OWASP Application Security Guide For CISOs Project

=Main=



{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 * valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

OWASP Application Security Guide For CISOs
Among application security stakeholders, Chief Information Security Officers (CISOs) are responsible for application security from governance, compliance and risk perspectives. The Application Security Guide For CISOs seeks to help CISOs manage application security programs according to CISO roles, responsibilities, perspectives and needs. Application security best practices and OWASP resources are referenced throughout this guide.

Introduction
The purpose of this document is to guide the CISO in managing application security from initial problem statement to delivery of the solution. We start this journey with the creation of the business cases for investing in application security following with the awareness of threats targeting applications, the identification of the economical impacts, the determination of a risk mitigation strategy, the prioritization of the mitigation of the risk of vulnerabilities, the selection of security control measures to mitigate risks, the adoption of secure software development processes and maturity models and we conclude this journey with the selection of metrics for reporting and managing application security risk.

Objectives
The guide assists CISOs manage application security risks by considering the exposure from emerging threats and compliance requirements. The objectives of this guide are to help:
 * Make application security visible to CISOs
 * Assure compliance of applications with security regulations for privacy, data protection and information security
 * Prioritize vulnerability remediation based upon risk exposure to the business
 * Provide guidance for building and managing application security processes
 * Analyze cyber-threats against applications and identify countermeasures
 * Institute application security training for developers and managers
 * Measure and manage application security risks and processes

Licensing
The OWASP Application Security Guide For CISOs is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.


 * valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

Core Content
The CISO guide includes:


 * Part I: Reasons for Investing in Application Security
 * Part II: Criteria for Managing Application Security Risks
 * Part III: Application Security Program
 * Part IV: Metrics For Managing Risks & Application Security Investments

Presentation


[[Media:OWASP-NYC-CISO-Guidevs1.pptx|PPTX]] presentation given at OWASP NYC U.S.A. Chapter Meeting on 15 November 2012

Project Leader
Marco Morana

Related Projects

 * CISO Survey
 * Software Assurance Maturity Model


 * valign="top" style="padding-left:25px;width:200px;" |

Quick Access

 * Application Security Guide For CISOs (v1.5 EN HTML)

News and Events

 * [20 Nov 2013] The CISO Guide will be at AppSec USA
 * [15 Oct 2013] Project pages refreshed
 * [01 Sep 2013] Review and editing underway
 * [16 Nov 2012] Presentation at OWASP Atlanta
 * [15 Nov 2012] Presentation at OWASP NYC
 * [02 Nov 2012] Presentation at Italy OWASP Day

In Print
This project can be purchased as a print on demand book from Lulu.com (in late November 2013)

Classifications

 * }

= Acknowledgements =

Volunteers
The Application Security Guide For CISOs Project was authored, edited and reviewed by a worldwide team of volunteers. The primary contributors to date have been:


 * Tobias Gondrom
 * Eoin Keary
 * Andy Lewis
 * Marco Morana
 * Stephanie Tan
 * Colin Watson

= Road Map and Getting Involved = As of 1 October 2013, the priorities are:
 * Review and edit dtaft text
 * Update references to CISO Survey data
 * Obtain help to create new diagrams
 * Convert into a printable book

Involvement in the development and promotion of XXX is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help:
 * Review the text
 * Graphical design for the book cover and diagrams

=Project About=