Revision as of 20:41, 29 August 2012 by Mike.boberski (Talk | contribs)



This OWASP cheat sheet for CISOs is intended for an executive audience and for application security program assessors. It contains a list, or taxonomy, of application security program weaknesses that is intended to be built out over time, similar to MITRE's CWE for software weaknesses. This list of program (not software) weaknesses is called the Common Program Weakness Enumeration (CPWE) and spans topics having to do with (1) institutionalization of an application security program and (2) systems development touch points. One example use case is an organization having a SAMM or BSIMM assessment done, with the findings mapped to CPWE, in the same way that software vulnerability assessment tools can generally be configured to map their findings to CWE or the OWASP Top Ten; this allows apples-to-apples comparison regardless of whether SAMM, BSIMM, or some other framework was used. Long-term goals potentially include creating an OWASP CISO Top Ten project that draws from the CPWE as its input, as a sort of brass ring for an OWASP CISO "guide".

Common Program Weakness Enumeration

The comprehensive CPWE dictionary is below. Its presentation builds upon conventions used in the MITRE CWE project for consistency.

Working notes for the initial entries (make a pass through sp first, then add some top-level generic entries using sp, about 5 generic ones, e.g.):

  • missing or inadequate implementation phase activities
  • risky or dangerous vendor service
  • risky or dangerous application or service integration (split all these 'ors' into separate entries)
  • missing policy
  • missing standards
  • missing systems development activity
  • missing systems development gate
  • failure to track compliance activities
  • failure to track security bugs
  • failure to protect source code from theft
  • missing or inadequate developer training
  • no reusable common security control libraries
  • no secure coding standards
  • no minimum lifecycle activities
  • failure to address implicit contractual or regulatory requirements
  • failure to address explicit contractual or regulatory requirements
  • inappropriate or inadequate secure development lifecycle activity
  • portfolio posture blindness
  • application posture blindness
  • potentially material event (add ref to draft guidance)

CPWE-xx: ...

  • Description
    • Description Summary
    • Extended Description
  • Severity?????????
  • Time of Introduction
  • Modes of Introduction
  • Common Consequences
  • Potential Mitigations
    • Initiation Phase: ...
    • Development/Acquisition Phase: ...
    • Implementation/Assessment Phase: ...
    • Operations & Maintenance Phase: ...
    • Disposal Phase: ...
  • References
    • NIST SP 800-64, ...
    • OWASP OpenSAMM, ...
    • BSIMM, ...
    • DISA ASD STIG, APPxxxx

CPWE-xx: ...

CPWE-xx: ...

Authors and Primary Editors

Mike Boberski - boberski_michael [at] bah.com
