Daily Archives: November 15, 2019

Using Benchmarks to Make the Case for AppSec

In a recent Veracode webinar on the subject of making the business case for AppSec, Colin Domoney, DevSecOps consultant, introduced the idea of using benchmarking to rally the troops around your AppSec cause. He says, “What you can do is you can show where your organization sits relative to other organizations and then your peers. If you're lagging, that's probably a good reason to further invest. If you're leading, perhaps you can use that opportunity to catch up on some of your more ambitious projects. We use benchmarking quite frequently. It's quite a useful task to undertake.”

Ultimately, the value of benchmarks is two-fold: you can see, as Colin says, “where you’re lagging” and use that data to make the case for more budget. But benchmarks also strengthen your ask by giving it priorities and a clear road map. For instance, you could say, “we need more AppSec budget,” but your argument is more powerful if you can say, “OWASP’s maturity model recommends automating security testing,” or “most organizations in the retail industry are testing for security monthly.”

If you’re looking for some AppSec benchmarking data, we recommend considering the following:

OWASP’s OpenSAMM Maturity Model: OWASP’s Software Assurance Maturity Model (SAMM) is “an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. The resources provided by SAMM will aid in:

  • Evaluating an organization’s existing software security practices.
  • Building a balanced software security assurance program in well-defined iterations.
  • Demonstrating concrete improvements to a security assurance program.
  • Defining and measuring security-related activities throughout an organization.”

At the highest level, SAMM defines four critical business functions related to software development. Within each business function are three security practices, and within each practice there are three levels of maturity, each with related activities. For instance, under the Business Function “Verification,” there is a security practice called “Implementation review,” which has the following maturity levels:

  • Level one: “Opportunistically finding basic code-level vulnerabilities and other high-risk security issues.”
  • Level two: “Make implementation review during development more accurate and efficient through automation.”
  • Level three: “Mandate comprehensive implementation review process to discover language-level and application-specific risks.”

The model also goes into detail on each of the security activities, the success metrics, and more. There is also a related “How-To Guide” and “Quick Start Guide.”

Veracode’s Verified Program: We created Verified to give customers a way to prove to their own customers that security is a priority, and also to give them a road map toward application security maturity, based on our own 10+ years’ experience of what good AppSec looks like. Want to see how you stack up against a mature program? Take a look at the requirements for the highest Verified tier – Verified Continuous level. If your program looks more like the Standard or Team levels, use that to make the case to grow your program, with a clear roadmap of what is entailed in taking your program to the next level.

Veracode State of Software Security (SOSS) report: Our annual report offers some valuable benchmarking data for your AppSec program. Because we are a SaaS platform, we are able to aggregate all our scan data and look at trends across industries, geographies, and development processes.

You can use the SOSS report to benchmark your program against all organizations, those in your industry, or against those that are implementing practices that are improving the state of their software security. For instance, this year’s report found that 80 percent of applications don’t contain any high-severity flaws – how do you measure up? In addition, we found that those who are scanning the most (260+ times per year) have 5x less security debt and improve their median time to remediation by 72 percent. How often are you scanning?

You can also use the SOSS report to measure your program and progress against your peers in your industry. For example, this year, we found that most of the top 10 flaw categories show a lower prevalence among retailers compared to the cross-industry average. The exceptions to that rule are Credentials Management and, to a lesser extent, Code Injection. It’s possible these tie back to core functionality in retail applications – authenticating users and handling user input. If you’re in the retail industry, you’ve now got a solid starting point for vulnerability types to focus on. If you’re in the Government and Education sector, your peers are struggling with Cross-Site Scripting flaws; are you? And finally, those in the financial sector have the best fix rate among all industries at 76 percent – does your fix rate compare favorably?

Learn more

To find out more about making the case for AppSec, check out our new guide, Building a Business Case for Expanding Your AppSec Program.

Broken Security? Most Business Leaders aren’t confident about their Cybersecurity

Cybersecurity is a critical battleground for UK businesses today, as the digital footprints of individuals and enterprises continue to grow. However, according to a new study commissioned by VMware in partnership with Forbes Insights, only a quarter (25%) of business leaders across EMEA are confident in their current cybersecurity practices, and in the UK it is now commonplace for organisations to spend on security without adequately assessing their needs.

VMware research reveals British businesses battle sophisticated security threats with old tools and misplaced spend

Key findings of the Study

  • 78% of UK business and IT security leaders believe the cybersecurity solutions their organisation is working with are outdated (despite 40% having acquired new tools over the past 12 months to address potential threats)
  • 74% reveal plans to invest even more in detecting and identifying attacks in the next three years, despite having a multitude of products already installed – a quarter (26%) of businesses currently have 26 or more products for this
  • Only 16% state extreme confidence in the readiness of their organisation to address emerging security challenges

The research shows UK businesses are trapped in a routine of spending without adequately assessing the needs of their organisation. Three quarters (78%) of business and IT security leaders believe the cybersecurity solutions their organisation is working with are outdated, despite 40% having acquired new tools over the past year to address potential threats. Nearly three quarters (74%), meanwhile, reveal plans to invest even more in detecting and identifying attacks in the next three years, despite having a multitude of products already installed – a quarter (26%) of businesses currently have 26 or more products across their enterprises for this.

The apparent hope of UK businesses to spend their way out of security crises is coupled with a significant security skills gap: just 16% of UK respondents state extreme confidence in the readiness of their organisation to address emerging security challenges, with only 14% extremely confident in the readiness of their people and talent.

The result is that, despite British businesses shoring up their defences against an evolving threat landscape, the complexity surrounding multiple cybersecurity solutions is making it harder for organisations to respond, urgently adapt or improve their strategies. In fact, a third (34%) of IT security leaders state it can take up to an entire week to address an issue.

Ian Jenkins, Director, Networking and Security UK & Ireland, VMware, said of the findings: “Businesses across the UK and beyond continue to follow the same IT security paths, and yet expect to see different results. Yet we now live in a world of greater complexity, with more and more intricate interactions, more connected devices and sensors, dispersed workers and the cloud, all of which have created an exponentially larger attack surface. Investment in traditional security solutions continues to be dwarfed by the economic repercussions of breaches.”

The lack of confidence highlighted in this study sits within a chasm forming between business leaders and security teams. In the UK, only a quarter (24%) of IT teams consider C-suite executives in their organisation to be ‘highly collaborative’ when it comes to cybersecurity. Across EMEA, meanwhile, only 27% of executives and only 16% of IT security practitioners say they are collaborating in a significant way to address cybersecurity issues.

Jenkins concludes, “Modern-day security requires a fundamental shift away from prevailing preventative solutions that try to prevent breaches at all costs. British businesses must invest in solutions that make security intrinsic to everything – the application, the network, essentially everything that connects and carries data. Breaches are inevitable, but how fast and how effectively you can mitigate that threat and protect the continuity of operations is what matters. Combining this approach with a culture of security awareness and collaboration across all departments is crucial to driving cyber best practice forward, and helping enterprises in the UK and across EMEA stay one step ahead in the world of sophisticated cybercrime.”

How to write an ISO 27001-compliant risk assessment procedure

As part of your ISO 27001 certification project, your organisation will need to prove its compliance with appropriate documentation.

ISO 27001 says that you must document your information security risk assessment process.

Key elements of the ISO 27001 risk assessment procedure

Clause 6.1.2 of the Standard states that organisations must “define and apply” a risk assessment process.

An information security risk assessment is a formal, top management-driven process and sits at the core of an ISO 27001 information security management system (ISMS).

There are five simple steps that you should take to conduct a successful risk assessment:

  1. Establish a risk management framework
  2. Identify risks
  3. Analyse risks
  4. Evaluate risks
  5. Select risk treatment options

The risk assessment process determines the controls that have to be deployed in your ISMS. It leads to the Statement of Applicability, which identifies the controls that you are deploying in light of your risk assessment process.
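To make the five steps concrete, here is an added worked example (not code from the post, from IT Governance, or from vsRisk Cloud) that runs steps 2 to 5 over a small constructed risk register and derives a Statement of Applicability from the result. The scoring scale, the acceptance threshold, the control catalogue with its placeholder IDs, and the modify/retain/share treatment options are all assumptions chosen for illustration; ISO 27001 leaves those choices to the organisation's own framework (step 1).

```python
"""Worked ISO 27001 clause 6.1.2 style risk assessment (added example, assumptions labelled)."""
from dataclasses import dataclass

# --- Step 1: risk management framework. Every value here is an assumption for this
# example; the Standard requires you to define your own criteria and apply them consistently.
SCALE = (1, 5)                    # likelihood and impact are each rated 1 (lowest) to 5
RISK_ACCEPTANCE_THRESHOLD = 10    # score >= threshold must be treated; below it may be retained

# Constructed control catalogue. IDs are placeholders, not Annex A references.
CONTROL_CATALOGUE = {
    "CTL-01": "Multi-factor authentication for remote access",
    "CTL-02": "Encrypted, regularly tested offline backups",
    "CTL-03": "Endpoint malware protection with central alerting",
    "CTL-04": "Supplier security clauses and right to audit",
    "CTL-05": "Physical access control to server rooms",
}
# Constructed mapping of which catalogue controls modify which threat.
THREAT_CONTROLS = {
    "credential theft": ["CTL-01"],
    "ransomware": ["CTL-02", "CTL-03"],
    "supplier breach": ["CTL-04"],
}


@dataclass(frozen=True)
class Risk:
    """Step 2: an identified risk is an asset, a threat to it, two ratings and an owner."""
    asset: str
    threat: str
    likelihood: int
    impact: int
    owner: str


def score(risk: Risk) -> int:
    """Step 3: analyse. Ratings outside the agreed scale are rejected rather than silently
    scored, so different assessors produce comparable results."""
    lo, hi = SCALE
    for name, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not lo <= value <= hi:
            raise ValueError(f"{name} for {risk.asset!r} must be {lo}-{hi}, got {value}")
    return risk.likelihood * risk.impact


def must_treat(risk: Risk) -> bool:
    """Step 4: evaluate the score against the acceptance criteria."""
    return score(risk) >= RISK_ACCEPTANCE_THRESHOLD


def select_treatment(risk: Risk) -> dict:
    """Step 5: pick a treatment option (modify / retain / share is an assumed option set)."""
    if not must_treat(risk):
        return {"option": "retain", "controls": [], "note": "below threshold; owner signs off"}
    controls = THREAT_CONTROLS.get(risk.threat, [])
    if controls:
        return {"option": "modify", "controls": controls, "note": "apply listed controls"}
    return {"option": "share", "controls": [], "note": "no catalogue control; transfer by contract or insurance"}


def build_register(risks) -> list:
    """Produce the risk register, highest score first, with the chosen treatment per risk."""
    rows = []
    for r in risks:
        rows.append({"asset": r.asset, "threat": r.threat, "score": score(r),
                     "owner": r.owner, **select_treatment(r)})
    rows.sort(key=lambda row: row["score"], reverse=True)
    return rows


def statement_of_applicability(register) -> dict:
    """Derive the SoA: each catalogue control is applicable only if some treated risk justifies it."""
    justified = {cid: [] for cid in CONTROL_CATALOGUE}
    for row in register:
        for cid in row["controls"]:
            justified[cid].append(f"{row['asset']}/{row['threat']}")
    return {cid: {"applicable": bool(j), "justified_by": j} for cid, j in justified.items()}


# Constructed sample register input.
SAMPLE_RISKS = [
    Risk("customer database", "ransomware", 4, 5, "Head of IT"),
    Risk("VPN gateway", "credential theft", 3, 4, "Network lead"),
    Risk("server room", "flood", 3, 4, "Facilities manager"),
    Risk("payroll SaaS", "supplier breach", 2, 5, "HR director"),
    Risk("marketing website", "defacement", 2, 2, "Comms lead"),
]

if __name__ == "__main__":
    register = build_register(SAMPLE_RISKS)
    for row in register:
        print(f"{row['score']:>3}  {row['asset']:<18} {row['threat']:<17} {row['option']:<7} {row['controls']}")
    for cid, entry in statement_of_applicability(register).items():
        print(cid, "applicable" if entry["applicable"] else "not applicable", entry["justified_by"])
```

The point of the validation in `score` is the Standard's demand for “consistent, valid and comparable results”: a spreadsheet will happily multiply a likelihood of 7 on a 1 to 5 scale, whereas a defined procedure refuses it. The `statement_of_applicability` function shows the dependency the post describes, with CTL-05 excluded because no assessed risk calls for it.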

Our bestselling book, Nine Steps to Success – An ISO 27001 Implementation Overview, provides more information on the topic of risk management.

Conducting a risk assessment

For an ISO 27001 risk assessment to be successful, it needs to reflect the organisation’s view on risk management – and it must produce “consistent, valid and comparable results”.

The risk assessment procedure should be detailed, and describe who is responsible for each task, when they must be completed and in what order.

This can be a daunting task for many. Inexperienced assessors often rely on spreadsheets, spending hours interviewing people in their organisation, exchanging documents and methodologies with other departments and filling in data. After all that, they’ll probably realise how inconvenient spreadsheets are. For example:

  • They are prone to user error;
  • They are hard to maintain;
  • It’s difficult to find relevant data in multiple tabs; and
  • They don’t automatically conform to ISO 27001.

It doesn’t have to be like this. The risk assessment software vsRisk Cloud provides a simple and fast way to identify relevant threats, and deliver repeatable, consistent assessments year after year.

Find out more about vsRisk Cloud

Its asset library assigns organisational roles to each asset group, applying relevant potential threats and risks by default.

Additionally, its integrated risk, vulnerability and threat databases eliminate the need to compile a list of potential risks, and the built-in control sets help you comply with multiple frameworks.

A version of this blog was originally published on 11 January 2018.

The post How to write an ISO 27001-compliant risk assessment procedure appeared first on IT Governance UK Blog.