Difference between revisions of "CISO AppSec Guide: Quick Reference to OWASP Guides & Projects"

Line 97: Line 97:
 
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Assess_Risks_before_Procurement_of_Third_Party_Components[Part III - Section 1.4.2.1 "Assess Risks before Procurement of Third Party Components"]
 
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Assess_Risks_before_Procurement_of_Third_Party_Components[Part III - Section 1.4.2.1 "Assess Risks before Procurement of Third Party Components"]
 
| valign="top" |  
 
| valign="top" |  
* [https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex Legal - Secure Software Contract Annex]
+
* [https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex Secure Software Contract Annex]
* [https://www.owasp.org/index.php/How_to_specify_verification_requirements_in_contracts - Verification of Contract Requirements]
+
* [https://www.owasp.org/index.php/How_to_specify_verification_requirements_in_contracts Verification of Contract Requirements]
 
|-
 
|-
 
| valign="top" | Oversee the training on application security for development, operational and information security teams
 
| valign="top" | Oversee the training on application security for development, operational and information security teams
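Review bot: the Part III link in the Procurement row is malformed in both the old and the new revision: `[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Assess_Risks_before_Procurement_of_Third_Party_Components[Part III - Section 1.4.2.1 "..."]` opens a second `[` directly after the URL, so MediaWiki ends the URL there and treats `[Part III ...` as the link label, which is why the rendered table shows a stray `[` before "Part III" in that row. Replace that second `[` with a space so the cell reads `[https://...Third_Party_Components Part III - Section 1.4.2.1 "Assess Risks before Procurement of Third Party Components"]`, matching the link syntax used in the Incident Response row. Dropping the "Legal - " prefix and the leading " - " from the two project links in the same hunk is fine and makes the labels consistent with the other rows.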
Line 119: Line 119:
 
| valign="top" | Investigate and analyse suspected and actual application security incidents and recommend corrective actions
 
| valign="top" | Investigate and analyse suspected and actual application security incidents and recommend corrective actions
 
| valign="top" | Incident Response
 
| valign="top" | Incident Response
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Addressing_the_Business_Concerns_after_a_Security_Incident Part I Section 1.4.6 "Addressing the Business Concerns after a Security Incident"]
+
| valign="top" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Addressing_the_Business_Concerns_after_a_Security_Incident Part I Section 1.4.6 "Addressing the Business Concerns after a Security Incident"]
 
| valign="top" |  
 
| valign="top" |  
 
* [https://www.owasp.org/index.php/.NET_Incident_Response .NET Incident Response]
 
* [https://www.owasp.org/index.php/.NET_Incident_Response .NET Incident Response]
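Review bot: the only change in this hunk is removing the space after the second `|` in the Part I link cell (`| valign="top" |[https://...`). MediaWiki ignores that whitespace, so the rendered output is unchanged, but every other cell in this table keeps `| valign="top" | ` with the trailing space; keep the space here for consistency of the wikitext.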

Revision as of 02:46, 26 October 2013


Appendix B: Quick Reference to OWASP Guides & Projects

This quick reference maps typical CISO functions and information security domains to the relevant sections of the OWASP CISO Guide and to relevant OWASP projects.

To do:

  • Check cross-references back to other parts of the guide and add links/anchors
  • Check for other OWASP projects
| CISO Function | Security Domain | OWASP CISO Guide | OWASP Projects |
|---|---|---|---|
| Develop and implement policies, standards and guidelines for application security | Standards and Policies | Part I - Section 1.3 "Information Security Standards, Policies and Compliance" | |
| Develop, implement and manage application security governance | Governance | Part III - Section 1.3.1 "Application Security Governance, Risk and Compliance" | |
| Develop and implement software security development and security testing processes | Security Engineering Processes | Part III - Section 1.4 "Targeting Software Security Activities and S-SDLC Processes"; Part III - Section 1.5 "How to Choose the Right OWASP Projects and Tools For Your Organization" | |
| Develop, articulate and implement a risk management strategy for applications | Risk Strategy | Part I - Section 1.4.4 "Risk Management Strategies"; Part II - "Criteria for Managing Application Security Risks" | |
| Work with executive management, business managers and internal audit and legal counsel to define application security requirements that can be verified and audited | Audit & Compliance | Part I - Section 1.3.2 "Capturing Application Security Requirements"; Part III - Section 1.3 "Addressing CISO's Application Security Functions" | |
| Measure and monitor security and risks of application assets within the organization | Risk Metrics & Monitoring | Part IV - "Selection of Metrics for Managing Risks & Application Security Investments" | |
| Define, identify and assess the inherent security of critical application assets, assess the threats, vulnerabilities, business impacts and recommend countermeasures/corrective actions | Risk Analysis & Management | Part I - Section 1.4 "Risk Management"; Part II - "Criteria for Managing Application Security Risks" | |
| Assess procurement of new application processes, services, technologies and security tools | Procurement | Part III - Section 1.4.2.1 "Assess Risks before Procurement of Third Party Components" | Secure Software Contract Annex; Verification of Contract Requirements |
| Oversee the training on application security for development, operational and information security teams | Security Training | Part III - Section 1.5.3 "People, Processes and Technology" | |
| Develop, articulate and implement continuity planning/disaster recovery | Business Continuity / Disaster Recovery | Part IV - "Addressing CISO's Application Security Functions" | |
| Investigate and analyse suspected and actual application security incidents and recommend corrective actions | Incident Response | Part I - Section 1.4.6 "Addressing the Business Concerns after a Security Incident" | .NET Incident Response |