2013-10-26


Revision as of 10:10, 26 October 2013


===Application Security Governance, Risk and Compliance ===

 


Governance is the process that introduces policies, standards and processes, and sets the strategy, goals and organizational structure to support them. At the operational level, governance, compliance and risk management are interrelated. As part of their governance responsibilities, CISOs influence the application security goals and work with executive management to set the application security standards, processes and organizational structure to support these goals. As part of their compliance responsibilities, CISOs work with auditors and the legal counsel to derive information security policies and to establish requirements to comply with, measure and monitor, including application security requirements. As part of their risk management responsibilities, CISOs identify, quantify and evaluate risks to determine how to mitigate application security risks; this includes introducing new application security standards and processes (governance), new application security requirements (compliance) and new application security measures (risks and controls). From a governance perspective, the adoption of application and software security processes and the establishment of application security teams and application security standards within any given organization vary greatly depending on the type of the organization's industry, the size of the organization and the different roles and responsibilities that the CISO has in that organization. OWASP provides several projects and guidance for CISOs to help develop, implement and manage application security governance. Please consult the [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Quick_Reference_to_OWASP_Guides_%26_Projects Appendix B: Quick Reference to OWASP Guides & Projects] for more information on OWASP projects and guides in the governance domain.

 

 




Typically the source of application security investments also varies depending on the size and the type of the organization. For CISOs reporting to the organization's head of operational information security and risk management, the budget for application security is typically part of the overall budget allocated by the information security and operational risk departments. For these CISOs, one of the main reasons for the adoption of new application security activities, guides and tools, such as the ones that OWASP provides, is first and foremost to satisfy compliance and to reduce risks to the organization's assets such as applications and software. Compliance varies greatly depending on the type of industry and the clients served by the organization. For example, organizations that produce software that implements cryptography for use by governments, such as the departments and agencies of the United States Federal government, need to comply with Federal Information Processing Standards (FIPS) 140. Organizations that produce software and applications that handle cardholder data, such as credit and debit card data for payments, need to comply with the Payment Card Industry Data Security Standard (PCI DSS). CISOs that report to the organization's head of information technology typically have responsibility for both security and information technology functions, which might also include the compliance of applications and software with technology security standards such as FIPS 140 and PCI-DSS. Compliance with security technology standards represents an opportunity for promoting secure development and testing within the organization, such as by using OWASP security testing guides for achieving security certifications for applications and software products. Compliance with PCI-DSS requirements, for example, might already require the organization to test applications for a minimum set of common vulnerabilities such as the OWASP Top 10. The budget allocated by the IT department for achieving certifications with technology security standards such as FIPS-140 and PCI-DSS can also be used for promoting secure coding guides, such as the OWASP secure coding guide, and for investing in static code analysis tools. For example, in the case of compliance with PCI-DSS, CISOs might opt for static code analysis to satisfy requirement 6.6 of PCI-DSS. OWASP provides several projects and guidance for CISOs to help develop and implement policies, standards and guidelines for application security, as well as to help define application security requirements that can be verified and audited. Please consult the [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Quick_Reference_to_OWASP_Guides_%26_Projects Appendix B: Quick Reference to OWASP Guides & Projects] for more information on OWASP projects in the standards and policies and audit & compliance domains.

 

 




CISOs of small organisations can also use vulnerability management metrics to make the business case for which phases of the SDLC to invest in for security, improving both software quality and security. For example, since most quality and security bugs are due to coding errors, it is important for CISOs to emphasize to the IT department the need for secure coding processes, standards and training for developers, since focusing on these software security activities also leads to cost savings for the organization. A study from NIST about the cost of fixing security issues, for example, has shown that fixing a coding issue in production is six times more expensive than fixing it during coding. To achieve these money-saving and efficiency goals, CISOs can work together with the engineering department managers to promote application security and secure software initiatives. [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Metrics_For_Managing_Risks_%26_Application_Security_Investments Part IV] of the CISO guide provides guidance on setting metrics for managing application security risks and for deciding on application security investments.



 


Among CISO responsibilities, Continuity of Business (CoB) is of primary importance, specifically for web applications that provide critical business functions to customers. CISOs are responsible for rolling out CoB plans to ensure that the business can continue to operate despite adverse circumstances or events. A CoB plan includes procedures to restore services that are lost because of a negative event, such as a power outage of the data centre where a web application is hosted. A critical item of CoB planning is the identification of web applications that are deemed business critical and the assignment of a level of criticality and specific requirements for CoB testing, such as the maximum time to recover from a loss of service. Similarly to CoB, having a disaster recovery plan is also one of the CISO's responsibilities: this includes processes, policies and procedures for the recovery or continuation of technology infrastructure in the case of a natural or human-provoked disaster.

 



One of the main CISO responsibilities is to increase application security awareness among the application security stakeholders. A 2012 survey by the Ponemon Institute and Security Innovation that included more than 800 IT executives found that "gaps in perceptions between security practitioners and developers about application security maturity, readiness and accountability indicate why many organizations' critical applications are at risk." Almost 80% of developers and 64% of security managers that participated in this survey responded that their organization has no process for building security controls into their applications; more than 50% of both developers and security officers reported that they did not receive software and application security training; only 15% of developers and 12% of security officers reported that applications met security regulations; and 68% of developers versus 47% of officers reported being aware of security breaches affecting applications that occurred in the past 2 years. It is clear that there is an opportunity for efficiency gains by building security into the SDLC through security training. OWASP has several training and awareness resources that can be used for training on application and software security for development, operational and information security teams. Please consult the [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Quick_Reference_to_OWASP_Guides_%26_Projects Appendix B: Quick Reference to OWASP Guides & Projects] for more information on OWASP guides and projects in the security training domain.

 

 




For CISOs whose main focus is information security and risk management, one of the main requirements besides compliance is to introduce efficiencies and save the money spent on existing security processes, including application security. Since the information security department allocates the budget, any request for an application security budget needs to be justified by improved security and reduced risks. Security and risk reduction goals are aligned by improving security test processes with the use of better tools and training for developers. For CISOs of large organizations, promoting a software security initiative is also justified by the return on investment in the overall application security program and processes, specifically as a reduction in the cost of fixing vulnerabilities because developers follow secure coding standards and conduct secure code reviews, and security teams conduct security testing for vulnerabilities earlier than the validation phase of the SDLC. Please consult the [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Quick_Reference_to_OWASP_Guides_%26_Projects Appendix B: Quick Reference to OWASP Guides & Projects] for more information on OWASP guides and projects that help CISOs in implementing an application security program, including software security development and security testing processes.

 

 



Often CISOs need to justify the budget for application security by taking into consideration the different needs of the security and business departments. For CISOs that serve in financial organizations, for example, security is often a compromise between security and business goals. In this case, it is important for CISOs to be able to align application security programs with the business goals and, when these goals do not align, to focus on the ones that do: for example, by focusing on improving both software quality and security, and by reaching a compromise in cases where security negatively impacts the customer experience, so that different security options are considered. When the business is sponsoring a new application development project, CISOs can use this as an opportunity to promote new application security features for the application and to work together with project managers to achieve compliance with security standards, improve security by design and by coding, and yet achieve overall cost savings for the project.


===The Importance of Security Metrics===

 


A comprehensive set of security requirements needs to also include requirements to implement secure software by following certain security and technology standards and security-approved technologies and platforms, as well as security checks prior to the integration of the software with other vendors' software components/libraries.

 


====Assess Risks before Procurement of Third Party Components/Services====

 

 




When software is acquired either as commercial off-the-shelf (COTS) or as free open source software (FOSS), for example, it is important for the CISO to have a process in place to validate this type of software library against specific security requirements prior to acquiring it. This can provide the CISO of the organization a certain level of assurance that the acquired software is secure and can be integrated with the application. In that regard, OWASP has developed a legal project and a contract annex of a sample contract that includes security requirements for the life cycle so that COTS products would be more secure. Please refer to the [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Quick_Reference_to_OWASP_Guides_%26_Projects Appendix B: Quick Reference to OWASP Guides & Projects] for more information on OWASP projects that can help CISOs to assess the procurement of new application processes, services, technologies and security tools.

 

   

 

   

 

===Security in the SDLC (S-SDLC) Methodologies===

 
