[Global_industry_committee] OWASP Application Security Guide For CISOs, part I

Marco M. Morana marco.m.morana at gmail.com
Sat Aug 27 08:38:07 EDT 2011


Thanks for moving this along. I like the changes you introduced. One comment
on the impact: we should probably emphasize that the two important factors
to estimate, besides the monetary loss per record, are the likelihood (probability)
of the incident and the type of incident. Maybe we can expand on that as
incidents causing reputational loss as a side effect of a data breach (e.g. HPY
impact on stock price), also including loss of authentication data (e.g. RSA
SecurIDs) and intellectual property losses (e.g. refer to McAfee Shady
RAT data as impact/targets). We would then specifically address the impact of
customers' data loss as an example.

Let me know your thoughts so I will change accordingly and expand on Part
III, and also put a framework on metrics in Part IV.


Marco M

-----Original Message-----
From: Colin Watson [mailto:colin.watson at owasp.org] 
Sent: Saturday, August 27, 2011 7:18 AM
To: Marco M. Morana
Cc: Global_industry_committee
Subject: Re: OWASP Application Security Guide For CISOs, part I


I have moved much of the value/cost discussion into Appendix I-A, and
some of the SQLi specific text into the slot for Part 2.  I have also
added some suggestions for reference sources in Part 3 (where in the
SDLC to spend).  There's a discussion of the Aberdeen Group and
Forrester Consulting reports on my blog at:



I have added one more reference source that discusses the value of
information (I was co-author), but have not renumbered any references
until we are more happy with the structure and content. I have also
not carried forward my suggested $500-$2,000 value per record into the
subsequent text.


On 17 August 2011 18:38, Marco M. Morana <marco.m.morana at gmail.com> wrote:
> Hi Colin
> thanks x the re-arrangement and proof reading; it looks much more
> organized and digestible. For the cost of a security breach maybe we should
> split the business impact calculation on different types of incidents such
> as data loss, denial of service, fraud, defacement, reputation loss
> I am ok on appendix supporting calculations and examples
> Regards
> Marco
> Sent from my iPhone
> On Aug 17, 2011, at 4:11 AM, Colin Watson <colin.watson at owasp.org> wrote:
>> Guys
>> I added placeholders for Parts 2 and 3 for the "where" aspects we
>> discussed by phone:
>> - Part 2 is what issue to target
>> - Part 3 is when in the SDLC
>> ...and I see Marco has added Part 4 - Metrics & Measurements.
>> I have done some editing of the text in the first 10 paragraphs.  But
>> I have also added some suggested sub-headings.  I had said in the
>> conference call that I would re-arrange the text, but it is greatly
>> improved already.  However I think the review/discussion on costs of a
>> data breach is wonderful and should not be lost - but it would be
>> better in an appendix (after References?).  Then we could put in 2-3
>> paragraphs which refer to the appendix and then say something like
>> "from our review, we shall base our further illustrative calculations
>> on a figure of $500 per record lost per event. This value will be
>> different in your own organization, but it is very likely to be in the
>> $100 to $1,000 range."
>> Shall I proceed with this move (and renumbering of references)?
>> Colin
