2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs
Wednesday, November 20 • 1:00 pm - 1:50 pm
Response to the CFP for the OWASP AppSec US Conference 2013
Title of the Presentation: 2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs
Author: Marco Morana
Abstract: OWASP was born from grassroots ideals and volunteer effort, started 12 years ago by visionaries such as Mark Curphey, and has since grown in membership. Its mission has been to make application security visible to application security stakeholders. Thanks to the OWASP corporate sponsors and the volunteers working on sponsored projects, OWASP has delivered free tools and guides that have helped software developers build more secure web applications. Most notably, the OWASP Top Ten has become the benchmark many organizations use for testing web application vulnerabilities, and projects such as the Development Guide and the Testing Guide give software developers pointed guidance on how to design and test web applications. Among the application security stakeholders OWASP serves today, Chief Information Security Officers (CISOs) are often the ones who decide whether to roll out application security programs and activities, invest in new tools, and set the budget for application security resources. Recognizing the important role the CISO has in managing application security processes within an organization, OWASP sponsored a project in 2012 to develop guidance specifically for CISOs. The aim of the guide is to help CISOs manage the risks of insecure web applications and software effectively: planning application security activities, investing in countermeasures to mitigate threats, and weighing the costs and benefits for the organization. Recognizing that a CISO guide must first and foremost capture what CISOs need in order to manage application security from information security governance, risk and compliance perspectives, a survey was developed in parallel with the draft of the CISO Guide. As the results of the 2013 CISO survey have become available, they have been used to tailor the guide to the specific needs of CISOs.
One of the most important aspects covered in the CISO Guide is making the business case for application security investments, by helping CISOs translate technical risks such as the OWASP Top Ten into business impact, compliance with standards and regulations, and risk management. The version of the guide presented at OWASP AppSec USA will be the first to highlight the results of the CISO survey, and it seeks to introduce CISOs to the OWASP projects and resources that can help them roll out an application security program whose main goal is managing web application security risks.
Presenter's Bio: Marco Morana serves OWASP (the Open Web Application Security Project) as project leader of the OWASP Guide for CISOs and is a member of the OWASP London chapter. Marco began his involvement with OWASP in 2007 by contributing to the OWASP Testing Guide. As an OWASP project contributor, he has also authored and helped review OWASP projects such as the Secure Coding Guide and the Testing Guide, and has published several articles on application and software security topics on behalf of OWASP in Secure Magazine and on behalf of other companies in Secure Enterprise, Network Computing, the ISSA Journal, and the C/C++ Users Journal. In 2008 Marco founded the OWASP chapter in Cincinnati, USA, and led the chapter in promoting awareness of application and software security within the local community, making strides with local academic institutions, regional banks, and software development and consulting companies. In his current position, Marco runs the global application architecture security program for one of the largest financial institutions (FIs) in the world, based in London, U.K. He is also a technical advisor to a security technology start-up and a contributor to EU cyber security projects. During a distinguished career of more than 15 years in security, he has specialized in application and software security consulting services for major Fortune 500 companies and has contributed to the secure design of business-critical applications and security tools. His notable contributions in application security include the development of the first secure email with S/MIME (1996) and the first Intrusion Detection System (IDS) tool (1998). Marco's current interests are in researching cyber threat analysis and attack modeling processes, and processes for better managing the risk of emerging cyber threats. His academic credentials include a Master's degree in Computer Systems Engineering from Northwestern Polytechnic University and an Engineering Doctorate (Dr. Ing.) in Mechanical Engineering from the University of Padova, Italy. Marco is also a Certified Secure Software Lifecycle Professional (CSSLP).
Ref: https://www.owasp.org/index.php/Application_Security_Guide_For_CISOs
Presented with Tobias Gondrom.