Difference between revisions of "CISO AppSec Guide: Quick Reference to OWASP Guides & Projects"

From OWASP
Line 4: Line 4:
  
 
This quick reference maps typical CISO's functions and information security domains to different sections of the OWASP' CISO Guide and relevant OWASP projects.
 
This quick reference maps typical CISO's functions and information security domains to different sections of the OWASP' CISO Guide and relevant OWASP projects.
 
To do:
 
* Check cross-references back to other parts of guie and add links/anchors
 
* Check for other OWASP projects
 
  
 
{| class="prettytable FCK__ShowTableBorders" align="top"
 
{| class="prettytable FCK__ShowTableBorders" align="top"
Line 23: Line 19:
 
* [https://www.owasp.org/index.php/Identify_global_security_policy Project CLASP - Identify Global Security Policy]
 
* [https://www.owasp.org/index.php/Identify_global_security_policy Project CLASP - Identify Global Security Policy]
 
* [https://www.owasp.org/index.php/SAMM_-_Policy_&_Compliance_-_1 Project SAMM - Policy & Compliance]
 
* [https://www.owasp.org/index.php/SAMM_-_Policy_&_Compliance_-_1 Project SAMM - Policy & Compliance]
* [https://www.owasp.org/index.php/Code_Reviews_and_Compliance Code Review - Project Coding Guide - Code Reviews and Compliance]
+
* [https://www.owasp.org/index.php/Code_Reviews_and_Compliance Coding Guide Project - Code Reviews and Compliance]
 
|-
 
|-
 
| valign="top" | Develop, implement and manage application security governance
 
| valign="top" | Develop, implement and manage application security governance
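Review bot: the relabelled entry `Coding Guide Project - Code Reviews and Compliance` breaks the `Project <name> - <page>` naming used by the neighbouring entries in this cell (`Project CLASP - Identify Global Security Policy`, `Project SAMM - Policy & Compliance`); suggest keeping the project-first form, e.g. `Project Code Review Guide - Code Reviews and Compliance`, so the list reads consistently.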
Line 30: Line 26:
 
| valign="top" |  
 
| valign="top" |  
 
* [https://www.owasp.org/index.php/SAMM_-_Governance SAMM - Governance]
 
* [https://www.owasp.org/index.php/SAMM_-_Governance SAMM - Governance]
* [https://www.owasp.org/index.php/How_to_write_verifier_job_requisition How to Write Job Requisitions]
+
* [https://www.owasp.org/index.php/How_to_write_verifier_job_requisition Project ASVS - How to Write Job Requisitions]
 
|-
 
|-
 
| valign="top" | Develop and implement software security development and security testing processes
 
| valign="top" | Develop and implement software security development and security testing processes
Line 43: Line 39:
 
* [https://www.owasp.org/index.php/OWASP_Testing_Project Project Testing Guide]
 
* [https://www.owasp.org/index.php/OWASP_Testing_Project Project Testing Guide]
 
* [https://buildsecurityin.us-cert.gov/articles/best-practices/requirements-engineering/introduction-to-the-clasp-process Comprehensive Lightweight Application Security Process (CLASP) Introduction]
 
* [https://buildsecurityin.us-cert.gov/articles/best-practices/requirements-engineering/introduction-to-the-clasp-process Comprehensive Lightweight Application Security Process (CLASP) Introduction]
* [https://www.owasp.org/index.php/CLASP_Concepts Project CLASP Concepts]
+
* [https://www.owasp.org/index.php/CLASP_Concepts Project Project CLASP Concepts]
 
* [http://www.opensamm.org/ Software Assurance Maturity Model(SAMM)]
 
* [http://www.opensamm.org/ Software Assurance Maturity Model(SAMM)]
 
* [https://www.owasp.org/index.php/Appendix_A:_Testing_Tools Testing Tools]
 
* [https://www.owasp.org/index.php/Appendix_A:_Testing_Tools Testing Tools]
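Review bot: the added line `Project Project CLASP Concepts` repeats the word `Project`; suggest `Project CLASP - Concepts`, matching the `Project CLASP - ...` label used elsewhere in this table.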

Revision as of 02:57, 26 October 2013


Appendix B: Quick Reference to OWASP Guides & Projects

This quick reference maps typical CISO functions and information security domains to the relevant sections of the OWASP CISO Guide and to related OWASP projects.

{| class="prettytable"
! CISO Function !! Security Domain !! OWASP CISO Guide !! OWASP Projects
|-
| valign="top" | Develop and implement policies, standards and guidelines for application security
| valign="top" | Standards and Policies
| valign="top" | Part I - Section 1.3 "Information Security Standards, Policies and Compliance"
| valign="top" |
|-
| valign="top" | Develop, implement and manage application security governance
| valign="top" | Governance
| valign="top" | Part III - Section 1.3.1 "Application Security Governance, Risk and Compliance"
| valign="top" |
|-
| valign="top" | Develop and implement software security development and security testing processes
| valign="top" | Security Engineering Processes
| valign="top" |
* Part III - Section 1.4 "Targeting Software Security Activities and S-SDLC Processes"
* Part III - Section 1.5 "How to Choose the Right OWASP Projects and Tools For Your Organization"
| valign="top" |
|-
| valign="top" | Develop, articulate and implement a risk management strategy for applications
| valign="top" | Risk Strategy
| valign="top" |
* Part I - Section 1.4.4 "Risk Management Strategies"
* Part II - "Criteria for Managing Application Security Risks"
| valign="top" |
|-
| valign="top" | Work with executive management, business managers and internal audit and legal counsel to define application security requirements that can be verified and audited
| valign="top" | Audit & Compliance
| valign="top" |
* Part I - Section 1.3.2 "Capturing Application Security Requirements"
* Part III - Section 1.3 "Addressing CISO's Application Security Functions"
| valign="top" |
|-
| valign="top" | Measure and monitor security and risks of application assets within the organization
| valign="top" | Risk Metrics & Monitoring
| valign="top" | Part IV - "Selection of Metrics for Managing Risks & Application Security Investments"
| valign="top" |
|-
| valign="top" | Define, identify and assess the inherent security of critical application assets, assess the threats, vulnerabilities and business impacts, and recommend countermeasures/corrective actions
| valign="top" | Risk Analysis & Management
| valign="top" |
* Part I - Section 1.4 "Risk Management"
* Part II - "Criteria for Managing Application Security Risks"
| valign="top" |
|-
| valign="top" | Assess procurement of new application processes, services, technologies and security tools
| valign="top" | Procurement
| valign="top" | Part III - Section 1.4.2.1 "Assess Risks before Procurement of Third Party Components"
| valign="top" |
|-
| valign="top" | Oversee the training on application security for development, operational and information security teams
| valign="top" | Security Training
| valign="top" | Part III - Section 1.5.3 "People, Processes and Technology"
| valign="top" |
|-
| valign="top" | Develop, articulate and implement continuity planning/disaster recovery
| valign="top" | Business Continuity / Disaster Recovery
| valign="top" | Part IV - "Addressing CISO's Application Security Functions"
| valign="top" |
|-
| valign="top" | Investigate and analyse suspected and actual application security incidents and recommend corrective actions
| valign="top" | Incident Response
| valign="top" | Part I - Section 1.4.6 "Addressing the Business Concerns after a Security Incident"
| valign="top" |
|}