Attention, CISOs: Strategy is the only security

OWASP Guide project leader Marco Morana outlines ideal application security strategies

According to the 2013 Chief Information Security Officers survey by the Open Web Application Security Project (OWASP), 75 percent of CISOs reported that external attacks had increased. When asked to rank the main areas of risk as a percentage of overall risk, 70 percent of CISOs responded that web applications represent a higher area of risk than network infrastructure.


A renewed focus on protecting web applications

The increased perception of threats and risks to applications is shifting organizations' investment from traditional network security to application security: about 48 percent of CISOs have seen the application security share of the company's annual budget increase, 37 percent consider it relatively constant and only 15 percent have seen a decrease. But this increased investment in application security brings new challenges for CISOs, since securing web applications and software requires a set of capabilities and skills outside the traditional information security domains.

Specifically, in the case of web applications, security is achieved by engineering secure software during the Software Development Life Cycle (SDLC). The industry-standard approach for "building security in" consists of adopting a Security in the SDLC (S-SDLC) methodology and embedding software security activities, such as architecture risk analysis, secure code reviews, static source code analysis and web application penetration testing, within the organization's SDLC.

Today there are several types of S-SDLC that organizations can adopt to build security into the SDLC, such as OWASP CLASP, Microsoft SDL and Cigital's Touchpoints. Nevertheless, even if the implementation and execution of the S-SDLC can be driven by information security, it requires the collaboration and help of the software engineering teams. This collaboration is critical and is difficult to achieve without an application security strategy and without awareness among software engineering teams of which application security processes, standards, training and tools can be used to build more secure web applications and products.

Ultimately, the responsibility for setting the application security strategy falls on the shoulders of CISOs, as does the budgeting for the application security programs, the definition of the governance model and the training of the application security stakeholders, which include both the security team and the software developers.


Setting up a strategy for application security

To help CISOs define an application security strategy that adequately addresses the needs of compliance and web risk management, OWASP has published a specific guide, the "Application Security Guide for CISOs." Traditionally, the focus of OWASP has not been CISOs but application security consultants and penetration testers, who are provided with free guides, cheat sheets and tools for designing, coding and testing secure web applications. Each of these guides and tools has been developed by the OWASP community as a "project" and funded thanks to the support of individual memberships and corporate sponsorship.

Among the most popular projects produced by OWASP is the OWASP Top Ten, a de facto benchmark for web application vulnerability testing and for compliance with security industry standards such as PCI-DSS. The main goal of the CISO guide, by contrast, is to help CISOs define an application security strategy in which traditional information security and compliance goals align with the technical and business risk management goals of each organization. To achieve this goal, the OWASP Application Security Guide for CISOs aims to help CISOs set an application security strategy that includes the following strategic activities:

The inclusion of technical and risk management criteria for assessing the impact of security incidents resulting from the exploitation of web application vulnerabilities, so that these vulnerabilities can be prioritized for fixing

The identification of the security controls and measures that have been proven effective in mitigating the impact of cyber-attacks against web applications

The assessment of technical risks that are inherent in certain types of web application technologies used by web and mobile clients, as well as in cloud computing

The adoption of S-SDLC processes to build security in during software development

The planning of application security based upon the organization's capabilities in different software security domains, using software assurance maturity models such as OpenSAMM and BSIMM

The adoption of vulnerability testing methodologies and tools that can be used to improve the overall security profile of the web applications that are managed by the organization

The training models that can be used to train software engineers in the design, development and testing of secure software


To know more about the OWASP Application Security Guide for CISOs:

The guide will be featured in a talk at AppSec USA, November 18-21, NYC:

Marco Morana serves as project leader of the OWASP Application Security Guide for CISOs. In his day job, Marco is the head of the global application architecture security program for Citigroup and is based in London, U.K.
