[Owasp-leaders] Your answers will be highly appreciated :)
Andrew van der Stock
vanderaj at owasp.org
Wed May 25 14:00:34 UTC 2016
If there is no or inadequate funding, the first order of business is to
build a business-aligned strategy for the next 1-5 years and an associated
business case for adequate funding and resourcing that is both achievable
and measurable. If you can't get a decent business case across the line,
the enterprise's management or Board is IMHO negligent, and you should
strongly invest significant time in brushing up your resume and looking for
your next gig, because they will be pwned sooner or later through that
In the meantime, whilst you are working on a decent strategy and business
case, for the corporate network, I would suggest adopting tactical
controls, such as addressing the ASD Top 4 out of the Top 35 controls. This
will keep you very busy for a while, but will make huge inroads into the
risk posed by the average enterprise / corporate network. If you can, try
to address the Top 11, as these are the best bang for buck, usually
extremely cheap (either process driven, or using tech you already have in
place), and are extremely effective.
Also consider re-architecture, such as Google's excellent BeyondCorp
architectural model and associated papers.
This enables your network for BYOD, mobile, convergence, and future state,
whilst coping with "assume breach" and basically the end point apocalypse
that's already well underway. Consider the prime axes of identity and
trust, data protection, data access monitoring, and incident response.
These will stand you in excellent stead. Security controls for the 1990s
network are useless. Don't do that.
In terms of an appsec program, the best investment when you're completely
underfunded is to invest in securing the SDLC, so you produce secure apps
until such time as you can prove that you're doing so. You could spend a
heap on pen testing or code review, but say you invested $100k in pen
testing, you might get 10 cheap reviews, but that same investment could set
you up to produce every app in a more secure way. There were heaps of
excellent SDLC talks at OWASP AppSec USA 2015, which you can watch here:
Focus on training developers, checklists (ASVS, cheat sheets), and ensuring
a basic pipeline (e.g. OWASP Pipeline, ZAP, your favorite static code
analysis tool) is built that tests for the low-hanging fruit. Investing
hundreds of thousands in EDR and monitoring and response only works once
you have identified all your assets and classified them.
On Wed, May 25, 2016 at 8:20 PM, Ahmed Neil <ahmed.neil at owasp.org> wrote:
> A question has been asked:
> How to make the balance between deploying the best cyber security
> practice inside the enterprise when the funding is not adequate, or let's
> say resources are so limited? How to work with the business to find the
> defenses that are not only successful, but are wholly effective in the eyes
> of the businesses?
> Your answers will be highly appreciated :)
> Kind Regards,
> Ahmed M. Neil <https://www.owasp.org/index.php/User:Ahmed_M_Neil>, MSc.
> You can Call me at (+2010)002.423.44
> Setup a meeting here
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
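The "basic pipeline that tests for the low-hanging fruit" advice above implies a build gate: scanner findings come in, anything above a severity threshold that has not already been triaged fails the build. The following is an added example written for this page, not code from the thread, from OWASP Pipeline, or from ZAP. It assumes a simplified, tool-neutral finding format (`tool`, `rule_id`, `severity`, `location`) that a real pipeline would first map each scanner's native report into; the rule identifiers and locations in the sample report are constructed.

```python
"""CI security gate: fail a build on new, high-severity scanner findings.

Added example, not from the mailing-list thread. The report shape below is an
assumed, tool-neutral format; ZAP and SAST tools have their own native reports
that a real pipeline would convert into this shape first.
"""
import sys
from dataclasses import dataclass
from typing import Iterable

# Ordering used for the threshold comparison.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    tool: str       # which scanner produced it, e.g. "dast" or "sast" (assumed names)
    rule_id: str    # tool-specific rule identifier
    severity: str   # one of the SEVERITY_RANK keys
    location: str   # URL path or source file:line

    def key(self) -> str:
        """Stable identity used to match a finding against the accepted baseline."""
        return f"{self.tool}:{self.rule_id}:{self.location}"


def parse_findings(report: dict) -> list[Finding]:
    """Parse the assumed shape {"findings": [{...}, ...]} into Finding objects.

    An unknown or missing severity is treated as "high" so that a mis-mapped
    tool cannot silently slip past the gate.
    """
    parsed = []
    for item in report.get("findings", []):
        sev = str(item.get("severity", "high")).lower()
        if sev not in SEVERITY_RANK:
            sev = "high"
        parsed.append(Finding(item["tool"], item["rule_id"], sev, item["location"]))
    return parsed


def evaluate_gate(findings: Iterable[Finding], fail_at: str = "high",
                  baseline: frozenset = frozenset()) -> dict:
    """Split findings into blocking / accepted / below-threshold and decide pass or fail.

    fail_at   lowest severity that blocks the build
    baseline  keys of findings already triaged and accepted as tracked risk;
              they are reported but do not block
    """
    threshold = SEVERITY_RANK[fail_at]
    blocking, accepted, below = [], [], []
    for f in findings:
        if SEVERITY_RANK[f.severity] < threshold:
            below.append(f)
        elif f.key() in baseline:
            accepted.append(f)
        else:
            blocking.append(f)
    return {"passed": not blocking, "blocking": blocking,
            "accepted": accepted, "below_threshold": below}


# Constructed sample report; rule ids and locations are made up for this example.
SAMPLE_REPORT = {
    "findings": [
        {"tool": "dast", "rule_id": "csp-header-missing", "severity": "medium", "location": "/login"},
        {"tool": "dast", "rule_id": "reflected-input", "severity": "high", "location": "/search"},
        {"tool": "sast", "rule_id": "sql-string-concat", "severity": "high", "location": "app/db.py:42"},
        {"tool": "sast", "rule_id": "debug-enabled", "severity": "low", "location": "app/settings.py:7"},
    ]
}

# Constructed baseline: one finding the team has already triaged and accepted for now.
SAMPLE_BASELINE = frozenset({"dast:reflected-input:/search"})


def run_gate(report: dict, fail_at: str = "high", baseline: frozenset = frozenset()) -> dict:
    """Parse, evaluate, and return the verdict plus a human-readable summary."""
    verdict = evaluate_gate(parse_findings(report), fail_at, baseline)
    lines = [f"gate {'PASSED' if verdict['passed'] else 'FAILED'} (threshold: {fail_at})"]
    for f in verdict["blocking"]:
        lines.append(f"  BLOCK   {f.severity:<8} {f.key()}")
    for f in verdict["accepted"]:
        lines.append(f"  ACCEPT  {f.severity:<8} {f.key()} (baselined)")
    verdict["summary"] = "\n".join(lines)
    return verdict


if __name__ == "__main__":
    result = run_gate(SAMPLE_REPORT, fail_at="high", baseline=SAMPLE_BASELINE)
    print(result["summary"])
    sys.exit(0 if result["passed"] else 1)  # non-zero exit fails the CI job
```

The baseline file is the piece that makes this workable on a small budget: without it, the first scan of a legacy application blocks every build and the gate gets switched off; with it, the existing findings become tracked risk and only new findings above the threshold stop the pipeline.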