CISO AppSec Guide v2: Executive Summary - Revision history

Marco-cincy at 02:49, 7 November 2017

2017-11-07T02:49:51Z

Marco-cincy at 02:17, 7 November 2017

2017-11-07T02:17:26Z

Marco-cincy at 02:16, 7 November 2017

2017-11-07T02:16:35Z

Marco-cincy: on

2017-11-07T02:15:27Z

Marco-cincy at 01:56, 7 November 2017

2017-11-07T01:56:08Z

Marco-cincy at 01:55, 7 November 2017

2017-11-07T01:55:35Z

Marco-cincy at 01:50, 7 November 2017

2017-11-07T01:50:57Z

Marco-cincy at 01:36, 7 November 2017

2017-11-07T01:36:10Z

Marco-cincy at 13:44, 4 November 2017

2017-11-04T13:44:56Z

Marco-cincy at 13:38, 4 November 2017

2017-11-04T13:38:49Z

@@ Line 20: / Line 20: @@
 When creating the business cases for investing in application security, CISOs need to be real about cyber-threat risks and present to the business the overall picture of information security risks, not just compliance and vulnerabilities, but also security incidents and threat intelligence of threat agents targeting the organization information assets including for applications. The ability to communicate risks to the business empowers CISOs to articulate the business case for application security and justify additional spending in application security measures. This justification needs to consider the economical impact of security incidents compared with the costs of unlawful non compliance. Today's costs to the business due to the economical impacts of security incidents are much higher than the costs of non-compliance and failing audits. Often the severity of the impact of security incidents might costs CISOs their jobs and the company losing reputation and revenues. In part I of this guide we provide CISOs guidance on how to build a business cases from cyber-threat risk perspective with useful examples for estimating the business impact caused by exploitation of web application vulnerabilities.
-All security priorities must be able to be mapped to business priorities. This is the first step towards establishing the relevance of every security initiative and shows business management how security supports the mission. It also demonstrates to security staff how the staff supports the mission.
+Managing risk is about prioritising the mitigation effort based upon the level of risk but also to align security priorities to the business priorities (i.e. referred to the appetite for risk of the organisation ). This alignment is the first step towards establishing the relevance of every security initiative and shows business management how security supports their mission. Besides alignment between application security and business priorities it is important to align to the capabilities of the organisation and specifically to the maturity of software security processes executed within the organisation. The main challenge that CISOs and SecDevOps managers might face is on where to put the focus/effort for the biggest gain by the "buck" being invested into the application security program. After a measurement of the software security maturity of processes (e.g. SAMM, BSIMM) being executed CISOs might find that the organisation is not ready yet to start an application security program without investment in tools, training and processes (i.e. ad-hoc process execution,  no documented standards and sporadic use of tools). These measurements allow the CISO to gain visibility and assess company culture by asking the right questions.
-''Gain Visibility on Organisation Culture and Engineering Processest'''
+Starting an application security program might also be triggered by compliance events such as the need to comply to specific industry standards (e.g. testing web applications for OWASP T10 to comply with PCI-DSS) or by a security event such as data compromise cause by an exploit of vulnerabilities in a web application.
-Organisation is not ready yet to start an application security program, where we should put the focus ?. Get visibility and assess company culture by asking the right questions. Identity limitations  such as software engineers are not yet trained on software security and maturity of processes (no process, ad-hoc execution, no standards, sporadic use of tools etc)
+Independently from the "triggers" is is important that the CISOs set realistic expectations of the risk reduction that can be achieved based upon the resources out in place. and created a roadmap for creating the application security program including training of the software development team, on boarding of application security  tools and technologies following proof of concepts and pilots.
-Follow a strategy such as exploit or create a momentum as opportunity to kick-start application security (can be a security breach or a requirement to comply) focus on company strenghts and leverage resources available
+The most important aspect that CISOs and SecDevOps mangers need to focus upon during the initial phases of the application security program is to gain commitments from the sponsors of the application and software security initiative as well as from the application security stakeholders that, besides the business managers, include program managers, software  developers/engineers and testers. This level of commitment depends also on the approach taken by the organisation to push the application security initiative within the organisation.  Possible approaches are either a top down approach where in the driving seat is the CEO/business. Example of top down approach might include a two months freeze on development, every developer on security training, S-SDLC to be created and executed by all teams and for all projects. A bottom up approach is where in the driving seat are CISO and SecDevIps Managers  and there is need to partner and working together with DevOp managers that might agree to commit developers to secure training and demand secure code reviews and testing to be executed in compliance with application security standards.
 === Part II: How To Create Application Security Program(s) ===

← Older revision		Revision as of 02:17, 7 November 2017
Line 19:		Line 19:

	When creating the business cases for investing in application security, CISOs need to be real about cyber-threat risks and present to the business the overall picture of information security risks, not just compliance and vulnerabilities, but also security incidents and threat intelligence of threat agents targeting the organization information assets including for applications. The ability to communicate risks to the business empowers CISOs to articulate the business case for application security and justify additional spending in application security measures. This justification needs to consider the economical impact of security incidents compared with the costs of unlawful non compliance. Today's costs to the business due to the economical impacts of security incidents are much higher than the costs of non-compliance and failing audits. Often the severity of the impact of security incidents might costs CISOs their jobs and the company losing reputation and revenues. In part I of this guide we provide CISOs guidance on how to build a business cases from cyber-threat risk perspective with useful examples for estimating the business impact caused by exploitation of web application vulnerabilities.		When creating the business cases for investing in application security, CISOs need to be real about cyber-threat risks and present to the business the overall picture of information security risks, not just compliance and vulnerabilities, but also security incidents and threat intelligence of threat agents targeting the organization information assets including for applications. The ability to communicate risks to the business empowers CISOs to articulate the business case for application security and justify additional spending in application security measures. This justification needs to consider the economical impact of security incidents compared with the costs of unlawful non compliance. Today's costs to the business due to the economical impacts of security incidents are much higher than the costs of non-compliance and failing audits. Often the severity of the impact of security incidents might costs CISOs their jobs and the company losing reputation and revenues. In part I of this guide we provide CISOs guidance on how to build a business cases from cyber-threat risk perspective with useful examples for estimating the business impact caused by exploitation of web application vulnerabilities.
−
−	~~''Map business priorities to security priorities'''~~

	All security priorities must be able to be mapped to business priorities. This is the first step towards establishing the relevance of every security initiative and shows business management how security supports the mission. It also demonstrates to security staff how the staff supports the mission.		All security priorities must be able to be mapped to business priorities. This is the first step towards establishing the relevance of every security initiative and shows business management how security supports the mission. It also demonstrates to security staff how the staff supports the mission.

@@ Line 18: / Line 18: @@
 In part I we guide CISOs and SecDevOps managers in the initial steps that lead to the creation of an application security program. Initially is is important to creating awareness within the organisation in regarding the need to institute an application security program and then create business cases and gain commitments from the business/sponsors of the program. An example of creating awareness is to explain the difference between application and software security and between the approach of security built in vs. the security bolt on.  An example of creating a business case is save money spent on fixing vulnerabilities late in the SDLC by focus on proactive security (i.e. manage issue early in the SDLC) vs reactive  security (i.e. catch issues late in SDLC and apply costly patches to applications that are already deployed).
-When creating the business cases for investing in application security, CISOs need to be real about cyber-threat risks and present to the business the overall picture of information security risks, not just compliance and vulnerabilities, but also security incidents and threat intelligence of threat agents targeting the organization information assets including for applications. The ability to communicate risks to the business empowers CISOs to articulate the business case for application security and justify additional spending in application security measures. This justification needs to consider the economical impact of security incidents compared with the costs of unlawful non compliance. Today's costs to the business due to the economical impacts of security incidents are much higher than the costs of non-compliance and failing audits. Ofte he severity of the impact of security incidents might costs CISOs their jobs and the company losing reputation and revenues. In part I of this guide we provide CISOs guidance on how to build a business cases from cyber-threat risk perspective with useful examples for estimating quantifying business impact
+When creating the business cases for investing in application security, CISOs need to be real about cyber-threat risks and present to the business the overall picture of information security risks, not just compliance and vulnerabilities, but also security incidents and threat intelligence of threat agents targeting the organization information assets including for applications. The ability to communicate risks to the business empowers CISOs to articulate the business case for application security and justify additional spending in application security measures. This justification needs to consider the economical impact of security incidents compared with the costs of unlawful non compliance. Today's costs to the business due to the economical impacts of security incidents are much higher than the costs of non-compliance and failing audits. Often the severity of the impact of security incidents might costs CISOs their jobs and the company losing reputation and revenues. In part I of this guide we provide CISOs guidance on how to build a business cases from cyber-threat risk perspective with useful examples for estimating the business impact caused by exploitation of web application vulnerabilities.
 ''Map business priorities to security priorities'''

@@ Line 16: / Line 16: @@
 [[CISO AppSec Guide v2: How To Start |Go to Part I:]]
-Explain clearly that this is not the start of the program (that need to be created first) but creating awareness in regarding the need to create and start one, create business cases and gain commitments and sponsorship
+In part I we guide CISOs and SecDevOps managers in the initial steps that lead to the creation of an application security program. Initially is is important to creating awareness within the organisation in regarding the need to institute an application security program and then create business cases and gain commitments from the business/sponsors of the program. An example of creating awareness is to explain the difference between application and software security and between the approach of security built in vs. the security bolt on.  An example of creating a business case is save money spent on fixing vulnerabilities late in the SDLC by focus on proactive security (i.e. manage issue early in the SDLC) vs reactive  security (i.e. catch issues late in SDLC and apply costly patches to applications that are already deployed).
-'''The Triggers""'''
+When creating the business cases for investing in application security, CISOs need to be real about cyber-threat risks and present to the business the overall picture of information security risks, not just compliance and vulnerabilities, but also security incidents and threat intelligence of threat agents targeting the organization information assets including for applications. The ability to communicate risks to the business empowers CISOs to articulate the business case for application security and justify additional spending in application security measures. This justification needs to consider the economical impact of security incidents compared with the costs of unlawful non compliance. Today's costs to the business due to the economical impacts of security incidents are much higher than the costs of non-compliance and failing audits. Ofte he severity of the impact of security incidents might costs CISOs their jobs and the company losing reputation and revenues. In part I of this guide we provide CISOs guidance on how to build a business cases from cyber-threat risk perspective with useful examples for estimating quantifying business impact
 ''Map business priorities to security priorities'''

@@ Line 9: / Line 9: @@
 * From the governance perspective, CISOs might be responsible for institute application security processes, the roles and responsibilities to manage them including security training and awareness. Training might also include secure coding for software developers, threat modelling for application architects and vulnerability testing for pen testers.
 * From the risk management perspective, the risks managed by the CISOs might also include managing application security risks, such as the risks of exploit of gaps in security controls and application vulnerabilities.  SecDevOps managers might be responsible for application vulnerability management as well as managing application security throughout the software development life-cycle (SDLC).
-* From compliance perspective, compliance with application and software security standards might be among both CISO and SecDevOps managers role and responsibility to manage. Compliance with industry standards (e.g. PCI-DSS) might be one of the reasons for starting an application security programs for the organisation including hiring staff for managing and executing the various application security activities that the program/initiative entails
+* From compliance perspective, compliance with application and software security standards might be among both CISO and SecDevOps managers role and responsibility to manage. Compliance with industry standards (e.g. PCI-DSS) might be one of the reasons for starting an application security programs for the organisation including hiring staff for managing and executing the various application security activities that the program/initiative entails.
 === Part I: How To Initiate Application Security Program(s) ===
@@ Line 18: / Line 18: @@
 Explain clearly that this is not the start of the program (that need to be created first) but creating awareness in regarding the need to create and start one, create business cases and gain commitments and sponsorship
-'''The Triggers""
+'''The Triggers""'''
 There might be different reasons to why a Chief Information Security Officer (CISOs) might consider creating an application security program for the organisation. Elaborate on the evolving threat landscape targeting web applications.. audit, legal and compliance requirements.
@@ Line 116: / Line 116: @@
 Articulate when and where in the SDLC to use them (which phase) who need to use and how are deployed including the value that they provide
-'''Emerging Application Security Technologies""
+'''Emerging Application Security Technologies""'''
 RASP document how can be piloted before deployment

@@ Line 3: / Line 3: @@
 == Executive Summary ==
-One of the main responsibilities of CISOs is to make sure policies and standards are in place for protecting the company's assets such confidential data from un-authorized access as well as from integrity and availability perspectives.  The scope of compliance with information security policies and standards might also include the security applications and software when these are considered company assets. The scope for compliance with information security policies and standards for applications, systems and software  typically depends on the classification of the asset-data stored by the application, the type of exposure of the application to the users (e.g. internet, intranet, extranet) and the risk of the functionality that the application supports with the data (e.g. access to confidential data, transfer of money, payments, users administration etc).
+One of the main responsibilities of CISOs is to make sure information security policies and standards are in place for protecting the company's assets. The main goals of these policies and standards is to protect confidential data from un-authorized access, ensure integrity and availability. Besides data, applications and software can also be considered among the company assets. that need to be protected. These applications and software might also be in scope for security assessments such as ethical hacking-pentesting, secure code reviews and threat modelling. The goal of these assessments is to identify and remediate vulnerabilities during the various phases of the SDLC that include requirements,  design, implementation, deployment and  operations. These application security assessments are often part of CISOs and SecDevOps managers responsibility to manage by make sure processes are followed to ensure compliance with standards and policies.
-From compliance perspectives, applications, software and servers might need to be in scope for vulnerability assessments to identify and remediate vulnerabilities and application security assessments to validate  application security requirements such as the secure design, secure coding and secure operations. These are often part of the goals of application security standards that is SecDevOps managers responsibility to ensure compliance with.
+Although compliance might be a critical aspect of application security, it is not the only one. Application security spans other security domains that can be summarised as (GRC) Governance, Risk and Compliance.  Putting application security in perspective of GRC helps to align this guide to CISOs roles and responsibilities when initiating, creating, managing and improving application security programs as summarised herein:
 * From the governance perspective, CISOs might be responsible for institute application security processes, the roles and responsibilities to manage them including security training and awareness. Training might also include secure coding for software developers, threat modelling for application architects and vulnerability testing for pen testers.

← Older revision		Revision as of 01:36, 7 November 2017
Line 1:		Line 1:
	[[Application Security Guide For CISOsVs2\|< Back to the Application Security Guide For CISOs]]		[[Application Security Guide For CISOsVs2\|< Back to the Application Security Guide For CISOs]]
−
−	~~__NOTOC__~~

	== Executive Summary ==		== Executive Summary ==

@@ Line 117: / Line 117: @@
 Test Driven Security
-'''Application Security Tools'''
+'''Adoption of Application Security Tools'''
 Articulate when and where in the SDLC to use them (which phase) who need to use and how are deployed including the value that they provide
 '''Emerging Application Security Technologies""
-RASP
+RASP document how can be piloted before deployment
 '''Software Security Training'''
-Articulate for who and what
+Articulate for who and what and document in official document
-""Set Objectives and Measure Goals/Milestones"""
+""Create A Strategy With Goals For Activities""
 * teams trained on software security and threat modelling
 * apps/products in scope for vulnerability testing, secure code reviews and static build testing and consistently executed during changes
@@ Line 135: / Line 135: @@
 ""Application Security Program Deployment Plan""
-* Plan for reaching goals and track goals on activities
+* Plan with milestones for reaching goals for activities and metrics to track goals
-* Plan for training and tool on-boarding
+* Plan should include governance model with roles and duties with RACI reflected in the previously created application security standards documents
-* Plan for tool and technologies PoVs and PoCs and production deployment
+* Plan should include on boarding with tool and technologies including PoVs and PoCs before production deployment
 === Part III: How to Manage Application Security Program(s) ===

@@ Line 146: / Line 146: @@
 [[CISO AppSec Guide v2: How To Manage | Go to Part III:]]
-After the program has bee created that is process and standards are documented, application security testing activities are executed according to process requirements and application and products are required to follow security requirements during design, development and before deployment it is important to be able to track and manage execution for the process as well as  measure the benefit of the program in term of increased security of the application/product that is being developed.
+After the program has been created that is process and standards are documented, application security testing activities, use of tools and training need a plan for execution before these can be managed.
 '''Articulate process and program execution management vs risk-vulnerability management'''
 Articulate process management
-CISOs also need metrics to manage and monitor the people, processes, and technologies that make up the application security program.  Example metrics for measuring governance, risk and compliance of application security processes are also included.
+CISOs and SecDevOps need to create a plan and metrics to manage and monitor the people, processes, and technologies that make up the application security program.  Example metrics for measuring governance, risk and compliance of application security processes are also included.
 Security metrics consist of three categories: