[Global_industry_committee] OWASP Application Security Guide For CISOs, part I

Colin Watson colin.watson at owasp.org
Tue Aug 30 16:14:11 EDT 2011


You are absolutely right.

Not all incidents will mean a total loss of all data.  A malware
infection of a site would have different effects on different
organisations, e.g. for an online retailer the effect could be very
quick on sales due to the site being blacklisted by search engines;
for a bank the reputation effect may take longer to measure.


On 27 August 2011 13:38, Marco M. Morana <marco.m.morana at gmail.com> wrote:
> Colin
> Thanks for moving this along. I like the changes you introduced. One comment
> on the impact: we should probably emphasize that the two important factors
> to estimate, besides the monetary loss per record, are the likelihood (probability)
> of the incident and the type of incident. Maybe we can expand on that, as
> incidents causing reputational loss as a side effect of a data breach (e.g. HPY
> impact on stock price), also including loss of authentication data (e.g. RSA
> SecurIDs) and intellectual property data losses (e.g. refer to McAfee Shady
> RAT data as impact/targets). We would then specifically address the impact of
> customers' data loss as an example.
> Let me know your thoughts so I can change accordingly and expand on Part
> III, and also put a framework on metrics in Part IV.
> Regards
> Marco M
> -----Original Message-----
> From: Colin Watson [mailto:colin.watson at owasp.org]
> Sent: Saturday, August 27, 2011 7:18 AM
> To: Marco M. Morana
> Cc: Global_industry_committee
> Subject: Re: OWASP Application Security Guide For CISOs, part I
> Marco
> I have moved much of the value/cost discussion into Appendix I-A, and
> some of the SQLi specific text into the slot for Part 2.  I have also
> added some suggestions for reference sources in Part 3 (where in the
> SDLC to spend).  There's a discussion of the Aberdeen Group and
> Forrester Consulting reports on my blog at:
> http://www.clerkendweller.com/2011/1/18/Secure-Application-Development-A-Preventative-Approach-That-Pays
> http://www.clerkendweller.com/2011/1/21/Secure-SDL-Positive-ROI-Possible
> I have added one more reference source that discusses the value of
> information (I was co-author), but have not renumbered any references
> until we are more happy with the structure and content. I have also
> not carried forward my suggested $500-$2,000 value per record into the
> subsequent text.
> Colin
> On 17 August 2011 18:38, Marco M. Morana <marco.m.morana at gmail.com> wrote:
>> Hi Colin
>> Thanks for the re-arrangement and proofreading; it looks much more
>> organized and digestible. For the cost of a security breach, maybe we should
>> split the business impact calculation across different types of incidents such
>> as data loss, denial of service, fraud, defacement and reputation loss.
>> I am OK with the appendix supporting calculations and examples.
>> Regards
>> Marco
>> Sent from my iPhone
>> On Aug 17, 2011, at 4:11 AM, Colin Watson <colin.watson at owasp.org> wrote:
>>> Guys
>>> I added placeholders for Parts 2 and 3 for the "where" aspects we
>>> discussed by phone:
>>> - Part 2 is what issue to target
>>> - Part 3 is when in the SDLC
>>> ...and I see Marco has added Part 4 - Metrics & Measurements.
>>> I have done some editing of the text in the first 10 paragraphs.  But
>>> I have also added some suggested sub-headings.  I had said in the
>>> conference call that I would re-arrange the text, but it is greatly
>>> improved already.  However I think the review/discussion on costs of a
>>> data breach is wonderful and should not be lost - but it would be
>>> better in an appendix (after References?).  Then we could put in 2-3
>>> paragraphs which refer to the appendix and then say something like
>>> "from our review, we shall base our further illustrative calculations
>>> on a figure of $500 per record lost per event. This value will be
>>> different in your own organization, but it is very likely to be in the
>>> $100 to $1,000 range."
>>> Shall I proceed with this move (and renumbering of references)?
>>> Colin
