CISO AppSec Guide: Quick Reference to OWASP Guides & Projects

From OWASP
Revision as of 13:08, 6 November 2013 by Clerkendweller (Talk | contribs)

Jump to: navigation, search

< Back to the Application Security Guide For CISOs


Appendix B: Quick Reference to OWASP Guides & Other Projects

This quick reference maps typical CISO's functions and information security domains to different sections of the OWASP' CISO Guide and relevant OWASP projects.

CISO Function Security Domain OWASP CISO Guide OWASP Projects
Develop and implement policies, standards and guidelines for application security Standards and Policies I-3 "Information Security Standards, Policies and Compliance"
Develop, implement and manage application security governance Governance III-3 "Application Security Governance, Risk and Compliance"
Develop and implement software security development and security testing processes Security Engineering Processes III-4 "Targeting Software Security Activities and S-SDLC Processes"

III-5 "How to Choose the Right OWASP Projects and Tools For Your Organization"

Develop, articulate and implement a risk management strategy for applications Risk Strategy

I-4 "Risk Management Strategies"

II "Criteria for Managing Application Security Risks"

III-4 "Security Strategy"

Work with executive management, business managers and internal audit and legal counsel to define application security requirements that can be verified and audited Audit & Compliance I-3 "Capturing Application Security Requirements"

III-3 "Addressing CISO's Application Security Functions"

Measure and monitor security and risks of application assets within the organization Risk Metrics & Monitoring IV "Selection of Metrics for Managing Risks & Application Security Investments"
Define, identify and assess the inherent security of critical application assets, assess the threats, vulnerabilities, business impacts and recommend countermeasures/corrective actions Risk Analysis & Management I-4 "Risk Management"

II "Criteria for Managing Application Security Risks"

Assess procurement of new application processes, services, technologies and security tools Procurement Part III - Section 1.4.2.1 "Assess Risks before Procurement of Third Party Components"
Oversee the training on application security for development, operational and information security teams Security Training Part III- Section 1.5.3 "People, Processes and Technology"
Develop, articulate and implement continuity planning/disaster recovery Business Continuity / Disaster Recovery Part IV - Addressing CISO's Application Security Functions"
Investigate and analyse suspected and actual application security incidents and recommend corrective actions Vulnerability Management & Incident Response Part I Section 1.4.6 "Addressing the Business Concerns after a Security Incident"