Talk:Application Security Guide For CISOs

From OWASP
Revision as of 14:05, 11 August 2011 by Marco-cincy


Marco

Please find below my questions/comments on the remaining justification values. As I said, some of these are to prompt debate or to simulate the sort of questions sceptics may come up with, but they also include my own misunderstandings. They are not meant to be critical and I only hope they contribute to an even better final document.


a) $655

The reference for this (http://www.verdasys.com/thoughtleadership/) is not available free of charge, so I can't verify the amount or assumptions. But the units "per customer per year" worry me a little. What costs are there in year 2 onwards for a single incident (in year 1)? I can only think of payment protection insurance. Over ten years, does that mean $6550? Or should a net present value (NPV) of the cost be used instead?

There may be some other sources we can reference for alternative numbers, to show we haven't just picked the worst one!


b) 4.6%

If the $655 figure already includes some averaging for customers, the 4.6% may be irrelevant since this is already taken into account in the calculation of $655 - unable to verify for the same reason as a). However, the 4.6% doesn't seem to matter in subsequent calculations, so this may be a minor issue.

But if $30.11 (instead of $655) is the meaningful number, the rest of the calculations may need to be adjusted?

We need the (public?) reference source for the 4.6% number.


c) 13%

Is this "breach type: web"? We should state this in the reference, and the period (e.g. 477 incidents from X to Y). It would seem to be 12% today.


d) 19%

Need to define period in reference - sorry, can't access WHID data at the moment to check this.


e) $16,000,000

I think this figure is correct (based on the assumptions), but maybe the way it is shown being calculated could be confusing. If any incident caused the loss of 1 million records, the cost is 1 million x $655 = $655,000,000, i.e. it doesn't matter what method was used. But then we are saying that 2.5% of such incidents on average are attributable to SQLi, and that gives on average $16,000,000 per incident. I think mentioning the $16 is confusing and maybe undermines the argument. It would be wrong to say the cost of a SQLi record loss is $16, for example (it is still $655).

So I think the wording in this paragraph needs to relate to the average proportion associated with SQLi.

My only concern with this number is that to calculate a per-incident value, we have used something which includes "per year" - see a) above.


f) 4

We need a reference for "4 attacks every ten years".


g) SLE

Let's be careful: the SLE of a SQLi attack which obtains 1 million records is $655,000,000, not $16,000,000. So the question is, does "4 [successful?] attacks every ten years [that grab 1 million records]" mean 4 security incidents OF ANY TYPE?

If it is 4 of any type, of which 2.5% are SQLi, I agree $6,400,000 (or actually $6,550,000) is the ALE due to SQLi via web.


h) 37%

Is there a public source to check this number and its assumptions/basis?


i) $5,920,000

Can I ask why this is calculated as 0.37 x $16,000,000 and not 0.37 x the $6,400,000 number (the ALE)?


j) 95% effectiveness of mitigation

Need a reference for this.


k) ROSI

Could you write out this calculation for me as well, please? I can't work it out!




+++ Just saw Eoin's new comment... we could have separate examples (as appendices) for different sectors with the numbers (and reference sources) written in, and make the main text more generic perhaps?

Colin
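Added example (Python; not part of the talk page or of the CISO guide itself): the SLE/ALE chain worked through with the figures quoted above, showing why the per-incident SLE of $655,000,000 and the SQLi-attributable ALE of $6,550,000 are different quantities. The ROSI formula (the common "(risk reduction - control cost) / control cost" form) and the control cost are assumptions, since the page gives neither.

```python
"""SLE / ALE / ROSI chain using the figures quoted in the talk page.

Added example, not the OWASP page's or Colin's own calculation. CONTROL_COST is a
constructed placeholder because the page gives no cost for the mitigation, and the
ROSI formula used is the common (risk reduction - cost) / cost form, which the
page does not spell out.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    records_lost: int          # records exposed in one incident
    cost_per_record: float     # USD per record (page: $655, "per customer per year")
    attacks_per_decade: float  # page: "4 attacks every ten years"
    sqli_share: float          # fraction of incidents attributable to SQLi (page: 2.5%)


def single_loss_expectancy(s: Scenario) -> float:
    """SLE is the loss from ONE incident; it does not depend on the attack vector."""
    return s.records_lost * s.cost_per_record


def annual_rate_of_occurrence(s: Scenario) -> float:
    """ARO: expected incidents per year (4 per decade -> 0.4)."""
    return s.attacks_per_decade / 10.0


def annualized_loss_expectancy(s: Scenario) -> float:
    """ALE for incidents of any type: SLE x ARO."""
    return single_loss_expectancy(s) * annual_rate_of_occurrence(s)


def sqli_ale(s: Scenario) -> float:
    """The share of the ALE attributable to SQLi (the point raised under g))."""
    return annualized_loss_expectancy(s) * s.sqli_share


def rosi(ale: float, mitigation_effectiveness: float, control_cost: float) -> float:
    """ROSI = (risk reduced by the control - cost of the control) / cost of the control."""
    risk_reduction = ale * mitigation_effectiveness
    return (risk_reduction - control_cost) / control_cost


PAGE = Scenario(records_lost=1_000_000, cost_per_record=655.0,
                attacks_per_decade=4, sqli_share=0.025)
CONTROL_COST = 1_000_000.0  # constructed placeholder; the page gives no control cost

if __name__ == "__main__":
    print(f"SLE (any vector):      {single_loss_expectancy(PAGE):>15,.0f}")
    print(f"SLE x SQLi share:      {single_loss_expectancy(PAGE) * PAGE.sqli_share:>15,.0f}")
    print(f"ALE (any type):        {annualized_loss_expectancy(PAGE):>15,.0f}")
    print(f"ALE due to SQLi:       {sqli_ale(PAGE):>15,.0f}")
    print(f"ROSI of a 95% control: {rosi(sqli_ale(PAGE), 0.95, CONTROL_COST):>15.2f}")
```

Note that "SLE x SQLi share" comes out at $16,375,000, so the page's $16,000,000 is a rounded figure, and it is a weighted per-incident average, not the loss of any single SQLi incident.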