OWASP Application Security Guide For CISOs Project v2

=Main=

 

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 * valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

OWASP Application Security Guide For CISOs (Version 2 - 2018 Edition)
Among application security stakeholders, Chief Information Security Officers (CISOs),are responsible for application security from governance, compliance and risk perspectives. The Application Security Guide For CISOs seeks to help CISOs manage application security programs according to their own roles, responsibilities, perspectives and needs. Application security best practices and OWASP resources are referenced throughout the guide.

Introduction
The purpose of this document is to guide the CISO in managing application security from initial problem statement to delivery of the solution. We start this journey in part I by providing guidance on how to start an application security initiative such as with the creation of the business cases for investing in application security following with awareness of threats targeting applications. In part II we focus on how to create an application security program including the adoption of secure software development activities, application security tools and secure code training for developers. In part III we focus on managing application security from both program execution as well as from risk management strategy perspectives including the mitigation of the risk of vulnerabilities and the metrics and reporting them based upon risk and exposure. In part IV we focus on process improvements such as the use of software maturity models and the lesson learned from security incidents whose root causes might have been identified in exploit of application vulnerabilities.

Objectives
The guide assists CISOs on how to manage application security through the phases of initiation, creation, management and process improvements. Tactical guidance is provided in the following aspects:
 * Assure compliance of applications with security regulations for privacy, data protection and information security
 * Leverage OWASP resources such as project documentation and tools
 * Manage application security from perspective or people/training, processes and tools/technologies
 * Manage application vulnerability risks and remediation based upon risk exposure to the business
 * Create awareness on cyber-threats targeting applications to focus on countermeasures
 * Operationalise application security assessments and provide support to development teams for continuous software security development and testing
 * Integration of existing applications with emerging technologies such as API, micro-services, cloud, virtualisation, biometrics
 * Alignment of application security strategy with business and IT strategy
 * Focus on process automation and process improvements
 * Be an agent of change in challenging corporate environments and trigger appropriate responses
 * Asking the right questions to gain visibility across the organisation (who does what questions)
 * Proactive risk management strategies
 * Capture lesson learned from past security incidents/data breaches
 * Setting roadmaps for process improvements

Licensing
The OWASP Application Security Guide For CISOs is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

&copy; OWASP Foundation


 * valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

Core Content
The guide provide guidance to CISO to start, create, manage and improve Application Security Programs. The contents are articulated in (four) parts:
 * Part I: "How To" Start
 * Part II: "How To" Create
 * Part III: "How To" Manage
 * Part IV: "How To" Improve

Presentation


[[Media:OWASP-NYC-CISO-Guidevs1.pptx|PPTX]] presentation given at 2017 OWASP AppSec U.S.A.

Project Leader
Marco Morana

Related Projects

 * CISO Survey
 * Software Assurance Maturity Model


 * valign="top" style="padding-left:25px;width:200px;" |

Quick Access

 * Application Security Guide For CISOs v1.0 EN
 * HTML
 * PDF
 * Hardcopy

News and Events

 * [20 Nov 2013] The CISO Guide and CISO Survey 2013 will be presented at AppSec USA
 * [07 Nov 2013] Version 1.0 (stable) issued

In Print


This project can be purchased as a print on demand book from Lulu.com.

Classifications

 * }

= Acknowledgements =

Volunteers
The Application Security Guide For CISOs Project was authored, edited and reviewed by a worldwide team of volunteers. The primary contributors to date have been:


 * Tobias Gondrom
 * Eoin Keary
 * Andy Lewis
 * Marco Morana
 * Stephanie Tan
 * Colin Watson

= Road Map and Getting Involved = As of 8 November 2013, the priorities are:
 * Announce and promote v1.0 at AppSec USA
 * Gain support and additional contributors
 * Translate book

Involvement in the development and promotion of the CISO Guide is actively encouraged. You do not have to be a security expert in order to contribute. Some of the ways you can help:
 * Review the text
 * Graphical design for the book cover and diagrams

Please participate through the project's mailing list.

= Releases =

Current version
v1.0 (Stable)
 * EN
 * HTML
 * PDF
 * Hardcopy

Previous versions
Pre 1.0 versions (alpha and betas) are in the wiki page history at https://www.owasp.org/index.php/Application_Security_Guide_For_CISOs and sub-pages beginning in August 2011.

= Project About =