Difference between revisions of "CISO AppSec Guide: Quick Reference to OWASP Guides & Projects"

From OWASP
Jump to: navigation, search
Line 48: Line 48:
 
| valign="top" |  
 
| valign="top" |  
 
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Risk_Management_Strategies Part I - Section 1.4.4 "Risk Management Strategies"]
 
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Risk_Management_Strategies Part I - Section 1.4.4 "Risk Management Strategies"]
 
 
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks#Part_II:_Criteria_for_Managing_Application_Security_Risks Part II - "Criteria for Managing Application Security Risks"]
 
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks#Part_II:_Criteria_for_Managing_Application_Security_Risks Part II - "Criteria for Managing Application Security Risks"]
 +
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Security_Strategy Part III- Section 1.4.5 "Security Strategy"]
 
| valign="top" |  
 
| valign="top" |  
 
* [https://www.owasp.org/index.php/SAMM_-_Strategy_&_Metrics_-_1 SAMM - Strategy & Metrics]
 
* [https://www.owasp.org/index.php/SAMM_-_Strategy_&_Metrics_-_1 SAMM - Strategy & Metrics]

Revision as of 03:34, 3 November 2013

< Back to the Application Security Guide For CISOs

Appendix B: Quick Reference to OWASP Guides & Projects

This quick reference maps typical CISO's functions and information security domains to different sections of the OWASP' CISO Guide and relevant OWASP projects.

CISO Function Security Domain OWASP CISO Guide OWASP Projects
Develop and implement policies, standards and guidelines for application security Standards and Policies Part I - Section 1.3 "Information Security Standards, Policies and Compliance"
Develop, implement and manage application security governance Governance Part III - Section 1.3.1 "Application Security Governance, Risk and Compliance"
Develop and implement software security development and security testing processes Security Engineering Processes Part III - Section 1.4 "Targeting Software Security Activities and S-SDLC Processes"

Part III - Section 1.5 "How to Choose the Right OWASP Projects and Tools For Your Organization"

Develop, articulate and implement a risk management strategy for applications Risk Strategy

Part I - Section 1.4.4 "Risk Management Strategies" Part II - "Criteria for Managing Application Security Risks" Part III- Section 1.4.5 "Security Strategy"

Work with executive management, business managers and internal audit and legal counsel to define application security requirements that can be verified and audited Audit & Compliance Part I - Section 1.3.2 "Capturing Application Security Requirements"

Part III - Section 1.3 "Addressing CISO's Application Security Functions"

Measure and monitor security and risks of application assets within the organization Risk Metrics & Monitoring Part IV - "Selection of Metrics for Managing Risks & Application Security Investments"
Define, identify and assess the inherent security of critical application assets, assess the threats, vulnerabilities, business impacts and recommend countermeasurers/corrective actions Risk Analysis & Management Part I - Section 1.4 "Risk Management"

Part II Criteria for Managing Application Security Risks

Assess procurement of new application processes, services, technologies and security tools Procurement [Part III - Section 1.4.2.1 "Assess Risks before Procurement of Third Party Components"
Oversee the training on application security for development, operational and information security teams Security Training Part III- Section 1.5.3 "People, Processes and Technology"
Develop, articulate and implement continuity planning/disaster recovery Business Continuity / Disaster Recovery Part IV - Addressing CISO's Application Security Functions"
Investigate and analyse suspected and actual application security incidents and recommend corrective actions Vulnerability Management & Incident Response Part I Section 1.4.6 "Addressing the Business Concerns after a Security Incident"