Difference between revisions of "CISO AppSec Guide: Quick Reference to OWASP Guides & Projects"

Jump to: navigation, search
Line 48: Line 48:
| valign="top" | Develop, articulate and implement a risk management strategy for applications
| valign="top" | Develop, articulate and implement a risk management strategy for applications
| valign="top" | Risk Strategy
| valign="top" | Risk Strategy
| valign="top" | Part I - 1.4 "Risk Management"
| valign="top" | Part I - 1.4.4 "Risk Management Strategies"  
| valign="top" |  
| valign="top" |  
* SAMM - Strategy & Metrics
* SAMM - Strategy & Metrics

Revision as of 15:32, 23 October 2013

< Back to the Application Security Guide For CISOs

Appendix B: Quick Reference to OWASP Guides & Projects

This quick reference maps typical CISO's functions and information security domains to different sections of the OWASP' CISO Guide and relevant OWASP projects.

To do:

  • Check cross-references back to other parts of guie and add links/anchors
  • Check for other OWASP projects
CISO Function Security Domain OWASP CISO Guide OWASP Projects
Develop and implement policies, standards and guidelines for application security Standards and Policies Part I - Section 1.3 "Information Security Standards, Policies and Compliance"
  • Development Guide - Policy Frameworks
  • CLASP - Identify Global Security Policy
  • SAMM - Policy & Compliance
  • Code Review - Code Reviews and Compliance
Develop, implement and manage application security governance Governance Part III - Section 1.3.1 "Application Security Governance, Risk and Compliance"
  • SAMM - Governance
Develop and implement software security development and security testing processes Security Engineering Processes Part III - Section 1.4 "Targeting Software Security Activities and S-SDLC Processes"

Part III - Section 1.5 "How to Choose the Right OWASP Projects and Tools For Your Organization"

  • Development Guide
  • Code Review Guide
  • Secure Coding Practices Checklist
  • Testing Guide
  • SAMM
  • Security Tools for Developers
  • Application Security Verification Standards
Develop, articulate and implement a risk management strategy for applications Risk Strategy Part I - 1.4.4 "Risk Management Strategies"
  • SAMM - Strategy & Metrics
Work with executive management, business managers and internal audit and legal counsel to define application security requirements that can be verified and audited Audit & Compliance Part I - Section 1.3.2 "Capturing Application Security Requirements"

Part III - "Addressing CISO's Application Security Functions"

  • Application Security Verification Standards
  • CLASP - Document Security-Relevant Requirements
  • SAMM - Security Requirements
  • Testing Guide - Security Requirements Test Derivation
  • Cornucopia
  • Legal - Secure Software Contract Annex
Measure and monitor security and risks of application assets within the organization Risk Metrics & Monitoring Part IV - "Selection of Metrics for Managing Risks & Application Security Investments"
  • Application Security Metrics
  • CLASP - Define and Monitor Metrics
  • SAMM
Define, identify and assess the inherent security of critical application assets, assess the threats, vulnerabilities, business impacts and recommend countermeasurers/corrective actions Risk Analysis & Management Part I - "Risk Assessment and Management"

Part II "Selection of Application Security Measures"

Part III Selection of Application Security Processes"

  • OWASP Top Ten Risks
  • Testing Guide - Threat Modelling
  • Development Guide - Threat Risk Modelling
  • Code Review Guide - Application Threat Modelling
  • Cornucopia
Assess procurement of new application processes, services, technologies and security tools Procurement Part III - "Integrating Risk Management as part of the SDLC"
  • Legal - Secure Software Contract Annex
  • Tools projects
Oversee the training on application security for development, operational and information security teams Security Training Part III - "Security in SDLC Methodologies"

Part IV Section "Software Assurance Maturity Models"

  • Education
  • Training Modules / Conference Videos
  • Application Security FAQ
  • CLASP - Institute Security Awareness Program
Develop, articulate and implement continuity planning/disaster recovery Business Continuity / Disaster Recovery Part IV - Addressing CISO's Application Security Functions"
  • -
Investigate and analyse suspected and actual application security incidents and recommend corrective actions Incident Response Part IV - "Addressing CISO's Application Security Functions"
  • .NET Incident Response
  • CLASP - Manage Security Issue Disclosure Process