[Owasp-leaders] CISO AppSec Cheat Sheet

Peter Perfetti peter.perfetti at owasp.org
Fri Apr 9 17:49:27 EDT 2010


I tried jumping in on this thread last weekend but had some email problems
to overcome. So below are responses to several folks who had some very good
points. I'd like to add that as a former Information Security Officer and
Risk Manager, I'd be happy to collaborate on a project for this topic. Also,
this is the very topic I've been basing a series of public speaking
engagements on, make my living off of, and so I'd be happy to share that
data with the extended team.

Apologies in advance for a rather verbose continuation of the thread. The
shortcut is to just read an older version of my presentation at:

The long read in as logical an order as I can muster from the airport:

A) James wrote:

*"1. The vast majority of CISO's don't come from a software development
background (think network/infrastructure) and therefore a cheatsheet
would be of use to them.

2. The vast majority of CISO's tend to wrongly separate security from
software development and therefore wouldn't even think to read SAMM. A
cheatsheet that helps bridge this wide gap is useful.

3. Increasingly, software development is occuring less and less within
large enterprises. I am finding that traditional OWASP topics aren't of
interest to many of the Hartford chapter attendees (the majority aren't
developers) and therefore we need to figure out how to appeal higher up
the foodchain.*"

PP response:

It's true that most CISOs don't come from a s/w development background
including myself. But there is substance worth putting in a cheat sheet. For
example, I cover audit and monitoring for applications, in-house development
and external acquisition, risk management, etc., in my presentations on this
topic. There is lots of data out there which is valuable to the CISO. It
just needs to be crafted from a technology and risk manager's point of view.
As the head of IT Security and Risk Management, I want the problems resolved
at the root cause and I don't want to hear that I still have SQL Injections,
ftp, telnet, r-cmds, etc., in the environment. CISOs don't need to be a
developer to understand recommendations on process, policy, standards, and
building a stable infrastructure. Conversely, most developers, auditors,
admins, etc., don't understand those concepts either.

I have seen many situations in various industries and geographical locales
where less, or no, application development takes place. From a CISO/RiskMgr
point of view, the objectives should be same even if there is no in-house
development. Sometimes application acquisition introduces risks that no one
typically thinks about: new network connections, access control, regulatory
compliance, service provider oversight, auditability (especially internal
policy audit requirements) etc. The FFIEC has specifics on what they call
best practices and technology acquisition and service provider oversight.
Coincidentally, they also reference OWASP in some of their handbooks when
discussing application security frameworks. SAMM could also be referenced in
documentation and made more obvious to the CISO, and perhaps more of the

The way to appeal to executive management is to address the risk management
and compliance areas (including auditing). Exec. Mgt. cares about business
risk. Frame your topics and discussions around this point. They care about
business risk, not security.

The key application issues to address with CISOs/RiskMgrs are:

1) Access Control
2) Change Management
3) Adherence to the SDLC and Technology Acquisition
4) Auditability of applications
5) Segregation of Duties.

B) Mike wrote:

*"I find that people managing others who don't understand what those others
do, fail. I appreciate that a lot of CISOs and CIOs are oblivious to such
levels of detail, but they should be able to establish policies that will be
sufficiently prescriptive for e.g. agile teams. Those who don't or can't,
don't really have meaningful control over their apps. Having the power to
pull the plug on an app isn't meaningful control about how security controls
work or what standards of care are taken during development."*

PP response:

I agree with Mike. Ignorance of what others in the organization do goes both
ways though. DBAs, Developers, Technology Mgrs, CISOs etc., are often blind
to what the others are doing. But we also need to keep in mind a reality
that I have been trying to educate people on: Executive Mgt doesn't care
about Security - They care about business risk. Security is a means to
better managing business risk. Security practitioners, developers, auditors,
etc, need to understand this, and approach things (e.g. business planning,
countermeasures, etc) this way.

Regarding the costs of breaches, there are operational, financial,
reputational, legal, and strategic risks that all need to be addressed.
Currently I'm doing a lot more incident response gigs (e.g. fraud and
industrial espionage) and see the impact (read: cost) the loss of control
over the environment, poor security, and poor mindset causes. Usually this
leads to enhancement of the client's overall Security and Risk Management
Program as part of the recovery process. It's the risk management program
that is key to remaining in control. It's not just about compliance or best
practice. I'd be happy to share what I can about these incidents towards any
effort to enlighten the community at large.

As a former Information Security Officer, I decided to start speaking out
about this exact topic. I addressed these points amongst others as part of
the presentation that I've been giving to OWASP audiences in Dublin and
Dallas. The title is "Technology and Business Risk Management: How
Application Security Fits In". Use what you want from it, and contact me if
you want more. The link is at the beginning of this response. I'm working on
a new presentation that includes portions of the original, but expands it to
Vulnerability and Threat Mgt.; Incident Response, Prevention, and Recovery,
Networks, Endpoints, etc.

Peter Perfetti
Chapter Leader
NY/NJ Metro Chapter
peter.perfetti at owasp.org
(not a developer)

On Tue, Apr 6, 2010 at 7:42 AM, Stanka Salamun <stanka.salamun at acros.si> wrote:

> Hello,
> To AF: right now there is no public access to the questionnaires in Slovene,
> but it will be. I need to wait for public presentation on the conference
> ("Dnevi slovenske informatike") on  14 Apr. and after that the Slovenian
> version will be public. But please do not bother with Google translation -
> I am working on a "working" version in English (aka pre-pre-alpha) of all the
> main titles/questions, but without the comment (which I think could help
> explain why it is good to execute some particular activity). And we could
> start from here.
> To Nam: because our government has a lot of personal, monetary and
> healthcare data of the citizens, it was expected that the average sec-app
> level will be above 4 ("money" level) - it was actually 4.38. Because of
> good legal ground for privacy in EU we found a lot of emphasis in
> requirements for logging functionalities. It was also very clear that there
> are encryption and authentication & access functionalities required. There
> were some disappointments, such as: there were few formal requirements
> for including security professionals (having appsec people is Sci-Fi),
> nobody here heard about threat model, security profile or attack surface,
> nobody is taking care about latest attack trends and vulnerabilities or at
> least thinking on separating them from functional bugs, only 1 (!) required
> scanning for known vulns, no app-sec phase milestones, no external security
> testing.
> As all the projects are in development phase right now, they are not ready
> to check the correlation for activities and attacks, evaluating potential
> (or actual) damage or searching for vulnerabilities. This is what would be
> the best to achieve in the version ... hmmm ... 10.0 :)?
> To Diniz: please give me a couple of weeks to prepare some material for
> potential project. I will be in contact with Paulo about it. I am thinking
> to put an English version as a project or extension and leave Slovenian
> version as it is. In OWASP we have a lot of material to link from MASS,
> which is only a really "short index" of the subject. Also please have in
> mind that this is actually the first version of the model that I already
> know has some problems of its own - some questions will probably have to be
> re-organized or re-weighed, some added and some removed.
> Have a nice day,
> Stanka
> -----Original Message-----
> From: dinis cruz [mailto:dinis.cruz at owasp.org]
> Sent: Tuesday, April 06, 2010 1:33 PM
> To: stanka.salamun at acros.si; owasp-leaders at lists.owasp.org
> Cc: paulo.coimbra at owasp.org
> Subject: Re: [Owasp-leaders] CISO AppSec Cheat Sheet
> (sorry, pressed 'send' too soon)
> ... talk to Paulo Coimbra (CCed) to set up a project
> Dinis Cruz
> On 6 Apr 2010, at 09:58, Stanka Salamun <stanka.salamun at acros.si> wrote:
> > Hi all,
> >
> > In our company we had an internal research project last year - we
> > called it MASS (Model for Application Security Strategy) - the main
> > goal was to find a simple way of answering to two important questions:
> >
> > 1. how much of appsec does my application actually need? The answer was a
> > classification of the application in a 0 to 6 level (0 - no appsec
> > needed, 1 - basic sec, 2 - public access, 3 - data, 4 - money, 5 -
> > secret, 6 - life).
> > The names are just for understanding (or feeling the appsec
> > importance) of a main level for requirements.
> >
> > 2. What do I need to do in order to gain my target level of security?
> > For that we have 4 key activities (contractual obligations, security
> > requirements, security architecture, security testing) and 6 other
> > activities (people, security coding, testing of security functions,
> > key vulnerabilities, metrics, security standards and good practices).
> >
> > Now we have 2 (quite simple) questionnaires - but unfortunately in
> > Slovene ;( - together they should be filled up in 15-25 minutes, if
> > you are familiar with the application (you do not need to be an expert
> > on MASS model). Right now we are targeting auditors and IT managers
> > with it - actually some security aware people, that are not appsec
> > experts -  so ideally also for CISOs.
> >
> > We were using a lot of sources for compiling that - OWASP SAMM, SDL,
> > just to name some of them and I would say it is just a compilation (or
> > extraction) of
> > them.
> >
> > At the end we tried to test the model on real data - we collected
> > information for all major public tenders in Slovenia in 2009 for
> > building software - we had cca 130 future projects in the stage of
> > defined requirements available. Because in EU the documentation of the
> > tenders is generally public (or at least accessible under special
> > circumstances) we had
> > all the data as the companies that competed for the job (and were
> > forced to give the price for it). From 130 we selected 37 (that we
> > assumed are larger than 500.000 EUR) and executed detailed research
> > for them. Now I am travelling from Ministry to Ministry explaining the
> > results (which were not in favor of their appsec) and suggesting the
> > future efforts that are needed in development and also future tender
> > documentation. We were lucky enough that among the tenders there were
> > some really critical ones such as our main tax system, our health
> > portal together with personal health record, documentation for
> > Ministry of justice and others. We got the overview of how security
> > critical the applications in our country are and at least give some
> > recommendation about what to do with them.
> >
> > Why I am bothering you with such a long email? Well, I was already
> > thinking to make it an OWASP project, but I could not get myself into
> > translating it properly. Now I feel a little bit more obliged to do it
> > because I told you about it :). Because I am (obviously) not a native
> > English speaker I do not want to embarrass myself publicly by doing it
> > lame :). Before going into all the trouble I would like to get some
> > opinion about it from you and find at least somebody who could clean-up
> > my messy English language for the questionnaires.
> >
> > So what do you think? Could this be helpful for CISOs too? Is it
> > something interesting for OWASP?
> >
> > Regards,
> > Stanka
> >
> > -----Original Message-----
> > From: owasp-leaders-bounces at lists.owasp.org
> > [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Dave
> > Wichers
> > Sent: Saturday, April 03, 2010 12:53 AM
> > To: owasp-leaders at lists.owasp.org
> > Subject: Re: [Owasp-leaders] CISO AppSec Cheat Sheet
> >
> > I'd rather not confuse the existing, pretty technical, cheat sheet
> > series with articles like this.
> >
> > I do think helping CISOs would be useful. Would this essentially be a
> > summary of what OpenSAMM suggests organizations do?
> >
> > The 2010 OWASP Top 10, which I intend to release by April 15 by the
> > way, has a new page that wasn't in the release candidate called What's
> > next for Organizations, to complement the What's next for Developers/
> > Verifiers pages that were already included.
> >
> > This one page might essentially be the 'cheat sheet' you are looking
> > for.
> >
> > Jim - can you give me a bit more detail on what you think this article
> > would cover, and if you simply wrote it as an article, rather than a
> > cheat sheet, would it still serve its purpose?
> >
> > Thanks, Dave
> >
> > -----Original Message-----
> > From: owasp-leaders-bounces at lists.owasp.org
> > [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jim Manico
> > Sent: Friday, April 02, 2010 4:53 PM
> > To: owasp-leaders at lists.owasp.org
> > Subject: [Owasp-leaders] CISO AppSec Cheat Sheet
> >
> > I was thinking of leading an effort to build an OWASP "CISO AppSec
> > Cheat Sheet" - would this effort duplicate another in OWASP?
> >
> > http://www.owasp.org/index.php/CISO_AppSec_Cheat_Sheet
> >
> > --
> > Jim Manico
> > OWASP Podcast Host/Producer
> > OWASP ESAPI Project Manager
> > http://www.manico.net
> >
> > _______________________________________________
> > OWASP-Leaders mailing list
> > OWASP-Leaders at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >