[Global_industry_committee] Interim lead of GIC

Marco M. Morana marco.m.morana at gmail.com
Sun Jul 31 10:52:05 EDT 2011


Eoin et al

Herein attached is a draft of a document that covers business cases for
application security.
 
My idea is to expand this and put it in the frame of an OWASP project such as
the OWASP Application Guide for CISOs.

We could also include an analysis of your survey as part of it as well as
other topics of CISO interest such as:
1) Strategic and tactical software security activities
2) Roadmap for software security adoption within the organization
3) Maturity of software security practices (e.g. SAMM, BSIMM, CMM)
4) Software security metrics and measures for CISOs, directors, dev managers
5) Security incidents and fraud: post mortem analysis

I thought it would be nice to set up a conference call to talk about this
and see if there is interest to contribute to this further for an OWASP
project.

How does next Thursday, August 4th, 11 AM EST / 7 AM PST look to you guys for a
conference call? If you can, please let me know.

With best regards

Marco M.



-----Original Message-----
From: Eoin [mailto:eoin.keary at owasp.org] 
Sent: Saturday, July 30, 2011 8:34 AM
To: Colin Watson
Cc: Marco M. Morana; global_industry_committee at lists.owasp.org
Subject: Re: [Global_industry_committee] Interim lead of GIC

Well can we do a quick call next week to energise the team!


 

On 30 Jul 2011, at 13:21, Colin Watson <colin.watson at owasp.org> wrote:

> Just bumping this one.
> 
> I was too busy to respond at the time, but will help if I can,
> 
> Colin
> 
> On 21/07/2011, Marco M. Morana <marco.m.morana at gmail.com> wrote:
>> I will put something together to look at this weekend. Perhaps we can set up
>> a conf call next week? I can set up one if you let me know the date and time
>> that work for you
>> 
>> Cheers
>> Marco
>> 
>> Sent from my iPhone
>> 
>> On Jul 21, 2011, at 7:02 AM, Eoin <eoin.keary at owasp.org> wrote:
>> 
>>> this sounds like a Project?
>>> Marco, Colin fancy doing this together?
>>> I believe it would have real impact and high adoption if done properly.
>>> 
>>> 
>>> 
>>> On 21 July 2011 02:04, Marco M. Morana <marco.m.morana at gmail.com> wrote:
>>> Colin, Eoin
>>> 
>>> Regarding ideas, it would be nice if we could provide some quantitative risk
>>> management criteria for the OWASP T10, for example by qualifying the
>>> business impacts based upon the type of incident as a result of an exploit of a
>>> T10 and the cost of the incident. I wrote an article for a banking magazine
>>> (AziendaBanca) in Italian and I thought it would be nice to translate it and
>>> expand this in the context of an OWASP project.
>>> 
>>> The usefulness of such a Business Impact Analysis project, from an ISO (Info
>>> Sec Officer) perspective for example, is that today, when confronted with a
>>> choice to invest in software/application security, there are no quantitative
>>> criteria to decide how much we should spend and where. If I can quantify the
>>> costs in terms of business impact of an exploit of a SQL injection
>>> vulnerability, for example, for a site with millions of users, and I can also
>>> provide some criteria to decide how much to spend in software security
>>> measures and where to spend it, this will be very useful. Assuming the OWASP
>>> T10 countermeasures are the choice, for example, it is still not clear in which
>>> process, software security activity, tools/policy I should put my focus;
>>> this also includes of course people/training.
>>> 
>>> Criteria that could produce this data will also serve the purpose of making
>>> the business case for software security, for example when such spending is
>>> justifiable in terms of cost savings, besides reactively remediating
>>> vulnerabilities or incidents that exploit them, also by comparing improved
>>> efficiency, e.g. fixing vulnerabilities early rather than late in the SDLC.
>>> 
>>> Regarding the survey, if I remember well (but I am not 100% sure), I think
>>> specific questions to profile the person responding to the survey are missing
>>> or not mandatory. I think that capturing the role and responsibility of whoever
>>> submits it, as being a software developer, security consultant or
>>> security manager/CISO, is of critical importance.
>>> 
>>> I think what is really important in a survey is to try to get some data to
>>> really understand what drives software security adoption for organizations
>>> today, per different types of vertical. For example, is it because of
>>> compliance? Is it because of an incident the company had? Who is driving it
>>> from the organizational level? Which approach is used? Is it top down (a la
>>> Bill Gates memo) or is it bottom up from operations? Is it driven by outside
>>> consulting services or by inside teams? I think also we should try to map
>>> the survey to the OWASP project offering. For example, from the survey we
>>> could gather that certain industry sectors are less mature than others and
>>> that some software security processes are more adopted than others. Based
>>> upon this info we could better drive our focus in the areas that are less
>>> mature and need more dent from OWASP funding and projects.
>>> 
>>> Regards
>>> 
>>> Marco
>>> 
>>> 
>>> 
>>> 
>>> 
>>> -----Original Message-----
>>> From: global_industry_committee-bounces at lists.owasp.org
>>> [mailto:global_industry_committee-bounces at lists.owasp.org] On Behalf Of
>>> Colin Watson
>>> Sent: Wednesday, July 20, 2011 4:59 AM
>>> To: Eoin
>>> Cc: global_industry_committee at lists.owasp.org
>>> Subject: Re: [Global_industry_committee] Interim lead of GIC
>>> 
>>> Marco - thanks for your contribution to this, but I'd like to
>>> reinforce Eoin's request.  The more knowledge you can share with us,
>>> the better.
>>> 
>>> Do we know if Joe is still a committee member, or did he just resign as
>>> chair?
>>> 
>>> Colin
>>> 
>>> On 20 July 2011 09:34, Eoin <eoin.keary at owasp.org> wrote:
>>>> Congrats Rex, can the GIC ask Kate to announce this to the leaders list?
>>>> Marco I believe we would still value your input as a rep for industry
>>>> concerns, would it be possible to get a wish list from you and your peer
>>>> group of issues OWASP could help address?
>>>> Feedback on the industry survey would also be helpful.
>>>> Eoin
>>>> 
>>>> 
>>>> 
>>>> 
>>>> On 20 Jul 2011, at 01:37, Rex Booth <rex.booth at owasp.org> wrote:
>>>> 
>>>>> Marco,
>>>>> 
>>>>> Much obliged.  I'd greatly appreciate your support and insight assuming
>>>>> the rest of the committee agrees with this approach to the transition.
>>>>> 
>>>>> Thanks,
>>>>> Rex
>>>>> 
>>>>> On 7/19/2011 6:38 PM, Marco M. Morana wrote:
>>>>>> Rex
>>>>>> 
>>>>>> I will be happy to have you step in as president of GIC and support you in
>>>>>> the endeavor as vice. That makes sense since you have already been elected.
>>>>>> 
>>>>>> Regards
>>>>>> 
>>>>>> Marco
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> Sent from my iPhone
>>>>>> 
>>>>>> On Jul 19, 2011, at 4:13 PM, David Campbell <dcampbell at owasp.org> wrote:
>>>>>> 
>>>>>>> Agreed. Rex was elected and had our support until Joe swept in :)
>>>>>>> 
>>>>>>> I support Rex for this role.
>>>>>>> 
>>>>>>> DC
>>>>>>> 
>>>>>>> 
>>>>>>> On 7/19/2011 13:10, Rex Booth wrote:
>>>>>>>> I'm interested in leading for a year (or as an interim).  For what it's
>>>>>>>> worth, I had been "elected" by the committee when I stepped aside for
>>>>>>>> Joe to take over.  That said, I like Marco as well and certainly
>>>>>>>> wouldn't object to his leadership.
>>>>>>>> 
>>>>>>>> However, I don't agree that an industry guy needs to lead the
>>>>>>>> committee.  The fact that one works in industry makes one no more or
>>>>>>>> less able to lead our mission.  In fact, it may be the consultants who
>>>>>>>> are used to interacting with a wide range of industry as clients who are
>>>>>>>> best able to execute our mission.
>>>>>>>> 
>>>>>>>> Rex
>>>>>>>> 
>>>>>>>> On 7/19/2011 1:34 PM, Eoin wrote:
>>>>>>>>> Thanks Colin, I am aware I am shooting from the hip here. I believe
>>>>>>>>> we need an industry rep to lead the GIC and Marco is a great guy.
>>>>>>>>> To do GIC lead shall take a fair bit of work. Also re membership of
>>>>>>>>> the GIC, I don't believe that is a problem if we can find the correct
>>>>>>>>> replacement?
>>>>>>>>> Anyone else want to chime in?
>>>>>>>>> 
>>>>>>>>> Eoin
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> On 19 Jul 2011, at 17:59, Colin Watson <colin.watson at owasp.org> wrote:
>>>>>>>>> 
>>>>>>>>>> Eoin
>>>>>>>>>> 
>>>>>>>>>> That's sad to hear.  I guess Marco would need to become a committee
>>>>>>>>>> member, but we should ask if anyone else on the committee is
>>>>>>>>>> interested too in this interim role... and this email is prompting
>>>>>>>>>> members to reply.  Yes, we could do without too big a gap - it was a
>>>>>>>>>> problem at the start of the year.
>>>>>>>>>> 
>>>>>>>>>> Regards
>>>>>>>>>> 
>>>>>>>>>> Colin
>>>>>>>>>> 
>>>>>>>>>> On 19 July 2011 17:21, Eoin <eoin.keary at owasp.org> wrote:
>>>>>>>>>>> Hello GIC,
>>>>>>>>>>> 
>>>>>>>>>>> I am sorry to say that Joe has resigned from the position of GIC leader.
>>>>>>>>>>> May I suggest we offer the position to Marco Morana, who works in Citi and
>>>>>>>>>>> represents industry?
>>>>>>>>>>> Thoughts please? As I'd like to offer him the position sooner rather than
>>>>>>>>>>> later.
>>>>>>>>>>> 
>>>>>>>>>>> I believe he is willing to take on the role until we elect a new leader with
>>>>>>>>>>> a suitable profile.
>>>>>>>>>>> Eoin
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> --
>>>>>>>>>>> Eoin Keary
>>>>>>>>>>> OWASP Global Board Member
>>>>>>>>>>> OWASP Code Review Guide Lead Author
>>>>>>>>>>> 
>>>>>>>>>>> https://twitter.com/EoinKeary
>>>>>>>>>>> http://twitter.com/BCCRiskAdvisory
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> Global_industry_committee mailing list
>>>>>>>>>>> Global_industry_committee at lists.owasp.org
>>>>>>>>>>> https://lists.owasp.org/mailman/listinfo/global_industry_committee
>>>>>>>>>>> 
>>>>>>>>>>> 
>>> 
>>> 
>>> 
>>> 
>>> --
>>> Eoin Keary
>>> OWASP Global Board Member
>>> OWASP Code Review Guide Lead Author
>>> 
>>> https://twitter.com/EoinKeary
>>> http://twitter.com/BCCRiskAdvisory
>>> 
>>> 
>> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OWASP Application Security Guide for CISO.pdf
Type: application/pdf
Size: 322145 bytes
Desc: not available
Url : https://lists.owasp.org/pipermail/global_industry_committee/attachments/20110731/f6c6ea68/attachment-0001.pdf 