AppSec for CISOs Breakfast


Details
*********************************************************
This talk is geared toward CISOs, CSOs, or other senior security leaders. Please RSVP accordingly. I will look into recording the session so that attendees who are interested but not in that category can attend via WebEx.
*********************************************************
I am helping Marco Morana, SVP at Citibank and co-author of our soon-to-be-released application threat modeling book, to organize an OWASP day for CISOs here in Atlanta. If you are not familiar with OWASP, it is an internationally focused application security nonprofit group that is committed to advancing application security through various tools and open-source projects. As chapter president for the Atlanta area, I am a huge advocate of OWASP and I'm proud of the local and international efforts that our group has provided over the years.
Marco would like to host a specialized discussion catering to CISOs and/or security executives of the Atlanta market. I am helping Marco to gauge the interest and availability of those who could attend an OWASP roundtable next Friday morning. If you have been interested in knowing how to apply greater application security governance in your organization, this will be a great presentation to attend. If you are interested and able to attend a breakfast meeting next week, November 16th, please let me know. Additionally, if you know of other Atlanta CISOs or security executives who would like to attend, please feel free to forward this message along.
I have attached a copy of the presentation abstract for your review below:
Title of the presentation: The continuously evolving threat landscape calls CISOs to consider new application security measures: how can OWASP help?
Presenter: Marco Morana, SVP Global Information Security, Risk & Control at Citibank
Abstract of the Talk:
The aim of this 20-minute talk is to introduce Chief Information Security Officers (CISOs) to the OWASP Application Security Guide. OWASP has developed this guidance specifically to address the needs of CISOs, helping them prioritize the mitigation of web application vulnerabilities that might severely and negatively impact the organization and jeopardize the business.
Because of the constantly evolving threat landscape, where malware and hacking are seeking to attack web applications to compromise customers' sensitive data and company proprietary information, CISOs are challenged by their businesses to seek new application security measures to mitigate these risks. Often a risk mitigation decision includes the trade-off between existing and new security measures and which vulnerabilities to target for mitigation of risk. Investments in application security people, process and tools are critical for reducing the possible impacts to the business.
From the risk mitigation strategy point of view, risk mitigation is an ongoing activity that requires CISOs to pay close attention to new threats and to plan for security activities in different security domains such as security governance, risk management and compliance. Among the CISO goals for application security, meeting compliance with information security policies is often the one that receives the most focus. Since for several organizations today the costs to the business due to the impacts of security incidents are much higher than the cost of non-compliance and failing audits, a more focused and strategic risk mitigation approach is required. Since investment in compliance as well as operational risk management are among CISO responsibilities, the focus of investment in risk management is articulated as "what are the most cost-effective measures to manage security risks?" This guide also aims to help CISOs use the compliance of web applications with security standards and regulations both as justification for investing in application security and for increased risk mitigation.
Finally, after application security investments are made, it is important for the CISO to measure and report on application security risks as well as on the status of governance and compliance for the application security processes and the security-in-the-SDLC activities such as web application penetration testing, source code reviews and threat modeling. Some guidance on metrics suitable for measuring governance, risk and compliance of application security processes and security-in-the-SDLC activities is also included in this guide.
Agenda
This presentation is articulated in four parts, 12 slides total:
Part I provides business cases and risk-cost criteria for application security spending;
Part II provides application security issues that can be prioritized and targeted for risk mitigation;
Part III provides guidance on which application security processes and activities can be targeted for spending;
Part IV provides examples of metrics and measurements for vulnerability and risk management.
References:
Application Security Guide for CISOs: https://www.owasp.org/index.php/Application_Security_Guide_For_CISOs
2013 CISO Survey: https://www.owasp.org/index.php/Industry:GIC_CISO_Survey_2013
Presenter bio: https://www.owasp.org/index.php/Marco_Morana