CISO AppSec Guide v2: Introduction

< Back to the Application Security Guide For CISOs V2

= Introduction =

Chief Information Security Officers (CISOs) and SecDevOps managers that look for guidance for the initiation, creation and management of new application security programs and initiatives within their organisation as well as for improvements of existing processes, standards, training and tools can benefit by reading this guide.

OWASP resources such as documentation the can be used for creating standards, conduct application security assessments, develop training modules for software developers as well as tools for security testing of web application vulnerabilities are referenced throughout this guide.

This guide is written in alignment of OWASP mission main goal that is "making application security visible and empowering application security stakeholders with the right information for managing application security risks".

Scope
The scope of this guide is application security and the security of the components of the application architecture such as clients, servers, databases, services, software components and libraries. This scope of this guide does not cover other aspects that are essential to the security of the application such as network and infrastructure security.

Objectives
The guide assists CISOs and SecDevOps in managing application security through the phases of the application program life-cycle that are initiation, creation, management and process improvements. Tactical guidance is provided in the following aspects:
 * Assure compliance of applications with security regulations for privacy, data protection and information security
 * Leverage OWASP resources such as project documentation and tools
 * Manage application security from perspective or people/training, processes and tools/technologies
 * Manage application vulnerability risks and remediation based upon risk exposure to the business
 * Create awareness on cyber-threats targeting applications to focus on countermeasures
 * Operationalise application security assessments and provide support to development teams for continuous software security development and testing
 * Integration of existing applications with emerging technologies such as API, micro-services, cloud, virtualisation, biometrics
 * Alignment of application security strategy with business and IT strategy
 * Focus on process automation and process improvements
 * Be an agent of change in challenging corporate environments and trigger appropriate responses
 * Asking the right questions to gain visibility across the organisation (who does what questions)
 * Proactive risk management strategies
 * Capture lesson learned from past security incidents/data breaches
 * Setting roadmaps for process improvements

Target Audience

 * Chief Information Security Officers (CISOs)
 * Security Development Operation (SecDevOps) Managers