Difference between revisions of "CISO AppSec Guide: Quick Reference to OWASP Guides & Projects"

m (Appendix B: Quick Reference to OWASP Guides & Other Projects: Page name)
m (Appendix B: Quick Reference to OWASP Guides & Other Projects: Names and numbering)
Line 16: Line 16:
 
| valign="top" width="25%" | Develop and implement policies, standards and guidelines for application security
 
| valign="top" width="25%" | Develop and implement policies, standards and guidelines for application security
 
| valign="top" width="10%" | Standards and Policies
 
| valign="top" width="10%" | Standards and Policies
| valign="top" width="40%" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Information_Security_Standards.2C_Policies_and_Compliance Part I - Section 1.3 "Information Security Standards, Policies and Compliance"]
+
| valign="top" width="40%" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Information_Security_Standards.2C_Policies_and_Compliance I-3 "Information Security Standards, Policies and Compliance"]
 
| valign="top" width="25%" |  
 
| valign="top" width="25%" |  
 
* [https://www.owasp.org/index.php/Policy_Frameworks Development Guide - Policy Frameworks]
 
* [https://www.owasp.org/index.php/Policy_Frameworks Development Guide - Policy Frameworks]
Line 25: Line 25:
 
| valign="top" | Develop, implement and manage application security governance
 
| valign="top" | Develop, implement and manage application security governance
 
| valign="top" | Governance
 
| valign="top" | Governance
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Application_Security_Governance.2C_Risk_and_Compliance Part III - Section 1.3.1 "Application Security Governance, Risk and Compliance"]
+
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Application_Security_Governance.2C_Risk_and_Compliance III-3 "Application Security Governance, Risk and Compliance"]
 
| valign="top" |  
 
| valign="top" |  
 
* [https://www.owasp.org/index.php/SAMM_-_Governance Project SAMM - Governance]
 
* [https://www.owasp.org/index.php/SAMM_-_Governance Project SAMM - Governance]
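Review bot: the new label III-3 in the replaced link line drops the subsection level of "Part III - Section 1.3.1", so "Application Security Governance, Risk and Compliance" now carries the same identifier as Part III Section 1.3 "Addressing CISO's Application Security Functions", which this same revision also relabels III-3 in the Audit & Compliance row; if the short form is kept, III-3.1 would keep the two entries distinguishable.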
Line 32: Line 32:
 
| valign="top" | Develop and implement software security development and security testing processes
 
| valign="top" | Develop and implement software security development and security testing processes
 
| valign="top" | Security Engineering Processes
 
| valign="top" | Security Engineering Processes
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Targeting_Software_Security_Activities_and_S-SDLC_Processes Part III - Section 1.4 "Targeting Software Security Activities and S-SDLC Processes"]
+
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Targeting_Software_Security_Activities_and_S-SDLC_Processes III-4 "Targeting Software Security Activities and S-SDLC Processes"]
  
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#How_to_Choose_the_Right_OWASP_Projects_and_Tools_For_Your_Organization Part III - Section 1.5 "How to Choose the Right OWASP Projects and Tools For Your Organization"]
+
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#How_to_Choose_the_Right_OWASP_Projects_and_Tools_For_Your_Organization III-5 "How to Choose the Right OWASP Projects and Tools For Your Organization"]
 
| valign="top" |  
 
| valign="top" |  
 
* [https://www.owasp.org/index.php/Category:OWASP_Guide_Project Development Guide]
 
* [https://www.owasp.org/index.php/Category:OWASP_Guide_Project Development Guide]
Line 49: Line 49:
 
| valign="top" | Risk Strategy
 
| valign="top" | Risk Strategy
 
| valign="top" |  
 
| valign="top" |  
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Risk_Management_Strategies Part I - Section 1.4.4 "Risk Management Strategies"]
+
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Risk_Management_Strategies I-4 "Risk Management Strategies"]
  
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks#Part_II:_Criteria_for_Managing_Application_Security_Risks Part II - "Criteria for Managing Application Security Risks"]
+
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks#Part_II:_Criteria_for_Managing_Application_Security_Risks II "Criteria for Managing Application Security Risks"]
  
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Security_Strategy Part III- Section 1.4.5 "Security Strategy"]
+
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Security_Strategy III-4 "Security Strategy"]
 
| valign="top" |  
 
| valign="top" |  
 
* [https://www.owasp.org/index.php/SAMM_-_Strategy_&_Metrics_-_1 SAMM - Strategy & Metrics]
 
* [https://www.owasp.org/index.php/SAMM_-_Strategy_&_Metrics_-_1 SAMM - Strategy & Metrics]
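Review bot: "Part I - Section 1.4.4" and "Part III- Section 1.4.5" are both shortened to two-level labels (I-4, III-4), and III-4 is already assigned to Section 1.4 "Targeting Software Security Activities and S-SDLC Processes" in the Line 32 hunk, so "Security Strategy" and "Targeting Software Security Activities" now share one identifier; I-4.4 and III-4.5 would preserve the distinction the old labels carried.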
Line 60: Line 60:
 
| valign="top" | Work with executive management, business managers and internal audit and legal counsel to define application security requirements that can be verified and audited
 
| valign="top" | Work with executive management, business managers and internal audit and legal counsel to define application security requirements that can be verified and audited
 
| valign="top" | Audit & Compliance
 
| valign="top" | Audit & Compliance
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Capturing_Application_Security_Requirements Part I - Section 1.3.2 "Capturing Application Security Requirements"]
+
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Capturing_Application_Security_Requirements I-3 "Capturing Application Security Requirements"]
  
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Addressing_CISO.27s_Application_Security_Functions Part III - Section 1.3 "Addressing CISO's Application Security Functions"]
+
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Addressing_CISO.27s_Application_Security_Functions III-3 "Addressing CISO's Application Security Functions"]
 
| valign="top" |  
 
| valign="top" |  
 
* [https://www.owasp.org/index.php/ASVS Application Security Verification Standards]
 
* [https://www.owasp.org/index.php/ASVS Application Security Verification Standards]
* [https://www.owasp.org/index.php/Category:BP3_Capture_security_requirements CLASP- Capture Security Requirements]
+
* [https://www.owasp.org/index.php/Category:BP3_Capture_security_requirements CLASP - Capture Security Requirements]
 
* [https://www.owasp.org/index.php/SAMM_-_Security_Requirements_-_1 SAMM - Security Requirements]
 
* [https://www.owasp.org/index.php/SAMM_-_Security_Requirements_-_1 SAMM - Security Requirements]
 
* [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Requirements_Test_Derivation Testing Guide - Security Requirements Test Derivation]
 
* [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Requirements_Test_Derivation Testing Guide - Security Requirements Test Derivation]
* [https://www.owasp.org/index.php/OWASP_Cornucopia Project OWASP Cornucopia]
+
* [https://www.owasp.org/index.php/OWASP_Cornucopia Project Cornucopia]
 
* [https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex Project Secure Software Contract Annex]
 
* [https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex Project Secure Software Contract Annex]
 
|-
 
|-
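Review bot: "I-3" in the Audit & Compliance row now refers to Section 1.3.2 "Capturing Application Security Requirements", while the Line 16 hunk assigns the same label to Section 1.3 "Information Security Standards, Policies and Compliance", so the guide column no longer identifies a unique section (I-3.2 would). The rows below this hunk (Risk Metrics & Monitoring onward) are untouched and still use the "Part X - Section n.n" form, so after this revision the column mixes two numbering styles.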

Revision as of 13:01, 6 November 2013



Appendix B: Quick Reference to OWASP Guides & Other Projects

This quick reference maps typical CISO functions and information security domains to the relevant sections of the OWASP CISO Guide and to related OWASP projects.

{|
! CISO Function
! Security Domain
! OWASP CISO Guide
! OWASP Projects
|-
| valign="top" | Develop and implement policies, standards and guidelines for application security
| valign="top" | Standards and Policies
| valign="top" | I-3 "Information Security Standards, Policies and Compliance"
| valign="top" |
|-
| valign="top" | Develop, implement and manage application security governance
| valign="top" | Governance
| valign="top" | III-3 "Application Security Governance, Risk and Compliance"
| valign="top" |
|-
| valign="top" | Develop and implement software security development and security testing processes
| valign="top" | Security Engineering Processes
| valign="top" | III-4 "Targeting Software Security Activities and S-SDLC Processes"

III-5 "How to Choose the Right OWASP Projects and Tools For Your Organization"
| valign="top" |
|-
| valign="top" | Develop, articulate and implement a risk management strategy for applications
| valign="top" | Risk Strategy
| valign="top" | I-4 "Risk Management Strategies"

II "Criteria for Managing Application Security Risks"

III-4 "Security Strategy"
| valign="top" |
|-
| valign="top" | Work with executive management, business managers and internal audit and legal counsel to define application security requirements that can be verified and audited
| valign="top" | Audit & Compliance
| valign="top" | I-3 "Capturing Application Security Requirements"

III-3 "Addressing CISO's Application Security Functions"
| valign="top" |
|-
| valign="top" | Measure and monitor security and risks of application assets within the organization
| valign="top" | Risk Metrics & Monitoring
| valign="top" | Part IV - "Selection of Metrics for Managing Risks & Application Security Investments"
| valign="top" |
|-
| valign="top" | Define, identify and assess the inherent security of critical application assets, assess the threats, vulnerabilities and business impacts, and recommend countermeasures/corrective actions
| valign="top" | Risk Analysis & Management
| valign="top" | Part I - Section 1.4 "Risk Management"

Part II - "Criteria for Managing Application Security Risks"
| valign="top" |
|-
| valign="top" | Assess procurement of new application processes, services, technologies and security tools
| valign="top" | Procurement
| valign="top" | Part III - Section 1.4.2.1 "Assess Risks before Procurement of Third Party Components"
| valign="top" |
|-
| valign="top" | Oversee the training on application security for development, operational and information security teams
| valign="top" | Security Training
| valign="top" | Part III - Section 1.5.3 "People, Processes and Technology"
| valign="top" |
|-
| valign="top" | Develop, articulate and implement continuity planning/disaster recovery
| valign="top" | Business Continuity / Disaster Recovery
| valign="top" | Part IV - "Addressing CISO's Application Security Functions"
| valign="top" |
|-
| valign="top" | Investigate and analyse suspected and actual application security incidents and recommend corrective actions
| valign="top" | Vulnerability Management & Incident Response
| valign="top" | Part I - Section 1.4.6 "Addressing the Business Concerns after a Security Incident"
| valign="top" |
|}