CISO Survey 2013: Tools and technology
3. Tools and technology
Significance of OWASP guidance, books and white papers
To better understand how organizations benefit from existing OWASP activities and which are most useful to them, we also asked the CISOs which OWASP activities serve them well and which are more or less significant. For the data analysis we designed a weighted scoring that ranks each activity by how many respondents rated it as extremely significant, very significant, significant, somewhat significant or not significant. The most significant help comes from OWASP projects used for awareness programs and awareness material, with a weighted score of 140 and about 70% stating that OWASP is extremely significant, very significant or significant in this area. Staff attending local chapter meetings or AppSec conferences is still important, with a score of 54 and more than 30% of the surveyed CISOs rating this activity as extremely significant, very significant or significant.
Top-5 most useful OWASP projects for organizations from the perspective of the CISO.
The 5 most useful OWASP projects from the standpoint of a CISO are:
1. OWASP Top-10
2. Cheatsheets
3. Development Guide
4. Secure Coding Practices Quick Reference
5. Application Security FAQ
The Top-10 holds a clear leading number one position, while the other four projects are rated relatively equally and essentially share second place.
Design of the information security management program
As information security programs vary widely across organizations, we asked the CISO which key elements are part of their programs:
Naturally, security requirements, guidelines, security training and risk management were prevalent parts of information security management programs. Interestingly, using a secure software development lifecycle ranked fairly low as a part of the CISOs’ current security management programs. This finding might also indicate a lack of an application security strategy or maturity model for determining which domains to focus on and which SDLC activities to implement (see also the CISO AppSec Guide: Application Security Program).
Two thirds use technical tools to support their application security management process