2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs

Wednesday, November 20 • 1:00 pm - 1:50 pm

Response to the CFP for the OWASP AppSec US Conference 2013

Title of the Presentation: 2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs

Author: Marco Morana

Abstract:

As an organization born from grassroots ideals and volunteer efforts that started 12 years ago with visionaries such as Mark Curphey, OWASP has grown in membership. OWASP's mission has been to make application security visible to application security stakeholders. Thanks to the OWASP corporate sponsors and the volunteers working on sponsored projects, OWASP has delivered free tools and guides that have helped software developers build more secure web applications. Most notably, the OWASP Top Ten has provided the benchmark for testing web application vulnerabilities for many organizations. Projects such as the Development Guide and the Testing Guide give software developers pointed guidance on how to design and test web applications. Among the application security stakeholders that OWASP serves today, Chief Information Security Officers (CISOs) are often the ones who decide on rolling out application security programs and activities, invest in new tools, and set the budget for application security resources. Recognizing the important role the CISO has in managing application security processes within the organization, OWASP sponsored a project in 2012 to develop guidance specifically for CISOs. The aim of the OWASP guide is to help CISOs effectively manage the risks of insecure web applications and software by planning application security activities, investing in countermeasures to mitigate threats, and weighing the costs and benefits for the organization. Recognizing that a CISO guide must first and foremost capture the needs of CISOs in managing application security from information security governance, risk and compliance perspectives, a survey was developed in parallel with the draft of the CISO Guide. As the results of the 2013 CISO survey have become available, they have been used to tailor the guide to the specific needs of CISOs.
One of the most important aspects covered in the CISO Guide is making the business case for application security investments by helping CISOs translate technical risks, such as the OWASP Top Ten, into business impacts, compliance with standards and regulations, and risk management. Specifically, the version of the guide presented at OWASP AppSec USA will be the first to highlight the results of the CISO survey, and it seeks to introduce CISOs to the projects and resources that can help them roll out an application security program whose main goal is managing web application security risks.

Presenter's Bio

Marco Morana serves OWASP (Open Web Application Security Project) as project leader of the OWASP Guide for CISOs and is a member of the OWASP London chapter. Marco started his involvement with OWASP in 2007 by contributing to the OWASP Testing Guide. As an OWASP project contributor, Marco has also authored and helped review OWASP projects such as the Secure Coding Guide and the Testing Guide, and has published several articles on application and software security topics on behalf of OWASP in Secure Magazine and, on behalf of other companies, in Secure Enterprise, Network Computing, ISSA Journal, and C/C++ User Journal. In 2008, Marco founded the OWASP chapter in Cincinnati, USA, and led the chapter in promoting awareness of application and software security within the local community, making strides with local academic institutions, regional banks, and software development and consulting companies.

In his current position, Marco runs the application architecture security program globally for one of the largest financial institutions (FI) in the world, based in London, U.K. He is also a technical advisor to a security technology start-up and a contributor to EU cyber security projects. During his 15+ years of distinguished career in security, he has specialized in application and software security consulting services for major Fortune 500 companies and has contributed to the secure design of business-critical applications and security tools. His notable contributions in application security include the development of the first secure email with S/MIME (1996) and the first Intrusion Detection System (IDS) tool (1998). Marco's current interests are in the research of cyber threat analysis and attack modeling processes, and of processes to better manage the risk of emerging cyber threats.

Marco's academic credentials include a Master's Degree in Computer Systems Engineering from Northwestern Polytechnic University and an Engineering Doctorate Degree (Dr. Ing.) in Mechanical Engineering from the University of Padova, Italy. Marco is also a Certified Secure Software Lifecycle Professional (CSSLP).

Ref: https://www.owasp.org/index.php/Application_Security_Guide_For_CISOs


Speakers:
Marco Morana


Marco Morana serves OWASP (Open Web Application Security Project) as project leader of the OWASP Guide for CISOs and is a member of the OWASP London chapter. Marco started his involvement with OWASP in 2007 by contributing to the OWASP Testing Guide. As an OWASP project contributor, Marco has also authored and helped review OWASP projects such as the Secure Coding Guide and the Testing Guide, and has published several articles on application and software security topics on behalf of OWASP in Secure Magazine, Secure Enterprise, Network Computing, ISSA Journal, and C/C++ User Journal. In 2008, Marco founded the OWASP chapter in Cincinnati, USA, and led the chapter in promoting awareness of application and software security within the local community, making strides with local academic institutions, regional banks, and software development and consulting companies. He is currently SVP at a major bank in London, U.K., where he is responsible for managing the secure architecture analysis process for architecturally significant programs globally.

and Tobias Gondrom

Most recent training history: presentations at AppSec EU and AppSec Asia and at the OWASP Summit; trainings at AppSec US 2012 and at AppSec APAC in 2011 and 2012; frequent presentations and chairing of working groups at IETF meetings (since 2003). For example, feedback received from participants at the previous AppSec US 2012 CISO training: course content: 50% excellent, 50% above average; quality of instructor: 84% excellent, 16% above average.

Tobias Gondrom is Managing Director of Thames Stanley, a CISO and Information Security & Risk Management Advisory based in Hong Kong, the United Kingdom and Germany. He has fifteen years of experience in software development, application security, cryptography, electronic signatures and global standardisation organisations, working for independent software vendors and large global corporations in the financial, technology and government sectors in America, EMEA and APAC. As Global Head of the Security Team at Open Text (2005-2007) and, from 2000 to 2004, as lead of the Security Task Force at IXOS Software AG, he was responsible for security, risk and incident management and introduced and implemented a secure SDLC used globally by development departments in the US, Canada, the UK and Germany. Since 2003 he has chaired working groups of the IETF (www.ietf.org) in the security area and is a member of the IETF security directorate; since 2010 he has chaired the web security WG at the IETF. He is a former chapter lead of the German OWASP chapter (2007 to 2008), currently a board member of OWASP London, project lead of the OWASP CISO Report, and a member and chair of the former OWASP Global Industry Committee. Tobias is the author of the international standards RFC 4998 and RFC 6283 (Evidence Record Syntax) and co-author of and contributor to a number of Internet standards and papers on security and electronic signatures, as well as co-author of the book "Secure Electronic Archiving" (ISBN 3-87081-427-6). He is a frequent presenter at conferences and author of published articles (e.g. AppSec, IETF, ISSE, Moderner Staat, the VOI booklet "Electronic Signature", iX).