OWASP Application Security Guide For CISOs Project v2
OWASP Application Security Guide For CISOs (Version 2 - 2018 Edition)
Among application security stakeholders, Chief Information Security Officers (CISOs),are responsible for application security from governance, compliance and risk perspectives. The Application Security Guide For CISOs seeks to help CISOs manage application security programs according to their own roles, responsibilities, perspectives and needs. Application security best practices and OWASP resources are referenced throughout the guide.
The purpose of this document is to guide CISOs and managers of security DevOps in managing application security from initial problem statement to delivery of the solution. We start this journey in part I by providing guidance on how to start an application security initiative such as with the creation of the business cases for investing in application security following with awareness of threats targeting applications. In part II we focus on how to create an application security program including the adoption of secure software development activities, application security tools and secure code training for developers. In part III we focus on managing application security from both program execution as well as from risk management strategy perspectives including the mitigation of the risk of vulnerabilities and the metrics and reporting them based upon risk and exposure. In part IV we focus on process improvements such as the use of software maturity models and the lesson learned from security incidents whose root causes might have been identified in exploit of application vulnerabilities.
The guide assists CISOs on how to manage application security through the phases of initiation, creation, management and process improvements. Tactical guidance is provided in the following aspects:
The OWASP Application Security Guide For CISOs is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
© OWASP Foundation
The guide provide guidance to CISO to start, create, manage and improve Application Security Programs. The contents are articulated in (four) parts:
Presentation given at OWASP AppSec USA 2017 Project Meeting
News and Events
We are currently assembly a team of volunteers to author, edit and review the guide version 2. List of names will be updated soon
- We rebooted the project (at AppSec USA 2017 Project Summit) create new version 2, wiki, GitHub repository
- We reactivated OWASP CISO mailing list
- We have created the stub for version 2 and structured the contents in four parts
Next steps are:
- Develop the contents: as was discussed at OWASP Summit in London in June 2017
- Create a mini 2018 CISO Survey to socialize with CISOs at CISO summits using Survey Monkey lists
The main goal is to produce a draft by 30/3/2018 and a reviewed version by end of June 2018
Involvement in the development and promotion of the CISO Guide is actively encouraged. You do not have to be a security expert in order to contribute. Some of the ways you can help:
- Develop the new contents
- Update the old contents
- Review the text
- Help with graphical design for the book and the diagrams
- Help to create the mini CISO survey linked to the CISO web page
Please participate through the project's mailing list.
Pre 1.0 versions (alpha and betas) are in the wiki page history at https://www.owasp.org/index.php/Application_Security_Guide_For_CISOs and sub-pages beginning in August 2011.
|what||is this project?|
|Name: OWASP Application Security Guide For CISOs Project (home page)|
Draft Version: More info about this project can be found in the introductory page of the guide Application Security Guide For CISOs
|License: Creative Commons Attribution Share Alike 3.0|
|who||is working on this project?|
| Project Leader(s):
|how||can you learn more?|
|Project Pamphlet: Not Yet Created|
|Project Presentation: View|
|Mailing list: Mailing List Archives|
|Project Roadmap: View|