I presented today at the IMI Security Summit on the topic of "Threat Analysis as Methodology for Deriving Risk-Based Security Tests of Web Application Software". The conference gave me the opportunity to evangelize for OWASP, and thanks to Dr. James Walden, who teaches Software Security at Northern Kentucky University, I had the opportunity not only to give a talk but also to have an OWASP booth to gather (I hope) members and application security enthusiasts. This is the second time I have given the talk at IMI. I really love the organization of this conference and the quality of the speakers. Patrick Gray, CISO of Cisco, is an awesome speaker; the keynote talk was 100% worth it. I love his sense of humor and his insight on the importance of the human firewall as a way to mitigate social engineering: with Facebook, Generation Y, Twitter and the like, we are facing a security challenge at scale that we need to respond to with education and better technology controls. My presentation was received OK and I was glad to have the auditorium asking me a lot of questions after my talk, which to me means I raised enough interest in the issue of not doing security testing as well as we should. During the luncheon I loved the presentation from Dr. Kevin Gallenger on his survey about information security, "State of IT Security 2009". The data shown matches previous surveys I have seen, such as those from the Ponemon Institute, CSI-FBI and Verizon. For example, it shows that less than 60% of organizations conduct a formal IT audit, and that hackers and employees are equally problematic (27%). Finally some good data; take as reference the recent Ponemon-Imperva research showing that 71% of companies do not think compliance is strategic to security, even after experiencing at least one data breach. And finally, it suspends the vendor-biased belief that most attacks come from internal sources, when it is at most 20-30%.
The part of the survey that I liked the most was the difference between "acquisition" of security and "adoption" of security, in particular as related to policies. Most companies acquire security tools, but they do not fully enforce and deploy them: the survey shows that only 54% do. Financial services are the ones that score best in implementation, mostly driven by compliance. The survey touches the core problem of information security: 44% of respondents indicated that they were unwilling to disclose the types of breaches. This is the main problem we face in security today: the lack of data on losses, fraud and incidents affecting business sectors, so that we can identify needs and opportunities to improve. In essence it is like a mafia problem: we know, but we do not tell the public, so we save the whole family business, cosa nostra style... Nice that we have SB 1386, which enforces disclosure, so we can still factor in the business impact of a data breach of PII. This is what we need next: take the metrics to correlate data breaches to business impact and fraud and monetize losses, so we can make business-like, informed risk mitigation decisions. The other part of the conference I loved was talking to Dr. Frank Braun (like Von Braun, but he is a Frank..). We had a talk over a nice glass of merlot wine and camembert cheese, nicely sponsored by Apple Inc., on the business cases for information security. This is a topic I will be presenting in Italy next week, so I was very puzzled that Frank's research already covered a lot of my research on business cases for software security, such as ROSI, cost/benefit analysis and quantitative risk analysis as factors for making business cases.
I loved the conversation with Frank, and later on with a colleague of mine (Nathaniel Dean) who works with me at the bank (btw, I had all the bank ISOs at the conference today, approved by our boss...), and we shared some thoughts about business risk analysis, human factors in risk decision making, general bias and unbiased decision making. I really loved the conversation; it was like when minds connect and elaborate for the common good. What we elaborated was: #1 business security is the most important factor for security; #2 we need data that prove the point about the business value of security; #3 we need to approach security taking into consideration the political/business context of the "decision makers". Most security decision making nowadays follows what "Gartner says", or what the vendor says, or what my competitor does. This is not rational thinking; it is just following the sheep wherever it goes... So we need to get members on board to start a new School of Information Security, data driven and unbiased from Gartner and co. If you would like to know what I mean, please buy Adam Shostack's book.
Finally, here is my presentation abstract:
The risk that a web application might incur a security incident such as a major data breach depends on several risk factors, such as its exposure on the public internet, the likelihood of being a target, and the knowledge, tools and techniques available to the attacker to break into the application. In order to mitigate such risks, web applications are security tested with techniques such as penetration testing and secure code analysis.
The aim of this presentation is first to introduce the audience to the basics of security testing, such as the derivation of functional and non-functional security requirements and the execution of security testing as part of the SDLC and of developer and tester workflows. The presentation will also cover the most used security testing techniques, the OWASP Testing Guide, tools, vulnerability reporting and testing metrics.
Often such security tests are performed for compliance requirements such as PCI-DSS. Besides compliance, passing such security tests provides a level of application security assurance, but in light of the several data breaches that have occurred at organizations that had such tests done for compliance, it is logical to ask whether we can consider an application secure because security testing did not find any high or medium risk vulnerabilities.
From the perspective of security testing, this status quo advocates the need for a new approach to security testing: a risk-based, threat-driven approach. From the risk mitigation perspective, security tests need to validate mitigations against new attack techniques used by cybercriminals and fraudsters, and focus on tests where the difficulty of the attack is the least and the impact is the highest. The presentation will provide examples of deriving risk-based security test cases using data from cyber-intelligence reports, attack tree analysis, attack vector analysis, security flaw analysis, use and misuse cases, and application threat modeling/secure architecture analysis.
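As an added illustration of the "least difficulty, highest impact" prioritization the abstract describes (example code written for this post, not material from the talk itself), the snippet below walks a small attack tree: OR nodes take the cheapest branch, AND nodes add up the effort of every step, and each root goal is then ranked by impact over attacker difficulty to decide which security test cases to run first. The trees, difficulty scores and impact values are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    kind: str = "LEAF"   # "LEAF", "OR" or "AND"
    difficulty: int = 0  # LEAF only: attacker effort, 1 (trivial) .. 10 (very hard)
    children: list = field(default_factory=list)

def min_difficulty(node):
    """Least attacker effort to reach this node's goal, and the leaf steps on that path."""
    if node.kind == "LEAF":
        return node.difficulty, [node.name]
    results = [min_difficulty(c) for c in node.children]
    if node.kind == "OR":  # the attacker only needs the cheapest branch
        return min(results, key=lambda r: r[0])
    # AND: every child must be achieved, so the efforts add up
    return sum(r[0] for r in results), [step for r in results for step in r[1]]

def prioritize_tests(goals):
    """goals: list of (root Node, business impact 1..10).
    Returns test cases ranked by impact/difficulty, highest priority first,
    each carrying the attack-path steps the security test must exercise."""
    ranked = []
    for root, impact in goals:
        diff, path = min_difficulty(root)
        ranked.append({"goal": root.name, "impact": impact, "difficulty": diff,
                       "priority": round(impact / diff, 2), "test_steps": path})
    return sorted(ranked, key=lambda r: r["priority"], reverse=True)

# Constructed sample attack trees (illustrative values, not survey or talk data)
steal_pii = Node("Exfiltrate customer PII", "OR", children=[
    Node("SQL injection in search", difficulty=3),
    Node("Compromise DB admin", "AND", children=[
        Node("Phish DBA credentials", difficulty=4),
        Node("Bypass VPN 2FA", difficulty=8)]),
])
deface = Node("Deface home page", "OR", children=[
    Node("Stored XSS in comments", difficulty=2),
    Node("Guess CMS admin password", difficulty=5)])

if __name__ == "__main__":
    for case in prioritize_tests([(steal_pii, 9), (deface, 3)]):
        print(case)
```

The PII goal ranks first even though defacement has the single cheapest leaf, because the ranking weighs business impact against the easiest complete attack path rather than leaf difficulty alone.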
