2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs

Presented at AppSec USA 2013, Nov. 20, 2013, 1 p.m. (50 minutes).

Video of session: https://www.youtube.com/watch?v=J4i3RY5AGhc&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=3

As an organization born from grassroots ideals and volunteer efforts that started 12 years ago with visionaries such as Mark Curphey, OWASP has grown in members. OWASP's mission has been to make application security visible to application security stakeholders. Thanks to the OWASP corporate sponsors and volunteers working on sponsored projects, OWASP has delivered free tools and guides that have helped software developers build more secure web applications. Most notably, the OWASP Top Ten has provided the benchmark for testing web application vulnerabilities for several organizations. Projects such as the development guide and testing guide provide pointed guidance to software developers on how to design and test web applications. Among the application security stakeholders that OWASP serves today, Chief Information Security Officers (CISOs) are often the ones who make decisions on rolling out application security programs and activities, invest in new tools and set budgets for application security resources. Recognizing the important role that the CISO has in managing application security processes within organizations, OWASP sponsored a project in 2012 to develop guidance specifically for CISOs. The aim of the OWASP guide is to provide useful guidance to CISOs for effectively managing the risks of insecure web applications and software by planning application security activities, investing in countermeasures to mitigate threats and considering the costs and benefits for the organization. Recognizing that a CISO guide must first and foremost capture the needs of CISOs in managing application security from information security governance, risk and compliance perspectives, a survey was developed in parallel with the draft of the CISO Guide.
As the results of the 2013 CISO survey have become available, they have been used to tailor the guide to CISOs' specific needs. One of the most important aspects covered in the CISO guide is making the business case for application security investments by helping CISOs translate technical risks such as the OWASP Top Ten into business impacts, compliance with standards and regulations, and risk management. Specifically, the version of the guide presented at OWASP AppSec USA will be the first version that highlights the results of the CISO survey and seeks to introduce CISOs to projects and resources that can help them roll out an application security program whose main goal is managing web application security risks.

Presenters:

  • Marco Morana - SVP - Citi
    Dr. Morana is SVP at Citi's Information Security based in Tampa, focusing on bringing emerging technologies for cybersecurity and FinTech to the level of maturity required for adoption by Citi and Citi clients. In his day-to-day job his focus is to document internal technology standards, direct security reviews of cloud applications and manage proofs of concept and pilots of emerging technologies such as mobile payments, cloud-based financial applications and hybrid private/permissioned blockchain and consortium-developed blockchain applications. Besides his work with Citi, Dr. Morana is an active contributor in the start-up and innovator community as a non-resident mentor of the Level 39 FinTech accelerator and the CyLon cyber-security accelerator in London, UK, and as a member of the steering committee of the Security Innovation Network (SINET) in the US, where he evaluates the technologies and products of emerging cybersecurity companies. Dr. Morana has also been directly involved in helping cyber-security start-ups as an outside director and member of technical advisory boards, in compliance with Citi outside directorship interests. Dr. Morana is an active contributor as author of a book on risk-centric threat modelling that has been used to develop the NSA-accredited National University graduate course on cyber-intelligence and threat modelling. He is currently working on two new book projects: the security of future enterprise blockchain applications with Wiley Publishing, and an updated version of the CISO guide to application security as a free open-source book for OWASP. Dr. Morana has more than 20 years of experience in cyber security and has played a role as a key employee working for cyber security start-ups as well as Fortune 500 companies. Dr. Morana co-patented the first implementation of secure email using S/MIME for NASA; subsequently he joined the start-up Internet Security Systems (ISS), where he developed threat-adaptive network security technologies. ISS was a successful start-up that went IPO and was later acquired by IBM. After ISS, Dr. Morana joined the early-stage mobile security start-up eXCellNET, where he designed encryption APIs for the first prototypes of mobile smartphones. After eXCellNet was acquired by SyBase Inc., he joined the security consultancy start-up Foundstone, which was later acquired by McAfee, and played a leading role in developing a new software security engineering and consulting services practice. Dr. Morana holds a Doctorate in Engineering (Dr. Eng., MSME advanced degree) from Padova University (Italy) with a NASA/API-sponsored thesis on simulation of tethered satellite dynamics, and a Master of Science in Computer System Engineering (MSCSE) from Northwestern Polytechnic (USA) and the University of California at Berkeley.
  • Tobias Gondrom - Global Board Member - OWASP
    Tobias Gondrom is a global board member of OWASP (Open Web Application Security Project) and was its chairman until December 2015. Until April 2015, he was leading a boutique Global CISO and Information Security & Risk Management Advisory based in Hong Kong, the United Kingdom and Germany. He has over 15 years of experience leading global teams in information security, software development, application security, cryptography, electronic signatures and global standardization organizations, working for independent software vendors and large global corporations in the financial, technology and government sectors. He holds the most senior business degree from London Business School, the Sloan Masters in Leadership and Strategy. Over the years, he has trained and advised dozens of CISOs and senior information security leaders around the world on the management and organisation of security teams and programs. Since 2003 he has been chair of working groups of the IETF (www.ietf.org) and a member of the IETF security directorate, since 2005 chair of various security WGs at the IETF, and since 2014 a member of the IETF Administrative Oversight Committee (IAOC). He has held a number of project and chapter leadership roles for OWASP since 2007. Currently, he is serving as a global board member of OWASP, leading the OWASP CISO Report and Survey project and contributing to the OWASP CISO Guide. Tobias Gondrom is also serving as a member of the NIS Platform of the European Commission, advising the European Union on Cyber Security and Risk Management. He serves on the board of the CSA Hong Kong and Macau chapter and was an ISC2 CSSLP and CISSP Instructor. Tobias has authored the Internet security standards RFC 4998, RFC 6283 and RFC 7034, co-authored the OWASP CISO Guide and the book "Secure Electronic Archiving", and is a frequent presenter at conferences and author of articles on security.
