Application Security Guide for CISO


Original Working Session content: Application Security Guide for CISO


The goals of the 2013 version of the Application Security Guide for CISOs were:

  1. Make Application Security and OWASP more visible to Application Security managers and CISOs.
  2. Analyse the reasons for adopting an Application Security Program by an organisation (e.g., tactical and strategic).
  3. Explain the difference between technical risks and business risks, including how to estimate costs of data breaches.
  4. Factor the impact of emerging technologies in Application Security Program (e.g., Mobile, Cloud, Web Services) and provide guidance.
  5. Provide examples of metrics and measurements for Vulnerability Risk Management.

For the planned 2018 version, which problems and which solutions/guidance should be expanded? (NOTE: these will be assessed with expanded CISO survey questions)

  1. Impact of GDPR on AppSec and recommendations (including outcomes of 2017 Summit CISO track)
  2. Emerging technology risks and risk mitigation guidance (e.g., APIs and Micro-services, Biometrics)
  3. Evolving threats facing web applications, e.g., 0-day exploits of AppSec vulnerabilities; and solutions, e.g., improved attack detection with new tools (such as RASP)
  4. Others (brainstorming)

Synopsis and Takeaways

Outcome 1 – What topics would you like covered in the new CISO guide? (unranked)

  • Incorporate reference to outcomes of 2017 Summit CISO track
  • Expand to include new tools/technologies
  • Expand to include compliance with GDPR
  • Expand on new emerging technology risks and provide risk mitigation guidance (e.g., API proliferation, micro-services/interoperability, biometrics, cloud (internal and external), and strategies for managing risk in cloud environments)
  • Expand on Risk Management Strategies for vendors, provisioning, supply-chain risks
  • Expand on new evolving threats facing web applications (e.g., 0-day exploits)
  • Add references to handbooks and playbooks for the CISO's managed processes
  • Where to provide guidance and where to focus. For example, if there are 5,000 applications across different countries, where should security resources be allocated?
  • How to get visibility across the organisation. As CISO you need to know what changes are being made, and where.
  • Corporate culture: how can a CISO be an agent of change and overcome cultural challenges? Knowing the corporate culture to enable the CISO to function properly; trust is crucial to success
  • Success stories as examples of how to win – people can refer to these as a value-add – how can the CISO provide value to the business?
  • Knowing the right questions to ask triggers the appropriate response and action.
  • A proactive, strategic CISO is better than a reactive one: a proactive CISO knows how to shift focus from fighting fires to ensure the fires do not get out of control
  • After an incident, think about how to promote change; train people to think holistically not just about the incident, but about the impact of the incident.
  • Involvement: the CISO should be involved in road mapping for future deployment, and in business development meetings, so they can plan ahead.
  • Format: it was agreed that a handbook would have more value than a playbook, given that threats and requirements vary between companies.

Outcome 2 – What type of question would you like included in the new CISO guide? (unranked)

  • Which of the organisation’s IT assets, networks, or applications are considered more at risk of cyber-attacks?
  • Does your organisation have a cyber-threat intelligence program and an attack monitoring/alert process?
  • Has your organisation adopted S-SDLC? If yes, which one? Does it include threat modeling?
  • Is application security seen as an investment or as a cost by your organisation?
  • Does your planning of application security follow a long-term strategy of at least two years’ duration?
  • Questions are needed on how to map the scope from the application and business-process perspectives
  • How do you manage risk from third parties, and from private vs. public premises?
  • How do you manage the risk for developing technologies, such as the cloud?
