Difference between revisions of "CISO AppSec Guide: Quick Reference to OWASP Guides & Projects"

From OWASP
Jump to: navigation, search
 
(46 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
[[Application Security Guide For CISOs|< Back to the Application Security Guide For CISOs]]
 
[[Application Security Guide For CISOs|< Back to the Application Security Guide For CISOs]]
  
==Appendix B: Quick Reference to OWASP Guides & Projects ==
+
__NOTOC__
  
This quick reference maps typical CISO's functions and information security domains to different sections of the OWASP' CISO Guide and relevant OWASP projects.
+
=Appendix B: Quick Reference to OWASP Guides & Other Projects =
  
To do:
+
This quick reference maps typical CISO's functions and information security domains to different sections of the OWASP' CISO Guide and relevant OWASP projects.
* Check cross-references back to other parts of guie and add links/anchors
+
* Check for other OWASP projects
+
  
 
{| class="prettytable FCK__ShowTableBorders" align="top"
 
{| class="prettytable FCK__ShowTableBorders" align="top"
Line 18: Line 16:
 
| valign="top" width="25%" | Develop and implement policies, standards and guidelines for application security
 
| valign="top" width="25%" | Develop and implement policies, standards and guidelines for application security
 
| valign="top" width="10%" | Standards and Policies
 
| valign="top" width="10%" | Standards and Policies
| valign="top" width="40%" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Information_Security_Standards.2C_Policies_and_Compliance Part I - Section 1.3 "Information Security Standards, Policies and Compliance"]
+
| valign="top" width="40%" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Information_Security_Standards.2C_Policies_and_Compliance I-3 "Information Security Standards, Policies and Compliance"]
 
| valign="top" width="25%" |  
 
| valign="top" width="25%" |  
* Development Guide - Policy Frameworks
+
* [https://www.owasp.org/index.php/Policy_Frameworks Development Guide - Policy Frameworks]
* CLASP - Identify Global Security Policy
+
* [https://www.owasp.org/index.php/Identify_global_security_policy Project CLASP - Identify Global Security Policy]
* SAMM - Policy & Compliance
+
* [https://www.owasp.org/index.php/SAMM_-_Policy_&_Compliance_-_1 Project SAMM - Policy & Compliance]
* Code Review - Code Reviews and Compliance
+
* [https://www.owasp.org/index.php/Code_Reviews_and_Compliance Code Review Guide - Code Reviews and Compliance]
 
|-
 
|-
 
| valign="top" | Develop, implement and manage application security governance
 
| valign="top" | Develop, implement and manage application security governance
 
| valign="top" | Governance
 
| valign="top" | Governance
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Application_Security_Governance.2C_Risk_and_Compliance Part III - Section 1.3.1 "Application Security Governance, Risk and Compliance"]
+
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Application_Security_Governance.2C_Risk_and_Compliance III-3 "Application Security Governance, Risk and Compliance"]
 
| valign="top" |  
 
| valign="top" |  
* SAMM - Governance
+
* [https://www.owasp.org/index.php/SAMM_-_Governance Project SAMM - Governance]
 +
* [https://www.owasp.org/index.php/How_to_write_verifier_job_requisition Project ASVS - How to Write Job Requisitions]
 
|-
 
|-
 
| valign="top" | Develop and implement software security development and security testing processes
 
| valign="top" | Develop and implement software security development and security testing processes
 
| valign="top" | Security Engineering Processes
 
| valign="top" | Security Engineering Processes
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Targeting_Software_Security_Activities_and_S-SDLC_Processes Part III - Section 1.4 "Targeting Software Security Activities and S-SDLC Processes"]
+
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Targeting_Software_Security_Activities_and_S-SDLC_Processes III-4 "Targeting Software Security Activities and S-SDLC Processes"]
  
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#How_to_Choose_the_Right_OWASP_Projects_and_Tools_For_Your_Organization Part III - Section 1.5 "How to Choose the Right OWASP Projects and Tools For Your Organization"]
+
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#How_to_Choose_the_Right_OWASP_Projects_and_Tools_For_Your_Organization III-5 "How to Choose the Right OWASP Projects and Tools For Your Organization"]
 
| valign="top" |  
 
| valign="top" |  
* Development Guide
+
* [https://www.owasp.org/index.php/Category:OWASP_Guide_Project Development Guide]
* Code Review Guide
+
* [https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project Code Review Guide]
* Secure Coding Practices Checklist
+
* [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide Secure Coding Practices]
* Testing Guide
+
* [https://www.owasp.org/index.php/OWASP_Testing_Project Testing Guide]
* CLASP
+
* [https://buildsecurityin.us-cert.gov/articles/best-practices/requirements-engineering/introduction-to-the-clasp-process Comprehensive Lightweight Application Security Process (CLASP) Introduction]
* SAMM
+
* [https://www.owasp.org/index.php/CLASP_Concepts CLASP Concepts]
* Security Tools for Developers
+
* [http://www.opensamm.org/ Software Assurance Maturity Model (SAMM)]
* Application Security Verification Standards
+
* [https://www.owasp.org/index.php/Appendix_A:_Testing_Tools Testing Guide - Tools]
 +
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project Project Application Security Verification Standard Project (ASVS)]
 
|-
 
|-
 
| valign="top" | Develop, articulate and implement a risk management strategy for applications
 
| valign="top" | Develop, articulate and implement a risk management strategy for applications
 
| valign="top" | Risk Strategy
 
| valign="top" | Risk Strategy
 
| valign="top" |  
 
| valign="top" |  
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Risk_Management_Strategies Part I - Section 1.4.4 "Risk Management Strategies"]
+
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Risk_Management_Strategies I-4 "Risk Management Strategies"]
 +
 
 +
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks#Part_II:_Criteria_for_Managing_Application_Security_Risks II "Criteria for Managing Application Security Risks"]
  
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks#Part_II:_Criteria_for_Managing_Application_Security_Risks Part II - "Criteria for Managing Application Security Risks"]
+
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Security_Strategy III-4 "Security Strategy"]
 
| valign="top" |  
 
| valign="top" |  
* SAMM - Strategy & Metrics
+
* [https://www.owasp.org/index.php/SAMM_-_Strategy_&_Metrics_-_1 SAMM - Strategy & Metrics]
 +
* [https://www.owasp.org/index.php/Application_Threat_Modeling#Mitigation_Strategies Application Threat Modeling - Mitigation Strategies]
 
|-
 
|-
 
| valign="top" | Work with executive management, business managers and internal audit and legal counsel to define application security requirements that can be verified and audited
 
| valign="top" | Work with executive management, business managers and internal audit and legal counsel to define application security requirements that can be verified and audited
 
| valign="top" | Audit & Compliance
 
| valign="top" | Audit & Compliance
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Capturing_Application_Security_Requirements Part I - Section 1.3.2 "Capturing Application Security Requirements"]
+
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Capturing_Application_Security_Requirements I-3 "Capturing Application Security Requirements"]
  
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Addressing_CISO.27s_Application_Security_Functions Part III - Section 1.3 "Addressing CISO's Application Security Functions"]
+
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Addressing_CISO.27s_Application_Security_Functions III-3 "Addressing CISO's Application Security Functions"]
 
| valign="top" |  
 
| valign="top" |  
* Application Security Verification Standards  
+
* [https://www.owasp.org/index.php/ASVS Application Security Verification Standards]
* CLASP - Document Security-Relevant Requirements
+
* [https://www.owasp.org/index.php/Category:BP3_Capture_security_requirements CLASP - Capture Security Requirements]
* SAMM - Security Requirements
+
* [https://www.owasp.org/index.php/SAMM_-_Security_Requirements_-_1 SAMM - Security Requirements]
* Testing Guide - Security Requirements Test Derivation
+
* [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Requirements_Test_Derivation Testing Guide - Security Requirements Test Derivation]
* Cornucopia
+
* [https://www.owasp.org/index.php/OWASP_Cornucopia Project Cornucopia]
* Legal - Secure Software Contract Annex
+
* [https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex Project Secure Software Contract Annex]
 
|-
 
|-
 
| valign="top" | Measure and monitor security and risks of application assets within the organization
 
| valign="top" | Measure and monitor security and risks of application assets within the organization
 
| valign="top" | Risk Metrics & Monitoring
 
| valign="top" | Risk Metrics & Monitoring
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Metrics_For_Managing_Risks_%26_Application_Security_Investments. Part IV - "Selection of Metrics for Managing Risks & Application Security Investments"]
+
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Metrics_For_Managing_Risks_%26_Application_Security_Investments. IV "Selection of Metrics for Managing Risks & Application Security Investments"]
 
|  
 
|  
* Application Security Metrics
+
* [https://www.owasp.org/index.php/Category:BP6_Define_and_monitor_metrics CLASP - Define and Monitor Metrics]
* CLASP - Define and Monitor Metrics
+
* [https://www.owasp.org/index.php/SAMM_-_Strategy_&_Metrics_-_1 SAMM - Strategy & Metrics]
* SAMM
+
* [https://www.owasp.org/index.php/Types_of_application_security_metrics Types of Application Security Metrics]
 
|-
 
|-
| valign="top" | Define, identify and assess the inherent security of critical application assets, assess the threats, vulnerabilities, business impacts and recommend countermeasurers/corrective actions
+
| valign="top" | Define, identify and assess the inherent security of critical application assets, assess the threats, vulnerabilities, business impacts and recommend countermeasures/corrective actions
 
| valign="top" | Risk Analysis & Management
 
| valign="top" | Risk Analysis & Management
| valign="top" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Risk_Management Part I - Section 1.4 "Risk Management"]
+
| valign="top" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Risk_Management I-4 "Risk Management"]
  
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks#Part_II:_Criteria_for_Managing_Application_Security_Risks Part II Criteria for Managing Application Security Risks]
+
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks#Part_II:_Criteria_for_Managing_Application_Security_Risks II "Criteria for Managing Application Security Risks"]  
 
|   
 
|   
* OWASP Top Ten Risks
+
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project Project Top Ten Web Application Risks]
* Testing Guide - Threat Modelling
+
* [https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks Project Top Ten Mobile Application Risks]
* Development Guide - Threat Risk Modelling
+
* [https://www.owasp.org/index.php/OWASP_Cloud_%E2%80%90_10/Initial_Pre-Alpha_List_of_OWASP_Cloud_Top_10_Security_Risks Project Top Ten Cloud Risks]
* Code Review Guide - Application Threat Modelling
+
* [https://www.owasp.org/index.php/How_to_bootstrap_the_NIST_risk_management_framework_with_verification_activities ASVS - Implementation of NIST Risk Management Verification Activities]
* Cornucopia
+
* [https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology Risk Rating Methodology]
 +
* [https://www.owasp.org/index.php/Threat_Risk_Modeling Threat Risk Modelling]
 +
* [https://www.owasp.org/index.php/Application_Threat_Modeling Application Threat Modelling]
 
|-
 
|-
 
| valign="top" | Assess procurement of new application processes, services, technologies and security tools
 
| valign="top" | Assess procurement of new application processes, services, technologies and security tools
 
| valign="top" | Procurement
 
| valign="top" | Procurement
| valign="top" | Part III - Section 1.4.2.1 "Assess Risks before Procurement of Third Party Components"
+
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Assess_Risks_before_Procurement_of_Third_Party_Components III-4 "Assess Risks before Procurement of Third Party Components"]
 
| valign="top" |  
 
| valign="top" |  
* Legal - Secure Software Contract Annex
+
* [https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex Project Secure Software Contract Annex]
* Tools projects
+
* [https://www.owasp.org/index.php/How_to_specify_verification_requirements_in_contracts ASVS - Verification of Contract Requirements]
 
|-
 
|-
 
| valign="top" | Oversee the training on application security for development, operational and information security teams
 
| valign="top" | Oversee the training on application security for development, operational and information security teams
 
| valign="top" | Security Training
 
| valign="top" | Security Training
| valign="top" | Part III- Section 1.5.3 "People, Processes and Technology"
+
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#People.2C_Processes_and_Technology III-5 "People, Processes and Technology"]
 
|  
 
|  
* Education
+
* [https://www.owasp.org/index.php/Category:BP1_Institute_awareness_programs Project CLASP Institute Awareness Programs]
* Training Modules / Conference Videos
+
* [https://www.owasp.org/index.php/Category:OWASP_Education_Project Education Projects]
* Application Security FAQ
+
* [https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series Appsec Training Videos]
* CLASP - Institute Security Awareness Program
+
* [https://www.owasp.org/index.php/Category:OWASP_Video Conference Videos]
 +
* [https://www.owasp.org/index.php/OWASP_Application_Security_FAQ Application Security FAQs]
 
|-
 
|-
 
| valign="top" | Develop, articulate and implement continuity planning/disaster recovery
 
| valign="top" | Develop, articulate and implement continuity planning/disaster recovery
 
| valign="top" | Business Continuity / Disaster Recovery
 
| valign="top" | Business Continuity / Disaster Recovery
| valign="top" | Part IV - Addressing CISO's Application Security Functions"
+
| valign="top" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Addressing_CISO.27s_Application_Security_Functions III-3 "Addressing CISO's Application Security Functions"]
 
| valign="top" |  
 
| valign="top" |  
* -
+
* [https://www.owasp.org/index.php/Cloud-10_Business_Continuity_and_Resiliency Cloud Business Continuity and Resiliency]
 
|-
 
|-
 
| valign="top" | Investigate and analyse suspected and actual application security incidents and recommend corrective actions
 
| valign="top" | Investigate and analyse suspected and actual application security incidents and recommend corrective actions
| valign="top" | Incident Response
+
| valign="top" | Vulnerability Management & Incident Response
| valign="top" | Part I Section 1.4.6 "Addressing the Business Concerns after a Security Incident"
+
| valign="top" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Addressing_the_Business_Concerns_after_a_Security_Incident I-4 "Addressing the Business Concerns after a Security Incident"]
 
| valign="top" |  
 
| valign="top" |  
* .NET Incident Response
+
* [https://www.owasp.org/index.php/SAMM_-_Vulnerability_Management_-_1 SAMM Vulnerability Management]
* CLASP - Manage Security Issue Disclosure Process
+
* [https://www.owasp.org/index.php/Manage_security_issue_disclosure_process CLASP - Manage Security Issue Disclosure Process]
 +
* [https://www.owasp.org/index.php/.NET_Incident_Response .NET Incident Response]
 
|}
 
|}
  
 
[[Category:OWASP_Application_Security_Guide_For_CISO_Project]]
 
[[Category:OWASP_Application_Security_Guide_For_CISO_Project]]
 +
[[Category:OWASP CISO Survey Project]]

Latest revision as of 16:25, 6 February 2014

< Back to the Application Security Guide For CISOs


Appendix B: Quick Reference to OWASP Guides & Other Projects

This quick reference maps typical CISO's functions and information security domains to different sections of the OWASP' CISO Guide and relevant OWASP projects.

CISO Function Security Domain OWASP CISO Guide OWASP Projects
Develop and implement policies, standards and guidelines for application security Standards and Policies I-3 "Information Security Standards, Policies and Compliance"
Develop, implement and manage application security governance Governance III-3 "Application Security Governance, Risk and Compliance"
Develop and implement software security development and security testing processes Security Engineering Processes III-4 "Targeting Software Security Activities and S-SDLC Processes"

III-5 "How to Choose the Right OWASP Projects and Tools For Your Organization"

Develop, articulate and implement a risk management strategy for applications Risk Strategy

I-4 "Risk Management Strategies"

II "Criteria for Managing Application Security Risks"

III-4 "Security Strategy"

Work with executive management, business managers and internal audit and legal counsel to define application security requirements that can be verified and audited Audit & Compliance I-3 "Capturing Application Security Requirements"

III-3 "Addressing CISO's Application Security Functions"

Measure and monitor security and risks of application assets within the organization Risk Metrics & Monitoring IV "Selection of Metrics for Managing Risks & Application Security Investments"
Define, identify and assess the inherent security of critical application assets, assess the threats, vulnerabilities, business impacts and recommend countermeasures/corrective actions Risk Analysis & Management I-4 "Risk Management"

II "Criteria for Managing Application Security Risks"

Assess procurement of new application processes, services, technologies and security tools Procurement III-4 "Assess Risks before Procurement of Third Party Components"
Oversee the training on application security for development, operational and information security teams Security Training III-5 "People, Processes and Technology"
Develop, articulate and implement continuity planning/disaster recovery Business Continuity / Disaster Recovery III-3 "Addressing CISO's Application Security Functions"
Investigate and analyse suspected and actual application security incidents and recommend corrective actions Vulnerability Management & Incident Response I-4 "Addressing the Business Concerns after a Security Incident"