This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "CISO AppSec Guide: References"
From OWASP
(First move from original main page) |
m (→Guidelines and Best Practices: Removed angle brackets) |
||
| (11 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
| + | [[Application Security Guide For CISOs|< Back to the Application Security Guide For CISOs]] | ||
| + | |||
= References = | = References = | ||
| − | Verizon 2011 Data Breach Investigation Report: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf | + | == Metrics and Benchmarking == |
| + | In order of report release date. | ||
| + | |||
| + | === 2013 === | ||
| + | * Verizon 2013 Data Breach Investigation Report: http://www.verizonenterprise.com/DBIR/2013/ | ||
| + | |||
| + | * Security Innovation and the Ponemon Institute: The Current(2013) State of Application Security report:https://www.securityinnovation.com/security-lab/our-research/current-state-of-application-security.html | ||
| + | |||
| + | === 2012 === | ||
| + | * Security Innovation and Ponemon Institute's 2012 Application Security Gap Study: A Survey of IT Security & Developers: https://www.securityinnovation.com/uploads/Application%20Security%20Gap%20Report.pdf | ||
| + | |||
| + | === 2011 === | ||
| + | * Verizon 2011 Data Breach Investigation Report: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf | ||
| + | |||
| + | * US Q2 2011 GDP Report Is Bad News for the US Tech Sector, But With Some Silver Linings: http://blogs.forrester.com/andrew_bartels/11-07-29-us_q2_2011_gdp_report_is_bad_news_for_the_us_tech_sector_but_with_some_silver_linings | ||
| + | |||
| + | * Imperva's July 2011 Web Application Attack Report: http://www.imperva.com/docs/HII_Web_Application_Attack_Report_Ed1.pdf | ||
| + | |||
| + | === 2010 === | ||
| + | * First Annual Cost of Cyber Crime Study Benchmark Study of U.S. Companies, Sponsored by ArcSight Independently conducted by Ponemon Institute LLC, July 2010: http://www.arcsight.com/collateral/whitepapers/Ponemon_Cost_of_Cyber_Crime_study_2010.pdf | ||
| + | |||
| + | * 2010 Annual Study: U.S. Cost of a Data Breach: http://www.symantec.com/content/en/us/about/media/pdfs/symantec_ponemon_data_breach_costs_report.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2011Mar_worldwide_costofdatabreach | ||
| − | + | === 2009 and prior === | |
| + | * OWASP Security Spending Benchmarks Project Report: https://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf | ||
| − | + | * Identity Theft Survey Report, Federal Trade Commission,September, 2003: http://www.ftc.gov/os/2003/09/synovatereport.pdf | |
| − | + | == Standards == | |
| − | + | * PCI-DSS: https://www.pcisecuritystandards.org/security_standards/index.php | |
| − | + | * OWASP Application Security Verification Standard https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project | |
| − | + | == Guidelines and Best Practices == | |
| − | + | * OWASP Top Ten: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project | |
| − | + | * Supplement to Authentication in an Internet Banking Environment: http://www.fdic.gov/news/news/press/2011/pr11111a.pdf | |
| − | + | * Feiman, Joseph. Teleconference on Application Security. 9 Oct. 2008. Gartner. 30 Sept. 2013 http://www.gartner.com/it/content/760400/760421/ks_sd_oct.pdf | |
| − | + | == Security Incidents and Data Breaches == | |
| + | * Data Loss Database: http://datalossdb.org/ | ||
| − | + | * WHID, Web Hacking Incident Database: http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database | |
| − | + | * Sony data breach could be most expensive ever: http://www.csmonitor.com/Business/2011/0503/Sony-data-breach-could-be-most-expensive-ever | |
| − | + | * Dmitri Alperovitch, Vice President, Threat Research, McAfee, Revealed: Operation Shady RAT: http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf | |
| − | + | * Health Net discloses loss of data to 1.9 million customers: http://www.computerworld.com/s/article/9214600/Health_Net_discloses_loss_of_data_to_1.9_million_customers | |
| − | + | * Albert Gonzalez data breach indictment: http://www.wired.com/images_blogs/threatlevel/2009/08/gonzalez.pdf | |
| − | + | * Share prices and data breaches: http://www.securityninja.co.uk/data-loss/share-prices-and-data-breaches/ | |
| − | + | * EMC spends $66 million to clean up RSA SecureID mess: http://www.infosecurity-us.com/view/19826/emc-spends-66-million-to-clean-up-rsa-secureid-mess/ | |
| − | + | == Security Investments and Budgets == | |
| − | + | * Gordon, L.A. and Loeb, M.P. “The economics of information security investment”, ACM Transactions on Information and Systems Security, Vol.5, No.4, pp.438-457, 2002. | |
| − | + | * Total Cost of Ownership: http://en.wikipedia.org/wiki/Total_cost_of_ownership | |
| − | + | * Wes SonnenReich, Return of Security Investment, Practical Quantitative Model: http://www.infosecwriters.com/text_resources/pdf/ROSI-Practical_Model.pdf | |
| − | + | * Tangible ROI through Secure Software Engineering: http://www.mudynamics.com/assets/files/Tangible%20ROI%20Secure%20SW%20Engineering.pdf | |
| − | + | * The Privacy Dividend: the business case for investing in proactive privacy protection, Information Commissioner's Office, UK, 2009: http://www.ico.gov.uk/news/current_topics/privacy_dividend.aspx | |
| − | + | * A commissioned study conducted by Forrester Consulting on behalf of VeriSign: DDoS: A Threat You Can’t Afford To Ignore: http://www.verisigninc.com/assets/whitepaper-ddos-threat-forrester.pdf | |
| − | + | * The Security Threat/Budget Paradox: http://www.verizonbusiness.com/Thinkforward/blog/?postid=164 | |
| − | + | * Security and the Software Development Lifecycle: Secure at the Source, Aberdeen Group, 2011 http://www.aberdeen.com/Aberdeen-Library/6983/RA-software-development-lifecycle.aspx | |
| − | Security | + | * State of Application Security - Immature Practices Fuel Inefficiencies, But Positive ROI Is Attainable, Forrester Consulting, 2011 http://www.microsoft.com/downloads/en/details.aspx?FamilyID=813810f9-2a8e-4cbf-bd8f-1b0aca7af61d&displaylang=en |
| − | + | * Dan E Geer Economics and Strategies of Data Security: http://www.amazon.com/Economics-Strategies-Data-Security-DANIEL/dp/B001LZM1BY | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | [[Category:OWASP_Application_Security_Guide_For_CISO_Project]] | |
Latest revision as of 16:47, 6 November 2013
< Back to the Application Security Guide For CISOs
References
Metrics and Benchmarking
In order of report release date.
2013
- Verizon 2013 Data Breach Investigation Report: http://www.verizonenterprise.com/DBIR/2013/
- Security Innovation and the Ponemon Institute: The Current(2013) State of Application Security report:https://www.securityinnovation.com/security-lab/our-research/current-state-of-application-security.html
2012
- Security Innovation and Ponemon Institute's 2012 Application Security Gap Study: A Survey of IT Security & Developers: https://www.securityinnovation.com/uploads/Application%20Security%20Gap%20Report.pdf
2011
- Verizon 2011 Data Breach Investigation Report: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf
- US Q2 2011 GDP Report Is Bad News for the US Tech Sector, But With Some Silver Linings: http://blogs.forrester.com/andrew_bartels/11-07-29-us_q2_2011_gdp_report_is_bad_news_for_the_us_tech_sector_but_with_some_silver_linings
- Imperva's July 2011 Web Application Attack Report: http://www.imperva.com/docs/HII_Web_Application_Attack_Report_Ed1.pdf
2010
- First Annual Cost of Cyber Crime Study Benchmark Study of U.S. Companies, Sponsored by ArcSight Independently conducted by Ponemon Institute LLC, July 2010: http://www.arcsight.com/collateral/whitepapers/Ponemon_Cost_of_Cyber_Crime_study_2010.pdf
- 2010 Annual Study: U.S. Cost of a Data Breach: http://www.symantec.com/content/en/us/about/media/pdfs/symantec_ponemon_data_breach_costs_report.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2011Mar_worldwide_costofdatabreach
2009 and prior
- OWASP Security Spending Benchmarks Project Report: https://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf
- Identity Theft Survey Report, Federal Trade Commission,September, 2003: http://www.ftc.gov/os/2003/09/synovatereport.pdf
Standards
- OWASP Application Security Verification Standard https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
Guidelines and Best Practices
- Supplement to Authentication in an Internet Banking Environment: http://www.fdic.gov/news/news/press/2011/pr11111a.pdf
- Feiman, Joseph. Teleconference on Application Security. 9 Oct. 2008. Gartner. 30 Sept. 2013 http://www.gartner.com/it/content/760400/760421/ks_sd_oct.pdf
Security Incidents and Data Breaches
- Data Loss Database: http://datalossdb.org/
- WHID, Web Hacking Incident Database: http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database
- Sony data breach could be most expensive ever: http://www.csmonitor.com/Business/2011/0503/Sony-data-breach-could-be-most-expensive-ever
- Dmitri Alperovitch, Vice President, Threat Research, McAfee, Revealed: Operation Shady RAT: http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf
- Health Net discloses loss of data to 1.9 million customers: http://www.computerworld.com/s/article/9214600/Health_Net_discloses_loss_of_data_to_1.9_million_customers
- Albert Gonzalez data breach indictment: http://www.wired.com/images_blogs/threatlevel/2009/08/gonzalez.pdf
- Share prices and data breaches: http://www.securityninja.co.uk/data-loss/share-prices-and-data-breaches/
- EMC spends $66 million to clean up RSA SecureID mess: http://www.infosecurity-us.com/view/19826/emc-spends-66-million-to-clean-up-rsa-secureid-mess/
Security Investments and Budgets
- Gordon, L.A. and Loeb, M.P. “The economics of information security investment”, ACM Transactions on Information and Systems Security, Vol.5, No.4, pp.438-457, 2002.
- Total Cost of Ownership: http://en.wikipedia.org/wiki/Total_cost_of_ownership
- Wes SonnenReich, Return of Security Investment, Practical Quantitative Model: http://www.infosecwriters.com/text_resources/pdf/ROSI-Practical_Model.pdf
- Tangible ROI through Secure Software Engineering: http://www.mudynamics.com/assets/files/Tangible%20ROI%20Secure%20SW%20Engineering.pdf
- The Privacy Dividend: the business case for investing in proactive privacy protection, Information Commissioner's Office, UK, 2009: http://www.ico.gov.uk/news/current_topics/privacy_dividend.aspx
- A commissioned study conducted by Forrester Consulting on behalf of VeriSign: DDoS: A Threat You Can’t Afford To Ignore: http://www.verisigninc.com/assets/whitepaper-ddos-threat-forrester.pdf
- The Security Threat/Budget Paradox: http://www.verizonbusiness.com/Thinkforward/blog/?postid=164
- Security and the Software Development Lifecycle: Secure at the Source, Aberdeen Group, 2011 http://www.aberdeen.com/Aberdeen-Library/6983/RA-software-development-lifecycle.aspx
- State of Application Security - Immature Practices Fuel Inefficiencies, But Positive ROI Is Attainable, Forrester Consulting, 2011 http://www.microsoft.com/downloads/en/details.aspx?FamilyID=813810f9-2a8e-4cbf-bd8f-1b0aca7af61d&displaylang=en
- Dan E Geer Economics and Strategies of Data Security: http://www.amazon.com/Economics-Strategies-Data-Security-DANIEL/dp/B001LZM1BY
