Application Security Guide for CISO
The goals of the 2013 version of the Application Security Guide for CISOs were:
- Make Application Security and OWASP more visible to Application Security managers and CISOs.
- Analyse the reasons for adopting an Application Security Program by an organisation (e.g., tactical and strategic).
- Explain the difference between technical risks and business risks, including how to estimate costs of data breaches.
- Factor the impact of emerging technologies in Application Security Program (e.g., Mobile, Cloud, Web Services) and provide guidance.
- Provide examples of metrics and measurements for Vulnerability Risk Management.
For the planned 2018 version, on which problems and solutions/guidance can we expand? (NOTE: these will be assessed with expanded CISO survey questions)
- Impact of GDPR on AppSec and recommendations (including outcomes of 2017 Summit CISO track)
- Emerging technology risks and risk mitigation guidance (e.g., APIs and Micro-services, Biometrics)
- Evolving threats facing web applications, e.g., 0-day exploits of AppSec vulnerabilities; and solutions, e.g., improved attack detection with new tools (such as RASP)
- Others (brainstorming)
Synopsis and Takeaways
Outcome 1 – What topics would you like covered in the new CISO guide? (unranked)
- Incorporate reference to outcomes of 2017 Summit CISO track
- Expand to include new tools/technologies
- Expand to include compliance with GDPR
- Expand on new emerging technology risks and provide risk mitigation guidance (e.g., APIs, proliferation, and micro-services/interoperability, biometrics, cloud (internal and external), strategies for managing risk in cloud environments)
- Expand on Risk Management Strategies for vendors, provisioning, supply-chain risks
- Expand on new evolving threats facing web applications (e.g., 0-day exploits)
- Add reference to handbooks and playbooks for CISO’s managed process
- Where to provide guidance or where to focus. For example, if there are 5,000 applications in different countries, how should security resources be allocated?
- How to get visibility across the organisation. As CISO you need to know what changes are being made, and where.
- Corporate culture: how can a CISO be an agent of change and overcome cultural challenges? Knowing the corporate culture to enable the CISO to function properly; trust is crucial to success
- Success stories as examples of how to win – people can refer to these as a value-add – how can the CISO provide value to the business?
- Knowing the right questions to ask triggers the appropriate response and action.
- A proactive, strategic CISO is better than a reactive one: a proactive CISO knows how to shift focus from fighting fires to ensuring the fires do not get out of control
- After an incident, think about how to promote change; train people to think holistically not just about the incident, but about the impact of the incident.
- Involvement: the CISO should be involved in road mapping for future deployment, and in business development meetings, so they can plan ahead.
- Format: It was agreed that a handbook would have more value than a playbook, given that threats and requirements vary between companies.
Outcome 2 – What type of question would you like included in the new CISO guide? (unranked)
- Which of the organisation's IT assets, networks, or applications are considered more at risk of cyber-attacks?
- Does your organisation have a cyber-threat intelligence program and an attack monitoring/alert process?
- Has your organisation adopted S-SDLC? If yes, which one? Does it include threat modeling?
- Is application security seen as an investment or as a cost by your organisation?
- Does your planning of application security follow a long-term strategy of at least two years' duration?
- Questions are needed on how to map the scope from the application and business-process perspectives
- How to manage risk from third parties, private vs. public premise
- How do you manage the risk for developing technologies, such as the cloud?