Tobias Gondrom (OWASP Member) - Global AppSec

Transcription

Tobias Gondrom (OWASP Member)

Disclaimer: All characters appearing in this work are fictitious. Any resemblance to real persons, living or dead, is purely coincidental. The views and opinions expressed in this article are those of the author and not of any organisations. “Everything I say is my own personal opinion. Especially the wrong ones.”

Tobias Gondrom
– 15 years information security experience (Global Head of Security, CISO, CTO), CISSP, CSSLP, CCISO
– 12 years management of application security & development exp.
– Sloan Fellow M.Sc. in Leadership and Strategy, London Business School
– OWASP Global Board member, OWASP Project Leader for the CISO Survey, www.owasp.org
– Author of Internet Standards on Secure Archiving, CISO training and co-author of the OWASP CISO guide
– Chair of IETF Web Security Working Group / Member of the IETF Security Directorate, Chair of IETF Administrative Oversight Committee (IAOC)
– Cloud Security Alliance, Hong Kong chapter, Vice Chairman
– Previously working for Thames Stanley: Managing Director, CISO Advisory, Information Security & Risk Management, Research and Advisory

The Beginning
You think you have this: Well fortified. Secure perimeter protection, anti-virus, secure off-the-shelf software systems customized for your business needs and a few self-built system applications. Very little budget, but you are doing fine, because you never had a breach... until today.

The Truth
In truth you have this:

“Hello John.” “Hello, my name is John Smith. I am the CISO of a medium sized company. And we had a breach.” “Hello John.”

What now?

Now? Your Exec Management team is pretty upset, your customers worried, your employees confused, your CEO has you on speed dial and you get the "pleasure" of daily and then weekly briefings on fixing everything and what you do to make sure this never happens again.

Summer holiday? It is May now, and you had such nice plans for a relaxing summer holiday on the beach in July... Are you crazy? All bets are off...

Fix it
Before you could even think of going on holiday, you need to:
- Have a security strategy?
- Upgrade your Security policy?
- SDLC – do we have one, do we live it? And if yes, why did everything go sideways...?
- How do we benchmark against others?
- Use Risk Management?
- Have a security team / organise it?
- Security training and awareness?
- Secure coding guidelines...
All by yesterday

You are not alone .

Make everything yourself? No chance to get there in time.

Learn and copy from the experts
There is this crazy group of experts and everything they do is open source and free... maybe we should take a look. Shall we?

So how do we get there
- Have a security strategy?
- Upgrade your Security policy?
- SDLC – do we have one, do we live it? And if yes, why did everything go sideways...?
- How do we benchmark against others?
- Use Risk Management?
- Have a security team / organise it?
- Security training and awareness?
- Secure coding guidelines...
All by yesterday / all by next month / within 3 months?

How OWASP can help you: Material & Tools, People, Ideas

You go to the OWASP webpage - Projects: a slide filled with OWASP project names, among them openSAMM, ModSecurity Core Rule Set, AntiSamy, CSRFGuard, WebGoat, WebScarab, ZAP - Zed Attack Proxy, ASVS, Top Ten, Testing Guide, Code Review Guide, Application Security Guide For CISOs, Secure Coding Practices, Cheat Sheets, Cornucopia, Mutillidae, Vicnum, Wapiti, Yasca, WSFuzzer, Webslayer, Mantra, LAPSE, Scrubbr, EnDe, Cloud-10, AppSec Tutorial Series, Broken Web Applications, Fiddler Addons, Codes of Conduct, JavaScript Sandboxes, XML Security, Browser Security and Virtual Worlds.

And others? Multitude of Standards and Documents
- OWASP
- ISO 2700x, ISO 31000
- Cobit, Risk IT (ISACA)
- ITIL, NIST, PCI-DSS, ISF “Standard of Good Practice for Information Security”
- CSA (Cloud Security Alliance)
- ...

Web & Application Security: People, Process, Technology – Training, Organisation, Risk, Frameworks

OWASP Projects for an industry or development company: openSAMM Software Assurance Maturity Model, OWASP Top Ten, Code Review Guide, Development Guide Project, ASVS, Security Guide For CISOs, Secure Coding Practices, WebGoat Project, CISO Survey

One Roadmap Example
- Basic: Benchmarking / Maturity Model; OWASP Top-10 - Awareness
- Intermediate: Risk management; Organisational Design; SDLC; Training
- Sophisticated: Training: Development Guide; Verification: ASVS Application Security Verification Standard Project, Code Review Guide, Testing Guide; Development: ESAPI; Operation: AppSensor

Maturity Models & Benchmarking
Benchmarking. Or: Where are we? – And where are we going?

Maturity Models & Benchmarking
Review of existing security efforts. Benchmarking, Measuring Progress and Maturity Models:
- Software Assurance Maturity Model (SAMM, http://www.opensamm.org)
- ISO 27000s
- Capability Maturity Model (CMM)
- ...

Your choice
BSIMM, or another x00-page model... Sophisticated and detailed, but...
openSAMM: Short, but easy. First assessment done in a day...

SAMM Security Practices
From each of the Business Functions, 3 Security Practices are defined. The Security Practices cover all areas relevant to software security assurance. Each one can be targeted individually for improvement.

Basic awareness training... Build / Buy / Use...

OWASP Top 10 – Awareness & Training

OWASP Top-10 version 2013
- Easy to use to start a first discussion and awareness
- Initial developer training (1.5 hours)
- Management awareness
- Available in many languages (Spanish, Chinese, Japanese, Korean, Vietnamese, Indonesian, ...)
- Also other Top-10 for cloud, ...
- But: there exist more risks beyond the top-10!
- Referenced by many external standards, regulation and best practices, e.g. PCI DSS etc.

OWASP Top-10
- Usually a good first awareness training for developers (1-2 hours)
- Recommend to tailor it to your application landscape: make it meaningful for them, as some of the security risks may not be as urgent in your organisation as others
- Enrich with examples / use cases from your applications

And some more Training: OWASP Top-10, Secure Coding Practices, Cheatsheets, Webgoat

Secure Coding Practices Quick Reference Guide
- Good next step of “To do” after initial “OWASP Top-10”
- Technology agnostic coding practices
- What to do, not how to do it
- Compact (17 pages), comprehensive checklist format
- Focuses on secure coding requirements, rather than on vulnerabilities and exploits
- Includes cross referenced glossary to get developers and security folks talking the same language
- Tailor to your application landscape (not all parts may be equally important for your organisation).
- Goal: Build a secure coding kick-start tool, to help development teams quickly understand secure coding
- Originally developed for use inside The Boeing Company, July 2010, Boeing assigned copyright to OWASP

Secure Coding Practices Quick Reference Guide Summary
- Help development teams to quickly understand secure coding practices
- Assist defining requirements and adding them to policies and contracts
- Context and vocabulary for interactions with security staff
- Easy desk reference

OWASP Cheat Sheet Series: a slide of cheat sheet titles, among them Transport Layer Protection, Cross-Site Request Forgery (CSRF) Prevention, DOM based XSS Prevention, XSS (Cross Site Scripting) Prevention, Forgot Password and Web Service Security.

Webgoat
- Exercise with Example Web Application to illustrate typical Security Flaws within Web Applications
- Practice Lessons for Common Vulnerabilities
- Teach a Structured Approach to Testing and Exploiting
- Give Practical Training and Examples

Risk Management
What & how much is enough?

Risk Management
Risk: The probable frequency and probable magnitude of future loss
- Why – or where do you put your resources?
- Methods: OWASP, ISO-27005, ITIL, NIST SP800-30, OCTAVE
- Asset Classification, Threat Analysis & Vulnerability Assessment
- What do you do with Risks?
- Quality vs. quantity, Human behavior & risk

Risk management
Why / Benefits:
– Allocation of resources: Asset Classification and values? Threat Analysis & Scenarios?
– Establish ownership of assets, risk and controls
Methods:
– OWASP
– FAIR (Factor Analysis of Information Risk)
– ISO 27005, ISO 31000
– Risk IT (ISACA)
– ...

OWASP Top 10 Risk Rating: a table slide with the columns Prevalence, Weakness Detectability, Technical Impact and Business Impact (marked “?”), with Injection as the worked example: 1.66 weighted risk rating.
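As an added illustration (not part of the talk and not OWASP's own tooling), the arithmetic behind that 1.66: the OWASP Top 10 2013 methodology scores exploitability, weakness prevalence, weakness detectability and technical impact from 1 (worst for the organisation) to 3, averages the three likelihood factors and multiplies by the impact score, so a lower number ranks higher. The Injection row uses the factor values that yield the slide's 1.66; the other two rows and the category names are assumed for illustration, and business impact is left out because the methodology leaves it to each organisation (the “?” on the slide).

```python
from dataclasses import dataclass
from typing import Dict, List

# Factor scales of the OWASP Top 10 2013 risk-rating methodology (assumed
# from the published methodology, not reproduced on the slide): a score of
# 1 is the worst case for the organisation, 3 the best.
EXPLOITABILITY = {"easy": 1, "average": 2, "difficult": 3}
PREVALENCE = {"widespread": 1, "common": 2, "uncommon": 3}
DETECTABILITY = {"easy": 1, "average": 2, "difficult": 3}
TECHNICAL_IMPACT = {"severe": 1, "moderate": 2, "minor": 3}


@dataclass(frozen=True)
class RiskFactors:
    exploitability: str
    prevalence: str
    detectability: str
    technical_impact: str


def weighted_risk(f: RiskFactors) -> float:
    """Average the three likelihood factors and weight by technical impact.
    Lower is worse: 1.0 is the most severe rating possible, 9.0 the least."""
    likelihood = (EXPLOITABILITY[f.exploitability]
                  + PREVALENCE[f.prevalence]
                  + DETECTABILITY[f.detectability]) / 3
    return likelihood * TECHNICAL_IMPACT[f.technical_impact]


def rating_label(score: float) -> str:
    """Format the score the way the Top 10 document prints it: two digits,
    truncated rather than rounded (5/3 becomes 1.66, not 1.67)."""
    return f"{int(score * 100) / 100:.2f}"


def rank(categories: Dict[str, RiskFactors]) -> List[str]:
    """Order categories from highest risk (lowest score) to lowest."""
    return sorted(categories, key=lambda name: weighted_risk(categories[name]))


# Constructed sample: Injection uses the factor values that give the 1.66
# on the slide; the other two rows are illustrative, not OWASP's numbers.
SAMPLE = {
    "Injection": RiskFactors("easy", "common", "average", "severe"),
    "Sensitive data exposure (illustrative)": RiskFactors("difficult", "uncommon", "average", "severe"),
    "Unvalidated redirects (illustrative)": RiskFactors("average", "uncommon", "easy", "moderate"),
}

if __name__ == "__main__":
    for name in rank(SAMPLE):
        print(f"{rating_label(weighted_risk(SAMPLE[name])):>5}  {name}")
```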

Other methods: e.g. ISO 27005, ... (slide showing Asset values, Business Impact and Controls)

Risk Heat Map – Threat: a grid of Likelihood against Impact, each cell rated Low / Medium / ... (cell values not recoverable)

Secure Software Development Lifecycle - SDLC
E.g. Microsoft has a nice one: SDL. Comprehensive, but heavy. But has some very good ideas; btw. if you don’t like Microsoft, Adobe has a nice one published, too: “Adobe Secure Product Lifecycle”. But if you want to get ready in time for your holiday (read: in the next 2 years) don’t try to do all of it at once... – Cherry pick what is good for you

Security Strategy
Want some “high-level stuff”? E.g. not sure what should be in your security strategy? OWASP CISO Guide (OWASP CISO -guide.pdf)

Want some forward looking intelligence? Need some data to justify your proposals? Further Resources: OWASP CISO Survey, https://www.owasp.org/index.php/OWASP CISOSurvey

CISO Survey: External Threats are on the Rise!
- External attacks or fraud (e.g., phishing, website attacks): Increase 85%, Same 13%, Decrease 2%
- Internal attacks or fraud (e.g., abuse of privileges, theft of information): Increase 17%, Same 71%, Decrease 12%

CISO Survey: Change in the threats facing your organization
What are the main areas of risk for your organisation, in % out of 100%? Application 51%, Infrastructure 36%, Other 13%

CISO Survey: Change in the Threats
Compared to 12 months ago, do you see a change in these %?

CISO Survey & Report 2013
Top five sources of application security risk within your organization?
- Lack of awareness of application security issues within the organization
- Insecure source code development
- Poor/inadequate testing methodologies
- Lack of budget to support application security initiatives
- Staffing (e.g., lack of security skills within team)

CISO Survey & Report: Investments in Security
Aspects of organization's annual investment (bar chart of Increase / Same / Decrease shares per aspect; the individual values are not recoverable from the slide)

CISO Survey & Report 2013
Top application security priorities for the coming 12 months:
- Security awareness and training for developers
- Secure development lifecycle processes (e.g., secure coding, QA process)
- Security testing of applications (dynamic analysis, runtime observation)
- Application layer vulnerability management technologies and processes
- Code review (static analysis of source code to find security defects)

Spending after security incident
Is your organization spending more on security in response to a security incident?
- All: Yes 30%, No 70%
- With recent breach: Yes 52%, No 48%

CISO Survey & Report 2013
Top five challenges related to effectively delivering your organization's application security initiatives:
- Availability of skilled resources
- Level of security awareness by the developers
- Management awareness and sponsorship
- Adequate budget
- Organizational change

One Roadmap Example
- Basic: Benchmarking / Maturity Model; OWASP Top-10 - Awareness
- Intermediate: Risk management; Organisational Design; SDLC; Training
- Sophisticated: Training: Development Guide; Verification: ASVS Application Security Verification Standard Project, Code Review Guide, Testing Guide; Development: ESAPI; Operation: AppSensor

So how are we doing?
- Have a security strategy? – CISO Guide
- Upgrade your Security policy? – Template, write one. Coding guide
- SDLC – do we have one, do we live it? And if yes, why did everything go sideways...? – Learn from Microsoft SDL
- How do we benchmark? – openSAMM, CISO Survey
- Use Risk Management? – ISO 27005
- Have a security team / organise it? – Hey, we need to leave some work also for you
- Security training and awareness? – OWASP Top-10, and more
- Secure coding guidelines... – OWASP Secure Coding Quick Reference Guide
... All within 3 months?

Will your holiday be saved?

Questions? What OWASP tools do you think will be useful for you right away? What would you like to have in the future?

Thank you
