Difference between revisions of "CISO AppSec Guide: Quick Reference to OWASP Guides & Projects"

 
(20 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
[[Application Security Guide For CISOs|< Back to the Application Security Guide For CISOs]]
 
[[Application Security Guide For CISOs|< Back to the Application Security Guide For CISOs]]
  
==Appendix B: Quick Reference to OWASP Guides & Projects ==
+
__NOTOC__
  
This quick reference maps typical CISO's functions and information security domains to different sections of the OWASP' CISO Guide and relevant OWASP projects.
+
=Appendix B: Quick Reference to OWASP Guides & Other Projects =
  
To do:
+
This quick reference maps typical CISO's functions and information security domains to different sections of the OWASP' CISO Guide and relevant OWASP projects.
* Check cross-references back to other parts of guie and add links/anchors
+
* Check for other OWASP projects
+
  
 
{| class="prettytable FCK__ShowTableBorders" align="top"
 
{| class="prettytable FCK__ShowTableBorders" align="top"
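Review bot: the intro sentence kept in the new revision ("This quick reference maps typical CISO's functions ... of the OWASP' CISO Guide") still carries a stray apostrophe after "OWASP" and a possessive on "CISO's"; it should read "maps typical CISO functions and information security domains to different sections of the OWASP CISO Guide". The rendered page repeats the same sentence, so the fix belongs here in the source.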
Line 18: Line 16:
 
| valign="top" width="25%" | Develop and implement policies, standards and guidelines for application security
 
| valign="top" width="25%" | Develop and implement policies, standards and guidelines for application security
 
| valign="top" width="10%" | Standards and Policies
 
| valign="top" width="10%" | Standards and Policies
| valign="top" width="40%" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Information_Security_Standards.2C_Policies_and_Compliance Part I - Section 1.3 "Information Security Standards, Policies and Compliance"]
+
| valign="top" width="40%" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Information_Security_Standards.2C_Policies_and_Compliance I-3 "Information Security Standards, Policies and Compliance"]
 
| valign="top" width="25%" |  
 
| valign="top" width="25%" |  
* [https://www.owasp.org/index.php/Policy_Frameworks OWASP Development Guide - Policy Frameworks]
+
* [https://www.owasp.org/index.php/Policy_Frameworks Development Guide - Policy Frameworks]
* [https://www.owasp.org/index.php/Identify_global_security_policy CLASP - Identify Global Security Policy]
+
* [https://www.owasp.org/index.php/Identify_global_security_policy Project CLASP - Identify Global Security Policy]
* [https://www.owasp.org/index.php/SAMM_-_Policy_&_Compliance_-_1 SAMM - Policy & Compliance]
+
* [https://www.owasp.org/index.php/SAMM_-_Policy_&_Compliance_-_1 Project SAMM - Policy & Compliance]
* [https://www.owasp.org/index.php/Code_Reviews_and_Compliance Code Review - Code Reviews and Compliance]
+
* [https://www.owasp.org/index.php/Code_Reviews_and_Compliance Code Review Guide - Code Reviews and Compliance]
 
|-
 
|-
 
| valign="top" | Develop, implement and manage application security governance
 
| valign="top" | Develop, implement and manage application security governance
 
| valign="top" | Governance
 
| valign="top" | Governance
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Application_Security_Governance.2C_Risk_and_Compliance Part III - Section 1.3.1 "Application Security Governance, Risk and Compliance"]
+
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Application_Security_Governance.2C_Risk_and_Compliance III-3 "Application Security Governance, Risk and Compliance"]
 
| valign="top" |  
 
| valign="top" |  
* [https://www.owasp.org/index.php/SAMM_-_Governance SAMM - Governance]
+
* [https://www.owasp.org/index.php/SAMM_-_Governance Project SAMM - Governance]
* [https://www.owasp.org/index.php/How_to_write_verifier_job_requisition How to Write Job Requisitions]
+
* [https://www.owasp.org/index.php/How_to_write_verifier_job_requisition Project ASVS - How to Write Job Requisitions]
 
|-
 
|-
 
| valign="top" | Develop and implement software security development and security testing processes
 
| valign="top" | Develop and implement software security development and security testing processes
 
| valign="top" | Security Engineering Processes
 
| valign="top" | Security Engineering Processes
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Targeting_Software_Security_Activities_and_S-SDLC_Processes Part III - Section 1.4 "Targeting Software Security Activities and S-SDLC Processes"]
+
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Targeting_Software_Security_Activities_and_S-SDLC_Processes III-4 "Targeting Software Security Activities and S-SDLC Processes"]
  
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#How_to_Choose_the_Right_OWASP_Projects_and_Tools_For_Your_Organization Part III - Section 1.5 "How to Choose the Right OWASP Projects and Tools For Your Organization"]
+
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#How_to_Choose_the_Right_OWASP_Projects_and_Tools_For_Your_Organization III-5 "How to Choose the Right OWASP Projects and Tools For Your Organization"]
 
| valign="top" |  
 
| valign="top" |  
 
* [https://www.owasp.org/index.php/Category:OWASP_Guide_Project Development Guide]
 
* [https://www.owasp.org/index.php/Category:OWASP_Guide_Project Development Guide]
Line 44: Line 42:
 
* [https://buildsecurityin.us-cert.gov/articles/best-practices/requirements-engineering/introduction-to-the-clasp-process Comprehensive Lightweight Application Security Process (CLASP) Introduction]
 
* [https://buildsecurityin.us-cert.gov/articles/best-practices/requirements-engineering/introduction-to-the-clasp-process Comprehensive Lightweight Application Security Process (CLASP) Introduction]
 
* [https://www.owasp.org/index.php/CLASP_Concepts CLASP Concepts]
 
* [https://www.owasp.org/index.php/CLASP_Concepts CLASP Concepts]
* [http://www.opensamm.org/ Software Assurance Maturity Model(SAMM)]
+
* [http://www.opensamm.org/ Software Assurance Maturity Model (SAMM)]
* [https://www.owasp.org/index.php/Appendix_A:_Testing_Tools Testing Tools]
+
* [https://www.owasp.org/index.php/Appendix_A:_Testing_Tools Testing Guide - Tools]
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project Application Security Verification Standard Project]
+
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project Project Application Security Verification Standard Project (ASVS)]
 
|-
 
|-
 
| valign="top" | Develop, articulate and implement a risk management strategy for applications
 
| valign="top" | Develop, articulate and implement a risk management strategy for applications
 
| valign="top" | Risk Strategy
 
| valign="top" | Risk Strategy
 
| valign="top" |  
 
| valign="top" |  
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Risk_Management_Strategies Part I - Section 1.4.4 "Risk Management Strategies"]
+
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Risk_Management_Strategies I-4 "Risk Management Strategies"]
  
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks#Part_II:_Criteria_for_Managing_Application_Security_Risks Part II - "Criteria for Managing Application Security Risks"]
+
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks#Part_II:_Criteria_for_Managing_Application_Security_Risks II "Criteria for Managing Application Security Risks"]
 +
 
 +
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Security_Strategy III-4 "Security Strategy"]
 
| valign="top" |  
 
| valign="top" |  
 
* [https://www.owasp.org/index.php/SAMM_-_Strategy_&_Metrics_-_1 SAMM - Strategy & Metrics]
 
* [https://www.owasp.org/index.php/SAMM_-_Strategy_&_Metrics_-_1 SAMM - Strategy & Metrics]
* [https://www.owasp.org/index.php/Application_Threat_Modeling#Mitigation_Strategies Application Threat Modeling - Risk Mitigation Strategies]
+
* [https://www.owasp.org/index.php/Application_Threat_Modeling#Mitigation_Strategies Application Threat Modeling - Mitigation Strategies]
 
|-
 
|-
 
| valign="top" | Work with executive management, business managers and internal audit and legal counsel to define application security requirements that can be verified and audited
 
| valign="top" | Work with executive management, business managers and internal audit and legal counsel to define application security requirements that can be verified and audited
 
| valign="top" | Audit & Compliance
 
| valign="top" | Audit & Compliance
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Capturing_Application_Security_Requirements Part I - Section 1.3.2 "Capturing Application Security Requirements"]
+
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Capturing_Application_Security_Requirements I-3 "Capturing Application Security Requirements"]
  
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Addressing_CISO.27s_Application_Security_Functions Part III - Section 1.3 "Addressing CISO's Application Security Functions"]
+
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Addressing_CISO.27s_Application_Security_Functions III-3 "Addressing CISO's Application Security Functions"]
 
| valign="top" |  
 
| valign="top" |  
 
* [https://www.owasp.org/index.php/ASVS Application Security Verification Standards]
 
* [https://www.owasp.org/index.php/ASVS Application Security Verification Standards]
* [https://www.owasp.org/index.php/Category:BP3_Capture_security_requirements Capture Security Requirements]
+
* [https://www.owasp.org/index.php/Category:BP3_Capture_security_requirements CLASP - Capture Security Requirements]
 
* [https://www.owasp.org/index.php/SAMM_-_Security_Requirements_-_1 SAMM - Security Requirements]
 
* [https://www.owasp.org/index.php/SAMM_-_Security_Requirements_-_1 SAMM - Security Requirements]
 
* [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Requirements_Test_Derivation Testing Guide - Security Requirements Test Derivation]
 
* [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Requirements_Test_Derivation Testing Guide - Security Requirements Test Derivation]
* [https://www.owasp.org/index.php/OWASP_Cornucopia OWASP Cornucopia]
+
* [https://www.owasp.org/index.php/OWASP_Cornucopia Project Cornucopia]
* [https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex Legal - Secure Software Contract Annex]
+
* [https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex Project Secure Software Contract Annex]
 
|-
 
|-
 
| valign="top" | Measure and monitor security and risks of application assets within the organization
 
| valign="top" | Measure and monitor security and risks of application assets within the organization
 
| valign="top" | Risk Metrics & Monitoring
 
| valign="top" | Risk Metrics & Monitoring
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Metrics_For_Managing_Risks_%26_Application_Security_Investments. Part IV - "Selection of Metrics for Managing Risks & Application Security Investments"]
+
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Metrics_For_Managing_Risks_%26_Application_Security_Investments. IV "Selection of Metrics for Managing Risks & Application Security Investments"]
 
|  
 
|  
* [https://www.owasp.org/index.php/Types_of_application_security_metrics Types of Application Security Metrics]
 
 
* [https://www.owasp.org/index.php/Category:BP6_Define_and_monitor_metrics CLASP - Define and Monitor Metrics]
 
* [https://www.owasp.org/index.php/Category:BP6_Define_and_monitor_metrics CLASP - Define and Monitor Metrics]
* [https://www.owasp.org/index.php/SAMM_-_Strategy_&_Metrics_-_1 SAMM Strategy & Metrics]
+
* [https://www.owasp.org/index.php/SAMM_-_Strategy_&_Metrics_-_1 SAMM - Strategy & Metrics]
 +
* [https://www.owasp.org/index.php/Types_of_application_security_metrics Types of Application Security Metrics]
 
|-
 
|-
| valign="top" | Define, identify and assess the inherent security of critical application assets, assess the threats, vulnerabilities, business impacts and recommend countermeasurers/corrective actions
+
| valign="top" | Define, identify and assess the inherent security of critical application assets, assess the threats, vulnerabilities, business impacts and recommend countermeasures/corrective actions
 
| valign="top" | Risk Analysis & Management
 
| valign="top" | Risk Analysis & Management
| valign="top" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Risk_Management Part I - Section 1.4 "Risk Management"]
+
| valign="top" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Risk_Management I-4 "Risk Management"]
  
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks#Part_II:_Criteria_for_Managing_Application_Security_Risks Part II Criteria for Managing Application Security Risks]  
+
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks#Part_II:_Criteria_for_Managing_Application_Security_Risks II "Criteria for Managing Application Security Risks"]  
 
|   
 
|   
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project Top Ten Web Application Risks]
+
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project Project Top Ten Web Application Risks]
* [https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks Top Ten Mobile Application Risks]
+
* [https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks Project Top Ten Mobile Application Risks]
* [https://www.owasp.org/index.php/OWASP_Cloud_%E2%80%90_10/Initial_Pre-Alpha_List_of_OWASP_Cloud_Top_10_Security_Risks Top Ten Cloud Risks]
+
* [https://www.owasp.org/index.php/OWASP_Cloud_%E2%80%90_10/Initial_Pre-Alpha_List_of_OWASP_Cloud_Top_10_Security_Risks Project Top Ten Cloud Risks]
* [https://www.owasp.org/index.php/How_to_bootstrap_the_NIST_risk_management_framework_with_verification_activities Implementation of NIST Risk Management Verification Activities]
+
* [https://www.owasp.org/index.php/How_to_bootstrap_the_NIST_risk_management_framework_with_verification_activities ASVS - Implementation of NIST Risk Management Verification Activities]
 
* [https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology Risk Rating Methodology]
 
* [https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology Risk Rating Methodology]
 
* [https://www.owasp.org/index.php/Threat_Risk_Modeling Threat Risk Modelling]
 
* [https://www.owasp.org/index.php/Threat_Risk_Modeling Threat Risk Modelling]
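Review bot: the new reference labels drop the subsection numbers, so one label now names several different targets: in this hunk I-4 is used both for #Risk_Management_Strategies ("Risk Management Strategies") and for #Risk_Management ("Risk Management"), whereas the old text distinguished them as Section 1.4.4 and Section 1.4. Either keep the subsection number in the label (I-4.4 versus I-4) or make sure every reference carries its quoted title, so that label plus title always identifies exactly one section.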
Line 95: Line 95:
 
| valign="top" | Assess procurement of new application processes, services, technologies and security tools
 
| valign="top" | Assess procurement of new application processes, services, technologies and security tools
 
| valign="top" | Procurement
 
| valign="top" | Procurement
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Assess_Risks_before_Procurement_of_Third_Party_Components[Part III - Section 1.4.2.1 "Assess Risks before Procurement of Third Party Components"]
+
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Assess_Risks_before_Procurement_of_Third_Party_Components III-4 "Assess Risks before Procurement of Third Party Components"]
 
| valign="top" |  
 
| valign="top" |  
* [https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex Secure Software Contract Annex]
+
* [https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex Project Secure Software Contract Annex]
* [https://www.owasp.org/index.php/How_to_specify_verification_requirements_in_contracts Verification of Contract Requirements]
+
* [https://www.owasp.org/index.php/How_to_specify_verification_requirements_in_contracts ASVS - Verification of Contract Requirements]
 
|-
 
|-
 
| valign="top" | Oversee the training on application security for development, operational and information security teams
 
| valign="top" | Oversee the training on application security for development, operational and information security teams
 
| valign="top" | Security Training
 
| valign="top" | Security Training
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#People.2C_Processes_and_Technology Part III- Section 1.5.3 "People, Processes and Technology"]
+
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#People.2C_Processes_and_Technology III-5 "People, Processes and Technology"]
 
|  
 
|  
* [https://www.owasp.org/index.php/Category:BP1_Institute_awareness_programs]
+
* [https://www.owasp.org/index.php/Category:BP1_Institute_awareness_programs Project CLASP Institute Awareness Programs]
 
* [https://www.owasp.org/index.php/Category:OWASP_Education_Project Education Projects]
 
* [https://www.owasp.org/index.php/Category:OWASP_Education_Project Education Projects]
 
* [https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series Appsec Training Videos]
 
* [https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series Appsec Training Videos]
 
* [https://www.owasp.org/index.php/Category:OWASP_Video Conference Videos]
 
* [https://www.owasp.org/index.php/Category:OWASP_Video Conference Videos]
 
* [https://www.owasp.org/index.php/OWASP_Application_Security_FAQ Application Security FAQs]
 
* [https://www.owasp.org/index.php/OWASP_Application_Security_FAQ Application Security FAQs]
* [https://www.owasp.org/index.php/Institute_security_awareness_program CLASP - Institute Security Awareness Program]
 
 
|-
 
|-
 
| valign="top" | Develop, articulate and implement continuity planning/disaster recovery
 
| valign="top" | Develop, articulate and implement continuity planning/disaster recovery
 
| valign="top" | Business Continuity / Disaster Recovery
 
| valign="top" | Business Continuity / Disaster Recovery
| valign="top" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Addressing_CISO.27s_Application_Security_Functions Part IV - Addressing CISO's Application Security Functions"]
+
| valign="top" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Addressing_CISO.27s_Application_Security_Functions III-3 "Addressing CISO's Application Security Functions"]
 
| valign="top" |  
 
| valign="top" |  
 
* [https://www.owasp.org/index.php/Cloud-10_Business_Continuity_and_Resiliency Cloud Business Continuity and Resiliency]
 
* [https://www.owasp.org/index.php/Cloud-10_Business_Continuity_and_Resiliency Cloud Business Continuity and Resiliency]
 
|-
 
|-
 
| valign="top" | Investigate and analyse suspected and actual application security incidents and recommend corrective actions
 
| valign="top" | Investigate and analyse suspected and actual application security incidents and recommend corrective actions
| valign="top" | Incident Response
+
| valign="top" | Vulnerability Management & Incident Response
| valign="top" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Addressing_the_Business_Concerns_after_a_Security_Incident Part I Section 1.4.6 "Addressing the Business Concerns after a Security Incident"]
+
| valign="top" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Addressing_the_Business_Concerns_after_a_Security_Incident I-4 "Addressing the Business Concerns after a Security Incident"]
 
| valign="top" |  
 
| valign="top" |  
* [https://www.owasp.org/index.php/.NET_Incident_Response .NET Incident Response]
+
* [https://www.owasp.org/index.php/SAMM_-_Vulnerability_Management_-_1 SAMM Vulnerability Management]
 
* [https://www.owasp.org/index.php/Manage_security_issue_disclosure_process CLASP - Manage Security Issue Disclosure Process]
 
* [https://www.owasp.org/index.php/Manage_security_issue_disclosure_process CLASP - Manage Security Issue Disclosure Process]
 +
* [https://www.owasp.org/index.php/.NET_Incident_Response .NET Incident Response]
 
|}
 
|}
  
 
[[Category:OWASP_Application_Security_Guide_For_CISO_Project]]
 
[[Category:OWASP_Application_Security_Guide_For_CISO_Project]]
 +
[[Category:OWASP CISO Survey Project]]
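Review bot: the Security Training cell now lists two CLASP awareness entries with inconsistent labels: the newly labelled "Project CLASP Institute Awareness Programs" (Category:BP1_Institute_awareness_programs) and the existing "CLASP - Institute Security Awareness Program" (Institute_security_awareness_program). Use the same "CLASP - ..." form used elsewhere in the table for both, or drop one of them if they are meant to be the same entry. The same applies to the Incident Response cell, where "SAMM Vulnerability Management" lacks the "SAMM - " separator used by the other SAMM links.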

Latest revision as of 16:25, 6 February 2014



Appendix B: Quick Reference to OWASP Guides & Other Projects

This quick reference maps typical CISO functions and information security domains to the relevant sections of the OWASP CISO Guide and to related OWASP projects.

{| class="prettytable"
! CISO Function !! Security Domain !! OWASP CISO Guide !! OWASP Projects
|-
| Develop and implement policies, standards and guidelines for application security
| Standards and Policies
| I-3 "Information Security Standards, Policies and Compliance"
|
* Development Guide - Policy Frameworks
* Project CLASP - Identify Global Security Policy
* Project SAMM - Policy & Compliance
* Code Review Guide - Code Reviews and Compliance
|-
| Develop, implement and manage application security governance
| Governance
| III-3 "Application Security Governance, Risk and Compliance"
|
* Project SAMM - Governance
* Project ASVS - How to Write Job Requisitions
|-
| Develop and implement software security development and security testing processes
| Security Engineering Processes
| III-4 "Targeting Software Security Activities and S-SDLC Processes"

III-5 "How to Choose the Right OWASP Projects and Tools For Your Organization"
|
* Development Guide
* Comprehensive Lightweight Application Security Process (CLASP) Introduction
* CLASP Concepts
* Software Assurance Maturity Model (SAMM)
* Testing Guide - Tools
* Project Application Security Verification Standard Project (ASVS)
|-
| Develop, articulate and implement a risk management strategy for applications
| Risk Strategy
| I-4 "Risk Management Strategies"

II "Criteria for Managing Application Security Risks"

III-4 "Security Strategy"
|
* SAMM - Strategy & Metrics
* Application Threat Modeling - Mitigation Strategies
|-
| Work with executive management, business managers and internal audit and legal counsel to define application security requirements that can be verified and audited
| Audit & Compliance
| I-3 "Capturing Application Security Requirements"

III-3 "Addressing CISO's Application Security Functions"
|
* Application Security Verification Standards
* CLASP - Capture Security Requirements
* SAMM - Security Requirements
* Testing Guide - Security Requirements Test Derivation
* Project Cornucopia
* Project Secure Software Contract Annex
|-
| Measure and monitor security and risks of application assets within the organization
| Risk Metrics & Monitoring
| IV "Selection of Metrics for Managing Risks & Application Security Investments"
|
* CLASP - Define and Monitor Metrics
* SAMM - Strategy & Metrics
* Types of Application Security Metrics
|-
| Define, identify and assess the inherent security of critical application assets, assess the threats, vulnerabilities, business impacts and recommend countermeasures/corrective actions
| Risk Analysis & Management
| I-4 "Risk Management"

II "Criteria for Managing Application Security Risks"
|
* Project Top Ten Web Application Risks
* Project Top Ten Mobile Application Risks
* Project Top Ten Cloud Risks
* ASVS - Implementation of NIST Risk Management Verification Activities
* Risk Rating Methodology
* Threat Risk Modelling
|-
| Assess procurement of new application processes, services, technologies and security tools
| Procurement
| III-4 "Assess Risks before Procurement of Third Party Components"
|
* Project Secure Software Contract Annex
* ASVS - Verification of Contract Requirements
|-
| Oversee the training on application security for development, operational and information security teams
| Security Training
| III-5 "People, Processes and Technology"
|
* Project CLASP Institute Awareness Programs
* Education Projects
* Appsec Training Videos
* Conference Videos
* Application Security FAQs
* CLASP - Institute Security Awareness Program
|-
| Develop, articulate and implement continuity planning/disaster recovery
| Business Continuity / Disaster Recovery
| III-3 "Addressing CISO's Application Security Functions"
|
* Cloud Business Continuity and Resiliency
|-
| Investigate and analyse suspected and actual application security incidents and recommend corrective actions
| Vulnerability Management & Incident Response
| I-4 "Addressing the Business Concerns after a Security Incident"
|
* SAMM Vulnerability Management
* CLASP - Manage Security Issue Disclosure Process
* .NET Incident Response
|}