CISO AppSec Guide: Introduction
Among application security stakeholders, Chief Information Security Officers (CISOs) are responsible for application security from governance, compliance and risk perspectives. This guide seeks to help CISOs manage application security programs according to CISO roles, responsibilities, perspectives and needs. Application security best practices and OWASP resources are referenced throughout this guide. OWASP is a non profit organization whose mission is "making application security visible and empowering application security stakeholders with the right information for managing application security risks".
This CISO guide is written to help CISOs that are responsible for managing application security programs from the information security and risk management perspectives. From the information security perspective, there is a need to protect the organization assets such as the citizen/client/customer sensitive data, the databases where this data is stored, the network infrastructure where the database servers reside and last but not least the applications and software used to access and process this data. Among the assets that CISOs seek to protect, besides business and user data there are also applications and software as a whole since these might provide business critical functions to customers that generate revenues for the organization. Examples include applications and software that provide customers with business services as well as applications and software that are sold as products to the clients. In the case when software application are considered information assets to protect. Since both directly or indirectly provide services to citizens/clients/customers, application security should receive a specific focus in human resources, training, processes, standards and tools. The scope of this guide is the security of software applications and the security of the related infrastructure such as the security of web servers, application servers and databases. This does not include other aspects of security that are not specifically related to the specific application, such as the security of the network infrastructure that supports the applications and constitutes a valued asset whose security properties such as confidentiality, integrity and availability need to be protected as well.
This guide helps CISOs manage application security risks by considering the exposure from emerging threats and compliance requirements. This guide helps:
- Make application security visible to CISOs
- Assure compliance of applications with security regulations for privacy, data protection and information security
- Prioritize vulnerability remediation based upon risk exposure to the business
- Provide guidance for building and managing application security processes
- Analyze cyber-threats against applications and identify countermeasures
- Institute application security training for developers and managers
- Measure and manage application security risks and processes
- Chief Information Security Officers (CISOs)
- Senior security management
- Senior technology management