Difference between revisions of "CISO AppSec Guide: Quick Reference to OWASP Guides & Projects"

Line 16: Line 16:
 
| valign="top" width="40%" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Information_Security_Standards.2C_Policies_and_Compliance Part I - Section 1.3 "Information Security Standards, Policies and Compliance"]
 
| valign="top" width="40%" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Information_Security_Standards.2C_Policies_and_Compliance Part I - Section 1.3 "Information Security Standards, Policies and Compliance"]
 
| valign="top" width="25%" |  
 
| valign="top" width="25%" |  
* [https://www.owasp.org/index.php/Policy_Frameworks Project Development Guide - Policy Frameworks]
+
* [https://www.owasp.org/index.php/Policy_Frameworks Development Guide - Policy Frameworks]
 
* [https://www.owasp.org/index.php/Identify_global_security_policy Project CLASP - Identify Global Security Policy]
 
* [https://www.owasp.org/index.php/Identify_global_security_policy Project CLASP - Identify Global Security Policy]
 
* [https://www.owasp.org/index.php/SAMM_-_Policy_&_Compliance_-_1 Project SAMM - Policy & Compliance]
 
* [https://www.owasp.org/index.php/SAMM_-_Policy_&_Compliance_-_1 Project SAMM - Policy & Compliance]
* [https://www.owasp.org/index.php/Code_Reviews_and_Compliance Coding Guide Project - Code Reviews and Compliance]
+
* [https://www.owasp.org/index.php/Code_Reviews_and_Compliance Coding Guide - Code Reviews and Compliance]
 
|-
 
|-
 
| valign="top" | Develop, implement and manage application security governance
 
| valign="top" | Develop, implement and manage application security governance
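Review bot: the renamed entries in this cell are inconsistent about the "Project" prefix: "Development Guide - Policy Frameworks" and "Coding Guide - Code Reviews and Compliance" drop it, while "Project CLASP - Identify Global Security Policy" and "Project SAMM - Policy & Compliance" in the same list keep it. Pick one convention for the whole appendix (for example "<Guide or Project> - <Page>" with no prefix) so the OWASP Projects column reads uniformly.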
Line 25: Line 25:
 
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Application_Security_Governance.2C_Risk_and_Compliance Part III - Section 1.3.1 "Application Security Governance, Risk and Compliance"]
 
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Application_Security_Governance.2C_Risk_and_Compliance Part III - Section 1.3.1 "Application Security Governance, Risk and Compliance"]
 
| valign="top" |  
 
| valign="top" |  
* [https://www.owasp.org/index.php/SAMM_-_Governance SAMM - Governance]
+
* [https://www.owasp.org/index.php/SAMM_-_Governance Project SAMM - Governance]
 
* [https://www.owasp.org/index.php/How_to_write_verifier_job_requisition Project ASVS - How to Write Job Requisitions]
 
* [https://www.owasp.org/index.php/How_to_write_verifier_job_requisition Project ASVS - How to Write Job Requisitions]
 
|-
 
|-
Line 35: Line 35:
 
| valign="top" |  
 
| valign="top" |  
 
* [https://www.owasp.org/index.php/Category:OWASP_Guide_Project Development Guide]
 
* [https://www.owasp.org/index.php/Category:OWASP_Guide_Project Development Guide]
* [https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project Project Code Review Guide]
+
* [https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project Code Review Guide]
 
* [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide Secure Coding Practices]
 
* [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide Secure Coding Practices]
* [https://www.owasp.org/index.php/OWASP_Testing_Project Project Testing Guide]
+
* [https://www.owasp.org/index.php/OWASP_Testing_Project Testing Guide]
 
* [https://buildsecurityin.us-cert.gov/articles/best-practices/requirements-engineering/introduction-to-the-clasp-process Comprehensive Lightweight Application Security Process (CLASP) Introduction]
 
* [https://buildsecurityin.us-cert.gov/articles/best-practices/requirements-engineering/introduction-to-the-clasp-process Comprehensive Lightweight Application Security Process (CLASP) Introduction]
* [https://www.owasp.org/index.php/CLASP_Concepts Project Project CLASP Concepts]
+
* [https://www.owasp.org/index.php/CLASP_Concepts CLASP Concepts]
 
* [http://www.opensamm.org/ Software Assurance Maturity Model(SAMM)]
 
* [http://www.opensamm.org/ Software Assurance Maturity Model(SAMM)]
* [https://www.owasp.org/index.php/Appendix_A:_Testing_Tools Testing Tools]
+
* [https://www.owasp.org/index.php/Appendix_A:_Testing_Tools Testing Tools Guide]
 
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project Project Application Security Verification Standard Project (ASVS)]
 
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project Project Application Security Verification Standard Project (ASVS)]
 
|-
 
|-
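Review bot: the last entry still reads "Project Application Security Verification Standard Project (ASVS)", with "Project" doubled, even though this hunk fixes the same doubling in "Project Project CLASP Concepts"; change it to "Application Security Verification Standard (ASVS)". "Software Assurance Maturity Model(SAMM)" also needs a space before the parenthesis.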
Line 61: Line 61:
 
| valign="top" |  
 
| valign="top" |  
 
* [https://www.owasp.org/index.php/ASVS Application Security Verification Standards]
 
* [https://www.owasp.org/index.php/ASVS Application Security Verification Standards]
* [https://www.owasp.org/index.php/Category:BP3_Capture_security_requirements Capture Security Requirements]
+
* [https://www.owasp.org/index.php/Category:BP3_Capture_security_requirements CLASP- Capture Security Requirements]
 
* [https://www.owasp.org/index.php/SAMM_-_Security_Requirements_-_1 SAMM - Security Requirements]
 
* [https://www.owasp.org/index.php/SAMM_-_Security_Requirements_-_1 SAMM - Security Requirements]
 
* [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Requirements_Test_Derivation Testing Guide - Security Requirements Test Derivation]
 
* [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Requirements_Test_Derivation Testing Guide - Security Requirements Test Derivation]
 
* [https://www.owasp.org/index.php/OWASP_Cornucopia Project OWASP Cornucopia]
 
* [https://www.owasp.org/index.php/OWASP_Cornucopia Project OWASP Cornucopia]
* [https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex Project Legal - Secure Software Contract Annex]
+
* [https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex Project Secure Software Contract Annex]
 
|-
 
|-
 
| valign="top" | Measure and monitor security and risks of application assets within the organization
 
| valign="top" | Measure and monitor security and risks of application assets within the organization
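Review bot: "CLASP- Capture Security Requirements" is missing the space before the hyphen that every other "X - Y" entry in this cell uses; write "CLASP - Capture Security Requirements". The first entry's link text "Application Security Verification Standards" should be singular, "Application Security Verification Standard", to match the ASVS project name used in the rest of the table.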
Line 72: Line 72:
 
|  
 
|  
 
* [https://www.owasp.org/index.php/Types_of_application_security_metrics Types of Application Security Metrics]
 
* [https://www.owasp.org/index.php/Types_of_application_security_metrics Types of Application Security Metrics]
* [https://www.owasp.org/index.php/Category:BP6_Define_and_monitor_metrics Project CLASP - Define and Monitor Metrics]
+
* [https://www.owasp.org/index.php/Category:BP6_Define_and_monitor_metrics CLASP - Define and Monitor Metrics]
 
* [https://www.owasp.org/index.php/SAMM_-_Strategy_&_Metrics_-_1 SAMM Strategy & Metrics]
 
* [https://www.owasp.org/index.php/SAMM_-_Strategy_&_Metrics_-_1 SAMM Strategy & Metrics]
 
|-
 
|-
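Review bot: "SAMM Strategy & Metrics" has no separator between project and page, while the neighbouring "CLASP - Define and Monitor Metrics" uses " - "; write "SAMM - Strategy & Metrics" for consistency.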
Line 84: Line 84:
 
* [https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks Project Top Ten Mobile Application Risks]
 
* [https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks Project Top Ten Mobile Application Risks]
 
* [https://www.owasp.org/index.php/OWASP_Cloud_%E2%80%90_10/Initial_Pre-Alpha_List_of_OWASP_Cloud_Top_10_Security_Risks Project Top Ten Cloud Risks]
 
* [https://www.owasp.org/index.php/OWASP_Cloud_%E2%80%90_10/Initial_Pre-Alpha_List_of_OWASP_Cloud_Top_10_Security_Risks Project Top Ten Cloud Risks]
* [https://www.owasp.org/index.php/How_to_bootstrap_the_NIST_risk_management_framework_with_verification_activities Project AVSV- Implementation of NIST Risk Management Verification Activities]
+
* [https://www.owasp.org/index.php/How_to_bootstrap_the_NIST_risk_management_framework_with_verification_activities ASVS - Implementation of NIST Risk Management Verification Activities]
 
* [https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology Risk Rating Methodology]
 
* [https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology Risk Rating Methodology]
 
* [https://www.owasp.org/index.php/Threat_Risk_Modeling Threat Risk Modelling]
 
* [https://www.owasp.org/index.php/Threat_Risk_Modeling Threat Risk Modelling]
Line 114: Line 114:
 
|-
 
|-
 
| valign="top" | Investigate and analyse suspected and actual application security incidents and recommend corrective actions
 
| valign="top" | Investigate and analyse suspected and actual application security incidents and recommend corrective actions
| valign="top" | Incident Response
+
| valign="top" | Vulnerability Management & Incident Response
 
| valign="top" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Addressing_the_Business_Concerns_after_a_Security_Incident Part I Section 1.4.6 "Addressing the Business Concerns after a Security Incident"]
 
| valign="top" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Addressing_the_Business_Concerns_after_a_Security_Incident Part I Section 1.4.6 "Addressing the Business Concerns after a Security Incident"]
 
| valign="top" |  
 
| valign="top" |  
* [https://www.owasp.org/index.php/.NET_Incident_Response .NET Incident Response]
+
* [https://www.owasp.org/index.php/SAMM_-_Vulnerability_Management_-_1 SAMM Vulnerability Management]
 
* [https://www.owasp.org/index.php/Manage_security_issue_disclosure_process CLASP - Manage Security Issue Disclosure Process]
 
* [https://www.owasp.org/index.php/Manage_security_issue_disclosure_process CLASP - Manage Security Issue Disclosure Process]
 +
* [https://www.owasp.org/index.php/.NET_Incident_Response .NET Incident Response]
 
|}
 
|}
  
 
[[Category:OWASP_Application_Security_Guide_For_CISO_Project]]
 
[[Category:OWASP_Application_Security_Guide_For_CISO_Project]]
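Review bot: the security domain is renamed to "Vulnerability Management & Incident Response" and "SAMM Vulnerability Management" is added to the projects list, but the OWASP CISO Guide cell is unchanged and still cites only Part I Section 1.4.6 "Addressing the Business Concerns after a Security Incident", so the vulnerability-management half of the row has no guide reference; either add the guide section that covers vulnerability management or keep the domain name as "Incident Response". Also write "SAMM - Vulnerability Management" to match the " - " separator of the adjacent "CLASP - Manage Security Issue Disclosure Process".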

Revision as of 02:11, 26 October 2013


Appendix B: Quick Reference to OWASP Guides & Projects

This quick reference maps typical CISO functions and information security domains to the relevant sections of the OWASP CISO Guide and to the OWASP projects that support them.

{| class="wikitable"
! CISO Function !! Security Domain !! OWASP CISO Guide !! OWASP Projects
|-
| valign="top" | Develop and implement policies, standards and guidelines for application security
| valign="top" | Standards and Policies
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Information_Security_Standards.2C_Policies_and_Compliance Part I - Section 1.3 "Information Security Standards, Policies and Compliance"]
| valign="top" |
* [https://www.owasp.org/index.php/Policy_Frameworks Development Guide - Policy Frameworks]
* [https://www.owasp.org/index.php/Identify_global_security_policy Project CLASP - Identify Global Security Policy]
* [https://www.owasp.org/index.php/SAMM_-_Policy_&_Compliance_-_1 Project SAMM - Policy & Compliance]
* [https://www.owasp.org/index.php/Code_Reviews_and_Compliance Coding Guide - Code Reviews and Compliance]
|-
| valign="top" | Develop, implement and manage application security governance
| valign="top" | Governance
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Application_Security_Governance.2C_Risk_and_Compliance Part III - Section 1.3.1 "Application Security Governance, Risk and Compliance"]
| valign="top" |
* [https://www.owasp.org/index.php/SAMM_-_Governance Project SAMM - Governance]
* [https://www.owasp.org/index.php/How_to_write_verifier_job_requisition Project ASVS - How to Write Job Requisitions]
|-
| valign="top" | Develop and implement software security development and security testing processes
| valign="top" | Security Engineering Processes
| valign="top" | Part III - Section 1.4 "Targeting Software Security Activities and S-SDLC Processes"

Part III - Section 1.5 "How to Choose the Right OWASP Projects and Tools For Your Organization"
| valign="top" |
* [https://www.owasp.org/index.php/Category:OWASP_Guide_Project Development Guide]
* [https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project Code Review Guide]
* [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide Secure Coding Practices]
* [https://www.owasp.org/index.php/OWASP_Testing_Project Testing Guide]
* [https://buildsecurityin.us-cert.gov/articles/best-practices/requirements-engineering/introduction-to-the-clasp-process Comprehensive Lightweight Application Security Process (CLASP) Introduction]
* [https://www.owasp.org/index.php/CLASP_Concepts CLASP Concepts]
* [http://www.opensamm.org/ Software Assurance Maturity Model (SAMM)]
* [https://www.owasp.org/index.php/Appendix_A:_Testing_Tools Testing Tools Guide]
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project Application Security Verification Standard (ASVS)]
|-
| valign="top" | Develop, articulate and implement a risk management strategy for applications
| valign="top" | Risk Strategy
| valign="top" | Part I - Section 1.4.4 "Risk Management Strategies"

Part II - "Criteria for Managing Application Security Risks"
| valign="top" |
|-
| valign="top" | Work with executive management, business managers and internal audit and legal counsel to define application security requirements that can be verified and audited
| valign="top" | Audit & Compliance
| valign="top" | Part I - Section 1.3.2 "Capturing Application Security Requirements"

Part III - Section 1.3 "Addressing CISO's Application Security Functions"
| valign="top" |
* [https://www.owasp.org/index.php/ASVS Application Security Verification Standard]
* [https://www.owasp.org/index.php/Category:BP3_Capture_security_requirements CLASP - Capture Security Requirements]
* [https://www.owasp.org/index.php/SAMM_-_Security_Requirements_-_1 SAMM - Security Requirements]
* [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Requirements_Test_Derivation Testing Guide - Security Requirements Test Derivation]
* [https://www.owasp.org/index.php/OWASP_Cornucopia Project OWASP Cornucopia]
* [https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex Project Secure Software Contract Annex]
|-
| valign="top" | Measure and monitor security and risks of application assets within the organization
| valign="top" | Risk Metrics & Monitoring
| valign="top" | Part IV - "Selection of Metrics for Managing Risks & Application Security Investments"
| valign="top" |
* [https://www.owasp.org/index.php/Types_of_application_security_metrics Types of Application Security Metrics]
* [https://www.owasp.org/index.php/Category:BP6_Define_and_monitor_metrics CLASP - Define and Monitor Metrics]
* [https://www.owasp.org/index.php/SAMM_-_Strategy_&_Metrics_-_1 SAMM - Strategy & Metrics]
|-
| valign="top" | Define, identify and assess the inherent security of critical application assets, assess the threats, vulnerabilities and business impacts, and recommend countermeasures/corrective actions
| valign="top" | Risk Analysis & Management
| valign="top" | Part I - Section 1.4 "Risk Management"

Part II - "Criteria for Managing Application Security Risks"
| valign="top" |
|-
| valign="top" | Assess procurement of new application processes, services, technologies and security tools
| valign="top" | Procurement
| valign="top" | Part III - Section 1.4.2.1 "Assess Risks before Procurement of Third Party Components"
| valign="top" |
|-
| valign="top" | Oversee the training on application security for development, operational and information security teams
| valign="top" | Security Training
| valign="top" | Part III - Section 1.5.3 "People, Processes and Technology"
| valign="top" |
|-
| valign="top" | Develop, articulate and implement continuity planning/disaster recovery
| valign="top" | Business Continuity / Disaster Recovery
| valign="top" | Part III - Section 1.3 "Addressing CISO's Application Security Functions"
| valign="top" |
|-
| valign="top" | Investigate and analyse suspected and actual application security incidents and recommend corrective actions
| valign="top" | Vulnerability Management & Incident Response
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Addressing_the_Business_Concerns_after_a_Security_Incident Part I - Section 1.4.6 "Addressing the Business Concerns after a Security Incident"]
| valign="top" |
* [https://www.owasp.org/index.php/SAMM_-_Vulnerability_Management_-_1 SAMM - Vulnerability Management]
* [https://www.owasp.org/index.php/Manage_security_issue_disclosure_process CLASP - Manage Security Issue Disclosure Process]
* [https://www.owasp.org/index.php/.NET_Incident_Response .NET Incident Response]
|}