[Global_industry_committee] OWASP Application Security Guide For CISOs, part I

Colin Watson colin.watson at owasp.org
Sat Aug 27 07:17:48 EDT 2011


I have moved much of the value/cost discussion into Appendix I-A, and
some of the SQLi specific text into the slot for Part 2.  I have also
added some suggestions for reference sources in Part 3 (where in the
SDLC to spend).  There's a discussion of the Aberdeen Group and
Forrester Consulting reports on my blog at:



I have added one more reference source that discusses the value of
information (I was co-author), but have not renumbered any references
until we are more happy with the structure and content. I have also
not carried forward my suggested $500-$2,000 value per record into the
subsequent text.


On 17 August 2011 18:38, Marco M. Morana <marco.m.morana at gmail.com> wrote:
> Hi Colin
> thanks for the re-arrangement and proofreading; it looks much more organized and digestible. For the cost of a security breach, maybe we should split the business impact calculation across different types of incidents, such as data loss, denial of service, fraud, defacement, and reputation loss.
> I am ok on appendix supporting calculations and examples
> Regards
> Marco
> Sent from my iPhone
> On Aug 17, 2011, at 4:11 AM, Colin Watson <colin.watson at owasp.org> wrote:
>> Guys
>> I added placeholders for Parts 2 and 3 for the "where" aspects we
>> discussed by phone:
>> - Part 2 is what issue to target
>> - Part 3 is when in the SDLC
>> ...and I see Marco has added Part 4 - Metrics & Measurements.
>> I have done some editing of the text in the first 10 paragraphs.  But
>> I have also added some suggested sub-headings.  I had said in the
>> conference call that I would re-arrange the text, but it is greatly
>> improved already.  However I think the review/discussion on costs of a
>> data breach is wonderful and should not be lost - but it would be
>> better in an appendix (after References?).  Then we could put in 2-3
>> paragraphs which refer to the appendix and then say something like
>> "from our review, we shall base our further illustrative calculations
>> on a figure of $500 per record lost per event. This value will be
>> different in your own organization, but it is very likely to be in the
>> $100 to $1,000 range."
>> Shall I proceed with this move (and renumbering of references)?
>> Colin
