Talk:Application Security Guide For CISOs

Meeting Notes 1/27/2012

Participants: Marco

Guys, I opened the bridge at 12:00 GMT but closed it after 10 minutes because nobody attended.

Anyway, I just wanted to give you a summary of my thoughts regarding this initiative. I will be attending a security summit in Milan on March 22nd and participating in a forum with Italian banks.

My objective is to present a complete draft to the CISOs attending, as well as some results of the CISO survey. This is aligned with the "momentum" objective we talked about at the last meeting. For completing the guide, we would need to draft part III, that is, where in the SDLC to target spending, and part IV, metrics for managing risks and security costs.

My idea for part III is to provide an analysis of vulnerability causes and how these causes can be mitigated with people, process and training; specifically, besides in which phases of the SDLC to target spending, also which specific projects/activities, including SDLC-specific guides as well as training. For Part II, I will also reference the results of the CISO survey in relation to what the risk mitigation needs are and what OWASP can do to satisfy these. The business cases covered in parts I and II go along with the needs from CISOs because, once the needs are identified, it is also important to be able to make the case for investment/budget.

For part IV, the metrics help both to manage risks and countermeasures and to support the case in "money for the bang" terms, that is, to measure the effectiveness of mitigating risk with a focused budget.

I will move this meeting to next month; hopefully it will be better attended. Thanks for your attention and have a nice weekend, all.

Marco

Meeting Notes 12/21/2011

Participants: Alex, Eoin, Marco, Rex

The purpose of the meeting was to brief on the status of the AppSec guide for CISOs, capture feedback and ideas for improving the content, and capture a list of action points for the future. What we have today in this guide is a draft document whose purpose is to provide a set of business cases for CISOs for the adoption of best practices in application security that will drive adoption/endorsement of OWASP resources/projects. The guide is divided into 4 sections: 1) the business cases for investment in application security, 2) the guidance on which issues need to be targeted by the investment, 3) the selection of where in the SDLC to target spending and 4) the metrics for the management of risk and costs. The end goal of the guide is to pair with the OWASP CISO Survey as a solution document/white paper. Ideally this document will bridge the organizational needs in application security identified as part of the CISO survey with the OWASP projects as the solution for these needs. The critical value stands in being able to provide a mapping of CISO needs to budget for application security and the endorsement of OWASP projects to meet these needs. The extent to which this will be possible depends a lot on how effective the business cases are, so that they can be emphasized to CISOs. The business cases that have been documented in the guide today are not part of the survey; they are around common-sense justification of IS spending on application security, compliance and risks, specifically the risk of monetary losses due to security breaches and incidents whose root causes are the exploitation of application vulnerabilities, for which OWASP leads as a resource of best practices/guides/tools.
The important points raised during the meeting/discussion were:

1) The importance of coordinating the completion of the guide with the survey; currently the business cases are made before the survey, a cart-before-the-horse type of approach. Ideally there should be a 1:1 mapping of survey needs to OWASP business cases that address these needs.

2) The opportunity to exploit a conference such as ISSA, Blackhat, OWASP etc. to build momentum about the adoption of the guide and the survey.

3) The importance of documenting well a metric that allows measuring the effectiveness of security investments; this needs to make sense across different domains such as engineering, security, fraud risk etc.

4) Capture other work done on similar subjects, such as security cost justification papers by Denim Group.

5) Emphasize that this guide is in direct response to the survey needs, a type of "we hear your problem, here is the solution we propose", ideally targeting for distribution the same list of people that participated in the survey.

6) Map as closely as possible the CISO business cases to OWASP project business cases. This will require translating the technical value of OWASP projects into business value, expressed in tactical and strategic terms, emphasizing risk mitigation and cost efficiencies/savings.

7) Supply a list of business cases for each OWASP project to direct CISOs to adoption of/investment in these OWASP projects.

Actions moving forward:

1) Need to bring sections III and IV to completion.

2) Will hold a monthly meeting to brief and track progress on points 1-7 captured at the meeting.

Regards, Marco

Marco,

Please find below my questions/comments on the remaining justification values. As I said, some of these are to prompt debate or to simulate the sort of questions sceptics may come up with, but they also include my own misunderstandings. They are not meant to be critical and I only hope they contribute to an even better final document.

a) $655

The reference for this (http://www.verdasys.com/thoughtleadership/) is not available free of charge, so I can't verify the amount or assumptions. But the units "per customer per year" worry me a little. What costs are there in year 2 onwards for a single incident (in year 1)? I can only think of payment protection insurance. Over ten years, does that mean $6550? Or should a net present value (NPV) of the cost be used instead?

There may be some other sources we can reference for alternative numbers, to show we haven't just picked the worst one!

b) 4.6%

If the $655 figure already includes some averaging for customers, the 4.6% may be irrelevant since this is already taken into account in the calculation of $655 - unable to verify for the same reason as a). However, the 4.6% doesn't seem to matter in subsequent calculations, so this may be a minor issue.

But if $30.11 (instead of $655) is the meaningful number, the rest of the calculations may need to be adjusted?

We need the (public?) reference source for the 4.6% number.

c) 13%

Is this "breach type: web"? We should state this in the reference, and the period (e.g. 477 incidents from X to Y). It would seem to be 12% today.

d) 19%

Need to define the period in the reference - sorry, can't access WHID data at the moment to check this.

e) $16,000,000

I think this figure is correct (based on the assumptions), but maybe the way it is shown being calculated could be confusing. If any incident caused the loss of 1 million records, the cost is 1 million x $655 = $655,000,000, i.e. it doesn't matter what method was used. But then we are saying that 2.5% of such incidents on average are attributable to SQLi, which gives on average $16,000,000 per incident.

I think mentioning the $16 is confusing and maybe undermines the argument. It would be wrong to say the cost of a SQLi record loss is $16, for example (it is still $655).

So I think the wording in this paragraph needs to relate to the average proportion associated with SQLi.

My only concern with this number is that to calculate a per-incident value, we have used something which includes "per year" - see a) above.

f) 4

We need a reference for "4 attacks every ten years".

g) SLE

Let's be careful: the SLE of a SQLi attack which obtains 1 million records is $655,000,000, not $16,000,000. So the question is, does "4 [successful?] attacks every ten years [that grab 1 million records]" mean 4 security incidents OF ANY TYPE?

If it is 4 of any type, of which 2.5% are SQLi, I agree $6,400,000 (or actually $6,550,000) is the ALE due to SQLi via web.

h) 37%

Is there a public source to check this number and its assumptions/basis?

i) $5,920,000

Can I ask why this is calculated as 0.37 x $16,000,000 and not 0.37 x $6,400,000 (the ALE)?

j) 95% effectiveness of mitigation

Need a reference for this.

k) ROSI

Could you write out this calculation for me as well please. I can't work it out!

+++ Just saw Eoin's new comment.... we could have separate examples (as appendices) for different sectors with the numbers (and reference sources) written in, and make the main text more generic perhaps?

Colin
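The SLE/ALE/ROSI chain that items a) to k) above pick apart, carried through as a short Python example. This is an added example for the talk page, not code or figures from the guide, from Marco or from Colin. The dollar and percentage inputs are the ones under discussion above; the meaning attached to each is only what the comments say about it (the 2.5% SQLi share being approximately 13% x 19% is an inference made here, flagged as such), and the control cost passed to rosi() is a made-up placeholder because the page does not give one.

```python
"""Worked SLE / ALE / ROSI chain for the SQL injection business case.

Added example for this talk page, not code or figures from the guide.
Inputs are the numbers questioned in items a) to k); what each one means
is only what those comments say, and the control cost is a placeholder.
"""

# Figures as they appear in the comments above.
COST_PER_RECORD = 655.0          # a) "$655 per customer per year"
SQLI_SHARE = 0.025               # e) "2.5% of such incidents ... attributable to SQLi"
                                 #    (assumption: roughly 13% web x 19% SQLi = 2.47%)
INCIDENTS_PER_DECADE = 4         # f) "4 attacks every ten years"
FACTOR_37 = 0.37                 # h) basis not given on the page
MITIGATION_EFFECTIVENESS = 0.95  # j) "95% effectiveness of mitigation"


def sle(records_lost: int, cost_per_record: float = COST_PER_RECORD) -> float:
    """Single Loss Expectancy of one breach of this size, whatever the vector."""
    return records_lost * cost_per_record


def aro(incidents: float, years: float) -> float:
    """Annualized Rate of Occurrence: incidents per year."""
    return incidents / years


def ale(single_loss: float, annual_rate: float) -> float:
    """Annualized Loss Expectancy = SLE x ARO."""
    return single_loss * annual_rate


def rosi(annual_loss: float, effectiveness: float, control_cost: float) -> float:
    """Return on Security Investment: (loss avoided per year - cost of control) / cost."""
    avoided = annual_loss * effectiveness
    return (avoided - control_cost) / control_cost


def npv_recurring(annual_cost: float, years: int, discount_rate: float) -> float:
    """Present value of a cost paid at the start of each year for `years` years
    (item a: does "$655 per year" over ten years mean $6550, or an NPV?)."""
    return sum(annual_cost / (1.0 + discount_rate) ** t for t in range(years))


def sqli_business_case(records_lost: int = 1_000_000,
                       control_cost: float = 1_000_000.0) -> dict:
    """Carry the page's chain through and show the two readings of item i).

    `control_cost` is a made-up placeholder: the page gives no cost for the
    mitigation, and ROSI cannot be computed without one.
    """
    full_sle = sle(records_lost)                       # 655,000,000
    sqli_weighted_sle = full_sle * SQLI_SHARE          # 16,375,000 (page rounds to 16,000,000)
    annual_rate = aro(INCIDENTS_PER_DECADE, 10)        # 0.4
    sqli_ale = ale(sqli_weighted_sle, annual_rate)     # 6,550,000 (page rounds to 6,400,000)
    return {
        "sle_any_vector": full_sle,
        "sle_weighted_sqli": sqli_weighted_sle,
        "aro": annual_rate,
        "ale_sqli": sqli_ale,
        # Page's reading: 0.37 x the per-incident figure (5,920,000 with the rounded 16M).
        "factor37_x_weighted_sle": FACTOR_37 * sqli_weighted_sle,
        # Colin's reading in i): 0.37 x the ALE instead.
        "factor37_x_ale": FACTOR_37 * sqli_ale,
        "rosi": rosi(sqli_ale, MITIGATION_EFFECTIVENESS, control_cost),
    }


if __name__ == "__main__":
    for name, value in sqli_business_case().items():
        print(f"{name:28s} {value:>18,.4f}")
```

Run as a script it prints each intermediate value. Keeping SLE, ARO and ALE as separate functions is deliberate: the ambiguities raised in g) and i) then show up as a choice of which value gets multiplied by 0.37 or by the mitigation effectiveness, rather than being hidden inside one rounded number, and the $16,000,000 figure is visibly a weighted SLE rather than a cost per record.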

Risk Management
Would propose adding to the Risk Management section content about:

- the various risk models: OWASP, ISO-27005, ITIL, NIST SP 800-30, FAIR (Factor Analysis of Information Risk), ISO 31000, Risk IT (ISACA), OCTAVE?

- Asset Classification, Threat Analysis & Vulnerability Assessment

- Risk Heat Map

- Qualitative vs. Quantitative