Measuring and Maturing an AppSec Program · 2015-04-21 · Presenter: Bruce C Jenkins CISSP,...
Presenter: Bruce C Jenkins, CISSP, CSSLP, CISM. Fortify Security Lead & AppSec Program Strategist, Hewlett-Packard Company. Contact: bcj at hp dot com
2 (ISC)2 e-Symposium
Agenda
• Why Measure
• Preparing to Measure
• What to Measure
Why Measure
Why Measure: Humans have a natural tendency to want to measure
Why Measure: We have been measuring (and comparing) since ancient times
Source: wikipedia.org/wiki/Cubit
Source: www.theguardian.com
Why Measure: Numerous guides, standards, and frameworks speak to measurement
(Figure: timeline of guide, standard and framework logos dated 2005, 2006, 2008*, 2010, 2010, 2013)
*OpenSAMM update scheduled for CY2015
Why Measure: Bottom line: decision support
Source: HP Fortify on Demand
Why Measure: Views about the priority of security in custom software development (chart)
Source: Osterman Research White Paper, Jan 2015
Preparing to Measure
Preparing to Measure: First some basic definitions

goal: long-term aims that you want to accomplish
Preparing to Measure: Goals often are broad or lofty and long term. Example personal goal: Be taller
objective: concrete attainments achieved by following a certain number of steps; time-constrained, measurable goals
Preparing to Measure: Objectives are concrete, measurable and time-constrained achievements on the path to reaching a particular goal. Example objectives for the personal goal above:
• Obtain medieval-certified rack by 2015-05-31
• Complete medieval rack Train-the-Trainer program by 2015-09-18
• Train and certify four rack operators by 2015-12-31
• Complete Phase I Stretching Program by 2016-04-01
metric: a quantitative measure
KPI: a Key Performance Indicator (KPI) is used to evaluate the success of an organization or of a particular activity
Preparing to Measure: Sidebar: Top challenges in achieving software security goals* (chart)
Source: Gatepoint Research Pulse Report, Oct 2014, n = 300 executives
*Read as: software security assurance (SSA) program goals
Preparing to Measure

“It is necessary that people work together in unison toward common objectives and avoid working at cross purposes at all levels if the ultimate in efficiency and achievement is to be obtained.”

Dave Packard, Co-founder, Hewlett-Packard
Preparing to Measure: Sidebar: Sound software security assurance (SSA) programs are based on business needs
(Figure: SSA program hierarchy diagram with the elements Mission, Goals, Objectives, Strategy, metrics (m, m, m) rolling up to a KPI, and Policy, Standards, Training)
Preparing to Measure: Use security goals to establish SSA program direction, achieve stakeholder unity
(Figure: SSA program hierarchy diagram: Mission, Goals, Objectives, Strategy, metrics and KPI, Policy, Standards, Training)
• Establish security-related goals that are directly tied to the firm’s mission
Preparing to Measure: Use security goals to establish SSA program direction, achieve stakeholder unity. Example: Hewlett-Packard Co.

HP corporate objectives:
• Profit
• Customer Loyalty
• Growth
• Market Leadership
• Commitment to Employees
• Leadership Capability
• Global Citizenship

(Figure: the corporate objectives cascade down the organization; each level derives its own goals from the level above it)
• Hewlett-Packard: corporate objectives (listed above)
• HP Software: Goal 1 … Goal n
• Enterprise Security: Goal 1 … Goal n
• Fortify: Goal 1 … Goal n
• Security Group: Security Goal 1 … Security Goal n

See HP’s Corporate Objectives at http://www8.hp.com/us/en/hp-information/about-hp/corporate-objectives.html
Preparing to Measure: Example goal for anchoring a security program (real-world, Financial)
(Figure: goal cascade)
• Corp Mission Statement → Goal 1, Goal 2, Goal 3, … Goal n; the goal highlighted on the slide: “Protect our customers’ data”
• Corp Security Group → Security Goal 1, Security Goal 2, Security Goal 3, … Security Goal n; the security goal highlighted on the slide, derived from it: “Proactively identify security risk in Business Critical applications”
Preparing to Measure: Use security goals to establish SSA program direction, achieve stakeholder unity
(Figure: SSA program hierarchy diagram: Mission, Goals, Objectives, Strategy, metrics and KPI, Policy, Standards, Training)
• Establish security-related goals that are directly tied to the firm’s mission
• Develop a security strategy that is designed to support achievement of the security goal(s)
• Based upon business priorities and portfolio risk*, design time-constrained, measurable objectives
• Only choose metrics and construct KPIs that show progress toward meeting the objectives; nothing else
*portfolio is known, classified and risk-ranked
What to Measure
What to Measure: Revisited: Example goal for anchoring a security program. Focus: Security Objectives
(Figure: goal cascade)
• Corp Mission Statement → Goal 1, Goal 2, Goal 3, … Goal n; highlighted: “Protect our customers’ data”
• Corp Security Group → Security Goal 1, Security Goal 2, Security Goal 3, … Security Goal n; highlighted: “Proactively identify security risk in Business Critical applications”
What to Measure: security goal SG-3 with its objective, tasks and metrics (as first shown)

| Security Goals | Security Objectives & Tasks* | Metrics [measurement frequency] |
|---|---|---|
| SG-3 Proactively identify security risk in Business Critical applications | SO-3.1 Reveal baseline risk exposure of all Mission Critical applications no later than FY15Q2 | |
| | ST-3.1.1 Conduct baseline static scans of all Mission Critical apps no later than FY15Q2 | SM-3.1.1 Number of static scans remaining [w] |
| | ST-3.1.2 Conduct baseline dynamic scans of all Mission Critical apps no later than FY15Q2 | SM-3.1.2 Number of dynamic scans remaining [w] |

*implemented in accordance with the SSA program strategy; [w] = weekly
What to Measure: SG-3 with its objective, tasks and metrics (revised: SO-3.1 now reads Business Critical)

| Security Goals | Security Objectives & Tasks* | Metrics [measurement frequency] |
|---|---|---|
| SG-3 Proactively identify security risk in Business Critical applications | SO-3.1 Reveal baseline risk exposure of all Business Critical applications no later than FY15Q2 | |
| | ST-3.1.1 Conduct baseline static scans of all Mission Critical apps no later than FY15Q2 | SM-3.1.1 Number of static scans remaining [w] |
| | ST-3.1.2 Conduct baseline dynamic scans of all Mission Critical apps no later than FY15Q2 | SM-3.1.2 Number of dynamic scans remaining [w] |

*implemented in accordance with the SSA program strategy; [w] = weekly

(Figure: burn-down chart “# of Scans Remaining by Week”, ref. SM-3.1.1, SM-3.1.2)
What to Measure: SG-3 with its full set of objectives and the quarterly metrics (as first shown)

| Security Goals | Security Objectives & Tasks* | Metrics [measurement frequency] |
|---|---|---|
| SG-3 Proactively identify security risk in Business Critical applications | SO-3.1 Reveal baseline risk exposure of all Business Critical applications no later than FY15Q2 | |
| | SO-3.2 Identify security skills amongst application Architects, Developers and Testers no later than FY15Q2 | |
| | SO-3.3 Qualify gap between application risk exposure and security skills no later than FY15Q3 | |
| | SO-3.4 Implement training program to address security skills gap no later than FY15Q3 | |
| | SO-3.5 Evaluate risk exposure of all Mission Critical applications on a quarterly basis | SM-3.5.1 # of Critical findings [q]; SM-3.5.2 # of High findings [q] |

*implemented in accordance with the SSA program strategy; [q] = quarterly
What to Measure: SG-3 with its full set of objectives and the quarterly metrics (revised: SO-3.4 now due FY15Q4, SO-3.5 now reads Business Critical)

| Security Goals | Security Objectives & Tasks* | Metrics [measurement frequency] |
|---|---|---|
| SG-3 Proactively identify security risk in Business Critical applications | SO-3.1 Reveal baseline risk exposure of all Business Critical applications no later than FY15Q2 | |
| | SO-3.2 Identify security skills among application Architects, Developers and Testers no later than FY15Q2 | |
| | SO-3.3 Qualify gap between application risk exposure and security skills no later than FY15Q3 | |
| | SO-3.4 Implement training program to address security skills gap no later than FY15Q4 | |
| | SO-3.5 Evaluate risk exposure of all Business Critical applications on a quarterly basis | SM-3.5.1 # of Critical findings [q]; SM-3.5.2 # of High findings [q] |

*implemented in accordance with the SSA program strategy; [q] = quarterly
What to Measure
(ISC)2 e-Symposium 51
Security Goals Security Objectives & Tasks* Metrics [measurement frequency]
SG-3 Proactively identify security risk in Business Critical applications
SO-3.1 Reveal baseline risk exposure of all Business Critical applications no later than FY15Q2 SO-3.2 Identify security skills among application Architects, Developers and Testers no later than FY15Q2 SO-3.3 Qualify gap between application risk exposure and security skills no later than FY15Q3 SO-3.4 Implement training program to address security skills gap no later than FY15Q4 SO-3.5 Evaluate risk exposure of all Business Critical applications on a quarterly basis
SM-3.5.1 # of Critical findings [q] SM-3.5.2 # of High findings [q]
*implemented in accordance with the SSA program strategy
What to Measure

| Security Goals | Security Objectives & Tasks* | Metrics [measurement frequency] |
|---|---|---|
| SG-3 Proactively identify security risk in Business Critical applications | SO-3.1 Reveal baseline risk exposure of all Business Critical applications no later than FY15Q2 | |
| | SO-3.2 Identify security skills among application Architects, Developers and Testers no later than FY15Q2 | |
| | SO-3.3 Qualify gap between application risk exposure and security skills no later than FY15Q3 | |
| | SO-3.4 Implement training program to address security skills gap no later than FY15Q4 | |
| | SO-3.5 Evaluate risk exposure of all Business Critical applications on a quarterly basis | SM-3.5.1 # of Critical findings [q]; SM-3.5.2 # of High findings [q] |

*implemented in accordance with the SSA program strategy
What to Measure
Consolidated dashboards are effective at providing the status of key metrics (Key Performance Indicators).
[Dashboard screenshot. Source: HP Fortify on Demand]
What to Measure
Use security goals to establish SSA program direction and achieve stakeholder unity.
[Diagram: Mission, Goals, Objectives, Strategy; individual metrics (m) rolling up into a KPI; Policy, Standards, Training]
• Establish security-related goals that are directly tied to the firm's mission
• Develop a security strategy that is designed to support achievement of the security goal(s)
• Based upon business priorities and portfolio risk*, design time-constrained, measurable objectives
• Only choose metrics and construct KPIs that show progress toward meeting the objectives; nothing else
*portfolio is known, classified and risk-ranked
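The goal, objective, metric chain described in these bullets, together with the SG-3 metrics SM-3.5.1 and SM-3.5.2 from the table earlier in this section, as an added Python example (not code from the presentation or from HP Fortify). It assumes a fiscal year that begins in November, a constructed portfolio classification, and constructed assessment and finding records; the metric `SM-scans-run` is invented here to show a metric that traces to no objective, which the deck calls "interesting at best".

```python
"""Goal -> objective -> metric traceability for an AppSec program, with the
SG-3 metrics (SM-3.5.1, SM-3.5.2) and an SO-3.1 coverage KPI computed from
constructed sample data. Illustrative code, not from the presentation."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    app: str
    severity: str  # "Critical", "High", "Medium" or "Low"
    found: date


# Assumption: the fiscal year begins in November (adjust for your firm).
FY_START_MONTH = 11


def fiscal_quarter(d: date, fy_start_month: int = FY_START_MONTH) -> str:
    """Map a calendar date to a label such as 'FY15Q2'."""
    months_into_fy = (d.month - fy_start_month) % 12
    quarter = months_into_fy // 3 + 1
    fy = d.year + 1 if (fy_start_month != 1 and d.month >= fy_start_month) else d.year
    return f"FY{fy % 100:02d}Q{quarter}"


# Constructed portfolio; the deck's footnote requires it to be known,
# classified and risk-ranked before objectives are designed.
PORTFOLIO = {
    "payments-api": "Business Critical",
    "hr-portal": "Business Critical",
    "intranet-wiki": "Internal",
}

# Constructed assessment and finding records; not real scan output.
ASSESSMENTS = [
    ("payments-api", date(2015, 2, 1)),
    ("hr-portal", date(2015, 5, 18)),
    ("intranet-wiki", date(2015, 6, 1)),
]
FINDINGS = [
    Finding("payments-api", "Critical", date(2015, 2, 3)),
    Finding("payments-api", "High", date(2015, 2, 10)),
    Finding("hr-portal", "High", date(2015, 5, 20)),
    Finding("hr-portal", "Critical", date(2015, 6, 1)),
    Finding("intranet-wiki", "Critical", date(2015, 6, 2)),  # out of SG-3 scope
    Finding("payments-api", "Medium", date(2015, 8, 15)),    # not a tracked severity
    Finding("hr-portal", "High", date(2015, 8, 16)),
]

# Traceability chain from the SG-3 table, plus one constructed metric that
# no objective asked for.
GOALS = {"SG-3": "Proactively identify security risk in Business Critical applications"}
OBJECTIVES = {f"SO-3.{i}": "SG-3" for i in range(1, 6)}  # objective -> goal
METRICS = {
    "SM-3.5.1": "SO-3.5",      # # of Critical findings [q]
    "SM-3.5.2": "SO-3.5",      # # of High findings [q]
    "SM-scans-run": "SO-9.9",  # constructed: points at an objective that does not exist
}


def untraced_metrics(metrics=METRICS, objectives=OBJECTIVES, goals=GOALS):
    """Return metric ids that do not chain metric -> objective -> goal."""
    return sorted(m for m, so in metrics.items()
                  if objectives.get(so) not in goals)


def quarterly_counts(findings=FINDINGS, portfolio=PORTFOLIO,
                     classification="Business Critical"):
    """SM-3.5.1 / SM-3.5.2: Critical and High findings per fiscal quarter,
    scoped to applications carrying the given portfolio classification."""
    counts = defaultdict(Counter)
    for f in findings:
        if portfolio.get(f.app) != classification:
            continue  # outside the goal's scope, so not counted
        if f.severity in ("Critical", "High"):
            counts[fiscal_quarter(f.found)][f.severity] += 1
    return {q: dict(c) for q, c in sorted(counts.items())}


def baseline_coverage(assessments=ASSESSMENTS, portfolio=PORTFOLIO,
                      deadline="FY15Q2", classification="Business Critical"):
    """SO-3.1 KPI: share of in-scope applications assessed at least once by
    the deadline quarter. Labels compare as strings, which is safe while they
    share the FYyyQn shape within one century."""
    in_scope = {app for app, c in portfolio.items() if c == classification}
    assessed = {app for app, d in assessments
                if app in in_scope and fiscal_quarter(d) <= deadline}
    return len(assessed) / len(in_scope) if in_scope else 0.0


if __name__ == "__main__":
    print("untraced metrics:", untraced_metrics())
    print("SM-3.5.x by quarter:", quarterly_counts())
    print("SO-3.1 baseline coverage by FY15Q2:", baseline_coverage())
```

Running it reports `SM-scans-run` as the metric to drop, the Critical/High counts for FY15Q2 through FY15Q4 restricted to Business Critical applications, and a baseline coverage of 0.5 by FY15Q2 (one of the two in-scope applications was assessed in time), which is the kind of time-bound KPI the objective SO-3.1 calls for.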
Summary
• Anchor your security program to the business
• Develop security goals that directly support the business goals
• Strategies are used to achieve goals; develop a strategy
• Goals must have supporting objectives; some may be long-lived
• Never use a metric that does not support an objective; it will be interesting at best, but will not add value to your program
• Report your progress to maintain program justification & budget
• Adjust the strategy as business goals, threats and risks change
hp.com/go/fortifyssa
Q&A