Difference between revisions of "CISO AppSec Guide: Quick Reference to OWASP Guides & Projects"

From OWASP
(Removed old image / Text alignment in table / Removed section numbers in CISO Guide references)
(Changed I-A and I-B to just A and B)
Revision as of 09:19, 20 October 2013


Appendix B: Quick Reference to OWASP Guides & Projects

This quick reference maps typical CISO functions and information security domains to the relevant sections of the OWASP CISO Guide and to the OWASP projects that support each function.

To do:

  • Check cross-references back to other parts of the guide and add links/anchors
  • Check for other OWASP projects
The table has four columns: CISO Function, Security Domain, OWASP CISO Guide (the section of this guide that covers the function) and OWASP Projects (the projects and guides that support it). Each entry below is one row of the table.

CISO Function: Develop and implement policies, standards and guidelines for application security
Security Domain: Standards and Policies
OWASP CISO Guide: Part I - "Application Security Standards, Policies and Compliance"
OWASP Projects:
  • Development Guide - Policy Frameworks
  • CLASP - Identify Global Security Policy
  • SAMM - Policy & Compliance
  • Code Review Guide - Code Reviews and Compliance

CISO Function: Develop, implement and manage application security governance
Security Domain: Governance
OWASP CISO Guide: Part III - "Application Security Governance, Risk and Compliance"
OWASP Projects:
  • SAMM - Governance

CISO Function: Develop and implement software security development and security testing processes
Security Domain: Security Engineering Processes
OWASP CISO Guide: Part III - "Targeting Software Security Activities and S-SDLC Processes"; Part III - "How to Choose the Right OWASP Projects and Tools for Your Organization"
OWASP Projects:
  • Development Guide
  • Code Review Guide
  • Secure Coding Practices Checklist
  • Testing Guide
  • CLASP
  • SAMM
  • Security Tools for Developers
  • Application Security Verification Standard (ASVS)

CISO Function: Develop, articulate and implement a risk management strategy for applications
Security Domain: Risk Strategy
OWASP CISO Guide: Part I - "Risk Assessment and Measurement"
OWASP Projects:
  • SAMM - Strategy & Metrics

CISO Function: Work with executive management, business managers, internal audit and legal counsel to define application security requirements that can be verified and audited
Security Domain: Audit & Compliance
OWASP CISO Guide: Part II - "Capturing Application Security Requirements"; Part III - "Addressing CISO's Application Security Functions"
OWASP Projects:
  • Application Security Verification Standard (ASVS)
  • CLASP - Document Security-Relevant Requirements
  • SAMM - Security Requirements
  • Testing Guide - Security Requirements Test Derivation
  • Cornucopia
  • Legal - Secure Software Contract Annex

CISO Function: Measure and monitor security and risks of application assets within the organization
Security Domain: Risk Metrics & Monitoring
OWASP CISO Guide: Part IV - "Selection of Metrics for Managing Risks & Application Security Investments"
OWASP Projects:
  • Application Security Metrics
  • CLASP - Define and Monitor Metrics
  • SAMM

CISO Function: Define, identify and assess the inherent security of critical application assets; assess the threats, vulnerabilities and business impacts; and recommend countermeasures/corrective actions
Security Domain: Risk Analysis & Management
OWASP CISO Guide: Part I - "Risk Assessment and Management"; Part II - "Selection of Application Security Measures"; Part III - "Selection of Application Security Processes"
OWASP Projects:
  • OWASP Top Ten Risks
  • Testing Guide - Threat Modelling
  • Development Guide - Threat Risk Modelling
  • Code Review Guide - Application Threat Modelling
  • Cornucopia

CISO Function: Assess procurement of new application processes, services, technologies and security tools
Security Domain: Procurement
OWASP CISO Guide: Part III - "Integrating Risk Management as Part of the SDLC"
OWASP Projects:
  • Legal - Secure Software Contract Annex
  • Tools projects

CISO Function: Oversee the training on application security for development, operational and information security teams
Security Domain: Security Training
OWASP CISO Guide: Part III - "Security in SDLC Methodologies"; Part IV - "Software Assurance Maturity Models"
OWASP Projects:
  • Education
  • Training Modules / Conference Videos
  • Application Security FAQ
  • CLASP - Institute Security Awareness Program

CISO Function: Develop, articulate and implement continuity planning/disaster recovery
Security Domain: Business Continuity / Disaster Recovery
OWASP CISO Guide: Part IV - "Addressing CISO's Application Security Functions"
OWASP Projects:
  • (none listed)

CISO Function: Investigate and analyse suspected and actual application security incidents and recommend corrective actions
Security Domain: Incident Response
OWASP CISO Guide: Part IV - "Addressing CISO's Application Security Functions"
OWASP Projects:
  • .NET Incident Response
  • CLASP - Manage Security Issue Disclosure Process