2012-09-26

Revision as of 22:11, 26 September 2012

* '''Targeting CISO Roles & Responsibilities'''




The adoption of application and software security processes within organizations varies greatly depending on the type of industry and the size of the organization. Because of their role and responsibilities within the organization, CISOs play a significant part in promoting application security initiatives. The main role of CISOs in large organizations is typically to manage compliance with information security standards and policies and to manage operational risk. For these CISOs, the budget for compliance is usually already allocated by either the information security or the operational risk department, and the budget for application and software security initiatives is part of the overall information security budget. For CISOs of large organizations, the main objective in adopting application security processes and tools is first and foremost to achieve compliance with standards and regulations and to minimize operational risk. Beyond compliance, the other main objective for introducing application security initiatives is to manage vulnerability assessments more efficiently.


The role and responsibility of CISOs of small organizations is not just to manage the organization's information security policies but also to develop technology that complies with security standards; FIPS 140, which governs cryptographic modules, is one example of such a security technology standard. In the financial industry, compliance with standards for processing credit card transactions such as PCI-DSS is also a CISO responsibility. Compliance with technology standards such as FIPS 140 and PCI-DSS represents an opportunity for CISOs to drive application security initiatives within the organization, such as application security programs for developing and maintaining secure systems and applications and for conducting external application layer penetration tests. In the case of PCI-DSS, for example, the requirement to conduct application layer penetration tests of web applications includes testing for a minimum set of vulnerabilities such as the OWASP Top 10. CISOs of small organizations can justify budget for application security programs not only by achieving compliance with technology standards but also by reducing compliance costs. In the case of PCI-DSS, for example, CISOs might opt for security assessments that satisfy compliance requirements while reducing the overall cost to the IT department: requirement 6.6 of PCI-DSS lets organizations choose between an application vulnerability assessment (such as static code analysis) and the deployment of a Web Application Firewall (WAF) in front of public-facing web applications. A CISO might opt for static code analysis because it provides a greater return on investment in security for the organization: it removes vulnerabilities from the code rather than only blocking attacks against them. Reducing the cost of compliance by introducing process efficiencies, and demonstrating return on investment, are therefore critical factors in the adoption of application security measures by CISOs of small organizations.


For CISOs of large organizations, the focus is rather on saving the money spent running current security processes, including application security. Examples of money-saving initiatives in application security include improving security testing processes and reducing risk to the organization by remediating vulnerabilities earlier in the SDLC. For CISOs of large organizations, focusing on software security can be justified by the return on investment of the software engineering activities that provide the most long-term savings to the organization, such as threat modeling and source code analysis. In the case of vulnerability assessments, budget for application security initiatives can be justified by the reduction of operational costs; examples of operational cost reductions in conducting vulnerability assessments include investing in static and dynamic application security testing (SAST and DAST) processes and tools.

For CISOs who serve in small organizations and report to the IT department, security is often a compromise with technical and business goals. In this case it is important for CISOs to be able to align application security programs with engineering and business goals. A possible business case for adopting application and software security is the reduction of the cost of managing security issues such as vulnerabilities, by investing in assessments with a higher return on security investment (ROSI) than penetration tests: secure architecture reviews, secure coding standards, manual and automated code reviews, and secure coding training for developers. For CISOs of both large and small organizations, vulnerability metrics are an important factor in making business cases for application security budgets. CISOs of small organizations can use defect management metrics to make the business case for which phase of the SDLC to invest in, improving both software quality and security. For example, since most quality and security bugs are due to coding errors, it is important for CISOs to emphasize to the IT department the need to focus on secure coding processes, standards and training for developers. Focusing on these software security activities also saves the organization money: a NIST study about the cost of fixing security issues, for example, has shown that fixing a coding issue in production is six times more expensive than fixing it during coding. To achieve these money-saving and efficiency goals, CISOs can work together with engineering department managers to promote application and software security initiatives. CISOs of both small and large organizations can successfully promote application security initiatives by working closely with business and project managers to achieve security, engineering efficiency and cost-saving goals together. Security metrics such as application vulnerability metrics can be used to demonstrate that application security initiatives such as secure coding standards, the adoption of secure development and assessment tools, and training for software developers ultimately help the organization deliver applications and software with fewer vulnerabilities before they are promoted into production.

== Choosing the right Tools from OWASP and other organisations ==
