2012-10-21

Revision as of 19:05, 21 October 2012

(3 intermediate revisions by one user not shown)

Line 3:

Line 3:

The aim of this OWASP project is to help Chief Information Security Officers (CISO) in establishing and managing an application security program that addresses the different application security goals of the organization such as meeting compliance with the information security requirements and reduce the application security risks. Specifically, in regarding of the application security risks, the focus of this guide is to help CISOs in investing in application security measures that mitigate the risks of attacks targeting web application vulnerabilities as well as weaknesses and gaps in application security controls. Since CISOs are responsible for information security, governance and risk management, they are also responsible for the application security aspects such as application security management governance, application security risk management, application security incident management and prioritization of investment in application security processes, people, tools and technologies.

The aim of this OWASP project is to help Chief Information Security Officers (CISO) in establishing and managing an application security program that addresses the different application security goals of the organization such as meeting compliance with the information security requirements and reduce the application security risks. Specifically, in regarding of the application security risks, the focus of this guide is to help CISOs in investing in application security measures that mitigate the risks of attacks targeting web application vulnerabilities as well as weaknesses and gaps in application security controls. Since CISOs are responsible for information security, governance and risk management, they are also responsible for the application security aspects such as application security management governance, application security risk management, application security incident management and prioritization of investment in application security processes, people, tools and technologies.



In this guide, a particular emphasis is given to the analysis
of the
impacts of security incidents caused by attacks against web applications. Due to the
evolving threat landscape
, today’s threats target web applications with
malware and hacking
for compromise
data and for financial gain,
therefore
CISOs
are
challenged by the business to
take measures
to mitigate the risks
that these threats pose to web applications
and
the business. Examples of negative impacts consist on the increased costs of recovering from
application security
incident causing data losses, online fraud, loss of revenue and reputational damage
to
the organization
.
Therefore
the aim of this guide is to provide guidance to CISOs for prioritizing the
investments in application security measures.  One
of
the CISOs main goals for application security is mitigating the risk that application
vulnerabilities might severely and negatively impact the organization by jeopardizing the business.

+

Because
of the
constantly
evolving threat landscape
where
malware and hacking
are seeking to attack web applications to compromising customer’s sensitive
data and
company proprietary information
for financial gain
and for conducting fraudulent transactions
, CISOs
find themselves
challenged by the business to
make decisions on how
to mitigate the risks
by making trade-off between current
and
new
application security
measures
to
decide where to recommend investments
.
By considering this need,
the aim of this guide is to provide guidance to CISOs for prioritizing the
risk mitigation
of vulnerabilities might severely and negatively impact the organization by jeopardizing the business.



To decide
where
to invest
in application security
, we
will consider
criteria such as the quantification
of risk and the monetization
of the impacts of
hacking and
data breaches
to the organization
. These impacts are then compared with the costs and the benefits of investment in application security measures.

+

+

To decide
which vulnerabilities to prioritize for mitigation as well as which countermeasures
to invest, we
provide risk based
criteria such as the quantification of the
business
impacts of data breaches. These
busienss
impacts are then compared with the costs and the benefits of investment in application security measures.

Besides fixing vulnerabilities that might cause the most impact to the business, CISOs today need to identify new countermeasures to mitigate the risks of new threats. Application security preventive and detective controls play an important factor in mitigating the risks of malware and hacking to the organization. This guide will provide some examples on how to identify countermeasures that mitigate the risks of new threats and new technologies adopted by the organization such as mobile, web 2.0 and cloud computing.

Besides fixing vulnerabilities that might cause the most impact to the business, CISOs today need to identify new countermeasures to mitigate the risks of new threats. Application security preventive and detective controls play an important factor in mitigating the risks of malware and hacking to the organization. This guide will provide some examples on how to identify countermeasures that mitigate the risks of new threats and new technologies adopted by the organization such as mobile, web 2.0 and cloud computing.



From the strategic point of view, risk mitigation is an ongoing activity that requires CISOs to pay close attention to new threats
so he can
plan for countermeasures to mitigate these threats.

The planning
of the rolling out of
application security
measures needs to
take into consideration
the maturity
of the organization in
the
security governance
and the security
risk management processes. By assessing the
maturity
of the organization in implementing these processes, the CISO can plan to invest application security activities that are most needed. These security actives might include
application
security processes/tools such as architectural risk analysis/ threat modeling, secure code reviews/static source code analysis and application security testing/web application vulnerability scanning. A reference to the several OWASP
resources is
provided:  this includes application security guidelines, security training modules and security testing tools.

+

From the strategic point of view, risk mitigation is an ongoing activity that requires CISOs to pay close attention to new threats
and
plan for
new application security activities and new
countermeasures to mitigate these
new
threats. The planning
for
application security
activities should also
take into consideration
in which domains
of
application security to invest
the organization
capabilities
in
these domains. Examples of this domain include application
security governance
,
risk management
, compliance and security in the SDLC
processes. By assessing the
capabilities
of the organization in implementing these processes
by using a maturity framework
, the CISO can plan to invest
in the
application security activities that are most needed
to reduce risks
. These
application
security actives might include
software
security processes/tools such as architectural risk analysis/ threat modeling, secure code reviews/static source code analysis and application security testing/web application vulnerability scanning. A reference to the several OWASP
projects that can be used by the CISO for planning and developing an application program are
provided:  this includes
OWASP
application security guidelines, security training modules and security testing tools.

+

+

Among the CISO goals for application security, meeting compliance with information security policies is often the one that has the most focus. This guide aims also to help CISOs in using compliance of web applications with security standards and regulations as justification for investing in application security activities. Since achieving compliance today is no longer enough for secure web applications from the continuous evolving threat landscape, the aim of this guide is shift the focus of CISOs from security compliance to risk management. For several organizations today the costs to the business due to the impacts of security incidents is much higher than the cost of non-compliance and failing audits. Since investment in compliance as well as operations risk management are among CISO responsibilities, the focus of investment in risk management is articulated as “what are the most cost effective measures to manage security risks”.



Among the CISO goals for application security, meeting compliance with information security policies is often the one that has the most focus. This guide aims also to help CISOs in using compliance with security standards and regulations as justification for investing further in application security risk management. The aim of this guide is shift the focus of CISOs from security compliance to the reduction of security risks posed by threats and vulnerabilities of web applications since the impacts of these to the organization can be much higher than non-compliance and failing audits. Since investment in compliance as well as operations risk management are among CISO responsibilities, the focus of investment in application security measures is articulated as “what is most cost effective to manage risks”.
Finally, after application security investments are made, it is important for the CISO
to be able
to measure
compliance
and
risks and to
report
to executive management
on the status of the application security program. One important factor
of
risk metrics
is to allow senior
management to make informed decisions on where to focus the risk mitigation effort and
how
to manage security risks more effectively.
Examples of this
metrics
are
also included in this guide
as reference
.

+

Finally, after application security investments are made, it is important for the CISO to measure and report on the status
of governance, risk and compliance
of the application security program. One important factor
for managing risks is the
risk
management
metrics
. The risk
management
metrics allow CISOs
to make informed decisions on where to focus the risk mitigation effort and to manage security risks more effectively.
Some guidance on
metrics
suitable for measuring governance, risk and compliance of application security processes is
also included in this guide.

== Structure ==

== Structure ==
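Review bot: the new wording "These busienss impacts are then compared with the costs and the benefits of investment" carries a typo; "busienss" should read "business". The same revision keeps two slips from the older text that were worth fixing while the paragraphs were being rewritten: "These application security actives might include software security processes/tools" should say "activities", and "The aim of this guide is shift the focus of CISOs from security compliance" is missing "to" before "shift". Suggest correcting all three in the next edit, since the rest of the rewritten paragraphs read cleanly.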

Line 96:

Line 99:

====Objective vs. Subjective Considerations====

====Objective vs. Subjective Considerations====



From the perspective of the “how much needs to be spent in application security”, the executive management that will approve the budget need to know how much, of the overall security budget should be spent to reduce the likelihood of a similar security breach will not re-occur. For example, assume an online banking site has been breached and sensitive customer data have been compromised, the question is how much need to spent and which security measures should be targeted for spending. To answer these questions, a risk based approach should be used and some application specific security investment risk based criteria need to be adopted, some of these criteria are documented in this guide for CISO reference. These criteria can help CISOs to determine security costs in terms of either potential or occurred monetary losses due to accidents and attacks, and compare this with the cost of the investment in the security of applications.  Nevertheless, any risk criteria can only be useful if based upon objective and not subjective considerations, such as using quantitative risk evaluations of the costs that the organization incurred because of security breaches exploiting web application vulnerabilities. Often the next year budget is based upon extrapolation of current year expenses and financing of new programs. These are all good criteria
, a
bad criteria is budgeting based upon the perception of risk among industry peers instead of an
objective
assessment of risks. The intent of this guide is to provide
some
objective assessment of risks and to
approach application security investments from
risk
analysis
and
risk management perspective

+

From the perspective of the “how much needs to be spent in application security”, the executive management that will approve the budget need to know how much, of the overall security budget should be spent to reduce the likelihood of a similar security breach will not re-occur. For example, assume an online banking site has been breached and sensitive customer data have been compromised, the question is how much need to spent and which security measures should be targeted for spending. To answer these questions, a risk based approach should be used and some application specific security investment risk based criteria need to be adopted, some of these criteria are documented in this guide for CISO reference. These criteria can help CISOs to determine security costs in terms of either potential or occurred monetary losses due to accidents and attacks, and compare this with the cost of the investment in the security of applications.  Nevertheless, any risk criteria can only be useful if based upon objective and not subjective considerations, such as using quantitative risk evaluations of the costs that the organization incurred because of security breaches exploiting web application vulnerabilities. Often the next year budget is based upon extrapolation of current year expenses and financing of new programs. These are all good criteria
whe the additional spending is justified to mitigate the increased risk exposure due to the escalating threats against web applications. A
bad criteria is budgeting based upon the perception of risk among industry peers instead of an
organization specific
assessment of risks. The intent of this guide
,
is to provide
CISOs with
objective
criteria for the
assessment of
application security
risks and to
guide the CISOs on
risk
vs. benefits considerations for help deciding on which security measures to spend
and
how much to spend.

====Seizing the right Opportunity====

====Seizing the right Opportunity====
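Review bot: "whe the additional spending is justified to mitigate the increased risk exposure" in the new text is a typo for "when", and the rewritten closing sentence gained a stray comma: "The intent of this guide , is to provide CISOs with objective criteria". Both the old and the new version also say "A bad criteria is budgeting", which should be "A bad criterion is", and "for help deciding on which security measures to spend" reads better as "to help decide which security measures to spend on". Suggest fixing these before the section is finalised.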
