According to the 2013 Chief Information Security Officers survey by the Open Web Application Security Project (OWASP), 75 percent of CISOs responded that external attacks had increased. When asked what the main areas of risk as percentage of the overall risk are, 70 percent of CISOs responded that web applications represent an area of risk higher than network infrastructure.
A renewed focus on protecting web applications
The increased perception of threats and risks for applications shifts the organization investment from the traditional network security to application security: about 48 percent of CISOs have seen the investment in application security increasing as part of the company's annual budget, 37 percent consider it relatively constant and only 15 percent have seen a decrease. But this increased investment in application security brings new challenges for CISOs since securing web applications and software requires a different set of capabilities and skills outside the traditional information security domains.
Specifically in the case of web applications security is achieve by engineering secure software during the Software Development Life Cycle (SDLC). The industry standard approach for "building security in" consists of adopting a Security in the SDLC (S-SDLC) methodology and to embed software security activities within the organization's SDLC such as architecture risk analysis, secure code reviews, static source code analysis and web application penetration testing.
Today there are several type of S-SDLC that can be adopted by organizations to build security into the SDLC such as OWASP CLASP, Microsoft SDL and Cigital Touch Points. Nevertheless, even if the implementation and execution of the S-SDLC can be driven by information security it requires the collaboration and the help of software engineering teams. This collaboration is critical and is difficult to achieve without following of an application security strategy and the awareness among software engineering teams of which application security processes, standards, training and tools can be used for building more secure web applications and products.
Ultimately, the reasonability for setting the application security strategy falls on the shoulders of CISOs as well as the budgeting for the application security programs, the set of the governance model and the training of the application security stakeholders that includes both the security team and the software developers.
Setting up a strategy for application security
To help CISOs in the definition of an application security strategy that adequately addresses the needs of compliance and web risk management, OWASP has published a specific guide, the "Application security Guide for CISOs." Traditionally, the focus of OWASP has not been the CISOs, but application security consultants and penetration testers by providing them with free guides, cheat sheets and tools for designing, coding and testing secure web applications. Each of these guides and tools has been developed by the OWASP community as "projects" and funded thanks for the support of individual membership and corporate sponsorship.
Among the most popular projects produced by OWASP is the OWASP Top Ten, a de facto benchmark for web application vulnerability testing and for compliance with security industry standards such as PCI-DSS. The main goal of this guide is to help CISOs in the definition of an application security strategy where traditional information security and compliance goals align with the technical and business risks management goals of each organization. To achieve this goal, the OWASP application security guide for CISO aims to help CISOs in setting an application security strategy that includes the following strategic activities:
The inclusion of technical and risk management criteria for assessing the impact of security incidents derived by exploit of web application vulnerabilities so these can be prioritized for fixing
The identification of the security controls and measures that have been proven effective in mitigating the impact of cyber-attacks against web applications
The assessment of technical risks that are inherent on certain types of web application technologies used by web and mobile clients as well as cloud computing
The adoption of SDLC processes to build security during software development
The planning of application security based upon the organization capabilities in different software security domains using Software Assurance Maturity Models like SAMM and BISMM
The adoption of vulnerability testing methodologies and tools that can be used to improve the overall security profile of the web applications that are managed by the organization
The training models that can be used for training software engineers in the design, development and testing of secure software
To know more about the OWASP Application Security Guide for CISOs:https://www.owasp.org/index.php/Application_Security_Guide_For_CISOs.
The guide will be featured in a talk at AppSec USA, November 18-21, NYC: http://www.appsecusa.org.
Marco Morana serves as project leader of the OWASP Guide for CISO. In his day job, Marco is the head of the application architecture security program globally for Citigroup and is based in London, U.K.