Marco Morana, profile picture
Uploaded byMarco Morana
PPT, PDF4,371 views

Business cases for software security

The document provides guidance on creating a business case for software security initiatives by estimating costs and benefits. It discusses estimating failure costs from vulnerabilities versus assumption costs of security measures. Metrics like the vulnerability lifecycle and maturity models can demonstrate security improvements. The business case should quantify risk reduction through qualitative and quantitative analysis to show initiatives are cost-beneficial.

Technology
Related topics:
Software Security

Embed presentation

Downloaded 148 times
How to Create a Business Case for Software Security Initiatives Marco Morana OWASP Lead TISO Citigroup
Status Quo of Software Security Spending
Making the Business Cases: Essentials Secure Software Engineering Awareness “ Security involves making sure things work, not in the presence of random faults, but in the face of an intelligent and malicious adversary trying to ensure that things will fail in the worst possible way at the worst possible time … again and again” Prepare for Executive Management FAQs: Why I spend money on software security? How much I should spend ? What my competitors are doing? How I am doing at my vulnerabilities? How I get the most bang for the buck ?
Main Factors Driving Software Security Adoption ?
Lessons From the Court Room 170 million card and ATM numbers used sql injection and packet sniffers
Lessons From Law Enforcement (FBI) THREAT INTELLIGENCE: Attack “xp_cmdshell on MSQL server to upload sniffers to capture CC transactions and ATM PINs from DB, HSM RECCOMENDATIONS: Disable xp_cmdshell, Deny extended URL, escape special characters such as “”, Use store procedures, Run SQL Server and IIS under non-privilege, Do not use “sa” hardcoded, Lock account on mainframes against brute force Use minimum privileges on AD/SQL server, restrict access Use proxy server for internet access, Implement firewall rules Ensure HSM do not take commands with PIN in the clear
Defect Management/Costs Measurements Process Metrics Is code validated against security coding standards? Is design of developers trained, using organizational security best practice technology, architecture and processes Management Metrics % of applications rated “business-critical” that have been security tested % of projects that where developed with the SDL % of security issues identified by lifecycle phase % of issues whose risk has been accepted % of security issues being fixed Average time to correct vulnerabilities Business impact of critical security incidents. Most of my vulnerabilities are coding and design issues But are mostly found during pen test in UAT The cost of fixing them in UAT is 10 X during coding (unit tests)
Analysts/Researchers Opinions “ 75% of security breaches happen at the application layer”- Gartner “ Over 70 % of security vulnerabilities exist at the application layer, not the network layer” – Gartner “ If only 50 percent of software vulnerabilities were removed prior to production … costs would be reduced by 75 percent ” - Gartner “ Correction of security flaws at the requirement level is up to 100 times less the cost of correction of security flaws in fielded software” – Fortify
Why Using Metrics And Maturity Models? Use vulnerability metrics to articulate software security needs/opportunities Point to software security root causes Identify vulnerability trends Analyze needs for improvements Use maturity models to provide visibility on the organization’s security capabilities Assess organization capability levels Set goals and needs to reach the goals Provide the roadmap
Vulnerability Taxonomies and Trends Am I getting better ? Where ?
Software Security Metrics Business Cases Business Managers : shows that projects are on schedule and moving on target and testing cycles for vulnerabilities are shorter translating in cost savings Information Security Officers: show that we are getting better on reporting compliance and manage risk reduction Developer Leads : show that developers are getting better to write secure software when provided with secure coding training and tools
Software Security Maturity Models: SAMM, BSIMM Source http://www.bsi-mm.com/ssf/ Source SAMM : http://www.opensamm.org/
Activities, Objectives and Capability Levels Use this as a yardstick to compare software security practices with other organizations Source BSIMM http://www.bsi-mm.com/ssf/
The Software Security Maturity Curve (CMM) Highest effort/cost is required here
Cost vs. Benefit Analysis (CBA) Purpose is to weight the cost of software security initiative vs. the benefits CBRatio = COST of initiative BENEFIT of initiative Need to cost quantify factors and compare them (to compare apples with apples) for example: COSTs: Secure software engineering costs for training, new processes and tools BENEFITs: Reduced costs in fixing with patching, lessen business impact of exploits
Assumption Costs and Failure Costs of the Software Security Initiative Assumption Costs (proactive): Cost of acquiring tools, standards and processes to develop secure software Cost of hiring and/or training a software security team Costs for implement security features (e.g. estimate possible as function of KLOC) Failure Costs (reactive): Cost of develop and/or deploy patches Cost of incident response Cost of vulnerability exploits resulting in data breach, fraud, denial of service, quantifiable damage to the organization The most difficult to estimate
Assumption Costs vs. Failure Costs No countermeasures, cost of failure (e.g. data breach is high) Cost is low but CBRatio >1 CBRatio <1 but room for improvement Optimal Spending, around 37% (Gordon and Loeb)
Data Loss Liabilities Estimates Consider FTC data (2003) 4.6 % of US population suffered identity fraud Companies spent 3 * 10^8 hours repairing the troubles caused + $ 5 Billion dollar spent out of pocket Minimum wage of 5.15 $/hr (in 2003) 10 Million people involved P = 4.6 % L = 3 x 10^8 x $ 5.15/hr + $ 5 * 10^9 = $ 655/victim 10^7 victims My annual liability (P X L) for each data theft victim is $ 30.11 SOURCE: Dan. E. Geer, Economics & Strategies of Data Security
Data Losses As Web Breaches (datalossdb.org) SOURCE: Open Security Foundation Data Loss Statistics
Which Vulnerabilities Are Exploited? (WHID) SOURCE: Breach Security The WHID 2009, August 2009
Estimating SQL Injection Attack Liability Probability of attack by type and attack vector incident (identity theft) data : 13 % of incidents involve breaches of web channel (datalossdb.org) 19 % of incidents use SQL injection as attack vector (WHID) P = 0.13 x 0.19 = 0.025 (2.5 %) Estimate data loss for this attack: $ 655 per identity theft victim (2003 FTC data) 94 million individual records stolen (TJX incident) L = 94 X 10^6 x 0.025 x 655 = $ 1.5 Billion
Reporting of Losses in Quarterly Earnings The cyber attack on the retailer Marshalls and TJ Maxx (94 Million CCN reported in Jan/2007): after-tax cash charge of approximately $118 million , or $.25 per share. The company increased its estimate of pre-tax charges for the compromise to nearly $216 million . According to some experts, TJX may have to spend in the end a total between $ 500 Million to $ 1 Billion (BankInfoSecurity.com), including non compliance fees (e.g. PCI-DSS) litigation fees and government fines.
Another Way to Look at Business Impact Of Data Breaches : Drop in Stock Price 130 ML CCN loss (reported January 20 2009)
Quantitative Risk Analysis Goal: Justify spending to improve security by assigning an objective monetary value to risk Risk Analysis Methodology: Determine the Exposure Factor: Percentage of asset loss caused by identified threat (e.g. 20%) Determine Single Loss Expectancy (SLE): EF x the value of assets (e.g. $ 1 ML * 30%= $ 200 K) Estimate Annualized Rate of Occurrence (ARO): twice in ten years 2/10=0.2, 1 every year =1 Determine the Annualized Loss Expectancy (ALE) ALE = SLE x ARO = $ 40 K
Use Quantitative Risk Analysis to Estimate Annual Loss Due to SQL Injection Exploit Exposure Factor (likelihood) of data loss via SQL injection attack: 2.5% Based upon datalossdb and WHID calculated probability data) SLE (EF x Value Assets) : $ 43 Million Asset Value: assume SQL injection attack will cause fraud for 3 million credit card accounts (on-line web site for major bank) at a 580 $/account (use SANS data) ARO : 40 % (four every 10 years) ALE (ALO X SLE) : = $ 17 Million
ROSI Of Secure Software Initiatives ROSI (Return Of Security Investment) ROSI = Savings (Avoided loss) /Total Cost Of Solution Goal: Answer the question on how much I can save by investing in Software Security According to previous studies (Soo Hoo-IBM): For every 100,000 $ spent in software security I save: $21,000 (21%) when defects are fixed and identified during design $15,000 (15%) when defects are fixed during implementation $12,000 (12%) when defects are fixed during testing
Using ROSI to justify software security investments ROSI = [( ALE X % Risk Mitigation)- SCost] SCost Calculation example: ALE : $ 17 Million, risk exposure for SQL injection Risk Mitigation: 75 % of risk mitigated by software security solution source code analysis, filtering SCost: $ 4 Million, Total Cost of Ownership (TCO) software security solution Savings = $ 8.75 Million, loss prevention savings ROSI = 210 % N egative = investment not justifiable Null = no return on investment Positive = justifiable as compared with other solutions
Security Software Assurance Metrics: Balanced Scorecards Correlation of budget with risk assessment and cost/benefits Improved results of software security processes and operations Reduced calls to CSR for reporting on security issues Growth in assessed security processes & training activities
Software Security Metrics In Support Of Business Cases Metrics of technical value Costs for testing and fixing vulnerabilities Percent security requirements satisfied Percent developers with software sec. certifications Metrics of comparative value TCO of software security activities vs. unit revenue Secure software engineering costs vs. patching costs Metrics of business value Estimate for vulnerability & risk assessment costs Budget to address gaps in software sec. processes Costs for security certifications per business unit
Come on is not so hard..
In Summary Rationale For Software Security Business Case Preparing the Business Case Maturity Models Metrics and Measurements Making the Business Case Software Security Assurance Awareness Failure Costs vs. Assumption Costs Qualitative Risk Assessments Return Of Security Investment (ROSI) Performance Measurement Metrics Questions & Answers
Thanks for listening, further references Applied Software Measurement: Assuring Productivity and Quality http://www.amazon.com/Applied-Software-Measurement-Assuring-Productivity/dp/0070328269 PCI-Data Security Standard (PCI DSS) https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml A CISO’s Guide to Application Security http://www.nysforum.org/committees/security/051409_pdfs/A%20CISO'S%20Guide%20to%20Application%20Security.pdf PCI http://www.breach.com/resources/whitepapers/downloads/WP_TheWebHackingIncidents-2009.pdf ROSI http://www.infosecwriters.com/text_resources/pdf/ROSI-Practical_Model.pdf https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/business/677-BSI.html http://www.balancedscorecard.org/BSCResources/AbouttheBalancedScorecard/tabid/55/Default.aspx Gartner study on phising: http://www.gartner.com/it/page.jsp?id=565125 ) UC Berkeley Center for Law and Technology on identity theft http://repositories.cdlib.org/cgi/viewcontent.cgi?article=1045&context=bclt
Further references con’t Gartner 2004 Press Release http://www.gartner.com/press_releases/asset_106327_11.html Making The Business Case For Software Assurance https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/business/685-BSI.html SEI Capability Maturity Model Integration CMMi http://www.sei.cmu.edu/cmmi/
Further references con’t Software Assurance Maturity Model http://www.opensamm.org/ The Software Security Framework (SSF) http://www.bsi-mm.com/ssf/ National Information Assurance Glossary http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf Dan. E. Geer, Economics & Strategies of Data Security http://www.verdasys.com/thoughtleadership/
Further references con’t Open Security Foundation, Data Loss Statistics http://datalossdb.org/statistics The WHID 2009 BI-Annual Report, August 2009 http://www.breach.com/resources/whitepapers/downloads/WP_TheWebHackingIncidents-2009.pdf Quantitative Risk Analysis Step-By-Step http://www.sans.org/reading_room/whitepapers/auditing/quantitative_risk_analysis_stepbystep_849?show=849.php&cat=auditing Breach Worse Than Reported.. http://www.bankinfosecurity.com/articles.php?art_id=606
Further references con’t Estimating Benefits from Investing in Secure Software Development https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/business/267-BSI.html Return On Security Investment (ROSI) http://www.infosecwriters.com/text_resources/pdf/ROSI-Practical_Model.pdf Models for Assessing the Cost and Value of Software Assurance https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/business/684-BSI.html

More Related Content

PPT
Software Security Initiatives
byMarco Morana
 
PDF
TUD CS4105 | 2015 | Lecture 1
byEelco Visser
 
PPT
Software Security Engineering
byMarco Morana
 
PPT
Software security engineering
byAHM Pervej Kabir
 
PDF
Presentation on vulnerability analysis
byAsif Anik
 
PPTX
Threat Modeling 101
byVlad Styran
 
PPT
Application Threat Modeling
byMarco Morana
 
PPT
Software Security Frameworks
byMarco Morana
 
Software Security Initiatives
byMarco Morana
 
TUD CS4105 | 2015 | Lecture 1
byEelco Visser
 
Software Security Engineering
byMarco Morana
 
Software security engineering
byAHM Pervej Kabir
 
Presentation on vulnerability analysis
byAsif Anik
 
Threat Modeling 101
byVlad Styran
 
Application Threat Modeling
byMarco Morana
 
Software Security Frameworks
byMarco Morana
 

What's hot

PDF
Application Threat Modeling In Risk Management
byMel Drews
 
PDF
ByteCode pentest report example
byIhor Uzhvenko
 
PDF
Secure Coding and Threat Modeling
byMiriam Celi, CISSP, GISP, MSCS, MBA
 
PPTX
Information Security and the SDLC
byBDPA Charlotte - Information Technology Thought Leaders
 
PPTX
Application Threat Modeling
byRochester Security Summit
 
PPTX
Secure Design: Threat Modeling
byCigital
 
PPTX
6 Most Popular Threat Modeling Methodologies
byEC-Council
 
PPTX
Vulnerability Assesment
byDedi Dwianto
 
PDF
Threat modeling demystified
byPriyanka Aash
 
PDF
Application Threat Modeling
byPriyanka Aash
 
PPT
Software Security Testing
byankitmehta21
 
PDF
A successful application security program - Envision build and scale
byPriyanka Aash
 
PPT
Security Compliance Web Application Risk Management
byMarco Morana
 
PDF
Arved sandstrom - the rotwithin - atlseccon2011
byAtlantic Security Conference
 
PPTX
Threat Simulation and Modeling Training
byBryan Len
 
PDF
Null bachav
byNaga Venkata Sunil Alamuri
 
PPTX
Threat Modeling - Writing Secure Code
byCaleb Jenkins
 
PPT
六合彩香港-六合彩
bybaoyin
 
PPTX
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
byQADay
 
PPT
AMI Security 101 - Smart Grid Security East 2011
bydma1965
 
Application Threat Modeling In Risk Management
byMel Drews
 
ByteCode pentest report example
byIhor Uzhvenko
 
Secure Coding and Threat Modeling
byMiriam Celi, CISSP, GISP, MSCS, MBA
 
Information Security and the SDLC
byBDPA Charlotte - Information Technology Thought Leaders
 
Application Threat Modeling
byRochester Security Summit
 
Secure Design: Threat Modeling
byCigital
 
6 Most Popular Threat Modeling Methodologies
byEC-Council
 
Vulnerability Assesment
byDedi Dwianto
 
Threat modeling demystified
byPriyanka Aash
 
Application Threat Modeling
byPriyanka Aash
 
Software Security Testing
byankitmehta21
 
A successful application security program - Envision build and scale
byPriyanka Aash
 
Security Compliance Web Application Risk Management
byMarco Morana
 
Arved sandstrom - the rotwithin - atlseccon2011
byAtlantic Security Conference
 
Threat Simulation and Modeling Training
byBryan Len
 
Null bachav
byNaga Venkata Sunil Alamuri
 
Threat Modeling - Writing Secure Code
byCaleb Jenkins
 
六合彩香港-六合彩
bybaoyin
 
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
byQADay
 
AMI Security 101 - Smart Grid Security East 2011
bydma1965
 

Similar to Business cases for software security

KEY
Application Security Done Right
bypvanwoud
 
PDF
SecurityBSides London - Jedi mind tricks for building application security pr...
bySecurity Ninja
 
PPT
Software Security in the Real World
byMark Curphey
 
PDF
Jedi mind tricks for building application security programs
bySecurity BSides London
 
PDF
Defense In Depth Using NIST 800-30
byKevin M. Moker, CFE, CISSP, ISSMP, CISM
 
PPTX
Digital Product Security
bySoftServe
 
PPTX
Justifying Security Investment
byJojo Colina
 
PDF
Introduction to Software Security Initiative
bySudarshan Narayanan
 
PDF
Security For Free
bygwarden
 
PPTX
Security in an Interconnected and Complex World of Software
byMichael Coates
 
PDF
Application Security Maturity Model
bySecurity Innovation
 
PDF
InformationSecurity_11141
bysraina2
 
PPTX
Ulf mattsson webinar jun 7 2012 slideshare version
byUlf Mattsson
 
PDF
Biggest info security mistakes security innovation inc.
byuNIX Jim
 
PDF
The Future of Software Security Assurance
byRafal Los
 
PDF
Security is our duty and we shall deliver it - White Paper
byMohd Anwar Jamal Faiz
 
PPT
Whittaker How To Break Software Security - SoftTest Ireland
byDavid O'Dowd
 
PDF
Security overview 2
byCMR WORLD TECH
 
PDF
Information Security in the Gaming World
byDimitrios Stergiou
 
PPTX
ISACA New York Metro April 30 2012
byUlf Mattsson
 
Application Security Done Right
bypvanwoud
 
SecurityBSides London - Jedi mind tricks for building application security pr...
bySecurity Ninja
 
Software Security in the Real World
byMark Curphey
 
Jedi mind tricks for building application security programs
bySecurity BSides London
 
Defense In Depth Using NIST 800-30
byKevin M. Moker, CFE, CISSP, ISSMP, CISM
 
Digital Product Security
bySoftServe
 
Justifying Security Investment
byJojo Colina
 
Introduction to Software Security Initiative
bySudarshan Narayanan
 
Security For Free
bygwarden
 
Security in an Interconnected and Complex World of Software
byMichael Coates
 
Application Security Maturity Model
bySecurity Innovation
 
InformationSecurity_11141
bysraina2
 
Ulf mattsson webinar jun 7 2012 slideshare version
byUlf Mattsson
 
Biggest info security mistakes security innovation inc.
byuNIX Jim
 
The Future of Software Security Assurance
byRafal Los
 
Security is our duty and we shall deliver it - White Paper
byMohd Anwar Jamal Faiz
 
Whittaker How To Break Software Security - SoftTest Ireland
byDavid O'Dowd
 
Security overview 2
byCMR WORLD TECH
 
Information Security in the Gaming World
byDimitrios Stergiou
 
ISACA New York Metro April 30 2012
byUlf Mattsson
 

More from Marco Morana

PDF
Is talent shortage ws marco morana
byMarco Morana
 
PPTX
Isaca conference threat_modeling_marco_morana_short.pdf
byMarco Morana
 
PPTX
Owasp atlanta-ciso-guidevs1
byMarco Morana
 
PPTX
Owasp e crime-london-2012-final
byMarco Morana
 
PDF
Security And Privacy Cagliari 2012
byMarco Morana
 
PPT
Presentation sso design_security
byMarco Morana
 
PPTX
Owasp security summit_2012_milanovs_final
byMarco Morana
 
PPTX
Security Summit Rome 2011
byMarco Morana
 
PPTX
Risk Analysis Of Banking Malware Attacks
byMarco Morana
 
PDF
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
byMarco Morana
 
PPT
Security Exploit of Business Logic Flaws, Business Logic Attacks
byMarco Morana
 
PPT
Web Application Security Testing
byMarco Morana
 
PPT
Owasp Forum Web Services Security
byMarco Morana
 
PPT
Owasp Top 10 And Security Flaw Root Causes
byMarco Morana
 
PPT
OWASP Top 10 And Insecure Software Root Causes
byMarco Morana
 
PPT
Software Open Source, Proprierio, Interoperabilita'
byMarco Morana
 
PPT
Progetti Open Source Per La Sicurezza Delle Web Applications
byMarco Morana
 
PPT
Introduction To OWASP
byMarco Morana
 
PPT
Cross Site Request Forgery Vulnerabilities
byMarco Morana
 
PDF
Software Security Initiative And Capability Maturity Models
byMarco Morana
 
Is talent shortage ws marco morana
byMarco Morana
 
Isaca conference threat_modeling_marco_morana_short.pdf
byMarco Morana
 
Owasp atlanta-ciso-guidevs1
byMarco Morana
 
Owasp e crime-london-2012-final
byMarco Morana
 
Security And Privacy Cagliari 2012
byMarco Morana
 
Presentation sso design_security
byMarco Morana
 
Owasp security summit_2012_milanovs_final
byMarco Morana
 
Security Summit Rome 2011
byMarco Morana
 
Risk Analysis Of Banking Malware Attacks
byMarco Morana
 
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
byMarco Morana
 
Security Exploit of Business Logic Flaws, Business Logic Attacks
byMarco Morana
 
Web Application Security Testing
byMarco Morana
 
Owasp Forum Web Services Security
byMarco Morana
 
Owasp Top 10 And Security Flaw Root Causes
byMarco Morana
 
OWASP Top 10 And Insecure Software Root Causes
byMarco Morana
 
Software Open Source, Proprierio, Interoperabilita'
byMarco Morana
 
Progetti Open Source Per La Sicurezza Delle Web Applications
byMarco Morana
 
Introduction To OWASP
byMarco Morana
 
Cross Site Request Forgery Vulnerabilities
byMarco Morana
 
Software Security Initiative And Capability Maturity Models
byMarco Morana
 

Recently uploaded

PDF
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
PPTX
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
PDF
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PDF
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PPTX
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PDF
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PDF
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PDF
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
Workflow and decision Automation with Flowable
bychakib ch
 
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 

Business cases for software security

  • 1.
    How to Createa Business Case for Software Security Initiatives Marco Morana OWASP Lead TISO Citigroup
  • 2.
    Status Quo ofSoftware Security Spending
  • 3.
    Making the BusinessCases: Essentials Secure Software Engineering Awareness “ Security involves making sure things work, not in the presence of random faults, but in the face of an intelligent and malicious adversary trying to ensure that things will fail in the worst possible way at the worst possible time … again and again” Prepare for Executive Management FAQs: Why I spend money on software security? How much I should spend ? What my competitors are doing? How I am doing at my vulnerabilities? How I get the most bang for the buck ?
  • 4.
    Main Factors DrivingSoftware Security Adoption ?
  • 5.
    Lessons From theCourt Room 170 million card and ATM numbers used sql injection and packet sniffers
  • 6.
    Lessons From LawEnforcement (FBI) THREAT INTELLIGENCE: Attack “xp_cmdshell on MSQL server to upload sniffers to capture CC transactions and ATM PINs from DB, HSM RECCOMENDATIONS: Disable xp_cmdshell, Deny extended URL, escape special characters such as “”, Use store procedures, Run SQL Server and IIS under non-privilege, Do not use “sa” hardcoded, Lock account on mainframes against brute force Use minimum privileges on AD/SQL server, restrict access Use proxy server for internet access, Implement firewall rules Ensure HSM do not take commands with PIN in the clear
  • 7.
    Defect Management/Costs MeasurementsProcess Metrics Is code validated against security coding standards? Is design of developers trained, using organizational security best practice technology, architecture and processes Management Metrics % of applications rated “business-critical” that have been security tested % of projects that where developed with the SDL % of security issues identified by lifecycle phase % of issues whose risk has been accepted % of security issues being fixed Average time to correct vulnerabilities Business impact of critical security incidents. Most of my vulnerabilities are coding and design issues But are mostly found during pen test in UAT The cost of fixing them in UAT is 10 X during coding (unit tests)
  • 8.
    Analysts/Researchers Opinions “75% of security breaches happen at the application layer”- Gartner “ Over 70 % of security vulnerabilities exist at the application layer, not the network layer” – Gartner “ If only 50 percent of software vulnerabilities were removed prior to production … costs would be reduced by 75 percent ” - Gartner “ Correction of security flaws at the requirement level is up to 100 times less the cost of correction of security flaws in fielded software” – Fortify
  • 9.
    Why Using MetricsAnd Maturity Models? Use vulnerability metrics to articulate software security needs/opportunities Point to software security root causes Identify vulnerability trends Analyze needs for improvements Use maturity models to provide visibility on the organization’s security capabilities Assess organization capability levels Set goals and needs to reach the goals Provide the roadmap
  • 10.
    Vulnerability Taxonomies andTrends Am I getting better ? Where ?
  • 11.
    Software Security MetricsBusiness Cases Business Managers : shows that projects are on schedule and moving on target and testing cycles for vulnerabilities are shorter translating in cost savings Information Security Officers: show that we are getting better on reporting compliance and manage risk reduction Developer Leads : show that developers are getting better to write secure software when provided with secure coding training and tools
  • 12.
    Software Security MaturityModels: SAMM, BSIMM Source http://www.bsi-mm.com/ssf/ Source SAMM : http://www.opensamm.org/
  • 13.
    Activities, Objectives andCapability Levels Use this as a yardstick to compare software security practices with other organizations Source BSIMM http://www.bsi-mm.com/ssf/
  • 14.
    The Software SecurityMaturity Curve (CMM) Highest effort/cost is required here
  • 15.
    Cost vs. BenefitAnalysis (CBA) Purpose is to weight the cost of software security initiative vs. the benefits CBRatio = COST of initiative BENEFIT of initiative Need to cost quantify factors and compare them (to compare apples with apples) for example: COSTs: Secure software engineering costs for training, new processes and tools BENEFITs: Reduced costs in fixing with patching, lessen business impact of exploits
  • 16.
    Assumption Costs andFailure Costs of the Software Security Initiative Assumption Costs (proactive): Cost of acquiring tools, standards and processes to develop secure software Cost of hiring and/or training a software security team Costs for implement security features (e.g. estimate possible as function of KLOC) Failure Costs (reactive): Cost of develop and/or deploy patches Cost of incident response Cost of vulnerability exploits resulting in data breach, fraud, denial of service, quantifiable damage to the organization The most difficult to estimate
  • 17.
    Assumption Costs vs.Failure Costs No countermeasures, cost of failure (e.g. data breach is high) Cost is low but CBRatio >1 CBRatio <1 but room for improvement Optimal Spending, around 37% (Gordon and Loeb)
  • 18.
    Data Loss LiabilitiesEstimates Consider FTC data (2003) 4.6 % of US population suffered identity fraud Companies spent 3 * 10^8 hours repairing the troubles caused + $ 5 Billion dollar spent out of pocket Minimum wage of 5.15 $/hr (in 2003) 10 Million people involved P = 4.6 % L = 3 x 10^8 x $ 5.15/hr + $ 5 * 10^9 = $ 655/victim 10^7 victims My annual liability (P X L) for each data theft victim is $ 30.11 SOURCE: Dan. E. Geer, Economics & Strategies of Data Security
  • 19.
    Data Losses AsWeb Breaches (datalossdb.org) SOURCE: Open Security Foundation Data Loss Statistics
  • 20.
    Which Vulnerabilities AreExploited? (WHID) SOURCE: Breach Security The WHID 2009, August 2009
  • 21.
    Estimating SQLInjection Attack Liability Probability of attack by type and attack vector incident (identity theft) data : 13 % of incidents involve breaches of web channel (datalossdb.org) 19 % of incidents use SQL injection as attack vector (WHID) P = 0.13 x 0.19 = 0.025 (2.5 %) Estimate data loss for this attack: $ 655 per identity theft victim (2003 FTC data) 94 million individual records stolen (TJX incident) L = 94 X 10^6 x 0.025 x 655 = $ 1.5 Billion
  • 22.
    Reporting of Lossesin Quarterly Earnings The cyber attack on the retailer Marshalls and TJ Maxx (94 Million CCN reported in Jan/2007): after-tax cash charge of approximately $118 million , or $.25 per share. The company increased its estimate of pre-tax charges for the compromise to nearly $216 million . According to some experts, TJX may have to spend in the end a total between $ 500 Million to $ 1 Billion (BankInfoSecurity.com), including non compliance fees (e.g. PCI-DSS) litigation fees and government fines.
  • 23.
    Another Way toLook at Business Impact Of Data Breaches : Drop in Stock Price 130 ML CCN loss (reported January 20 2009)
  • 24.
    Quantitative Risk AnalysisGoal: Justify spending to improve security by assigning an objective monetary value to risk Risk Analysis Methodology: Determine the Exposure Factor: Percentage of asset loss caused by identified threat (e.g. 20%) Determine Single Loss Expectancy (SLE): EF x the value of assets (e.g. $ 1 ML * 30%= $ 200 K) Estimate Annualized Rate of Occurrence (ARO): twice in ten years 2/10=0.2, 1 every year =1 Determine the Annualized Loss Expectancy (ALE) ALE = SLE x ARO = $ 40 K
  • 25.
    Use Quantitative RiskAnalysis to Estimate Annual Loss Due to SQL Injection Exploit Exposure Factor (likelihood) of data loss via SQL injection attack: 2.5% Based upon datalossdb and WHID calculated probability data) SLE (EF x Value Assets) : $ 43 Million Asset Value: assume SQL injection attack will cause fraud for 3 million credit card accounts (on-line web site for major bank) at a 580 $/account (use SANS data) ARO : 40 % (four every 10 years) ALE (ALO X SLE) : = $ 17 Million
  • 26.
    ROSI Of SecureSoftware Initiatives ROSI (Return Of Security Investment) ROSI = Savings (Avoided loss) /Total Cost Of Solution Goal: Answer the question on how much I can save by investing in Software Security According to previous studies (Soo Hoo-IBM): For every 100,000 $ spent in software security I save: $21,000 (21%) when defects are fixed and identified during design $15,000 (15%) when defects are fixed during implementation $12,000 (12%) when defects are fixed during testing
  • 27.
    Using ROSI tojustify software security investments ROSI = [( ALE X % Risk Mitigation)- SCost] SCost Calculation example: ALE : $ 17 Million, risk exposure for SQL injection Risk Mitigation: 75 % of risk mitigated by software security solution source code analysis, filtering SCost: $ 4 Million, Total Cost of Ownership (TCO) software security solution Savings = $ 8.75 Million, loss prevention savings ROSI = 210 % N egative = investment not justifiable Null = no return on investment Positive = justifiable as compared with other solutions
  • 28.
    Security Software AssuranceMetrics: Balanced Scorecards Correlation of budget with risk assessment and cost/benefits Improved results of software security processes and operations Reduced calls to CSR for reporting on security issues Growth in assessed security processes & training activities
  • 29.
    Software Security MetricsIn Support Of Business Cases Metrics of technical value Costs for testing and fixing vulnerabilities Percent security requirements satisfied Percent developers with software sec. certifications Metrics of comparative value TCO of software security activities vs. unit revenue Secure software engineering costs vs. patching costs Metrics of business value Estimate for vulnerability & risk assessment costs Budget to address gaps in software sec. processes Costs for security certifications per business unit
  • 30.
    Come on isnot so hard..
  • 31.
    In Summary RationaleFor Software Security Business Case Preparing the Business Case Maturity Models Metrics and Measurements Making the Business Case Software Security Assurance Awareness Failure Costs vs. Assumption Costs Qualitative Risk Assessments Return Of Security Investment (ROSI) Performance Measurement Metrics Questions & Answers
  • 32.
    Thanks for listening,further references Applied Software Measurement: Assuring Productivity and Quality http://www.amazon.com/Applied-Software-Measurement-Assuring-Productivity/dp/0070328269 PCI-Data Security Standard (PCI DSS) https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml A CISO’s Guide to Application Security http://www.nysforum.org/committees/security/051409_pdfs/A%20CISO'S%20Guide%20to%20Application%20Security.pdf PCI http://www.breach.com/resources/whitepapers/downloads/WP_TheWebHackingIncidents-2009.pdf ROSI http://www.infosecwriters.com/text_resources/pdf/ROSI-Practical_Model.pdf https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/business/677-BSI.html http://www.balancedscorecard.org/BSCResources/AbouttheBalancedScorecard/tabid/55/Default.aspx Gartner study on phising: http://www.gartner.com/it/page.jsp?id=565125 ) UC Berkeley Center for Law and Technology on identity theft http://repositories.cdlib.org/cgi/viewcontent.cgi?article=1045&context=bclt
  • 33.
    Further references con’tGartner 2004 Press Release http://www.gartner.com/press_releases/asset_106327_11.html Making The Business Case For Software Assurance https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/business/685-BSI.html SEI Capability Maturity Model Integration CMMi http://www.sei.cmu.edu/cmmi/
  • 34.
    Further references con’tSoftware Assurance Maturity Model http://www.opensamm.org/ The Software Security Framework (SSF) http://www.bsi-mm.com/ssf/ National Information Assurance Glossary http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf Dan. E. Geer, Economics & Strategies of Data Security http://www.verdasys.com/thoughtleadership/
  • 35.
    Further references con’tOpen Security Foundation, Data Loss Statistics http://datalossdb.org/statistics The WHID 2009 BI-Annual Report, August 2009 http://www.breach.com/resources/whitepapers/downloads/WP_TheWebHackingIncidents-2009.pdf Quantitative Risk Analysis Step-By-Step http://www.sans.org/reading_room/whitepapers/auditing/quantitative_risk_analysis_stepbystep_849?show=849.php&cat=auditing Breach Worse Than Reported.. http://www.bankinfosecurity.com/articles.php?art_id=606
  • 36.
    Further references con’tEstimating Benefits from Investing in Secure Software Development https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/business/267-BSI.html Return On Security Investment (ROSI) http://www.infosecwriters.com/text_resources/pdf/ROSI-Practical_Model.pdf Models for Assessing the Cost and Value of Software Assurance https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/business/684-BSI.html

Editor's Notes

  • #3 Because of the current economic recession, security managers have to deal with shrinking budgets and limited resources dedicated to application security and often asked to present the “business cases” for application security as well as software security initiatives. Gartner Survey Shows Security Software and Services Budgets to Increase 4 Per Cent in 2010 Analysts Discuss Key Security Issues During Gartner Information Security Summit, 21-22 September in London Egham, UK, September 8, 2009 — Security software and services spending will outpace other IT spending areas in 2010, according to a new survey by Gartner, Inc. Security software budgets are expected to grow by approximately 4 per cent in 2010, outpacing all other areas of infrastructure software. Security services budgets are projected to grow almost 3 per cent, significantly outperforming other service areas. In April and May of 2009, Gartner surveyed more than 1,000 IT professionals with budget responsibility worldwide to determine their budget-planning expectations for 2010. “ In the current highly uncertain economic environment, with overall IT budgets shrinking, even the modest spending increases indicated by the survey show that security spending accounts for a higher percentage of the IT budget,” said Adam Hils, principal research analyst at Gartner. “Security decision makers should work to allocate limited budgets based on enterprise-specific security needs and risk assessments.” Specific areas of projected security-related software spending growth in 2010 includes security information and event management (SIEM), e-mail security, URL filtering, and user provisioning. The continued, comparatively strong emphasis on security extends beyond software. The survey showed that security services spending will also outpace spending in other services areas, with budgets expected to grow 2.74 per cent in 2010. This anticipated increase is being driven in part by a growing movement towards managed security services, cloud-based e-mail/web security solutions, and third-party compliance-related consulting and vulnerability audits and scans.  “ When evaluating and planning 2010 security budgets, organisations should work to achieve a realistic view of current spending and recognise that it may be impossible to capture all security-related spending because of organisationally diffused security budgets,” said Ruggero Contu, principal research analyst at Gartner. “Businesses should also recognise that new threats or vulnerabilities may require security spending that exceeds the amounts allocated, and should consider setting aside up to 15 per cent of the IT security budget to address the potential risks and impact of such unforeseen issues.” Additional detail is available in the Gartner report “ Security Software and Services Spending Will Outpace Other IT Spending Areas in 2010 .&amp;quot; The report is available on Gartner’s website at http://www.gartner.com/DisplayDocument?ref=g_search&amp;id=1141513&amp;subref=simplesearch . Key issues facing the security industry will be discussed during the Gartner Information Security Summit, taking place 21 -22 September, at the Royal Lancaster hotel in London. The Summit hits the critical spot between strategic planning and tactical advice. Gartner analysts, industry experts and IT security practitioners will deliver unbiased, realistic analysis of the current state of information security, as well as an independent vision of how things will evolve over the long term. For complete event details, please visit the Gartner IT Security Summit website at http://www.gartner.com/it/page.jsp?id=787512 . Members of the media can register by contacting Holly Stevens at [email_address] .
  • #4 # 1 per creare il caso e’ creare awareness come ad esempio le conference OWASP di questo tipo. E’ di importanza critica definere il problema per esempio spiegare ad executive management cosa si intende per secure software security engineering e come sia diversdo da application security e perimiter security for example. #2 preparazione per le FAQs come e perche e dove devo spendere il mio budget in software security?
  • #5 Maybe compliance is #1, analysts opinions and surverys #2 , incidents #3 and cost savings #4 dal punto di vista della mia esperienza
  • #6 Anche tenendo conto che I piu grandi incidenti di perdita di dati sensibili nella storia degli USA sono dovuti a problem di application security Heartland Payment Systems (HPY) data breach: 130 Credit Card Accounts Exploited SQL Injection vulnerabilities to install malware (Hannaford 9/07, Company A &amp; B on 1/08) Used “wardriving” and installed sniffers Acted ad member of a Cybercrime gang Profited from the sale of ACC#, PINs to fake credit cards and commit ATM fraud Engaged in money laundering
  • #7 Come mostrato in questo caso… In same cases the cyber attack vectors are reported step by step Use &amp;quot;xp_cmdshell“ to download hacker tools to the compromised MSSQL server. Obtain valid Windows credentials by using fgdump Install network &amp;quot;sniffers&amp;quot; to identify card data and systems involved in processing credit card transactions. Install backdoors that &amp;quot;beacon&amp;quot; periodically to their command and control servers Target databases, Hardware Security Modules (HSMs), and processing applications in an effort to obtain credit card data or brute-force ATM PINs. Use WinRAR to compress the information they pilfer from the compromised networks.
  • #8 Dal punto di vista dei costi, quantificazione di quanto cost gestire I dfetti del software e’ essenziale per il business cases
  • #9 L’opinione degli analisti e’ che la maggioranza delle vulnerabilita’ e degli incidenti succede a livello delle applicazioni, in realta dipende dal tipo di incidenti. Dal punto di vista dei cost studi dimostrano che c’e significativamente una riduzione dei cost ed un ROI nel risolvere le issues early in the SDLC da un fattore 100X requirements vs. field test ad un fattore 10 X fra coding e test
  • #10 I modelli di maturity permetttono di usare un metodo standard per ottenere una scorecard o pagella della maturita’ dei processi e delle discipline e a che livello siano riaggiunte. La metrica provvede un livello fo visiabilita’ reale e una misura delle cause, trends e bisogni
  • #11 A parte la maturity un buon caso da usare e’ la metrica Defect management metrics Where the issue is found? (e.g. requirements, design, code, application) When has been fixed? (e.g. found in coding fixed before testing) How has been fixed (e.g. design change, coding, configuration) Vulnerability management metrics Which type of vulnerabilities are found the most during design review, code analysis, pen tests? Which security vulnerabilities we having trouble fixing?
  • #12 E per finire I business cases debbono trovare supporto da punto di vista degli sponsors e di chi usa software security secondo diversi obbiettivi
  • #13 Dal circa un anno o due abbiamo la fortuna grazie a Pravir Chandra e Gary McGraw due modelli per la software security maturity. I modelli si basano su survey di casi reali empirici do come varie organizzazioni implementano software security initiatives (35 prese in esame nel caso di BSIMM e 9 ditte di diversi settori Google, MS, Adobe e telco come qualcomm e anche DTCC , Well Fargo banks etc) I modelli sono organizzati per domini BSMIMM, business functions nel caso di SAMM in tutto molto simili anche in numero 12. I livelli di maturity sono da 1 a 3 e varie attivita per obbiettivi e livelli
  • #14 Un esempio di come siano utili a parte la pagella ci danno la mappa degli obbitettivi e delle attivita da raggiungere.
  • #15 Un fatto importante della maturity e’ la learning curve, lo sviluppo non e’ lineare ma accelerato dall’ apprendimento e in alcune fasi e’ piu difficile di altre come il passaggio dal livello 3 a 4 (defined a managed) questo ha importanza sul planning.
  • #16 CBA costi vs benefici il beneficio ne deve valere la pena come si dice…. La formula e’ semplice ed un fattore &lt; 1 significa I benefici sono maggiori dei costi quindi se i nebefici sono I risparmi in costi per il defect management e incidenti vs I costi per processi, people, technology.tools ed il fattore e’ &lt;1 si puo dire che ne valga la candeal Il problema pero non e’ semplice da evalutate questi costi
  • #17 Alcuni exempi di costi di assunzione del software sicuro includono il costi per lo svulippo training e implementazione mentre I costi di incidenti includono I costi di sviuppo delle patches, pen testing e I costi degli exploits/incidenti che sono I piu difficili da quantificare
  • #18 Se per esempio prendiamo in considerazione il cost delle contromisure vs il costo dei danni dovuti ad un exploit di una vulnerabilita come anche I costi per le patches etc vediamo che man mano che le spese per la rimediazione dei danni aumentano I costi dovute alle perdite diminuiscono. Un esempio di come questi dati possano essere usati per esempio e che se le mei perdite grossolane dovure a frodi via banking on line channel sono 3 millioni di euro un millione di euro in spese in programmi si software security e’ giustificabile. Most organization&apos;s directors of technology and security try to sell technologies and new initiatives to high management with the sales pitch of getting the most &amp;quot;Bang For The Buck&amp;quot; BFTB. But the BFTB business case need to answer the basic question: if I spend that much on a security technology or process what is the benefit for security ? In technical terms this means doing a Cost vs Benefit Analysis (CBA). CBA can be used in security to correlate the total cost of security to increased information or software security assurance. Dan Geer covers well this analysis as related to data security in his book &amp;quot; Economics and Strategies of Data Security &amp;quot;. By analogy, in the case of software security, &amp;quot;Bang For The Buck&amp;quot; decision spending need to take into account the total security costs that is all failure costs such as the total cost of failing as business impact as well the total cost of finding, fixing, testing and deploying the security defect. Only then, the total cost of software security (the BUCK) can be compared against the BANG that is the increased level of software security assurance. The general law for bang for the buck is that you are getting the most bang for the buck when your total costs (cost of failure/data loss/fraud + cost of security/countermeasure) reaches a minimum. As failure costs decrease exponentially, the &amp;quot;anticipation costs&amp;quot; that you take proactively by spending in software security initiatives will increase. From risk management perspective this means that the total software security costs decrease up to a minimum to raise again as you keep spending on security measures. You will reach an optimal cost vs. benefit where more spending in anticipation cost (e.g. countermeasures) will not provide the most benefit (e.g. spending more in countermeasures then the value of the assets that the countermeasure is supposed to protect) This optimal spending for anticipation costs (proactive countermeasures) is about 40% of your failure costs (to be exact 37% according to Gordon and Loeb research: The Economics of Information Security Investment ). According to the empirical law of the most bang for the buck applied to software failure costs vs. assumption costs it is therefore fair to assume that you get the most of security by spending 37% of what your software failure costs are. Assume for example software security failures costs are $ 10 ML it would be reasonable for an organization to spend as much as $ 3.7 ML in acquiring software security tools and technology, develop new software security process as well as in new software security training activities.
  • #19 Per un business case piu significativo e’ quantificare le perdite come ONERI per ogni perdita di dati sensibili
  • #20 E’ possibile correlare tali perdite a dati statistici sugli attachi
  • #21 E sulle vulnerabilita.
  • #22 Usando questi dati e’ possibile stimare per esempio il costo in termini di impatto di una perdita di dati sensibilie (carte di credito) via SQL injection A similar math can be factored using Van Geer data of 4.5% of data loss probability (FTC 2003 data) x 655 $/person cost Can we correlate this losses somehow, the cost for loss with the fact that among all breaches 13 % are from wbe and 19% use SQL injection attack vectors you can come out with 0.025 that is 2.5 % as the probability that an identify theft will occurr through the web channel because of a SQL injection attack. The cost is the cost per incident x record loss for internal (pokemon is 200 $) or you can just factor the cost per re-issance of the card This multipled for the cost per incident/records you can came out with 241 ML for 14 million records for 130 ML is 2.5 BILLION According to the case in NJ SQL injection is considered cause of Hannaford http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2008-2009%20US%20Cost%20of%20Data%20Breach%20Report%20Final.pdf http://www.securecomputing.net.au/Tools/Print.aspx?CIID=103302 Assume that according that 2003 FTC data the potential loss per identity theft incident is $ 655 per incident. Assume you are serving via your web site a population of 4 million customers, the potential loss of losing your customer data such as credit card accounts for example would be of $ 2,6 Billion and with probability of identity theft occurrence of 4.6 % (also FTC data) the projected loss for your company could be $ 120 ML for which 14% or $ 16 ML would be the cost of data losses via the web channel alone. Assume that according that 2003 FTC data the potential loss per identity theft incident is $ 655 per incident. Assume you are serving via your web site a population of 4 million customers, the potential loss of losing your customer data such as credit card accounts for example would be of $ 2,6 Billion and with probability of identity theft occurrence of 4.6 % (also FTC data) the projected loss for your company could be $ 120 ML for which 14% or $ 16 ML would be the cost of data losses via the web channel alone. With these assumptions based upon publicly disclosed data losses, a security program (that include both information and application security) that cost as much as $ 16 ML would be justified for a company with a customer base of 4 million on-line customers for example.
  • #23 Come numeri siamo vicini…. http://findarticles.com/p/articles/mi_m0EIN/is_2007_August_14/ai_n27342542/
  • #24 Un fattore che non si stima sono le perdite indirette intangibili per esempio sulle azioni in conseguenza alla pubblicazione di un incidente si tenga presente che nel caso di HPY l’exploit citiato nei procdeeednigns rigrairda SQL inection che e’ diretta consegienza di unsecure software
  • #25 Un altra metodologia consiste nel valutare le perdite annue come fattore di esposizione alle perdite all;occorenza dell’ evento e dell’impatto dell evento (SLE)
  • #26 Nel caso in esame e’ possibile stimare SLE e ALE per SQL injection tenendo conto della probabilita stimata 2.5 % di un evento per un sito che serve 3 millioni di utenti A quantitative risk assessment can also be used to determine the extent on which a software security initiative can reduce risk from potential losses. The correlation has to take into account the probability of the event and the loss that the event can cause. This is difficult to quantify in general for software security issues since assumes a cause-effect between vulnerability exploit and financial impact. Nevertheless it can be used for rough estimates. Assume a web application that delivers banking services for example and that the loss caused by an event such as denial of service impact on-line transactions for 3 million customers with an average of $ 20 per transaction: the loss per single DOS event (SLE) is $ 60 ML. Assume that the probability that a new SQL injection vulnerability would cause a denial of service is 30% (Annualized Rate of Occurrence) then the Annual Loss Expected (ALE) is $ 1.8 ML. If the cost of the new security countermeasures that will stop the security incident is less than $ 1.8 M than the organization should implement it.
  • #27 Un altro fattore molto discusso a livello di esecutives e’ il ROSI che quantifica in termini di investimento in sicurezza il ritorno come risparmio. Secondo studi e’ possibile stimare il risparmio delle attivita di security engineering nelle diverse fasi per esempio
  • #28 Un altra stima usando la formula di risparmi sul impatto delle perdite dopo che la soluzione di secure software e stata addottata in riferimento al cost della soluzione stessa. Un ROSI negativo non e’ giustificabile mentre uno positivo lo e’ wuanto sia giustificabile ha valore comparativo rispetto a diverse attivita.
  • #29 Da punto di vista dei busienss cases un metrica in supporto e la PAGELLA BILANCIATA il cui goal e’ allineare software security ad altri obbiettivi aziendali come finanza clienti, processi e capacita interne di formazione etc. Alcuni obbiettivi di questa metrica scorecard sono mostrati qui It is used by companies to assess performance of a target process against factors that are outside the traditional time and effort costing. There are different views: the financial view tries to answer the question, to succeed financially, how should we appear to our shareholders Background The balanced scorecard is a strategic planning and management system that is used extensively in business and industry, government, and nonprofit organizations worldwide to align business activities to the vision and strategy of the organization, improve internal and external communications, and monitor organization performance against strategic goals. It was originated by Drs. Robert Kaplan (Harvard Business School) and David Norton as a performance measurement framework that added strategic non-financial performance measures to traditional financial metrics to give managers and executives a more &apos;balanced&apos; view of organizational performance. 
  • #30 Per ogni area ci sono tre metriche: costi tecnici di software security engineering, costi di trends costi relativi al budget allocato etc
  • #31 In analisi se si ha una methologia si puo’ vendere il giaccio agli eskimesi
  • #32 I plan to start at 2.30 and finish at 3 PM
  • #33 most of software is tested after being build