reference to outcomes of 2017 Summit CISO track
2.   Expand to include new tools/technologies such as RASP
3.   Expand to include compliance with GDPR
4.   Expand on new emerging technology risks and provide risk Mitigation Guidance (e.g. APIs and Micro-services, Biometrics)
5.   Expand on Risk Mgmt. Strategies For Vendors, Provisioning, Supply-Chain Risks
6.   Expand on new evolving threats facing web Applications (e.g. 0-day exploits)
7.   Add reference to handbooks and playbooks for CISO's managed process

Page 16

Vs. 2 Survey Contents: What Was Discussed

It was..
1.   Do you worry more of External Threats (e.g., phishing, website attacks) or Internal Threats (e.g., abuse of privileges, theft of information)?
2.   What are the main areas of risk for your organisation in % out of 100%?
3.   Compared to 12 months ago, do you see a change in application security vs infrastructure (I/F) threats?
4.   Do you have a cyber-security strategy? If YES, how many years does this strategy cover?
5.   Have you implemented a Maturity Model (e.g., OWASP SAMM)?

It could be (as suggestions):
1.   Which among the organization IT assets, networks or applications are considered more at risk of cyber-attacks?
2.   Does your organization have a cyber-threat intelligence program and attack monitoring/alert process?
3.   Has your organization adopted S-SDLC? If yes, which one? Does it include threat modeling?
4.   Is application security seen as an investment or as a cost by your organization?
5.   Does your planning of application security follow a long-term strategy (at least two years)?

PLEASE WRITE DOWN YOURS

Page 17

2017 OWASP Summit: CISO Guide Outcomes

Page 18

2017 OWASP Summit: CISO Guide Outcomes (continued)

Page 19

2017 OWASP Summit: CISO Survey Outcomes

Page 20

2018 OWASP CISO Guide & Survey: Next Steps

Roadmap, Status and Goals/Objectives:
1.  Reboot the project (at AppSec USA 2017 Project Summit)
2.  Reactivate OWASP CISO mailing list (done)
3.  Create new version 2, wiki, GitHub repository (in progress)
4.  Develop the contents in Q4 as being discussed at OWASP Summit in London back in June (in progress)
5.  In synch, create a 2018 CISO survey in Q4 to be used in 2018 Q1 to gather answers from CISOs at chapter meetings, CISO summits using SurveyMonkey lists (not started yet)
6.  Main goal is to develop the first draft of version 1 by Q1 2018 and a reviewed version by Q2 2018