Welcome to the full schedule of the OWASP AppSec Research EU 2013 conference days. You’ll find the schedule for the training days at http://trainings2013.appsec.eu
Thursday, August 22 • 11:50am - 12:35pm
OWASP - CISO Guide and CISO report 2013 for managers


This talk will present two new OWASP projects, the CISO guide and the first results of the CISO Survey report 2013. Its main goal is to provide guidance on application and web security for senior managers and to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide.
With a constantly evolving threat landscape in which attackers target web applications to compromise customers’ sensitive data and company proprietary information, CISOs are challenged by their businesses to decide how to mitigate the risks. Risk decisions often involve a trade-off between current and new web application security measures, and deciding where to invest. An investment in an application security program is critical for reducing application security risks, besides meeting the goals of governance and compliance with information security policies.

OWASP has developed a guidance document, the OWASP CISO Guide, specifically to address the needs of CISOs and to help them prioritise the mitigation of web application vulnerabilities that might severely and negatively impact the organisation and jeopardise the business.

From the strategic point of view, risk mitigation is an ongoing activity that requires CISOs to pay close attention to new threats and to plan new application security activities in different security domains, including application security governance, risk management, compliance and security in the SDLC processes. Among the CISO goals for application security, meeting compliance with information security policies is often the one that receives the most focus. This guide also aims to help CISOs use the compliance of web applications with security standards and regulations as justification for investing in application security activities.

For several organisations today, the costs to the business from the impacts of security incidents are much higher than the costs of non-compliance and failed audits. Since investment in compliance as well as operational risk management are among the CISO’s responsibilities, the focus of investment in risk management is articulated as “what are the most cost-effective measures to manage security risks?”.

Finally, after application security investments are made, it is important for the CISO to measure and report on the status of governance, risk and compliance of the application security program. Some guidance on metrics suitable for measuring governance, risk and compliance of application security processes is also included in this guide.

1. Business cases & Risk-cost decision criteria for application security investment
2. Prioritization and Criteria for Mitigating Application Security Risks
3. Application Security Processes
4. Selection of Metrics For Managing Risks & Application Security


Tobias Gondrom

Managing Director, Thames Stanley: Information Security and Risk Management Advisory
Tobias Gondrom is Managing Director of Thames Stanley, a CISO and Information Security & Risk Management Advisory based in Hong Kong, the United Kingdom and Germany. He has fifteen years of experience in software development, application security, cryptography, electronic signatures and...

Thursday August 22, 2013 11:50am - 12:35pm CEST
Großer Saal