Talk:Application Security Guide For CISOs
Marco
Please find below my questions/comments on the remaining justification
values. As I said, some of these are to prompt debate or to simulate
the sort of questions sceptics may come up with, but they also include my
own misunderstandings. They are not meant to be critical and I only
hope they contribute to an even better final document.
a) $655
The reference for this (http://www.verdasys.com/thoughtleadership/) is
not available free of charge, so I can't verify the amount or
assumptions. But the units "per customer per year" worry me a
little. What costs are there in year 2 onwards for a single incident
(in year 1)? I can only think of payment protection insurance. Over
ten years, does that mean $6550? Or should a net present value (NPV)
of the cost be used instead?
There may be some other sources we can reference for alternative
numbers, to show we haven't just picked the worst one!
b) 4.6%
If the $655 figure already includes some averaging for customers, the
4.6% may be irrelevant since this is already taken into account in the
calculation of 655 - unable to verify for the same reason as a).
However, the 4.6% doesn't seem to matter in subsequent calculations,
so this may be a minor issue.
But if $30.11 (instead of $655) is the meaningful number, the rest of
the calculations may need to be adjusted?
We need the (public?) reference source for the 4.6% number.
c) 13%
Is this "breach type: web"? We should state this in the reference,
and the period (e.g. 477 incidents from X to Y). It would seem to be
12% today.
d) 19%
Need to define period in reference - sorry, can't access WHID data at
the moment to check this.
e) $16,000,000
I think this figure is correct (based on the assumptions), but maybe
the way it is shown being calculated could be confusing. If any
incident caused the loss of 1 million records, the cost is 1 million x
$655 = $655,000,000 i.e. it doesn't matter what method was used. But
then we are saying that 2.5% of such incidents on average are
attributable to SQLi, that gives on average $16,000,000 per incident.
I think mentioning the $16 is confusing and maybe undermines the
argument. It would be wrong to say the cost of a SQLi record loss is
$16 for example (it is $655 still).
So I think the wording in this paragraph needs to relate to the
average proportion associated with SQLi.
My only concern with this number is that to calculate a per incident
value, we have used something which includes "per year" - see a)
above.
f) 4
We need a reference for "4 attacks every ten years".
g) SLE
Let's be careful, the SLE of a SQLi attack which obtains 1 million
records is $655,000,000 not $16,000,000. So the question is does "4
[successful?] attacks every ten years [that grab 1 million records]"
mean 4 security incidents OF ANY TYPE?
If it is 4 of any type, of which 2.5% are SQLi, I agree $6,400,000
(or actually 6,550,000) is the ALE due to SQLi via web.
h) 37%
Is there a public source to check this number and its assumptions/basis?
i) $5,920,000
Can I ask why this is calculated as 0.37 x $16,000,000 and not 0.37 x
the $6,400,000 number (the ALE)?
j) 95% effectiveness of mitigation
Need a reference for this.
k) ROSI
Could you write out this calculation for me as well please. I can't
work it out!
+++ Just saw Eoin's new comment.... we could have separate examples
(as appendices) for different sectors with the numbers (and reference
sources) written in, and make the main text more generic perhaps?
Colin
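The arithmetic under discussion in items e), g), i) and k) above, written out as an added example. This is not part of the OWASP guide and not part of the talk-page exchange; it assumes the textbook definitions SLE = records x cost per record, ARO = attacks / years, ALE = SLE x ARO, and ROSI = (ALE x mitigation effectiveness - mitigation cost) / mitigation cost. The mitigation cost is not stated anywhere on this page, so the value used here is a hypothetical input and the resulting ROSI is illustrative only.

```python
# Worked risk arithmetic for the figures discussed above.  Added example,
# not the guide's own calculation.  Inputs taken from the discussion:
#   $655 per lost record, 1,000,000 records per incident, 2.5% of incidents
#   attributable to SQL injection, "4 attacks every ten years", the 37%
#   share and the 95% mitigation effectiveness.
# The mitigation cost is NOT on the page; it is a hypothetical parameter.


def single_loss_expectancy(records: int, cost_per_record: float) -> float:
    """SLE of one incident.  Every lost record costs the same whatever
    attack vector was used, so this is NOT reduced by the SQLi share."""
    return records * cost_per_record


def annual_rate_of_occurrence(attacks: int, years: int) -> float:
    """ARO: expected incidents per year (4 in 10 years -> 0.4)."""
    return attacks / years


def annualized_loss_expectancy(sle: float, aro: float, share: float = 1.0) -> float:
    """ALE = SLE x ARO, scaled by the share of incidents attributed to the
    vector under discussion (2.5% for SQLi).  Scaling here, rather than in
    the SLE, keeps the per-record loss at $655 as item e) insists."""
    return sle * aro * share


def rosi(ale: float, effectiveness: float, mitigation_cost: float) -> float:
    """Return on security investment as a ratio (1.0 == 100%): annual loss
    avoided by the control, minus its cost, divided by its cost."""
    if mitigation_cost <= 0:
        raise ValueError("mitigation cost must be positive")
    return (ale * effectiveness - mitigation_cost) / mitigation_cost


def talk_page_figures(mitigation_cost: float = 1_000_000.0) -> dict:
    """Reproduce the numbers under discussion.  The two ALE values show why
    item g) says '$6,400,000 (or actually 6,550,000)': the guide rounds
    2.5% x $655,000,000 to $16,000,000 before multiplying by the ARO."""
    sle = single_loss_expectancy(1_000_000, 655.0)                 # 655,000,000
    aro = annual_rate_of_occurrence(4, 10)                           # 0.4
    sqli_share = 0.025
    sqli_per_incident = sle * sqli_share                             # 16,375,000
    sqli_per_incident_rounded = 16_000_000.0                         # guide's figure
    ale_exact = annualized_loss_expectancy(sle, aro, sqli_share)     # 6,550,000
    ale_rounded = annualized_loss_expectancy(sqli_per_incident_rounded, aro)  # 6,400,000
    return {
        "sle": sle,
        "aro": aro,
        "sqli_per_incident": sqli_per_incident,
        "ale_exact": ale_exact,
        "ale_rounded": ale_rounded,
        # Item i): 0.37 applied to the per-incident figure, as the guide does ...
        "share_37_of_incident": 0.37 * sqli_per_incident_rounded,    # 5,920,000
        # ... versus 0.37 applied to the ALE, the per-year number.
        "share_37_of_ale": 0.37 * ale_rounded,                        # 2,368,000
        # Item k): ROSI with 95% effectiveness and the HYPOTHETICAL cost.
        "rosi_hypothetical": rosi(ale_rounded, 0.95, mitigation_cost),
    }


if __name__ == "__main__":
    for name, value in talk_page_figures().items():
        print(f"{name:>22}: {value:,.2f}")
```

With the hypothetical $1,000,000 mitigation cost the ROSI comes out at 5.08, i.e. the control avoids about five dollars of expected annual SQLi loss for every dollar spent; substitute the guide's real cost figure to get the number the document should quote.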