[Owasp-leaders] CISO AppSec Cheat Sheet

Stanka Salamun stanka.salamun at acros.si
Tue Apr 6 08:42:19 EDT 2010


To AF: right now there is no public access to the questionnaires in Slovene,
but there will be. I need to wait for the public presentation at the conference
("Dnevi slovenske informatike") on 14 Apr. and after that the Slovenian
version will be public. But please do not bother with Google translation - I
am working on a "working" version in English (aka pre-pre-alpha) of all the
main titles/questions, but without the comments (which I think could help
explain why it is good to execute some particular activity). And we could
start from here.

To Nam: because our government has a lot of personal, monetary and
healthcare data of the citizens, it was expected that the average appsec
level would be above 4 ("money" level) - it was actually 4.38. Because of the
good legal ground for privacy in the EU we found a lot of emphasis in the
requirements on logging functionality. It was also very clear that
encryption and authentication & access functionality are required. There
were some disappointments, such as: there were few formal requirements
for including security professionals (having appsec people is Sci-Fi),
nobody here has heard of threat models, security profiles or attack surface,
nobody is taking care of the latest attack trends and vulnerabilities or at
least thinking about separating them from functional bugs, only 1 (!) required
scanning for known vulns, no appsec phase milestones, no external security

As all the projects are in the development phase right now, they are not ready
for checking the correlation between activities and attacks, evaluating potential
(or actual) damage or searching for vulnerabilities. This would be
best to achieve in version ... hmmm ... 10.0 :)?

To Diniz: please give me a couple of weeks to prepare some material for a
potential project. I will be in contact with Paulo about it. I am thinking
of putting up an English version as a project or extension and leaving the Slovenian
version as it is. In OWASP we have a lot of material to link to from MASS,
which is only a really "short index" of the subject. Also please keep in
mind that this is actually the first version of the model, which I already
know has some problems of its own - some questions will probably have to be
re-organized or re-weighted, some added and some removed.

Have a nice day,

-----Original Message-----
From: dinis cruz [mailto:dinis.cruz at owasp.org] 
Sent: Tuesday, April 06, 2010 1:33 PM
To: stanka.salamun at acros.si; owasp-leaders at lists.owasp.org
Cc: paulo.coimbra at owasp.org
Subject: Re: [Owasp-leaders] CISO AppSec Cheat Sheet

(sorry, pressed 'send' too soon)

... talk to Paulo Coimbra (CCed) to set up a project

Dinis Cruz

On 6 Apr 2010, at 09:58, Stanka Salamun <stanka.salamun at acros.si> wrote:

> Hi all,
> In our company we had an internal research project last year - we 
> called it MASS (Model for Application Security Strategy) - the main 
> goal was to find a simple way of answering two important questions:
> 1. How much appsec does my application actually need? The answer was a 
> classification of the application into a level from 0 to 6 (0 - no appsec 
> needed, 1 - basic sec, 2 - public access, 3 - data, 4 - money, 5 - 
> secret, 6 - life).
> The names are just for understanding (or feeling the appsec importance) of a 
> main level for requirements.
> 2. What do I need to do in order to reach my target level of security? For that 
> we have 4 key activities (contractual obligations, security 
> requirements, security architecture, security testing) and 6 other 
> activities (people, secure coding, testing of security functions, 
> key vulnerabilities, metrics, security standards and good practices).
> Now we have 2 (quite simple) questionnaires - but unfortunately in 
> Slovene ;( - together they should be filled in in 15-25 minutes, if 
> you are familiar with the application (you do not need to be an expert 
> on the MASS model). Right now we are targeting auditors and IT managers 
> with it - actually some security aware people, that are not appsec 
> experts - so ideally also CISOs.
> We used a lot of sources for compiling it - OWASP SAMM, SDL, 
> just to name some of them - and I would say it is just a compilation (or 
> extraction) of them.
> At the end we tried to test the model on real data - we collected 
> information for all major public tenders in Slovenia in 2009 for 
> building software - we had ca. 130 future projects in the stage of 
> defined requirements available. Because in the EU the documentation of the 
> tenders is generally public (or at least accessible under special 
> circumstances) we had all the data that the companies competing for the 
> job (and forced to give a price for it) had. From the 130 we selected 37 (that we 
> assumed are larger than 500.000 EUR) and executed detailed research 
> on them. Now I am travelling from Ministry to Ministry explaining the 
> results (which were not in favor of their appsec) and suggesting the 
> future efforts that are needed in development and also in future tender 
> documentation. We were lucky enough that among the tenders there were 
> some really critical ones such as our main tax system, our health 
> portal together with the personal health record, documentation for the 
> Ministry of Justice and others. We got an overview of how security 
> critical the applications in our country are and could at least give some 
> recommendations about what to do with them.
> Why am I bothering you with such a long email? Well, I was already 
> thinking of making it an OWASP project, but I could not get myself to 
> translate it properly. Now I feel a little bit more obliged to do it 
> because I told you about it :). Because I am (obviously) not a native 
> English speaker I do not want to embarrass myself publicly by doing it 
> lame :). Before going into all the trouble I would like to get some 
> opinions about it from you and find at least somebody who could clean up 
> my messy English for the questionnaires.
> So what do you think? Could this be helpful for CISOs too? Is it 
> something interesting for OWASP?
> Regards,
> Stanka
> -----Original Message-----
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Dave 
> Wichers
> Sent: Saturday, April 03, 2010 12:53 AM
> To: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] CISO AppSec Cheat Sheet
> I'd rather not confuse the existing, pretty technical, cheat sheet 
> series with articles like this.
> I do think helping CISOs would be useful. Would this essentially be a 
> summary of what OpenSAMM suggests organizations do?
> The 2010 OWASP Top 10, which I intend to release by April 15 by the 
> way, has a new page that wasn't in the release candidate called What's 
> next for Organizations, to complement the What's next for Developers/ 
> Verifiers pages that were already included.
> This one page might essentially be the 'cheat sheet' you are looking 
> for.
> Jim - can you give me a bit more detail on what you think this article 
> would cover, and if you simply wrote it as an article, rather than a 
> cheat sheet, would it still serve its purpose?
> Thanks, Dave
> -----Original Message-----
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jim Manico
> Sent: Friday, April 02, 2010 4:53 PM
> To: owasp-leaders at lists.owasp.org
> Subject: [Owasp-leaders] CISO AppSec Cheat Sheet
> I was thinking of leading an effort to build an OWASP "CISO AppSec 
> Cheat Sheet" - would this effort duplicate another in OWASP?
> http://www.owasp.org/index.php/CISO_AppSec_Cheat_Sheet
> --
> Jim Manico
> OWASP Podcast Host/Producer
> OWASP ESAPI Project Manager
> http://www.manico.net
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
