Attention, CISOs: Strategy is the only security
OWASP Guide project leader Marco Morana outlines ideal application security strategies
By Marco Morana
October 07, 2013 — CSO — According to the 2013 Chief Information Security Officers survey by the Open Web Application Security Project (OWASP), 75 percent of CISOs responded that external attacks had increased. When asked which areas account for the largest share of their overall risk, 70 percent of CISOs responded that web applications represent a higher area of risk than network infrastructure.
A renewed focus on protecting web applications
The increased perception of threats and risks to applications is shifting organizational investment from traditional network security to application security: about 48 percent of CISOs have seen investment in application security increase as part of the company's annual budget, 37 percent consider it relatively constant and only 15 percent have seen a decrease. But this increased investment in application security brings new challenges for CISOs, since securing web applications and software requires a different set of capabilities and skills, outside the traditional information security domains.
In the case of web applications specifically, security is achieved by engineering secure software during the Software Development Life Cycle (SDLC). The industry standard approach for "building security in" consists of adopting a Security in the SDLC (S-SDLC) methodology and embedding software security activities, such as architecture risk analysis, secure code reviews, static source code analysis and web application penetration testing, within the organization's SDLC.
Today there are several types of S-SDLC that organizations can adopt to build security into the SDLC, such as OWASP OpenSAMM, Microsoft SDL and Cigital BSIMM. Nevertheless, even if the implementation and execution of the S-SDLC can be driven by information security, it requires the collaboration and help of software engineering teams. This collaboration is critical, and it is difficult to achieve without an application security strategy to follow and without awareness among software engineering teams of which application security processes, standards, training and tools can be used to build more secure web applications and products.
Ultimately, the responsibility for setting the application security strategy falls on the shoulders of CISOs, as does the budgeting for the application security programs, the setting up of the governance model and the training of the application security stakeholders, which include both the security team and the software developers.
Setting up a strategy for application security
To help CISOs define an application security strategy that adequately addresses the needs of compliance and web risk management, OWASP has published a specific guide, the "Application security Guide for CISOs." Traditionally, the focus of OWASP has not been CISOs but application security consultants and penetration testers, who are provided with free guides, cheat sheets and tools for designing, coding and testing secure web applications. Each of these guides and tools has been developed by the OWASP community as a "project" and funded thanks to the support of individual membership and corporate sponsorship.