OWASP AppSec Research 2013

This talk will present two new OWASP projects, the CISO guide and the first results of the CISO Survey report 2013. Its main goal is to provide guidance on application and web security for senior managers and to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide.
With a constantly evolving threat landscape where hackers are seeking to attack web applications to compromise customer’s sensitive data and company proprietary information, CISOs are challenged by their businesses to make decisions on how to mitigate the risks. Often risk decisions include the trade-off between current and new web application security measures and to decide where to invest. An investment in application security program is critical for reducing the application security risks besides meeting the goals of governance and compliance with the information security policies.

OWASP has developed a guidance , the OWASP CISO Guide, to specifically to address the needs of CISOs to help them in prioritising the risk mitigation of web application vulnerabilities might severely and negatively impact the organisation and jeopardising the business.

From the strategic point of view, risk mitigation is an ongoing activity that requires CISOs to pay close attention to new threats and plan for new application security activities in different security domains that include application security governance, risk management, compliance and security in the SDLC processes. Among the CISO goals for application security, meeting compliance with information security policies is often the one that has the most focus. This guide aims also to help CISOs in using compliance of web applications with security standards and regulations as justification for investing in application security activities.

For several organizations today the costs to the business due to the impacts of security incidents is much higher than the cost of non-compliance and failing audits. Since investment in compliance as well as operations risk management are among CISO responsibilities, the focus of investment in risk management is articulated as “what are the most cost effective measures to manage security risks”.

Finally, after application security investments are made, it is important for the CISO to measure and report on the status of governance, risk and compliance of the application security program. Some guidance on metrics suitable for measuring governance, risk and compliance of application security processes is also included in this guide.

Agenda
1. Business cases & Risk-cost decision criteria for application security investment
2. Prioritization and Criteria for Mitigating Application Security Risks
3. Application Security Processes
4. Selection of Metrics For Managing Risks & Application Security