[Global_industry_committee] Global_industry_committee Digest, Vol 35, Issue 3
jerry.kickenson at verizon.net
Thu Sep 22 07:12:25 EDT 2011
Although I am not on the global industry committee, I am on this
listserve. I thought I'd offer a few comments on this very good effort.
I hope they are of some help.
1. The introduction could also provide the conclusions, for CISOs who
won't otherwise read to the end: that there are methods to quantify
application security investments, and that cost-benefit analysis can
provide optimal expense, and that ROSI can provide a justification for
application security as a "capital" investment rather than an operating
2. "Investments in application security are a growing proportion of
overall information security and information technology budgets (Ref ???)"
One possible reference is Forrester's /The State Of Enterprise IT
Security: 2008 To 2009/, which states that the top security spending
areas were data security, application security, and managed security
OWASP's own Security Spending Benchmarks Project Report
(March 2009) states: "Despite the economic downturn, over a quarter of
respondents expect Web application security spending to increase in 2009
and 36% expect it to remain flat."
On the other hand, a more recent report from the Ponemon Institute,
State of Web Application Security
states that "Eighty-eight percent of respondents say the coffee budget
is bigger (about
$30 per employee per month) and 67 percent say it is less than the
budget for network security."
3. Indeed, there appears to be a disconnect between organizations'
perceived threats (application security threats are greatest) yet
spending on network security is still much higher (see The Security
Perhaps this could be addressed in this guide.
4. " In addition, if allocating a budget of 25% of the estimated
potential losses due to data breaches is justifiable, how much of this
25% should be allocated in secure software development/engineering or
application security testing for vulnerabilities?"
Might want to mention here that Part III will address this question.
5. The Spend Optimization section is really really good.
6. There is a very strong emphasis on data loss. Other areas of loss
(mentioned once but not really pursued) are also important, such as DoS
that suspends revenue for a period of time. For such a loss,
mitigations may also be different. For instance, DoS vulnerability can
be mitigated by fast recovery as well as prevention. Data, once lost,
is lost. Patching your system afterwards doesn't reduce that loss
(other than future loss).
1. "assume an online banking site become a victim" should be "assume an
online banking site becomes a victim"
2. "and to prevent similar incidents and from occurring" should be "and
to prevent similar incidents from occurring"
3. "if not 100% is it the 50%, 25% or 10%" should be "if not 100% is it
50%, 25% or 10%"
4. "The return oo security investment" should be "The return on security
5. "the key factor is the ability of ascertain" should be "the key
factor is the ability to ascertain"
6. "and withdraw of money from ATMs" should be "and withdrawal of money
7. "include development costs of acquisition of the new technologies"
should be "include development costs and acquisition of the new
8. "prepared statements/store procedures" should be "prepared
9. "investing in software security engineering programs expecially
threat modeling" should be "investing in software security engineering
programs especially threat modeling"
10. "when this risk-cost criteria" should be "when these risk-cost criteria"
If at some point you want this draft passed by CISOs or senior security
management, let me know and I'll forward it to my organization's (SWIFT)
On 9/18/11 9:04 PM, global_industry_committee-request at lists.owasp.org
> Send Global_industry_committee mailing list submissions to
> global_industry_committee at lists.owasp.org
> To subscribe or unsubscribe via the World Wide Web, visit
> or, via email, send a message with subject or body 'help' to
> global_industry_committee-request at lists.owasp.org
> You can reach the person managing the list at
> global_industry_committee-owner at lists.owasp.org
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Global_industry_committee digest..."
> Today's Topics:
> 1. Deck on Application Security Guide for CISO& Latest
> Additions (Marco M. Morana)
> Message: 1
> Date: Sun, 18 Sep 2011 21:04:17 -0400
> From: "Marco M. Morana"<marco.m.morana at gmail.com>
> Subject: [Global_industry_committee] Deck on Application Security
> Guide for CISO& Latest Additions
> To: "'Rex Booth'"<rex.booth at owasp.org>, "'Eoin'"
> <eoin.keary at owasp.org>, "'Colin Watson'"<colin.watson at owasp.org>
> Cc: 'Jeff Williams'<jeff.williams at owasp.org>,
> <Global_industry_committee at lists.owasp.org>
> Message-ID:<4e76951a.6784ec0a.4e01.292a at mx.google.com>
> Content-Type: text/plain; charset="us-ascii"
> I have included herein the deck that you were expecting from me as we
> discussed at the last GIC conference call the Thursday prior to Labor Day
> I made some additions to the guide (*), specifically:
> . Overall goals and introduction to the several parts of the guide
> before the contents
> . As we talked about, I added a general introduction to impacts by
> referring to examples of negative impacts from incidents (reputational loss,
> loss of revenue and loss of data)
> . Articulated the future scope of Part III and IV to include what
> the CISO survey will provide in terms of determining where money is spent
> and in which activities to determine if application security money is spent
> effectively (I think this was suggested by Jeff as to be included in the
> CISO survey). Same in part IV relative to metrics used by CISO to report
> AppSec to management that we expect to come from the survey.
> Let me know if you need any clarification on the deck, I tried to make it
> as self-explanatory as possible.
> Marco M.
> (*) https://www.owasp.org/index.php/Application_Security_Guide_For_CISOs
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: https://lists.owasp.org/pipermail/global_industry_committee/attachments/20110918/46c3e00f/attachment.html
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: OWASP_AppSec Guide For CISO Summary 2011.ppt
> Type: application/vnd.ms-powerpoint
> Size: 573440 bytes
> Desc: not available
> Url : https://lists.owasp.org/pipermail/global_industry_committee/attachments/20110918/46c3e00f/attachment.ppt
> Global_industry_committee mailing list
> Global_industry_committee at lists.owasp.org
> End of Global_industry_committee Digest, Vol 35, Issue 3