Difference between revisions of "CISO AppSec Guide: Quick Reference to OWASP Guides & Projects"

From OWASP
m (Appendix I-D: Quick Reference to OWASP Guides & Projects: Typo correction)
(Removed old image / Text alignment in table / Removed section numbers in CISO Guide references)
Line 9: Line 9:
 
* Check for other OWASP projects
 
* Check for other OWASP projects
  
{| class="prettytable FCK__ShowTableBorders"
+
{| class="prettytable FCK__ShowTableBorders" align="top"
 
|-
 
|-
 
! CISO Function
 
! CISO Function
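Review bot: `align="top"` on the `{|` table tag is not a valid table alignment value (the attribute only takes left, center or right), so browsers will ignore it; the `valign="top"` added to the individual cells in the later hunks is what actually produces the intended top alignment, so the table-level attribute can simply be dropped.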
Line 16: Line 16:
 
! OWASP Projects
 
! OWASP Projects
 
|-
 
|-
| Develop and implement policies, standards and guidelines for application security
+
| valign="top" width="25%" | Develop and implement policies, standards and guidelines for application security
| Standards and Policies
+
| valign="top" width="10%" | Standards and Policies
| Part I - Section 4.2 "Application Security Standards, Policies and Compliance"
+
| valign="top" width="40%" | Part I - "Application Security Standards, Policies and Compliance"
|  
+
| valign="top" width="25%" |  
 
* Development Guide - Policy Frameworks
 
* Development Guide - Policy Frameworks
 
* CLASP - Identify Global Security Policy
 
* CLASP - Identify Global Security Policy
Line 25: Line 25:
 
* Code Review - Code Reviews and Compliance
 
* Code Review - Code Reviews and Compliance
 
|-
 
|-
| Develop, implement and manage application security governance
+
| valign="top" | Develop, implement and manage application security governance
| Governance
+
| valign="top" | Governance
| Part III - Section 6.2.1 "Application Security Governance, Risk and Compliance"
+
| valign="top" | Part III - "Application Security Governance, Risk and Compliance"
|
+
| valign="top" |  
 
* SAMM - Governance
 
* SAMM - Governance
 
|-
 
|-
| Develop and implement software security development and security testing processes
+
| valign="top" | Develop and implement software security development and security testing processes
| Security Engineering Processes
+
| valign="top" | Security Engineering Processes
| Part III - Section 6.3 "Targeting Software Security Activities and S-SDLC processes"
+
| valign="top" | Part III - "Targeting Software Security Activities and S-SDLC processes"
  
Part III - Section 6.4 "How to Choose the Right OWASP projects and Tools for Your Organization"
+
Part III - "How to Choose the Right OWASP projects and Tools for Your Organization"
|  
+
| valign="top" |  
 
* Development Guide
 
* Development Guide
 
* Code Review Guide
 
* Code Review Guide
Line 46: Line 46:
 
* Application Security Verification Standards
 
* Application Security Verification Standards
 
|-
 
|-
| Develop, articulate and implement a risk management strategy for applications
+
| valign="top" | Develop, articulate and implement a risk management strategy for applications
| Risk Strategy
+
| valign="top" | Risk Strategy
| Part I - Section 4.3 "Risk Assessment and Measurement"
+
| valign="top" | Part I - "Risk Assessment and Measurement"
|  
+
| valign="top" |  
 
* SAMM - Strategy & Metrics
 
* SAMM - Strategy & Metrics
 
|-
 
|-
| Work with executive management, business managers and internal audit and legal counsel to define application security requirements that can be verified and audited
+
| valign="top" | Work with executive management, business managers and internal audit and legal counsel to define application security requirements that can be verified and audited
| Audit & Compliance
+
| valign="top" | Audit & Compliance
| Part II - Section 4.2.2 "Capturing Application Security Requirements"
+
| valign="top" | Part II - "Capturing Application Security Requirements"
  
Part III - Section 6.2 "Addressing CISO's Application Security Functions"
+
Part III - "Addressing CISO's Application Security Functions"
|  
+
| valign="top" |  
* Application Security Verification Standards - All
+
* Application Security Verification Standards  
 
* CLASP - Document Security-Relevant Requirements
 
* CLASP - Document Security-Relevant Requirements
 
* SAMM - Security Requirements
 
* SAMM - Security Requirements
 
* Testing Guide - Security Requirements Test Derivation
 
* Testing Guide - Security Requirements Test Derivation
* Cornucopia - All
+
* Cornucopia
 
* Legal - Secure Software Contract Annex
 
* Legal - Secure Software Contract Annex
 
|-
 
|-
| Measure and monitor security and risks of application assets within the organization
+
| valign="top" | Measure and monitor security and risks of application assets within the organization
| Risk Metrics & Monitoring
+
| valign="top" | Risk Metrics & Monitoring
| Part IV - Section 7 "Selection of Metrics for Managing Risks & Application Security Investments"
+
| valign="top" | Part IV - "Selection of Metrics for Managing Risks & Application Security Investments"
 
|  
 
|  
* Applications Security Metrics - All
+
* Application Security Metrics
 
* CLASP - Define and Monitor Metrics
 
* CLASP - Define and Monitor Metrics
 +
* SAMM
 
|-
 
|-
| Define, identify and assess the inherent security of critical application assets, assess the threats, vulnerabilities, business impacts and recommend countermeasurers/corrective actions
+
| valign="top" | Define, identify and assess the inherent security of critical application assets, assess the threats, vulnerabilities, business impacts and recommend countermeasurers/corrective actions
| Risk Analysis & Management
+
| valign="top" | Risk Analysis & Management
| Part I - Section 4.3 "Risk Assessment and Management"
+
| valign="top" | Part I - "Risk Assessment and Management"
  
Part II Section 5 "Selection of Application Security Measures"
+
Part II "Selection of Application Security Measures"
  
Part III Section 6 "Selection of Application Security Processes"
+
Part III Selection of Application Security Processes"
|  
+
| valign="top" |  
 
* OWASP Top Ten Risks
 
* OWASP Top Ten Risks
 
* Testing Guide - Threat Modelling
 
* Testing Guide - Threat Modelling
 
* Development Guide - Threat Risk Modelling
 
* Development Guide - Threat Risk Modelling
 
* Code Review Guide - Application Threat Modelling
 
* Code Review Guide - Application Threat Modelling
* Cornucopia - All
+
* Cornucopia
 
|-
 
|-
| Assess procurement of new application processes, services, technologies and security tools
+
| valign="top" | Assess procurement of new application processes, services, technologies and security tools
|Procurement
+
| valign="top" | Procurement
| Part III - Section 6.3.2 "Integrating Risk Management as part of the SDLC"
+
| valign="top" | Part III - "Integrating Risk Management as part of the SDLC"
|  
+
| valign="top" |  
 
* Legal - Secure Software Contract Annex
 
* Legal - Secure Software Contract Annex
 
* Tools projects
 
* Tools projects
 
|-
 
|-
| Oversee the training on application security for development, operational and information security teams
+
| valign="top" | Oversee the training on application security for development, operational and information security teams
| Security Training
+
| valign="top" | Security Training
| Part III Section 6.3.3 "Security in SDLC Methodologies"
+
| valign="top" | Part III - "Security in SDLC Methodologies"
  
Part IV Section 6.3.4 "Software Assurance Maturity Models"
+
Part IV Section "Software Assurance Maturity Models"
|  
+
| valign="top" |  
 
* Education
 
* Education
 
* Training Modules / Conference Videos
 
* Training Modules / Conference Videos
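Review bot: several small inconsistencies remain in this hunk. The fourth cell of the "Risk Metrics & Monitoring" row is left as a bare `|` while every other row in the table now gets `| valign="top" |`, so that one cell will not be top-aligned. The third reference of the "Risk Analysis & Management" row loses its opening quote: `Part III Selection of Application Security Processes"` should read `Part III - "Selection of Application Security Processes"`, and the preceding `Part II "Selection of Application Security Measures"` should take the same ` - ` separator used everywhere else. In the "Security Training" row, `Part IV Section "Software Assurance Maturity Models"` keeps the word `Section` after the number was removed, and it is placed in Part IV while the previous line of the same cell (formerly 6.3.3, now `Part III - "Security in SDLC Methodologies"`) is in Part III; the old numbering 6.3.3 / 6.3.4 suggests both belong to the same part, so worth confirming before the numbers are gone. Finally, the typo `countermeasurers` in the "Risk Analysis & Management" function text survives the edit and should be `countermeasures`.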
Line 104: Line 105:
 
* CLASP - Institute Security Awareness Program
 
* CLASP - Institute Security Awareness Program
 
|-
 
|-
| Develop, articulate and implement continuity planning/disaster recovery
+
| valign="top" | Develop, articulate and implement continuity planning/disaster recovery
| Business Continuity / Disaster Recovery
+
| valign="top" | Business Continuity / Disaster Recovery
| Part IV Section 6.2 "Addressing CISO's Application Security Functions"
+
| valign="top" | Part IV - Addressing CISO's Application Security Functions"
|
+
| valign="top" |
 +
* -
 
|-
 
|-
| Investigate and analyse suspected and actual application security incidents and recommend corrective actions
+
| valign="top" | Investigate and analyse suspected and actual application security incidents and recommend corrective actions
| Incident Response
+
| valign="top" | Incident Response
| Part IV Section 6.2 "Addressing CISO's Application Security Functions"
+
| valign="top" | Part IV - "Addressing CISO's Application Security Functions"
|  
+
| valign="top" |  
 
* .NET Incident Response
 
* .NET Incident Response
 
* CLASP - Manage Security Issue Disclosure Process
 
* CLASP - Manage Security Issue Disclosure Process
 
|}
 
|}
 
[[ File:CISO_OWASP_role_mapping.jpg]]
 
  
 
[[Category:OWASP_Application_Security_Guide_For_CISO_Project]]
 
[[Category:OWASP_Application_Security_Guide_For_CISO_Project]]
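Review bot: the "Business Continuity / Disaster Recovery" reference loses its opening quote, `Part IV - Addressing CISO's Application Security Functions"` should read `Part IV - "Addressing CISO's Application Security Functions"`. Both this row and the "Incident Response" row cite "Addressing CISO's Application Security Functions" as Part IV, while the "Audit & Compliance" row in the earlier hunk cites the same section title (formerly Section 6.2) as Part III; one of these is wrong and should be reconciled now that the section numbers no longer disambiguate them. The added `* -` placeholder in the BC/DR projects cell renders as a list item containing only a dash; leaving the cell empty, or stating that no OWASP project is mapped yet, would read more clearly.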

Revision as of 09:15, 20 October 2013


Appendix I-D: Quick Reference to OWASP Guides & Projects

This quick reference maps typical CISO functions and information security domains to the relevant sections of the OWASP CISO Guide and to the relevant OWASP projects.

To do:

  • Check cross-references back to other parts of the guide and add links/anchors
  • Check for other OWASP projects
Each entry below gives the four columns of the reference table: CISO Function, Security Domain, OWASP CISO Guide section, and OWASP Projects.

CISO Function: Develop and implement policies, standards and guidelines for application security
Security Domain: Standards and Policies
OWASP CISO Guide: Part I - "Application Security Standards, Policies and Compliance"
OWASP Projects:
  • Development Guide - Policy Frameworks
  • CLASP - Identify Global Security Policy
  • SAMM - Policy & Compliance
  • Code Review - Code Reviews and Compliance

CISO Function: Develop, implement and manage application security governance
Security Domain: Governance
OWASP CISO Guide: Part III - "Application Security Governance, Risk and Compliance"
OWASP Projects:
  • SAMM - Governance

CISO Function: Develop and implement software security development and security testing processes
Security Domain: Security Engineering Processes
OWASP CISO Guide: Part III - "Targeting Software Security Activities and S-SDLC processes"; Part III - "How to Choose the Right OWASP projects and Tools for Your Organization"
OWASP Projects:
  • Development Guide
  • Code Review Guide
  • Secure Coding Practices Checklist
  • Testing Guide
  • CLASP
  • SAMM
  • Security Tools for Developers
  • Application Security Verification Standards

CISO Function: Develop, articulate and implement a risk management strategy for applications
Security Domain: Risk Strategy
OWASP CISO Guide: Part I - "Risk Assessment and Measurement"
OWASP Projects:
  • SAMM - Strategy & Metrics

CISO Function: Work with executive management, business managers and internal audit and legal counsel to define application security requirements that can be verified and audited
Security Domain: Audit & Compliance
OWASP CISO Guide: Part II - "Capturing Application Security Requirements"; Part III - "Addressing CISO's Application Security Functions"
OWASP Projects:
  • Application Security Verification Standards
  • CLASP - Document Security-Relevant Requirements
  • SAMM - Security Requirements
  • Testing Guide - Security Requirements Test Derivation
  • Cornucopia
  • Legal - Secure Software Contract Annex

CISO Function: Measure and monitor security and risks of application assets within the organization
Security Domain: Risk Metrics & Monitoring
OWASP CISO Guide: Part IV - "Selection of Metrics for Managing Risks & Application Security Investments"
OWASP Projects:
  • Application Security Metrics
  • CLASP - Define and Monitor Metrics
  • SAMM

CISO Function: Define, identify and assess the inherent security of critical application assets, assess the threats, vulnerabilities and business impacts, and recommend countermeasures/corrective actions
Security Domain: Risk Analysis & Management
OWASP CISO Guide: Part I - "Risk Assessment and Management"; Part II - "Selection of Application Security Measures"; Part III - "Selection of Application Security Processes"
OWASP Projects:
  • OWASP Top Ten Risks
  • Testing Guide - Threat Modelling
  • Development Guide - Threat Risk Modelling
  • Code Review Guide - Application Threat Modelling
  • Cornucopia

CISO Function: Assess procurement of new application processes, services, technologies and security tools
Security Domain: Procurement
OWASP CISO Guide: Part III - "Integrating Risk Management as part of the SDLC"
OWASP Projects:
  • Legal - Secure Software Contract Annex
  • Tools projects

CISO Function: Oversee the training on application security for development, operational and information security teams
Security Domain: Security Training
OWASP CISO Guide: Part III - "Security in SDLC Methodologies"; Part IV - "Software Assurance Maturity Models"
OWASP Projects:
  • Education
  • Training Modules / Conference Videos
  • Application Security FAQ
  • CLASP - Institute Security Awareness Program

CISO Function: Develop, articulate and implement continuity planning/disaster recovery
Security Domain: Business Continuity / Disaster Recovery
OWASP CISO Guide: Part IV - "Addressing CISO's Application Security Functions"
OWASP Projects:
  • -

CISO Function: Investigate and analyse suspected and actual application security incidents and recommend corrective actions
Security Domain: Incident Response
OWASP CISO Guide: Part IV - "Addressing CISO's Application Security Functions"
OWASP Projects:
  • .NET Incident Response
  • CLASP - Manage Security Issue Disclosure Process