[Global_industry_committee] Global_industry_committee Digest, Vol 35, Issue 3

Jerry Kickenson jerry.kickenson at verizon.net
Thu Sep 22 07:12:25 EDT 2011


Although I am not on the global industry committee, I am on this 
listserve.  I thought I'd offer a few comments on this very good effort. 
I hope they are of some help.

1.  The introduction could also provide the conclusions, for CISOs who 
won't otherwise read to the end: that there are methods to quantify 
application security investments, and that cost-benefit analysis can 
provide optimal expense, and that ROSI can provide a justification for 
application security as a "capital" investment rather than an operating 

2. "Investments in application security are a growing proportion of 
overall information security and information technology budgets (Ref ???)"

One possible reference is Forrester's /The State Of Enterprise IT 
Security: 2008 To 2009/, which states that the top security spending 
areas were data security, application security, and managed security 

OWASP's own Security Spending Benchmarks Project Report 
(March 2009) states: "Despite the economic downturn, over a quarter of 
respondents expect Web application security spending to increase in 2009 
and 36% expect it to remain flat."

On the other hand, a more recent report from the Ponemon Institute, 
State of Web Application Security 
states that "Eighty-eight percent of respondents say the coffee budget 
is bigger (about $30 per employee per month) and 67 percent say it is 
less than the budget for network security."

3.  Indeed, there appears to be a disconnect between organizations' 
perceived threats (application security threats are greatest) and their 
spending, which is still much higher on network security (see The Security 
Threat/Budget Paradox 
Perhaps this could be addressed in this guide.

4.  "In addition, if allocating a budget of 25% of the estimated 
potential losses due to data breaches is justifiable, how much of this 
25% should be allocated in secure software development/engineering or 
application security testing for vulnerabilities?"

Might want to mention here that Part III will address this question.

5.  The Spend Optimization section is really really good.

6. There is a very strong emphasis on data loss.  Other areas of loss 
(mentioned once but not really pursued) are also important, such as DoS 
that suspends revenue for a period of time.  For such a loss, 
mitigations may also be different.  For instance, DoS vulnerability can 
be mitigated by fast recovery as well as prevention.  Data, once lost, 
is lost.  Patching your system afterwards doesn't reduce that loss 
(other than future loss).


1. "assume an online banking site become a victim" should be "assume an 
online banking site becomes a victim"
2. "and to prevent similar incidents and from occurring" should be "and 
to prevent similar incidents from occurring"
3. "if not 100% is it the 50%, 25% or 10%" should be "if not 100% is it 
50%, 25% or 10%"
4. "The return oo security investment" should be "The return on security 
5. "the key factor is the ability of ascertain" should be "the key 
factor is the ability to ascertain"
6. "and withdraw of money from ATMs" should be "and withdrawal of money 
from ATMs"
7. "include development costs of acquisition of the new technologies" 
should be "include development costs and acquisition of the new 
8. "prepared statements/store procedures" should be "prepared 
statements/stored procedures"
9. "investing in software security engineering programs expecially 
threat modeling" should be "investing in software security engineering 
programs especially threat modeling"
10. "when this risk-cost criteria" should be "when these risk-cost criteria"

If at some point you want this draft passed by CISOs or senior security 
management, let me know and I'll forward it to my organization's (SWIFT) 

Best regards,

On 9/18/11 9:04 PM, global_industry_committee-request at lists.owasp.org wrote:
> Today's Topics:
>     1. Deck on Application Security Guide for CISO & Latest
>        Additions (Marco M. Morana)
> ----------------------------------------------------------------------
> Message: 1
> Date: Sun, 18 Sep 2011 21:04:17 -0400
> From: "Marco M. Morana" <marco.m.morana at gmail.com>
> Subject: [Global_industry_committee] Deck on Application Security
> 	Guide for CISO & Latest Additions
> To: "'Rex Booth'" <rex.booth at owasp.org>, "'Eoin'"
> 	<eoin.keary at owasp.org>, "'Colin Watson'" <colin.watson at owasp.org>
> Cc: 'Jeff Williams' <jeff.williams at owasp.org>,
> 	'Global_industry_committee'
> 	<Global_industry_committee at lists.owasp.org>
> Message-ID: <4e76951a.6784ec0a.4e01.292a at mx.google.com>
> Content-Type: text/plain; charset="us-ascii"
> Rex
> I have included herein the deck that you were expecting from me, as we
> discussed at the last GIC conference call on the Thursday prior to Labor Day
> weekend.
> Colin
> I made some additions to the guide (*), specifically:
> - Overall goals and introduction to the several parts of the guide
> before the contents
> - As we talked about, I added a general introduction to impacts by
> referring to examples of negative impacts from incidents (reputational loss,
> loss of revenue and loss of data)
> - Articulated the future scope of Part III and IV to include what
> the CISO survey will provide in terms of determining where money is spent
> and in which activities, to determine if application security money is spent
> effectively (I think this was suggested by Jeff to be included in the
> CISO survey). Same in Part IV relative to metrics used by CISOs to report
> AppSec to management that we expect to come from the survey.
> Let me know if you need any clarification on the deck; I tried to make it
> as self-explanatory as possible.
> Regards
> Marco M.
> (*) https://www.owasp.org/index.php/Application_Security_Guide_For_CISOs
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: OWASP_AppSec Guide For CISO Summary 2011.ppt
> Type: application/vnd.ms-powerpoint
> Size: 573440 bytes
> Desc: not available
> Url : https://lists.owasp.org/pipermail/global_industry_committee/attachments/20110918/46c3e00f/attachment.ppt