
OWASP Application Security Guide for Chief Information Security Officers (CISOs)

OWASP Application Security Guide for Chief Information Security Officers (CISOs). Marco Morana, Global Industry Committee, OWASP Foundation. CISO Breakfast Meeting, Atlanta, November 16th 2012. About myself and the life journey that brought me to OWASP. Why an OWASP Guide For CISOs?

Presentation Transcript


  1. OWASP Application Security Guide for Chief Information Security Officers (CISOs) Marco Morana Global Industry Committee OWASP Foundation CISO Breakfast Meeting, Atlanta November 16th 2012

  2. About myself and the life journey that brought me to OWASP

  3. Why an OWASP Guide For CISOs?

  4. Today’s CISOs are like four star generals

  5. What do CISOs care about today?

  6. CISO Surveys. Sources: Deloitte and the National Association of State CIOs (NASCIO) are sharing the results of a joint Cyber Security Survey, finding that State Chief Information Security Officers (CISOs) in 2010

  7. What will CISOs care about in the future?

  8. Compliance lags behind threats

  9. The Escalation of Cyber Threats

  10. How Can a CISO Guide Help?

  11. OWASP AppSec CISO Guide, PART I: Guidance Criteria for Application Security Investments. Topics: Compliance and Legal; Governance; Audits; Risk Quantification, Costs vs. Benefits of Measures, ROSI.

  12. OWASP AppSec CISO Guide, PART II: Selection of Application Security Measures. Topics: Prioritization of Vulnerabilities by Business Impacts; Threat Agent Specific Countermeasures; Measures for Securing New Technologies.

  13. PART III: Strategic Guidance for the Selection of Application Security Processes. Topics: Alignment with CISO Role & Functions; Maturity Models and S-SDLC Processes; Guidance for choosing OWASP Projects.

  14. PART IV: Guidance on Metrics for Managing Application Security Programs. Topics: Application Security Processes Metrics; Application Security Issues Risk Metrics; Security in SDLC Issue Management Metrics.

  15. How we are creating the guide

  16. The OWASP Application Security Guide For CISOs: Four Step Project Plan. STEP 1: Present the OWASP Application Security Guide draft to the IS community. STEP 2: Enroll CISOs to participate in a CISO survey. STEP 3: Gather and analyze the survey. STEP 4: Tailor the guide to the results of the survey and final release status. STEP 4: Present final release.

  17. Thank You For Listening

  18. Q & A: Questions and Answers

  19. Appendix: Mapping CISO’s Responsibilities

  20. Appendix: Business Cases Cheat Sheet - Data Breach Incidents 2011-2012 Statistics. Threat Agents: the majority are hacking and malware. Targets: 54% of incidents target web applications. Likelihood: 90% of organizations had at least one data breach over a period of 12 months. Attacks and Vulnerabilities: SQL injection reigns as the top attack technique; 51% of all vulnerabilities are XSS. Data Breach Impact: the majority of data lost are user credentials, emails and personally identifiable information. Business Breach Impact: the average cost of a breached data record is estimated at $222 per record. Incident Response: the majority of incidents are discovered weeks or months after the time of initial data compromise. Sources: OSF, DataLossDb.org; Ponemon Institute and Symantec, Research March 2012; Verizon's Investigative Data Breach Report 2012; IBM X-Force 2012 Mid Year Trend & Risk Report.