This cheat sheet for CISOs is intended for an executive audience and for application security program assessors. It contains a list / taxonomy of application security program weaknesses that is intended to be built out over time, similar in presentation and content to MITRE's CWE for software weaknesses. The list of weaknesses is called the OWASP Common Program Weakness Enumeration (CPWE) and spans topics having to do with both (1) institutionalization of an application security program and (2) systems development touch points. One example use case is an organization having a SAMM or BSIMM assessment done, with the findings mapped to CPWE, much as one can generally configure assessment tools to map findings to CWE or the Top Ten, so that results can be compared apples to apples regardless of whether SAMM, BSIMM, or some other framework was used. Long-term goals may include creating an OWASP CISO Top Ten project that draws from the CPWE as its input, as a sort of brass ring for an OWASP CISO "guide".
Common Program Weakness Enumeration
The CPWE dictionary is below. Its presentation builds upon conventions used in the MITRE CWE project for consistency.
Draft working notes for the initial set of entries (initial pass, then e.g. make a pass through sp; some top-level generic entries using sp, 5 generic). Entries that combine alternatives with "or" are to be split into separate entries. Candidate entries:
- missing or inadequate implementation phase activities
- risky or dangerous vendor service
- risky or dangerous application or service integration
- missing policy
- missing standards
- missing systems development activity
- missing systems development gate
- failure to track compliance activities
- failure to track security bugs
- failure to protect source code from theft
- missing or inadequate developer training
- no reusable common security control libraries
- no secure coding standards
- no minimum lifecycle activities
- failure to address implicit contractual or regulatory requirements
- failure to address explicit contractual or regulatory requirements
- inappropriate or inadequate secure development lifecycle activity
- portfolio posture blindness
- application posture blindness
- potentially material event (add ref to draft guidance)
Each CPWE entry is presented with the following fields:
- Description Summary
- Extended Description
- Time of Introduction
- Modes of Introduction
- Common Consequences
- Potential Mitigations, by NIST SP 800-64 system development life cycle phase:
  - Initiation Phase: ...
  - Development/Acquisition Phase: ...
  - Implementation/Assessment Phase: ...
  - Operations & Maintenance Phase: ...
  - Disposal Phase: ...
- Related references and mappings to other frameworks:
  - NIST SP 800-64, ...
  - OWASP OpenSAMM, ...
  - BSIMM, ...
  - DISA ASD STIG, APPxxxx
Authors and Primary Editors
Mike Boberski - boberski_michael [at] bah.com