OWASP CISO Survey Report 2015 Tactical Insights for Managers

Similar documents
Tobias Gondrom (OWASP Member)

IBM Security Systems. IBM X-Force 2012 & CISO Survey. Cyber Security Threat Landscape IBM Corporation IBM Corporation

Session ID: CISO-W22 Session Classification: General Interest

Presentation Overview

locuz.com SOC Services

SDLC Maturity Models

Combating Cyber Risk in the Supply Chain

CCISO Blueprint v1. EC-Council

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Applica;on Security Guide for CISO & Survey Version 2, 2018 Edi;on Project Updates. Marco M. Morana, OWASP CISO Guide Project Lead

THALES DATA THREAT REPORT

V Conference on Application Security and Modern Technologies

PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Engaging Executives and Boards in Cybersecurity Session 303, Feb 20, 2017 Sanjeev Sah, CISO, Texas Children s Hospital Jimmy Joseph, Senior Manager,

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

External Supplier Control Obligations. Cyber Security

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

TRAINING CURRICULUM 2017 Q2

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

Cybersecurity Session IIA Conference 2018

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

IBM Cloud Security for the Cloud. Amr Ismail Security Solutions Sales Leader Middle East & Pakistan

Cybersecurity 2016 Survey Summary Report of Survey Results

Certified Information Security Manager (CISM) Course Overview

Reinvent Your 2013 Security Management Strategy

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

Managing SaaS risks for cloud customers

2017 THALES DATA THREAT REPORT

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

INTELLIGENCE DRIVEN GRC FOR SECURITY

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

Cybersecurity and the Board of Directors

EU General Data Protection Regulation (GDPR) Achieving compliance

Cybersecurity for Service Providers

BHConsulting. Your trusted cybersecurity partner

Cybersecurity The Evolving Landscape

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

THALES DATA THREAT REPORT

Global Security Consulting Services, compliancy and risk asessment services

Cybersecurity in Higher Ed

GDPR Update and ENISA guidelines

INTRODUCTION. We would like to thank HelpSystems for supporting this unique research. We hope you will enjoy the report.

Protect Your Organization from Cyber Attacks

PT Unified Application Security Enforcement. ptsecurity.com

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Evaluating Cybersecurity Coverage A Maturity Model. Presented to: ISACA Charlotte Chapter Vision for IT Audit 2020 Symposium

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Building a Resilient Security Posture for Effective Breach Prevention

Business continuity management and cyber resiliency

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

ECCouncil EC-Council Certified CISO (CCISO) Download Full Version :

State of Cloud Survey GERMANY FINDINGS

Best Practices in Securing a Multicloud World

MOBILE SECURITY 2017 SPOTLIGHT REPORT. Information Security PRESENTED BY. Group Partner

Nebraska CERT Conference

Compliance Audit Readiness. Bob Kral Tenable Network Security

What every IT professional needs to know about penetration tests

Spotlight Report. Information Security. Presented by. Group Partner

10 FOCUS AREAS FOR BREACH PREVENTION

Cyber Security and Data Protection: Huge Penalties, Nowhere to Hide

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Cybersecurity Survey Results

OWASP - SAMM. OWASP 12 March The OWASP Foundation Matt Bartoldus Gotham Digital Science

Sirius Security Overview

CYBER INSURANCE: MANAGING THE RISK

Manchester Metropolitan University Information Security Strategy

CISO as Change Agent: Getting to Yes

300 Riverview Plaza Odysseus Marcopolus, Chief Operating Officer Trenton, NJ POLICY NO: SUPERSEDES: N/A VERSION: 1.0

Converged security. Gerben Verstraete, CTO, HP Software Services Colin Henderson, Managing Principal, Enterprise Security Products

Defense in Depth. Constructing Your Walls for Your Enterprise. Mike D Arezzo Director of Security April 21, 2016

DeMystifying Data Breaches and Information Security Compliance

Security Operations & Analytics Services

IoT & SCADA Cyber Security Services

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Cybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security

GDPR COMPLIANCE REPORT

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

IT risks and controls

112 th Annual Conference May 6-9, 2018 St. Louis, Missouri

State of Security Operations

WORKSHARE SECURITY OVERVIEW

Bringing Cybersecurity to the Boardroom Bret Arsenault

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

Art of Performing Risk Assessments

CyberSecurity. Penetration Testing. Penetration Testing. Contact one of our specialists for more information CYBERSECURITY SERVICE DATASHEET

Achieving Java Application Security With Parasoft Jtest

01.0 Policy Responsibilities and Oversight

The Honest Advantage

Ingram Micro Cyber Security Portfolio

भ रत य ररज़र व ब क. Setting up and Operationalising Cyber Security Operation Centre (C-SOC)

What It Takes to be a CISO in 2017

Embedding GDPR into the SDLC. Sebastien Deleersnyder Siebe De Roovere

Data Breaches: Is IBM i Really At Risk? All trademarks and registered trademarks are the property of their respective owners.

PCI DSS. Compliance and Validation Guide VERSION PCI DSS. Compliance and Validation Guide

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

Transcription:

OWASP CISO Survey Report 2015 Tactical Insights for Managers

Disclaimer The views and opinions expressed in this presentation are those of the author and not of any organisation. Everything I say is my own personal opinion. Especially the wrong ones.

About Me OWASP Open Web & Application Security Project, www.owasp.org global non-profit open source security community Tobias Gondrom Global Board, OWASP CTO Security, Huawei 20 years information security and development experience (Global Head of Security, CISO, CTO), CISSP, CSSLP, CCISO Project Leader OWASP CISO Survey Report Author of Internet Standards on Secure Archiving, CISO training and co-author of the OWASP CISO survey report and CISO guide Sloan Fellow M.Sc. London Business School Chair of IAOC (IETF Admininistrative Ovesight Committee), Chair of IETF Security WGs, Member of the IETF Security Directorate, Cloud Security Alliance HK chapter board member

Based on findings of the OWASP CISO Survey Report & CISO Guide OWASP CISO Guide: https://www.owasp.org/images/d/d6/owasp-ciso-guide.pdf OWASP CISO Survey: https://www.owasp.org/index.php/owasp_ciso_survey

CISO Survey Methodology Phase 1: Online Survey sent to 1000s of CISOs and Information Security Managers, with comprehensive question sets Dataset received of about 500 replies from various industries Phase 2: Followed by selective personal interviews Release of 2015 version in June 2016 5

Cyber-Attacks Targeting Web Applications

CISO Survey: External Threats are on the Rise! External vs. Internal Threats - changes EXTERNAL 79% 18% 3%»External attacks or fraud (e.g., phishing, website attacks) INTERNAL 37% 53% 9%»Internal attacks or fraud (e.g., abuse of privileges, theft of information) Increase Same Decrease

CISO Survey: Threats towards your organization Main areas of risk for your organisation (in % out of 100% in total) 10% 39% 51% Application Infrastruktur Other Other, 13% 2013 Infrastr ucture, 36% Applica tion, 51%

CISO Survey : Threat Trends 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% Compared to 12 months ago, do you see a change in these areas 7% 4% 50% 43% Infrastructure Security Risks Increase Same Decrease 26% 71% Application Security Risks New Threats to web applications negatively impacting your organization 44% Yes No 56%

Top-5 Sources of application security risk 1. Lack of awareness of application security issues within the organization 2. Insecure source code development 3. Staffing (e.g. lack of security skills within team) 4. Third-party suppliers and outsourcing (e.g. lack of security, lack of assurance) 5. Poor/inadequate testing methodologies 10

you think are the most likely to target your company in the next 12 months 1. Criminals 2. Insiders/employees 3. Hobbyist hackers 4. Activists / Anonymous 5. Those involved in corporate/industrial espionage 6. State sponsored spies 7. Competitors 8. Suppliers/partners

Learning from application security incidents things are easier than you think Reviewing the incidents of the past year(s), many could be traced back to: 1. Lack of proper basic application security controls during the development phase 2. Lack of awareness 3. Did not require a very high level of skill from the attacker to exploit (though they may require time and patience to find )

Application Security As Strategic Investment

CISO Survey & Report: Investments in Security - % of IT budget for Security 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 10+% 10% 9% 8% 7% 6% 5% 4% 3% 2% 1% 0.50% 0.10% 0.05% 0.01% 0% % of the total annual IT budget your company spends on cyber security

CISO Survey & Report: Investments in Security Your total cyber security spending over the next 12 months will 14% 1%1%2% 3% 6% 3% 26% Decrease by more than 50% Decrease 30% to 50% Decrease 10% to 30% Decrease less than 10% Stay the same Increase up to 10% Increase 10% to 50% Increase by 50-100% Increase more than 100% 23% Don't know 21%

How many security breaches did your company experience in the last 12 months? (Cyber security and Application Security breaches) 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% None 1 2 3 4 5 6 7 8 9 10 15 20 30 40 60 80 100 More than 100

Main damage types caused by cyber attacks 0% 10% 20% 30% 40% 50% 60% 70% 80% INTERRUPTION OF SERVICE REPUTATION DAMAGE LOSS OF CUSTOMER DATA LOSS OR COMPROMISE OF PERSONAL DATA No.1 No.2 No.3 DIRECT FINANCIAL LOSS, FOR EXAMPLE FRAUD THEFT OF INTELLECTUAL PROPERTY

Investments in Security: Top security priorities for the coming 12 months 0% 10% 20% 30% 40% 50% 60% CYBER RISK MANAGEMENT / INFORMATION SECURITY RISK MANAGEMENT DATA LEAKAGE/DATA LOSS PREVENTION APPLICATION LAYER VULNERABILITY MANAGEMENT TECHNOLOGIES AND CODE REVIEW (STATIC ANALYSIS OF SOURCE CODE TO FIND SECURITY COMPLIANCE WITH REGULATORY REQUIREMENTS (PCI-DSS, FISMA, ETC.) IMPLEMENTING SECURITY STANDARDS INFRASTRUCTURE SECURITY (E.G., ANTIVIRUS, IDS, IPS, PATCHING, INCIDENT RESPONSE CAPABILITIES THREAT AND VULNERABILITY MANAGEMENT (E.G., SECURITY ANALYTICS, DEPLOYMENT OF APPLICATION SECURITY INFRASTRUCTURE (SUCH AS WEB SECURITY AWARENESS AND TRAINING FOR DEVELOPERS MOBILE DEVICES SECURITY PENETRATION TESTING SDLC - SECURE DEVELOPMENT LIFECYCLE PROCESSES (E.G., SECURE CODING, SECURITY TESTING OF APPLICATIONS (DYNAMIC ANALYSIS, RUNTIME SECURITY ASSURANCE FOR CLOUD-BASED (SAAS, IAAS, PAAS, ) SOFTWARE RECRUITING AND RETAINING QUALIFIED APPLICATION SECURITY RESOURCES PRIVACY No.1 No.2 No.3 No.4 No.5

Biggest challenges delivering your organization's application security initiatives 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% AVAILABILITY OF SKILLED RESOURCES ADEQUATE BUDGET MANAGEMENT AWARENESS AND SPONSORSHIP LEVEL OF SECURITY AWARENESS BY THE DEVELOPERS ORGANIZATIONAL CHANGE JUSTIFYING BUSINESS CASE Extremely challenging Very challenging Challenging Slightly challenging Not a challenge CONFLICTING BUSINESS REQUIREMENTS EMERGING TECHNOLOGIES BUSINESS UNCERTAINTY REGULATORY CHANGE OR UNCERTAINTY

Where you see OWASP can help you Significance of OWASP guidance for your organisation 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% AWARENESS MATERIALS (E.G. TOP-10) CODE DEVELOPMENT GUIDELINES APPLICATION DEVELOPMENT POLICY TESTING METHODOLOGIES REFERENCE TO LEADING PRACTICE Extremely significant Very significant Significant Somewhat significant Not significant STAFF ATTENDING LOCAL OWASP CHAPTER MEETINGS FOR INFORMATION STAFF ATTENDING OWASP APPSEC CONFERENCE

Which OWASP projects people found useful (Top-10) 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% OWASP TOP-10 APPLICATION SECURITY FAQ CHEATSHEETS CISO GUIDE SECURE CODING PRACTICES - QUICK REFERENCE GUIDE TESTING GUIDE ZED ATTACK PROXY (ZAP) CISO SURVEY REPORT 2013 CODE REVIEW GUIDE APPLICATION SECURITY VERIFICATION STANDARD (ASVS) DEVELOPMENT GUIDE WEBGOAT Very useful Somewhat useful Not useful for us Don't know it WEBSCARAB ESAPI (ENTERPRISE SECURITY API) BROKEN WEB APPLICATIONS PROJECT MOD_SECURITY CORE RULESET RFP CRITERIA APPSENSOR OPENSAMM

As part of your information security management program, do you As part of your information security management program, do you... 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% CONDUCT SECURITY TRAINING SPECIFY SECURITY REQUIREMENTS USE RISK MANAGEMENT DOCUMENT AND ENFORCE SECURITY GUIDELINES SECURE ARCHITECTURE HAVE A VULNERABILITY MANAGEMENT PROCESS DO CODE REVIEWS Currently in use Planned within 12-18 months No plans to implement HARDEN THE DEPLOYMENT ENVIRONMENT USE TESTED COMMON SECURITY MODULES/FRAMEWORKS TESTING WITH TEST CASES FOR SECURITY USE A SDLC (SECURE DEVELOPMENT LIFE CYCLE) USE THREAT MODELING

Which technology tools organizations use or are planning to use Which technology tools your organization uses or is planning to use 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% APPLICATION VULNERABILITY SCANNERS WEB APPLICATION FIREWALLS Currently in use DESKTOP WEB APPLICATION VULNERABILITY SCANNERS Planned within 12-18 months No plans to implement SOURCE CODE ANALYZERS OR SCANNERS RUNTIME ANALYZERS

Build Security In, Security Strategy & Maturity Models

Strategy & Planning: board awareness Board Briefings on Cybeer Security No 30% Yes 70%

How confident are you that your organization is protected from cyber security risk? Not Secure, 7% Don't know, 2% Very good, 3% routinely assess your organisation's cyber security Good, 20% once per month or more, or continously We have problems, 28% 11% 6% 3% 20% between once per year to once per month ca. once per year Ok, 39% 29% 31% infrequently, or less than once per year No. We do not asses. Don't know.

Strategy & Planning Documented security strategy Your application security strategy... 0% 5% 10% 15% 20% 25% 30% 35%...HAS BEEN REVIEWED AND UPDATED WITHIN THE PAST 12 MONTHS 29% No 31%...IS ALIGNED WITH, OR INTEGRATED INTO, THE ORGANIZATION'S BUSINESS STRATEGY 21% Yes 69%...IS ALIGNED WITH, OR INTEGRATED INTO, THE ORGANIZATION'S IT STRATEGY 26%...OUTLINES OUR KEY SECURITY ACTIVITIES FOR THE NEXT 12 MONTHS 19% In case you wonder: We found a medium positive correlation between board briefings and whether you have a security strategy: 0.43

Strategy & Planning How long time does your security strategy plan ahead 24% 18% 7% 3% 11% 37% 3 months 6 months 1 year 2 years 3 years 5+ years Trends of security strategy planning 2013 -> 2015: longer time horizons Time Horizon 2013 2015 3 months 9.3% 3% 6 months 9.3% 11% 1 year 37.0% 37% 2 years 27.8% 18% 3 years 11.1% 24% 5 years+ 5.6% 7%

Security Strategy (findings from 2013): advantages of a 2-year security strategy»benefits of a security strategy for application security investments: 70% 60% 50% 40% 30% 20% 10% 0% Correlation between investments in Application Security and a 2year Application Security Strategy Increase Same Decrease App App (2y) App (not 2y) Analysis for correlations with: - Recent security breach - Has a ASMS - Company size - Role (i.e. CISO) - Has a Security Strategy - Time horizon of security strategy (2 years)

Strategy & Planning: Usage trends for ASMS and Maturity Models (2015 vs. 2013) Use of Application Security Management System (ASMS) or Maturity model 45% 40% 35% 30% 25% 20% 15% 10% 5% 0% 6% 9% 9% 42% 34% 2013 - Application Security Management System (ASMS) or Maturity Model (e.g., OWASP SAMM) 45.00% 40.00% 35.00% 30.00% 25.00% 20.00% 15.00% 10.00% 5.00% 0.00% 4.00% 6.70% 13.30% 41.30% 34.70%

Strategy & Planning: Maturity Model trends compare with 2013 Which Models are in use? 38% 27% 20% 15% 15% 12% 6% 5% 3% 2% 2% 1%

How does your organization assess the quality and effectiveness of application security? 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% INTERNAL SELF ASSESSMENTS BY IT OR APPLICATION SECURITY FUNCTION 40% ASSESSMENT BY EXTERNAL PARTY/THIRD PARTY 29% ASSESSMENTS PERFORMED BY OTHER INTERNAL FUNCTION 20% CODE REVIEW AND METRICS 17% FORMAL CERTIFICATION TO INDUSTRY SECURITY STANDARDS (E.G. PAYMENT CARD INDUSTRY DATA SECURITY STANDARD(PCI DSS), SECURITY STANDARD) 11% FORMAL CERTIFICATION TO EXTERNAL SECURITY STANDARDS 11% NO ASSESSMENTS PERFORMED 6%

Suppliers & External Partners: How do you verify your external partners 0% 5% 10% 15% 20% 25% 30% 35% 40% COMMUNICATE OUR SECURITY REQUIREMENTS TO OUR KEY SUPPLIERS AND PARTNERS 37% ASESSMENTS PERFORMED BY OUR ORGANIZATION'S APPLICATION SECURITY, PROCUREMENT OR INTERNAL AUDIT FUNCTION (E.G. SITE VISITS, SECURITY TESTING) 27% SELF ASSESSMENTS OR OTHER CERTIFICATIONS PERFORMED BY PARTNERS, VENDORS OR CONTRACTORS 20% INDEPENDENT EXTERNAL ASSESSMENTS OF PARTNERS, VENDORS OR CONTRACTORS 15% NO REVIEWS OR ASSESSMENTS PERFORMED 10%

Incident Response In the last 12 months, have you experienced, exercised or prepared how you will recover from a cyber security incident Effectiveness of Incident Response 10% 10% 3% 8% Very confident Yes 21% 22% confident somewhat confident 35% 55% No N/A - Dont know some doubts Not confident 36% N/A - Don't know

Incident Response (2) Incident Response: When an incident or breach occurs 41% 35% 18% 20% 18% 12% conduct an informal root cause analysis run a formal internal investigation contact an external CERT or independent non-profit from a country/region or industry contact law enforcement share information with other companies (like peers in your industry) Be required by law to report security incidents to a regulator or government.

Incident Response: Increase spending after incident? 100% Spending more after a security incident? 90% 80% 39% 70% 60% 70% 50% 40% No Yes 30% 61% 20% 10% 30% 0% 2015 2013

Incident Response: Increase spending after incident? 100% Spending more after a security incident? 90% 80% 70% 60% 39% 70% 48% 50% 40% No Yes 30% 20% 10% 61% 30% 52% 0% 2015 2013 2013 - WITH RECENT BREACH

Thank you - Q&A Q &U E S T I O N S AN S W E R S» If you like to be notified when the new OWASP CISO Survey Report will be released, leave your card or send an email.

Thank you

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback