Difference between revisions of "CISO AppSec Guide: Quick Reference to OWASP Guides & Projects"

From OWASP
Line 21: Line 21:
 
| valign="top" width="25%" |  
 
| valign="top" width="25%" |  
 
* [https://www.owasp.org/index.php/Policy_Frameworks OWASP Development Guide - Policy Frameworks]
 
* [https://www.owasp.org/index.php/Policy_Frameworks OWASP Development Guide - Policy Frameworks]
* [https://www.owasp.org/index.php/Identify_global_security_policy OWASP CLASP - Identify Global Security Policy]
+
* [https://www.owasp.org/index.php/Identify_global_security_policy CLASP - Identify Global Security Policy]
* [https://www.owasp.org/index.php/SAMM_-_Policy_&_Compliance_-_1 OWASP SAMM - Policy & Compliance]
+
* [https://www.owasp.org/index.php/SAMM_-_Policy_&_Compliance_-_1 SAMM - Policy & Compliance]
* [https://www.owasp.org/index.php/Code_Reviews_and_Compliance OWASP Code Review - Code Reviews and Compliance]
+
* [https://www.owasp.org/index.php/Code_Reviews_and_Compliance Code Review - Code Reviews and Compliance]
 
|-
 
|-
 
| valign="top" | Develop, implement and manage application security governance
 
| valign="top" | Develop, implement and manage application security governance
Line 29: Line 29:
 
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Application_Security_Governance.2C_Risk_and_Compliance Part III - Section 1.3.1 "Application Security Governance, Risk and Compliance"]
 
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Application_Security_Governance.2C_Risk_and_Compliance Part III - Section 1.3.1 "Application Security Governance, Risk and Compliance"]
 
| valign="top" |  
 
| valign="top" |  
* [https://www.owasp.org/index.php/SAMM_-_Governance OWASP SAMM - Governance]
+
* [https://www.owasp.org/index.php/SAMM_-_Governance OSAMM - Governance]
 
|-
 
|-
 
| valign="top" | Develop and implement software security development and security testing processes
 
| valign="top" | Develop and implement software security development and security testing processes
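Review bot: in the Line 29 hunk the relabelled link text "OSAMM - Governance" is inconsistent with the other renamed entries in this revision, which only drop the "OWASP " prefix and leave "SAMM - …" (compare "SAMM - Policy & Compliance" in the Line 21 hunk); this looks like a typo for "SAMM - Governance" and should be corrected before the relabelling lands.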
Line 37: Line 37:
 
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#How_to_Choose_the_Right_OWASP_Projects_and_Tools_For_Your_Organization Part III - Section 1.5 "How to Choose the Right OWASP Projects and Tools For Your Organization"]
 
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#How_to_Choose_the_Right_OWASP_Projects_and_Tools_For_Your_Organization Part III - Section 1.5 "How to Choose the Right OWASP Projects and Tools For Your Organization"]
 
| valign="top" |  
 
| valign="top" |  
* [https://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Development Guide]
+
* [https://www.owasp.org/index.php/Category:OWASP_Guide_Project Development Guide]
* [https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project OWASP Code Review Guide]
+
* [https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project Code Review Guide]
* [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices]
+
* [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide Secure Coding Practices]
* [https://www.owasp.org/index.php/OWASP_Testing_Project OWASP Testing Guide]
+
* [https://www.owasp.org/index.php/OWASP_Testing_Project Testing Guide]
* [https://www.owasp.org/index.php/Category:OWASP_CLASP_Project OWASP Comprehensive Lightweight Application Security Process (CLASP)]
+
* [https://www.owasp.org/index.php/Category:OWASP_CLASP_Project Comprehensive Lightweight Application Security Process (CLASP)]
* [http://www.opensamm.org/ OWASP Software Assurance Maturity Model(SAMM)]
+
* [http://www.opensamm.org/ Software Assurance Maturity Model(SAMM)]
* [https://www.owasp.org/index.php/Appendix_A:_Testing_Tools OWASP Testing Tools]
+
* [https://www.owasp.org/index.php/Appendix_A:_Testing_Tools Testing Tools]
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]
+
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project Application Security Verification Standard Project]
 
|-
 
|-
 
| valign="top" | Develop, articulate and implement a risk management strategy for applications
 
| valign="top" | Develop, articulate and implement a risk management strategy for applications
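Review bot: in the Line 37 hunk the label "Software Assurance Maturity Model(SAMM)" is missing the space before the parenthesis in both the old and the new line; since the line is being rewritten anyway, make it "Software Assurance Maturity Model (SAMM)". Also note that this SAMM entry links to http://www.opensamm.org/ while the other SAMM entries in this revision (Policy & Compliance, Governance) link to owasp.org pages; pick one target for consistency.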
Line 54: Line 54:
 
| valign="top" |  
 
| valign="top" |  
 
* [https://www.owasp.org/index.php/SAMM_-_Strategy_&_Metrics_-_1 OWASP SAMM - Strategy & Metrics]
 
* [https://www.owasp.org/index.php/SAMM_-_Strategy_&_Metrics_-_1 OWASP SAMM - Strategy & Metrics]
* [https://www.owasp.org/index.php/Application_Threat_Modeling#Mitigation_Strategies OWASP - Application Threat Modeling - Risk Mitigation Strategies]
+
* [https://www.owasp.org/index.php/Application_Threat_Modeling#Mitigation_Strategies Application Threat Modeling - Risk Mitigation Strategies]
 
|-
 
|-
 
| valign="top" | Work with executive management, business managers and internal audit and legal counsel to define application security requirements that can be verified and audited
 
| valign="top" | Work with executive management, business managers and internal audit and legal counsel to define application security requirements that can be verified and audited
Line 83: Line 83:
 
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks#Part_II:_Criteria_for_Managing_Application_Security_Risks Part II Criteria for Managing Application Security Risks]
 
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks#Part_II:_Criteria_for_Managing_Application_Security_Risks Part II Criteria for Managing Application Security Risks]
 
|   
 
|   
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten Risks]
+
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project Top Ten Risks]
* [https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology OWASP Risk Rating Methodology]
+
* [https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology Risk Rating Methodology]
* [https://www.owasp.org/index.php/Threat_Risk_Modeling OWASP Threat Risk Modelling]
+
* [https://www.owasp.org/index.php/Threat_Risk_Modeling Threat Risk Modelling]
* [https://www.owasp.org/index.php/Application_Threat_Modeling OWASP Application Threat Modelling]
+
* [https://www.owasp.org/index.php/Application_Threat_Modeling Application Threat Modelling]
 
|-
 
|-
 
| valign="top" | Assess procurement of new application processes, services, technologies and security tools
 
| valign="top" | Assess procurement of new application processes, services, technologies and security tools
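Review bot: in the Line 83 hunk the labels "Threat Risk Modelling" and "Application Threat Modelling" use the British spelling while the linked page titles are Threat_Risk_Modeling and Application_Threat_Modeling; since these labels are being rewritten, align the spelling with the target page titles so the quick reference matches what the reader lands on.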
Line 99: Line 99:
 
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#People.2C_Processes_and_Technology Part III- Section 1.5.3 "People, Processes and Technology"]
 
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#People.2C_Processes_and_Technology Part III- Section 1.5.3 "People, Processes and Technology"]
 
|  
 
|  
* [https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series OWASP Appsec Training Videos]
+
* [https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series Appsec Training Videos]
* [https://www.owasp.org/index.php/Category:OWASP_Video OWASP Conference Videos]
+
* [https://www.owasp.org/index.php/Category:OWASP_Video Conference Videos]
 
* Application Security FAQ
 
* Application Security FAQ
 
* CLASP - Institute Security Awareness Program
 
* CLASP - Institute Security Awareness Program

Revision as of 01:34, 26 October 2013


Appendix B: Quick Reference to OWASP Guides & Projects

This quick reference maps typical CISO functions and information security domains to the relevant sections of the OWASP CISO Guide and to the OWASP projects that support each function.

To do:

  • Check cross-references back to other parts of the guide and add links/anchors
  • Check for other OWASP projects
Each entry below gives the CISO function, its security domain, the matching section(s) of the OWASP CISO Guide, and the OWASP projects that support it.

CISO Function: Develop and implement policies, standards and guidelines for application security
Security Domain: Standards and Policies
OWASP CISO Guide:
  • Part I - Section 1.3 "Information Security Standards, Policies and Compliance"
OWASP Projects:
  • Development Guide - Policy Frameworks
  • CLASP - Identify Global Security Policy
  • SAMM - Policy & Compliance
  • Code Review - Code Reviews and Compliance

CISO Function: Develop, implement and manage application security governance
Security Domain: Governance
OWASP CISO Guide:
  • Part III - Section 1.3.1 "Application Security Governance, Risk and Compliance"
OWASP Projects:
  • SAMM - Governance

CISO Function: Develop and implement software security development and security testing processes
Security Domain: Security Engineering Processes
OWASP CISO Guide:
  • Part III - Section 1.4 "Targeting Software Security Activities and S-SDLC Processes"
  • Part III - Section 1.5 "How to Choose the Right OWASP Projects and Tools For Your Organization"
OWASP Projects:
  • Development Guide
  • Code Review Guide
  • Secure Coding Practices
  • Testing Guide
  • Comprehensive Lightweight Application Security Process (CLASP)
  • Software Assurance Maturity Model (SAMM)
  • Testing Tools
  • Application Security Verification Standard Project

CISO Function: Develop, articulate and implement a risk management strategy for applications
Security Domain: Risk Strategy
OWASP CISO Guide:
  • Part I - Section 1.4.4 "Risk Management Strategies"
  • Part II - "Criteria for Managing Application Security Risks"
OWASP Projects:
  • SAMM - Strategy & Metrics
  • Application Threat Modeling - Risk Mitigation Strategies

CISO Function: Work with executive management, business managers and internal audit and legal counsel to define application security requirements that can be verified and audited
Security Domain: Audit & Compliance
OWASP CISO Guide:
  • Part I - Section 1.3.2 "Capturing Application Security Requirements"
  • Part III - Section 1.3 "Addressing CISO's Application Security Functions"
OWASP Projects:
  • Application Security Verification Standards
  • CLASP - Document Security-Relevant Requirements
  • SAMM - Security Requirements
  • Testing Guide - Security Requirements Test Derivation
  • Cornucopia
  • Legal - Secure Software Contract Annex

CISO Function: Measure and monitor security and risks of application assets within the organization
Security Domain: Risk Metrics & Monitoring
OWASP CISO Guide:
  • Part IV - "Selection of Metrics for Managing Risks & Application Security Investments"
OWASP Projects:
  • Application Security Metrics
  • CLASP - Define and Monitor Metrics
  • SAMM

CISO Function: Define, identify and assess the inherent security of critical application assets, assess the threats, vulnerabilities and business impacts, and recommend countermeasures/corrective actions
Security Domain: Risk Analysis & Management
OWASP CISO Guide:
  • Part I - Section 1.4 "Risk Management"
  • Part II - "Criteria for Managing Application Security Risks"
OWASP Projects:
  • Top Ten Risks
  • Risk Rating Methodology
  • Threat Risk Modelling
  • Application Threat Modelling

CISO Function: Assess procurement of new application processes, services, technologies and security tools
Security Domain: Procurement
OWASP CISO Guide:
  • Part III - Section 1.4.2.1 "Assess Risks before Procurement of Third Party Components"
OWASP Projects:
  • Legal - Secure Software Contract Annex
  • Tools projects

CISO Function: Oversee the training on application security for development, operational and information security teams
Security Domain: Security Training
OWASP CISO Guide:
  • Part III - Section 1.5.3 "People, Processes and Technology"
OWASP Projects:
  • Appsec Training Videos
  • Conference Videos
  • Application Security FAQ
  • CLASP - Institute Security Awareness Program

CISO Function: Develop, articulate and implement continuity planning/disaster recovery
Security Domain: Business Continuity / Disaster Recovery
OWASP CISO Guide:
  • Part IV - "Addressing CISO's Application Security Functions"
OWASP Projects:
  • -

CISO Function: Investigate and analyse suspected and actual application security incidents and recommend corrective actions
Security Domain: Incident Response
OWASP CISO Guide:
  • Part I - Section 1.4.6 "Addressing the Business Concerns after a Security Incident"
OWASP Projects:
  • .NET Incident Response
  • CLASP - Manage Security Issue Disclosure Process