Talk:Application Security Guide For CISOs
Meeting Notes 1/27/2012
Participants: Marco

Guys, I opened the bridge at 12:00 GMT but closed it after 10 minutes because nobody was attending.
Anyway, I just wanted to give you a summary of my thoughts regarding this initiative. I will be attending a security summit in Milan on March 22nd and will participate in a forum with Italian banks.
My objective is to present a complete draft to the CISOs attending, as well as some results of the CISO survey. This is aligned with the "momentum" objective we talked about at the last meeting. To complete the guide, we would need to draft part III, which is where in the SDLC to target spending, and part IV, the metrics for managing risks and security costs.
My idea for part III is to provide an analysis of the causes of vulnerabilities and how these causes can be mitigated with people, process and training; specifically, besides which phases of the SDLC to target spending on, also which specific projects/activities, including SDLC-specific guides as well as training. For part II, I will also reference the results of the CISO survey in relation to what the risk mitigation needs are and what OWASP can do to satisfy them. The business cases covered in parts I and II go along with the needs from CISOs, because once the needs are identified it is also important to be able to make the case for investment/budget.
For part IV, the metrics help both to manage risks and countermeasures and to support the case in terms of money, that is, bang-for-the-buck metrics that measure the effectiveness of mitigating risk with a focused budget.
I will move this meeting to next month; hopefully it will be better attended. Thanks for your attention, and have a nice weekend, all.
Meeting Notes 12/21/2011
Participants: Alex, Eoin, Marco, Rex

The purpose of the meeting was to brief on the status of the AppSec Guide for CISOs, capture feedback and ideas for improving the content, and capture a list of points to take action on in the future. What we have today in this guide is a draft document whose purpose is to provide a set of business cases for CISOs for the adoption of best practices in application security that will drive adoption/endorsement of OWASP resources/projects. The guide is divided into 4 sections: 1) the business cases for investment in application security, 2) the guidance on which issues need to be targeted by the investment, 3) the selection of where in the SDLC to target spending, and 4) the metrics for the management of risk and costs. The end goal of the guide is to pair with the OWASP CISO Survey as a solution document/white paper. Ideally this document will bridge the organizational needs in application security identified as part of the CISO survey with the OWASP projects as solutions for these needs. The critical value lies in being able to provide a mapping of CISO needs with budget for application security and the endorsement of OWASP projects to meet these needs. The extent to which this will be possible depends a lot on how effective the business cases are, so that they can be emphasized to CISOs. The business cases that have been documented in the guide today are not part of the survey; they are around common-sense justification of IS spending on application security, compliance and risks, specifically the risk of monetary losses due to security breaches and incidents whose root causes are the exploitation of application vulnerabilities, for which OWASP leads as a resource of best practices/guides/tools.
The important points raised during the meeting/discussion were:
1) The importance of coordinating the completion of the guide with the survey. Currently the business cases are made before the survey, a type of cart-before-the-horse approach; ideally there should be a 1:1 mapping of survey needs to the OWASP business cases that address these needs.
2) The opportunity to exploit a conference such as ISSA, Black Hat, OWASP etc. to build momentum about the adoption of the guide and the survey.
3) The importance of documenting well a metric that allows measuring the effectiveness of security investments; this needs to make sense across different domains such as engineering, security, fraud risk etc.
4) Capture other work done on similar subjects, such as the security cost justification papers by Denim Group.
5) Emphasize that this guide is in direct response to what the survey needs are, a type of "we hear your problem, here is the solution we propose", ideally targeting the same list of people that participated in the survey as distribution.
6) Map as closely as possible the CISO business cases to OWASP project business cases. This will require translating the technical value of OWASP projects into business value, expressed in tactical and strategic terms, emphasizing risk mitigation and cost efficiencies/savings.
7) Supply a list of business cases for each OWASP project to direct the CISO to adoption of/investment in these OWASP projects.

Actions moving forward:
1) Need to bring sections III and IV to completion.
2) Will hold a meeting monthly to brief and track progress on points 1-7 captured at the meeting.
Please find below my questions/comments on the remaining justification values. As I said, some of these are to prompt debate or to simulate the sort of questions sceptics may come up with, but they also include my own misunderstandings. They are not meant to be critical and I only hope they contribute to an even better final document.
The reference for this (http://www.verdasys.com/thoughtleadership/) is not available free of charge, so I can't verify the amount or assumptions. But the units "per customer per year" worry me a little. What costs are there in year 2 onwards for a single incident (in year 1)? I can only think of payment protection insurance. Over ten years, does that mean $6550? Or should a net present value (NPV) of the cost be used instead?

There may be some other sources we can reference for alternative numbers, to show we haven't just picked the worst one!
If the $655 figure already includes some averaging for customers, the 4.6% may be irrelevant since this is already taken into account in the calculation of 655 - unable to verify for the same reason as a). However, the 4.6% doesn't seem to matter in subsequent calculations, so this may be a minor issue.

But if $30.11 (instead of $655) is the meaningful number, the rest of the calculations may need to be adjusted?

We need the (public?) reference source for the 4.6% number.
Is this "breach type: web"? We should state this in the reference, and the period (e.g. 477 incidents from X to Y). It would seem to be

Need to define period in reference - sorry, can't access WHID data at the moment to check this.
I think this figure is correct (based on the assumptions), but maybe the way it is shown being calculated could be confusing. If any incident caused the loss of 1 million records, the cost is 1 million x $655 = $655,000,000, i.e. it doesn't matter what method was used. But then we are saying that 2.5% of such incidents on average are attributable to SQLi, which gives on average $16,000,000 per incident. I think mentioning the $16 is confusing and maybe undermines the argument. It would be wrong to say the cost of a SQLi record loss is $16 for example (it is $655 still).

So I think the wording in this paragraph needs to relate to the average proportion associated with SQLi.
My only concern with this number is that to calculate a per-incident value, we have used something which includes "per year" - see a).

We need a reference for "4 attacks every ten years".
Let's be careful, the SLE of a SQLi attack which obtains 1 million records is $655,000,000, not $16,000,000. So the question is, does "4 [successful?] attacks every ten years [that grab 1 million records]" mean 4 security incidents OF ANY TYPE?

If it is 4 of any type, of which 2.5% are SQLi, I agree $6,400,000 (or actually 6,550,000) is the ALE due to SQLi via web.

Is there a public source to check this number and its assumptions/basis?
Can I ask why this is calculated as 0.37 x $16,000,000 and not 0.37 x the $6,400,000 number (the ALE)?
j) 95% effectiveness of mitigation

Need a reference for this.

Could you write out this calculation for me as well please. I can't work it out!
+++ Just saw Eoin's new comment.... we could have separate examples (as appendices) for different sectors with the numbers (and reference sources) written in, and make the main text more generic perhaps?
Would propose to add to the Risk management sections about:
- the various risk models: OWASP, ISO-27005, ITIL, NIST SP 800-30, FAIR (Factor Analysis of Information Risk), ISO 31000, Risk IT (ISACA), OCTAVE?
- Asset Classification, Threat Analysis & Vulnerability Assessment
- Risk Heat Map
- Qualitative vs. Quantitative