Business cases for software security
Published:  June 09, 2010
Slide 1: How to Create a Business Case for Software Security Initiatives
Marco Morana, OWASP Lead, TISO Citigroup
Copyright © 2009 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The OWASP Foundation, http://www.owasp.org

Slide 2: Status Quo of Software Security Spending
(chart only)

Slide 3: Making the Business Case: Essentials
- Secure software engineering awareness: "Security involves making sure things work, not in the presence of random faults, but in the face of an intelligent and malicious adversary trying to ensure that things will fail in the worst possible way at the worst possible time... again and again"
- Prepare for executive management FAQs: Why should I spend money on software security? How much should I spend? What are my competitors doing? How am I doing on my vulnerabilities? How do I get the most bang for the buck?

Slide 4: Main Factors Driving Software Security Adoption?
(chart only)

Slide 5: Lessons From the Court Room
170 million card and ATM numbers stolen using SQL injection and packet sniffers.

Slide 6: Lessons From Law Enforcement (FBI)
Threat intelligence: attackers used xp_cmdshell on MS SQL Server to upload sniffers that capture credit card transactions and ATM PINs from the database and HSM.
Recommendations:
1. Disable xp_cmdshell
2. Deny extended URLs
3. Escape special characters such as quotation marks
4. Use stored procedures
5. Run SQL Server and IIS under non-privileged accounts
6. Do not use a hardcoded "sa" account
7. Lock accounts on mainframes against brute force
8. Use minimum privileges on AD/SQL Server and restrict access
9. Use a proxy server for internet access
10. Implement firewall rules
11. Ensure the HSM does not accept commands with the PIN in the clear
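Recommendations 3 and 4 on this slide (escape special characters, use stored procedures) both exist to keep user input out of the SQL grammar; the modern form of the same control is a bound parameter. The Python below is an added example and is not part of the OWASP deck. It uses only the standard-library sqlite3 module and a constructed in-memory accounts table (a stand-in for the transaction store the slide describes), so it runs offline; the lookup_unsafe, lookup_safe and unsafe_breaks_on_quote names are this example's own.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data; stands in for the account store on the slide."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, balance REAL)"
    )
    conn.executemany(
        "INSERT INTO accounts (username, balance) VALUES (?, ?)",
        [("alice", 120.0), ("bob", 75.5), ("o'brien", 990.0)],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """String concatenation: the caller's text is parsed as part of the statement.

    Any apostrophe in the input, even in a legitimate surname, changes the SQL
    grammar. This is the defect recommendations 3 and 4 are meant to remove.
    """
    sql = "SELECT username FROM accounts WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Bound parameter: the driver passes the value separately from the statement
    text, so whatever the input contains it is only ever a string literal."""
    sql = "SELECT username FROM accounts WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def unsafe_breaks_on_quote(conn: sqlite3.Connection, username: str) -> bool:
    """True when the concatenated query fails to parse for this input, i.e. when
    the input has reached the SQL parser instead of staying data."""
    try:
        lookup_unsafe(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = build_db()
    print(lookup_safe(db, "o'brien"))             # ["o'brien"]
    print(unsafe_breaks_on_quote(db, "o'brien"))  # True
```

The check to add to a code review is mechanical: any statement built with string concatenation or formatting from request data is the concatenated form above, regardless of how much escaping surrounds it; the parameterized form needs no escaping at all.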
Slide 7: Defect Management / Cost Measurements
Most of my vulnerabilities are coding and design issues, but they are mostly found during penetration testing in UAT. The cost of fixing them in UAT is 10x the cost of fixing them during coding (unit tests).
Process management metrics:
- Is code validated against security coding standards?
- Is design ...
- % of developers trained in and using organizational security best practices for technology, architecture and processes
Metrics:
- % of applications rated "business-critical" that have been security tested
- % of projects that were developed with the SDL
- % of security issues identified by lifecycle phase
- % of issues whose risk has been accepted
- % of security issues being fixed
- Average time to correct vulnerabilities
- Business impact of critical security incidents

Slide 8: Analysts' and Researchers' Opinions
- "75% of security breaches happen at the application layer" (Gartner)
- "Over 70% of security vulnerabilities exist at the application layer, not the network layer" (Gartner)
- "If only 50 percent of software vulnerabilities were removed prior to production ... costs would be reduced by 75 percent" (Gartner)
- "Correction of security flaws at the requirement level is up to 100 times less the cost of correction of security flaws in fielded software" (Fortify)

Slide 9: Why Use Metrics and Maturity Models?
Use vulnerability metrics to articulate software security needs and opportunities:
- Point to software security root causes
- Identify vulnerability trends
- Analyze needs for improvements
Use maturity models to provide visibility into the organization's security capabilities:
- Assess organization capability levels
- Set goals and what is needed to reach them
- Provide the roadmap

Slide 10: Vulnerability Taxonomies and Trends
Am I getting better? Where?

Slide 11: Software Security Metrics Business Cases
- Business managers: show that projects are on schedule and on target, and that testing cycles for vulnerabilities are shorter, translating into cost savings
- Information security officers: show that we are getting better at reporting compliance and managing risk reduction
- Developer leads: show that developers get better at writing secure software when provided with secure coding training and tools

Slide 12: Software Security Maturity Models: SAMM, BSIMM
Source SAMM: http://www.opensamm.org/
Source BSIMM: http://www.bsi-mm.com/ssf/

Slide 13: Activities, Objectives and Capability Levels
Use this as a yardstick to compare software security practices with other organizations.
Source BSIMM: http://www.bsi-mm.com/ssf/

Slide 14: The Software Security Maturity Curve (CMM)
Chart: Software Security Capability Level (vertical axis) against Time (horizontal axis).
Maturity levels on the curve, from lowest to highest:
- CMM Level 1: Initial (Ad Hoc)
- CMM Level 2: Repeatable (Reactive Processes), catch & patch
- CMM Level 3: Defined (Proactive)
- CMM Level 4: Managed (Product Driven)
- CMM Level 5: Optimizing (Service Driven)
Activities annotated on the curve, from lowest to highest maturity:
- Ethical hacking and secure code reviews on existing applications (highest effort/cost is required here)
- Vulnerability assessments, source code analysis and secure coding standards before product release
- Software security risks identified and managed at different checkpoints during the SDLC
- Improve coverage of software security risk assessments, identify gaps and opportunities

Slide 15: Cost vs. Benefit Analysis (CBA)
The purpose is to weigh the cost of a software security initiative against its benefits:
CBRatio = COST of initiative / BENEFIT of initiative
Factors need to be quantified as costs so they can be compared (apples with apples), for example:
- Costs: secure software engineering costs for training, new processes and tools
- Benefits: reduced costs of fixing with patching, lessened business impact of exploits

Slide 16: Assumption Costs and Failure Costs of the Software Security Initiative
Assumption costs (proactive):
- Cost of acquiring tools, standards and processes to develop secure software
- Cost of hiring and/or training a software security team
- Costs of implementing security features (e.g. can be estimated as a function of KLOC); the most difficult to estimate
Failure costs (reactive):
- Cost of developing and/or deploying patches
- Cost of incident response
- Cost of vulnerability exploits resulting in data breach, fraud, denial of service, quantifiable damage to the organization

Slide 17: Assumption Costs vs. Failure Costs
Chart annotations:
- No countermeasures: the cost of failure (e.g. a data breach) is high
- Cost is low but CBRatio > 1
- CBRatio < 1 but room for improvement
- Optimal spending: around 37% (Gordon and Loeb)

Slide 18: Data Loss Liability Estimates
Consider FTC data (2003): 4.6% of the US population suffered identity fraud. Companies spent 3 × 10^8 hours repairing the troubles caused, plus $5 billion spent out of pocket. Minimum wage was $5.15/hr (in 2003); 10 million people were involved.
P = 4.6%
L = (3 × 10^8 hr × $5.15/hr + $5 × 10^9) / 10^7 victims = $655/victim
My annual liability (P × L) for each data theft victim is $30.11.
Source: Dan E. Geer, Economics & Strategies of Data Security

Slide 19: Data Losses as Web Breaches (datalossdb.org)
Source: Open Security Foundation Data Loss Statistics (chart only)

Slide 20: Which Vulnerabilities Are Exploited? (WHID)
Source: Breach Security, The WHID 2009, August 2009 (chart only)

Slide 21: Estimating SQL Injection Attack Liability
Probability of attack by type and attack vector, from incident (identity theft) data:
- 13% of incidents involve breaches of the web channel (datalossdb.org)
- 19% of incidents use SQL injection as the attack vector (WHID)
- P = 0.13 × 0.19 = 0.025 (2.5%)
Estimate the data loss for this attack:
- $655 per identity theft victim (2003 FTC data)
- 94 million individual records stolen (TJX incident)
- L = 94 × 10^6 × 0.025 × $655 = $1.5 billion
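The per-victim loss on slide 18 and the SQL injection liability on slide 21 are one chain of arithmetic: aggregate cost divided by victims, scaled by a probability, then multiplied by the number of records at risk. The Python below is an added example, not part of the OWASP deck; it carries the slides' own inputs (FTC 2003, datalossdb, WHID, TJX) through that chain without the intermediate rounding the slides apply, so the SQL injection figure lands a little under the slide's $1.5 billion rather than exactly on it. Function and constant names are this example's own.

```python
def loss_per_victim(repair_hours: float, hourly_wage: float,
                    out_of_pocket: float, victims: float) -> float:
    """Slide 18: L = (hours spent repairing x wage + out-of-pocket spend) / victims."""
    return (repair_hours * hourly_wage + out_of_pocket) / victims


def annual_liability_per_victim(p_victim: float, loss: float) -> float:
    """Slide 18: expected annual liability per person = P x L."""
    return p_victim * loss


def attack_probability(p_channel: float, p_vector: float) -> float:
    """Slide 21: P(breach via this channel with this vector) = P(channel) x P(vector).

    Multiplying the two incident statistics assumes they are independent; if the
    vector statistic was already drawn only from web-channel incidents this
    double-counts and the product is too low.
    """
    return p_channel * p_vector


def expected_loss(records: float, p_attack: float, loss_per_record: float) -> float:
    """Slide 21: L = records at risk x P(attack) x loss per record."""
    return records * p_attack * loss_per_record


# Inputs quoted on slides 18 and 21.
FTC_2003 = dict(repair_hours=3e8, hourly_wage=5.15, out_of_pocket=5e9, victims=1e7)
P_IDENTITY_FRAUD = 0.046          # 4.6% of the US population
P_WEB_CHANNEL, P_SQLI_VECTOR = 0.13, 0.19
TJX_RECORDS = 94e6


def worked_example() -> dict:
    """Reproduces slides 18 and 21 with unrounded intermediates."""
    l_victim = loss_per_victim(**FTC_2003)
    p_sqli = attack_probability(P_WEB_CHANNEL, P_SQLI_VECTOR)
    return {
        "loss_per_victim": l_victim,                                   # 654.5 (slide: $655)
        "annual_liability": annual_liability_per_victim(P_IDENTITY_FRAUD, l_victim),  # 30.107
        "p_sqli_breach": p_sqli,                                       # 0.0247 (slide: 2.5%)
        "sqli_liability": expected_loss(TJX_RECORDS, p_sqli, l_victim),  # about 1.52e9
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value:,.4f}")
```

Swapping in your own organization's record count for TJX_RECORDS and a current per-record loss figure for the 2003 FTC number gives the liability estimate the rest of the deck builds on.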
Slide 22: Reporting of Losses in Quarterly Earnings
The cyber attack on the retailers Marshalls and TJ Maxx (94 million CCN, reported in January 2007): after-tax cash charge of approximately $118 million, or $0.25 per share. The company increased its estimate of pretax charges for the compromise to nearly $216 million. According to some experts, TJX may in the end have to spend a total of between $500 million and $1 billion (BankInfoSecurity.com), including non-compliance fees (e.g. PCI-DSS), litigation fees and government fines.

Slide 23: Another Way to Look at the Business Impact of Data Breaches: Drop in Stock Price
130 million CCN loss (reported January 20, 2009). (chart only)

Slide 24: Quantitative Risk Analysis
Goal: justify spending to improve security by assigning an objective monetary value to risk.
Risk analysis methodology:
- Determine the Exposure Factor (EF): percentage of asset loss caused by the identified threat (e.g. 20%)
- Determine the Single Loss Expectancy (SLE): EF × the value of the assets (e.g. $1 ML × 30% = $200 K)
- Estimate the Annualized Rate of Occurrence (ARO): twice in ten years = 2/10 = 0.2; once every year = 1
- Determine the Annualized Loss Expectancy: ALE = SLE × ARO = $40 K

Slide 25: Use Quantitative Risk Analysis to Estimate the Annual Loss Due to a SQL Injection Exploit
- Exposure Factor (likelihood) of data loss via SQL injection attack: 2.5% (based upon the probability calculated from datalossdb and WHID data)
- Asset value: assume a SQL injection attack will cause fraud on 3 million credit card accounts (on-line web site for a major bank) at $580/account (SANS data)
- SLE (EF × asset value): $43 million
- ARO: 40% (four every 10 years)
- ALE (ARO × SLE): $17 million
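The EF, SLE, ARO and ALE steps of slides 24 and 25 are the same model applied to two scenarios, so the natural implementation is one scenario type that every threat on the register shares. The Python below is an added example and not the deck's own material; it encodes slide 24's generic case with the 20% EF and $1 million asset stated there (which yields the slide's $200 K SLE and $40 K ALE) and slide 25's SQL injection case, then ranks them by ALE the way a budget request would. The RiskScenario class and helper names are this example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One threat against one asset, in the terms of slide 24."""
    name: str
    asset_value: float      # dollars
    exposure_factor: float  # EF: fraction of asset value lost per occurrence
    aro: float              # ARO: expected occurrences per year

    def sle(self) -> float:
        """Single Loss Expectancy = EF x asset value."""
        return self.exposure_factor * self.asset_value

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


def aro_from_history(occurrences: int, years: float) -> float:
    """ARO as the slide derives it: twice in ten years -> 2/10 = 0.2."""
    return occurrences / years


# Slide 24's generic example: EF 20%, $1M asset, twice in ten years.
GENERIC = RiskScenario("generic", asset_value=1e6, exposure_factor=0.20,
                       aro=aro_from_history(2, 10))

# Slide 25's SQL injection case: 3M accounts x $580/account, EF 2.5%, four in ten years.
SQLI = RiskScenario("sql_injection", asset_value=3e6 * 580, exposure_factor=0.025,
                    aro=aro_from_history(4, 10))


def ale_table(scenarios) -> dict:
    """Scenarios ordered by annual expected loss, largest first: the list a
    budget is justified against."""
    ranked = sorted(scenarios, key=RiskScenario.ale, reverse=True)
    return {s.name: s.ale() for s in ranked}


if __name__ == "__main__":
    for name, ale in ale_table([GENERIC, SQLI]).items():
        print(f"{name}: ALE ${ale:,.0f}")
```

The exposure factor is the weakest input in this model: on slide 25 it is a probability borrowed from incident statistics rather than a measured fraction of asset loss, so any sensitivity check on the ALE should start by varying it.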
Slide 26: ROSI of Secure Software Initiatives
ROSI (Return On Security Investment) = Savings (avoided loss) / Total Cost of Solution
Goal: answer the question of how much I can save by investing in software security.
According to previous studies (Soo Hoo, IBM), for every $100,000 spent on software security I save:
- $21,000 (21%) when defects are identified and fixed during design
- $15,000 (15%) when defects are fixed during implementation
- $12,000 (12%) when defects are fixed during testing

Slide 27: Using ROSI to Justify Software Security Investments
ROSI = [(ALE × % Risk Mitigation) - SCost] / SCost
Calculation example:
- ALE: $17 million, risk exposure for SQL injection
- Risk mitigation: 75% of the risk mitigated by the software security solution (source code analysis, filtering)
- SCost: $4 million, Total Cost of Ownership (TCO) of the software security solution
- Savings = $8.75 million, loss prevention savings
- ROSI = 210%
Negative = investment not justifiable; Null = no return on investment; Positive = justifiable as compared with other solutions
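Slides 15, 26 and 27 give three ways to express the same decision: the cost/benefit ratio, the Soo Hoo savings rates by phase, and the ROSI formula with its sign rule. The Python below is an added example, not part of the OWASP deck; it implements all three and adds the break-even solution cost (the TCO at which ROSI is exactly zero), which is the number a budget negotiation usually turns on. With the slide's inputs the formula gives savings of $8.75 million and a ratio of 2.1875, about 219%, where the slide reports 210%. The function names are this example's own.

```python
def cb_ratio(initiative_cost: float, initiative_benefit: float) -> float:
    """Slide 15: CBRatio = cost of initiative / benefit of initiative.
    Below 1 means the benefit exceeds the cost."""
    return initiative_cost / initiative_benefit


def rosi(ale: float, risk_mitigation: float, solution_cost: float) -> tuple:
    """Slide 27: ROSI = [(ALE x % risk mitigated) - SCost] / SCost.
    Returns (savings, rosi) so both figures on the slide are available."""
    savings = ale * risk_mitigation - solution_cost
    return savings, savings / solution_cost


def break_even_cost(ale: float, risk_mitigation: float) -> float:
    """Solution TCO at which ROSI is exactly zero: the most that can be spent
    on this control before the investment stops paying for itself."""
    return ale * risk_mitigation


def verdict(rosi_value: float) -> str:
    """The slide's reading of the sign of ROSI."""
    if rosi_value < 0:
        return "negative: investment not justifiable"
    if rosi_value == 0:
        return "null: no return on investment"
    return "positive: justifiable as compared with other solutions"


# Slide 26: Soo Hoo (IBM) savings per dollar spent, by the phase in which defects are fixed.
SOO_HOO_RATES = {"design": 0.21, "implementation": 0.15, "testing": 0.12}


def soo_hoo_savings(spend: float, phase: str) -> float:
    """Expected saving for a given spend when defects are fixed in the named phase."""
    return spend * SOO_HOO_RATES[phase]


def slide_27_example() -> dict:
    """Slide 27's inputs: ALE $17M, 75% mitigation, $4M solution TCO."""
    ale, mitigation, scost = 17e6, 0.75, 4e6
    savings, r = rosi(ale, mitigation, scost)
    return {
        "savings": savings,                                   # 8,750,000
        "rosi": r,                                            # 2.1875
        "verdict": verdict(r),
        "break_even_cost": break_even_cost(ale, mitigation),  # 12,750,000
        "cb_ratio": cb_ratio(scost, ale * mitigation),        # about 0.31
    }


if __name__ == "__main__":
    for key, value in slide_27_example().items():
        print(f"{key}: {value}")
```

Because ROSI is linear in the mitigation percentage, the 75% figure deserves the same scrutiny as the ALE: halving it to 37.5% with the same $4 million TCO drops the savings to $2.375 million and the ratio to about 59%, still positive but a very different case to present.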
Slide 28: Security Software Assurance Metrics: Balanced Scorecards
- Reduced calls to CSR for reporting on security issues
- Correlation of budget with risk assessment and cost/benefits
- Growth in assessed security processes & training activities
- Improved results of software security processes and operations

Slide 29: Software Security Metrics in Support of Business Cases
Metrics of technical value:
- Costs for testing and fixing vulnerabilities
- Percent of security requirements satisfied
- Percent of developers with software security certifications
Metrics of comparative value:
- TCO of software security activities vs. unit revenue
- Secure software engineering costs vs. patching costs
Metrics of business value:
- Estimate for vulnerability & risk assessment costs
- Budget to address gaps in software security processes
- Costs for security certifications per business unit

Slide 30: Come on, it's not so hard..

Slide 31: In Summary
- Rationale for the Software Security Business Case
- Preparing the Business Case
- Maturity Models
- Metrics and Measurements
- Making the Business Case
- Software Security Assurance Awareness
- Failure Costs vs. Assumption Costs
- Qualitative Risk Assessments
- Return On Security Investment (ROSI)
- Performance Measurement Metrics
Questions & Answers

Slide 32: Thanks for listening; further references
- Applied Software Measurement: Assuring Productivity and Quality, http://www.amazon.com/Applied-Software-Measurement-A
- PCI Data Security Standard (PCI DSS), https://www.pcisecuritystandards.org/security_standards/p
- A CISO's Guide to Application Security, http://www.nysforum.org/committees/security/051409_pd

Slide 33: Further references (cont'd)
- Gartner 2004 Press Release, http://www.gartner.com/press_releases/asset_106327_11
- Making The Business Case For Software Assurance, https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowle
- SEI Capability Maturity Model Integration (CMMI), http://www.sei.cmu.edu/cmmi/

Slide 34: Further references (cont'd)
- Software Assurance Maturity Model, http://www.opensamm.org/
- The Software Security Framework (SSF), http://www.bsi-mm.com/ssf/
- National Information Assurance Glossary, http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf
- Dan E. Geer, Economics & Strategies of Data Security, http://www.verdasys.com/thoughtleadership/

Slide 35: Further references (cont'd)
- Open Security Foundation, Data Loss Statistics, http://datalossdb.org/statistics
- The WHID 2009 Bi-Annual Report, August 2009, http://www.breach.com/resources/whitepapers/downloads
- Quantitative Risk Analysis Step-By-Step, http://www.sans.org/reading_room/whitepapers/auditing/q
- Breach Worse Than Reported.., http://www.bankinfosecurity.com/articles.php?art_id=606

Slide 36: Further references (cont'd)
- Estimating Benefits from Investing in Secure Software Development, https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowle
- Return On Security Investment (ROSI), http://www.infosecwriters.com/text_resources/pdf/ROSI-P
- Models for Assessing the Cost and Value of Software Assurance, https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowle