2012-10-20


Revision as of 18:21, 20 October 2012

= Introduction =

The aim of this project is to help Chief Information Security Officers (CISOs) establish and manage an application security program that addresses the organization's application security goals, such as meeting information security compliance requirements and reducing the risks to the business from attacks that seek to exploit web application vulnerabilities as well as weaknesses and gaps in application security controls. Because of the role that CISOs play in the organization, they are critical in deciding what policies and governance are required to securely operate the business within their business domain. Since CISOs are responsible for information security and governance, they are also responsible for application security governance, application security risk management, incident management, and the prioritization of security measures and security investments, including application security measures such as processes, people and information technologies.

In this guide, particular emphasis is given to the analysis of the impacts of security incidents caused by attacks against web applications. Given an evolving threat landscape in which web applications are a primary target, CISOs are challenged to invest in application security measures to mitigate the risks of these threats. The aim of this guide is to help CISOs prioritize investment in application security measures by considering criteria such as the quantification of risk and the monetization of the impact of data breaches on the organization. This impact is compared with the benefits of investing in application security measures and activities. From a security risk management perspective, the main focus of this guide is on mitigating the risk that application vulnerabilities might severely and negatively impact the business. Examples of negative impacts include the increased costs of recovering from application security incidents that cause data loss, online fraud, loss of revenue and reputational damage to the organization.

Besides investing in detecting and fixing web application vulnerabilities, CISOs today also need to invest in new countermeasures to mitigate the risks of new threats. Beyond security controls and technologies, application security measures as a whole are an important factor in mitigating the risks to the organization. The planning of application security measures needs to take into consideration the maturity of the organization's security governance and security risk management processes. This allows the CISO to plan the roll-out of application security activities that can evolve from a single ad-hoc activity to several activities that are standardized and consistently managed across the organization. These include application security processes and tools such as architectural risk analysis and threat modeling, secure code review and static source code analysis, and application security testing and web application vulnerability scanning. This guide aims to help CISOs achieve compliance with security standards and regulations, reduce the risks of application vulnerabilities, and prioritize security investments where they are most cost-effective and most effective at mitigating risk.

References to several OWASP resources are provided, including application security guidelines, security training modules and security testing tools. Among the CISO goals for application security, meeting compliance with information security policies is often the one that receives the most focus. The aim of this guide is to shift the focus of CISOs from security compliance to the reduction of security risks posed by threats to and vulnerabilities of web applications. Since both investment in compliance and operational risk management are CISO responsibilities, investment in application security measures should focus on what is most cost-effective in managing risk. After the investments are made, it is important for CISOs to report on the status of both application security governance and application security risk management, and to make informed decisions on how to manage application security risks more effectively.

== Goals ==

In the digital era, global organizations serve an increasing number of customers through online web and mobile software applications. Several of these web applications provide highly trusted services to customers; in the case of financial services, for example, these include feature-rich services to open bank accounts, pay bills, apply for loans, book resources and services, transfer funds, trade stocks, view account information, download statements, etc. This online experience is convenient for individuals: it allows them to perform the same financial transactions as at the branch, office or outlet, with the added convenience of conducting them remotely from a home computer or mobile phone. At the same time, this convenience for customers comes at a price to the organizations that develop and maintain these applications. Online banking and commerce sites, for example, have become the target of an increasing number of cyber-attacks and incidents. Several of these incidents have resulted in denial of online access, breaches of customer data and online fraud.

In the case of data breach incidents, these attacks often involve the exploitation of vulnerabilities in the applications such as cross-site scripting and SQL injection. The targets of these attacks are the data assets that the site stores as well as the business transactions provided by the applications that process these data. In the case of online banking applications, the data targeted by hacking and malware include personal data of customers, bank account data, credit and debit card data, and online credentials such as passwords and PINs; last but not least, attackers alter data in online financial transactions such as money transfers in order to commit fraud. Verizon’s 2012 Data Breach Investigations Report (Ref [1]) identifies hacking and malware as the most prominent types of attack, yielding stolen passwords and credentials and thus posing a major threat to any organization that trades online.

To cope with this increase in incidents targeting web applications, such as denial of service and data breaches often caused by hacking and malware, Chief Information Security Officers (CISOs) have been called upon by senior executives in their organizations to roll out application security measures to avoid, mitigate and reduce these risks to the organization. The increasing threat to web applications such as online banking applications challenges CISOs to consider increased investment in application security.

Since there also appears to be a disconnect between organizations' perceived threats (application security threats are rated the greatest) and their spending (spending on network and infrastructure security is still much higher, Ref [27]), we would like to shed some light on the business impact of data breaches due to application vulnerability exploits and how much these might cost organizations.

Typically, additional budget allocation for application security includes the development of changes to the application to fix the causes of the incident (e.g. fixing vulnerabilities) as well as the roll-out of additional security measures, such as preventive and detective controls, for mitigating the risks of hacking and malware and limiting the likelihood and impact of future data breach incidents. CISOs can build a business case for additional application security budget for different reasons: some directly tailored to the company's risk culture or appetite for risk, others tailored to application security needs. Some of these needs can be identified by analyzing the results of application security surveys. Readers of this guide are invited to participate in the OWASP security survey linked here, so that the contents of this guide can be tailored to the needs of the CISOs who take part: [https://www.surveymonkey.com/s/SCJBX7R OWASP Application Security Survey]. Budgeting for application security measures may depend on different factors, such as compliance with security policies and regulations, and operational risk management including the risks due to application vulnerabilities and the response to security incidents involving web applications. For the sake of this guide we will focus on the following business goals of investing in application security measures:

#Mitigation of the risks of cyber threats targeting web application vulnerabilities
#Meeting industry-specific security compliance requirements

Nevertheless, even assuming the business case can be made along these goals, CISOs still have the difficult task of justifying “how much” money the company should spend on application security and “where” to spend it. Regarding how much, it often boils down to the minimum investment that satisfies compliance requirements and passes the auditors' checks. When the focus is vulnerability risk management, the main goal is to fix high-risk vulnerabilities and reduce the residual risk to a value acceptable to the business. When the focus is security incident management, the question is how to quickly detect and respond to serious incidents.

Both for mitigating real risks (e.g. incidents, vulnerability exploits) and for mitigating non-compliance risks (e.g. unlawful non-compliance), the question for CISOs is "where" and "how" to prioritize the spending of the application security budget. Often the question is which countermeasure, application security process, activity or security tool yields “more bang for the money” for the organization.

Regarding the "where", it comes down to correctly balancing the different application security and risk domains; to name the most important ones: business governance, security risk management, and operational management, which includes network security, identity management and access control, and incident management. Since application security as a discipline encompasses all these domains, it is important to consider all of them and look at application security investment from these different perspectives.

== Legal and Compliance Criteria for Application Security Budget Allocation ==