OWASP - User contributions [en]

Application Security Program Quick Start Guide

2018-03-27T23:15:51Z

Gabrielgumbs: /* Audience */

__NOTOC__

{| width="100%" cellspacing="0" cellpadding="10"
|- valign="top"
| width="70%" style="background:#d9e9f9" |

= The Application Security Program Quick Start Guide =

=== Preface ===

This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program. The intended goal of the AppSec program is to implement measures throughout the code’s life-cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.

The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but limited to:
#The number of vulnerabilities present in an application
#The time to fix vulnerabilities
#The remediation rate of vulnerabilities
#The time vulnerabilities remain open

The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas.

=== Audience ===
The intended audience of this document is anyone from security engineers, developers, product managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions (and examples of answers) that should be asked by those who are in accountable for the application security program in your organization, along with those responsible for managing the risk of the entire organization.

== [[Day 1]] ==
''''' Key Activities: '''''
*[[Day_1#Management|Management]]
*[[Day_1#Security|Security]]
*[[Day_1#IT Operations|IT Operations]]
*[[Day_1#Engineering Groups|Engineering Groups]]

== [[Day 2]] ==
''''' Key Activities: '''''
*[[Day_2#Asset Discovery|Asset Discovery]]
*[[Day_2#Asset Risk Prioritization|Asset Risk Prioritization]]
*[[Day_2#Communication Plan|Communication Plan]]

== [[Day 3]] ==
''''' Key Activities: '''''
*[[Day_3#Vulnerability Assessments|Vulnerability Assessments]]
*[[Day_3#Vulnerability Delivery|Vulnerability Delivery]]

== [[Day 4]] ==
''''' Key Activities: '''''
*[[Day_4#Measured Metrics|Measured Metrics]]

== [[Day 5]] ==
''''' Key activities: '''''
*[[Day_5#Compensating Controls|Compensating Controls]]
*[[Day_5#Mitigating Controls|Mitigating Controls]]
*[[Day_5#Remediation Prioritization|Remediation Prioritization]]

== Conclusion ==
Setting up an effective application security program does require commitment from all elements of the business, and a clear understanding of what resources need to be protected and what level of risk is acceptable. However, given that information, setting up an application security program need not be confusing, difficult, or complex. The keys to success involve planning, making key financial decisions, ensuring all roles and responsibilities are clearly assigned and that all stakeholders within the organization know what to expect.

== Licensing ==

The OWASP Application Security Program Quick Start Guide is free to use. It is licensed under the [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license].
You are free to:
*Share — copy and redistribute the material in any medium or format
*Adapt — remix, transform, and build upon the material for non-commercial use

The licensor cannot revoke these freedoms as long as you follow the license terms.

| width="100" style="max-height:200px;overflow:hidden;background:#fff;margin:0;padding:0;" cellpadding="0" |

| width="30%" style="background:#eeeeee" |

=Credits =

== Project lead and authors ==

* [https://twitter.com/GabrielGumbs Gabriel Gumbs]
* [https://twitter.com/jeremiahg Jeremiah Grossman]]
* [https://twitter.com/RSnake Robert Hansen]
* [https://twitter.com/jerryhoff Jerry Hoff]
* [https://twitter.com/mattjay Matt Johansen]

== Further Information ==
[https://lists.owasp.org/mailman/listinfo/owasp-application-security-program-quick-start-guide Project Mailing List]

== Application Security Program Quick Start Guide ==

The OWASP Application Security Program Quick Start Guide is also available as
*[https://www.owasp.org/images/9/97/OWASP_Quick_Start_Guide_v.1.0.docx Word Document]
*[https://www.owasp.org/images/5/53/OWASP_Quick_Start_Guide.pdf Downloadable PDF]

For full information about the Application Security Program Quick Start Guide, including mailing list details, the forward plan, how to contribute, the project status, and alternative media, see the project page:
* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project The Application Security Program Quick Start Guide Project Page]

|}

Application Security Program Quick Start Guide

2018-03-27T23:15:06Z

Gabrielgumbs: /* Audience */

__NOTOC__

{| width="100%" cellspacing="0" cellpadding="10"
|- valign="top"
| width="70%" style="background:#d9e9f9" |

= The Application Security Program Quick Start Guide =

=== Preface ===

This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program. The intended goal of the AppSec program is to implement measures throughout the code’s life-cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.

The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but limited to:
#The number of vulnerabilities present in an application
#The time to fix vulnerabilities
#The remediation rate of vulnerabilities
#The time vulnerabilities remain open

The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas.

=== Audience ===
The intended audience of this document is anyone from security engineers, developers, product managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions (and examples of answers) that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.

== [[Day 1]] ==
''''' Key Activities: '''''
*[[Day_1#Management|Management]]
*[[Day_1#Security|Security]]
*[[Day_1#IT Operations|IT Operations]]
*[[Day_1#Engineering Groups|Engineering Groups]]

== [[Day 2]] ==
''''' Key Activities: '''''
*[[Day_2#Asset Discovery|Asset Discovery]]
*[[Day_2#Asset Risk Prioritization|Asset Risk Prioritization]]
*[[Day_2#Communication Plan|Communication Plan]]

== [[Day 3]] ==
''''' Key Activities: '''''
*[[Day_3#Vulnerability Assessments|Vulnerability Assessments]]
*[[Day_3#Vulnerability Delivery|Vulnerability Delivery]]

== [[Day 4]] ==
''''' Key Activities: '''''
*[[Day_4#Measured Metrics|Measured Metrics]]

== [[Day 5]] ==
''''' Key activities: '''''
*[[Day_5#Compensating Controls|Compensating Controls]]
*[[Day_5#Mitigating Controls|Mitigating Controls]]
*[[Day_5#Remediation Prioritization|Remediation Prioritization]]

== Conclusion ==
Setting up an effective application security program does require commitment from all elements of the business, and a clear understanding of what resources need to be protected and what level of risk is acceptable. However, given that information, setting up an application security program need not be confusing, difficult, or complex. The keys to success involve planning, making key financial decisions, ensuring all roles and responsibilities are clearly assigned and that all stakeholders within the organization know what to expect.

== Licensing ==

The OWASP Application Security Program Quick Start Guide is free to use. It is licensed under the [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license].
You are free to:
*Share — copy and redistribute the material in any medium or format
*Adapt — remix, transform, and build upon the material for non-commercial use

The licensor cannot revoke these freedoms as long as you follow the license terms.

| width="100" style="max-height:200px;overflow:hidden;background:#fff;margin:0;padding:0;" cellpadding="0" |

| width="30%" style="background:#eeeeee" |

=Credits =

== Project lead and authors ==

* [https://twitter.com/GabrielGumbs Gabriel Gumbs]
* [https://twitter.com/jeremiahg Jeremiah Grossman]]
* [https://twitter.com/RSnake Robert Hansen]
* [https://twitter.com/jerryhoff Jerry Hoff]
* [https://twitter.com/mattjay Matt Johansen]

== Further Information ==
[https://lists.owasp.org/mailman/listinfo/owasp-application-security-program-quick-start-guide Project Mailing List]

== Application Security Program Quick Start Guide ==

The OWASP Application Security Program Quick Start Guide is also available as
*[https://www.owasp.org/images/9/97/OWASP_Quick_Start_Guide_v.1.0.docx Word Document]
*[https://www.owasp.org/images/5/53/OWASP_Quick_Start_Guide.pdf Downloadable PDF]

For full information about the Application Security Program Quick Start Guide, including mailing list details, the forward plan, how to contribute, the project status, and alternative media, see the project page:
* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project The Application Security Program Quick Start Guide Project Page]

|}

Application Security Program Quick Start Guide

2018-03-27T23:13:11Z

Gabrielgumbs: /* Credits */

__NOTOC__

{| width="100%" cellspacing="0" cellpadding="10"
|- valign="top"
| width="70%" style="background:#d9e9f9" |

= The Application Security Program Quick Start Guide =

=== Preface ===

This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program. The intended goal of the AppSec program is to implement measures throughout the code’s life-cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.

The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but limited to:
#The number of vulnerabilities present in an application
#The time to fix vulnerabilities
#The remediation rate of vulnerabilities
#The time vulnerabilities remain open

The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas.

=== Audience ===
The intended audience of this document is anyone from security engineers, developers, product managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions and answers that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.

== [[Day 1]] ==
''''' Key Activities: '''''
*[[Day_1#Management|Management]]
*[[Day_1#Security|Security]]
*[[Day_1#IT Operations|IT Operations]]
*[[Day_1#Engineering Groups|Engineering Groups]]

== [[Day 2]] ==
''''' Key Activities: '''''
*[[Day_2#Asset Discovery|Asset Discovery]]
*[[Day_2#Asset Risk Prioritization|Asset Risk Prioritization]]
*[[Day_2#Communication Plan|Communication Plan]]

== [[Day 3]] ==
''''' Key Activities: '''''
*[[Day_3#Vulnerability Assessments|Vulnerability Assessments]]
*[[Day_3#Vulnerability Delivery|Vulnerability Delivery]]

== [[Day 4]] ==
''''' Key Activities: '''''
*[[Day_4#Measured Metrics|Measured Metrics]]

== [[Day 5]] ==
''''' Key activities: '''''
*[[Day_5#Compensating Controls|Compensating Controls]]
*[[Day_5#Mitigating Controls|Mitigating Controls]]
*[[Day_5#Remediation Prioritization|Remediation Prioritization]]

== Conclusion ==
Setting up an effective application security program does require commitment from all elements of the business, and a clear understanding of what resources need to be protected and what level of risk is acceptable. However, given that information, setting up an application security program need not be confusing, difficult, or complex. The keys to success involve planning, making key financial decisions, ensuring all roles and responsibilities are clearly assigned and that all stakeholders within the organization know what to expect.

== Licensing ==

The OWASP Application Security Program Quick Start Guide is free to use. It is licensed under the [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license].
You are free to:
*Share — copy and redistribute the material in any medium or format
*Adapt — remix, transform, and build upon the material for non-commercial use

The licensor cannot revoke these freedoms as long as you follow the license terms.

| width="100" style="max-height:200px;overflow:hidden;background:#fff;margin:0;padding:0;" cellpadding="0" |

| width="30%" style="background:#eeeeee" |

=Credits =

== Project lead and authors ==

* [https://twitter.com/GabrielGumbs Gabriel Gumbs]
* [https://twitter.com/jeremiahg Jeremiah Grossman]]
* [https://twitter.com/RSnake Robert Hansen]
* [https://twitter.com/jerryhoff Jerry Hoff]
* [https://twitter.com/mattjay Matt Johansen]

== Further Information ==
[https://lists.owasp.org/mailman/listinfo/owasp-application-security-program-quick-start-guide Project Mailing List]

== Application Security Program Quick Start Guide ==

The OWASP Application Security Program Quick Start Guide is also available as
*[https://www.owasp.org/images/9/97/OWASP_Quick_Start_Guide_v.1.0.docx Word Document]
*[https://www.owasp.org/images/5/53/OWASP_Quick_Start_Guide.pdf Downloadable PDF]

For full information about the Application Security Program Quick Start Guide, including mailing list details, the forward plan, how to contribute, the project status, and alternative media, see the project page:
* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project The Application Security Program Quick Start Guide Project Page]

|}

Application Security Program Quick Start Guide

2018-03-27T23:02:29Z

Gabrielgumbs: /* The Application Security Program Quick Start Guide */

__NOTOC__

{| width="100%" cellspacing="0" cellpadding="10"
|- valign="top"
| width="70%" style="background:#d9e9f9" |

= The Application Security Program Quick Start Guide =

=== Preface ===

This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program. The intended goal of the AppSec program is to implement measures throughout the code’s life-cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.

The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but limited to:
#The number of vulnerabilities present in an application
#The time to fix vulnerabilities
#The remediation rate of vulnerabilities
#The time vulnerabilities remain open

The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas.

=== Audience ===
The intended audience of this document is anyone from security engineers, developers, program managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions and answers that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.

== [[Day 1]] ==
''''' Key Activities: '''''
*[[Day_1#Management|Management]]
*[[Day_1#Security|Security]]
*[[Day_1#IT Operations|IT Operations]]
*[[Day_1#Engineering Groups|Engineering Groups]]

== [[Day 2]] ==
''''' Key Activities: '''''
*[[Day_2#Asset Discovery|Asset Discovery]]
*[[Day_2#Asset Risk Prioritization|Asset Risk Prioritization]]
*[[Day_2#Communication Plan|Communication Plan]]

== [[Day 3]] ==
''''' Key Activities: '''''
*[[Day_3#Vulnerability Assessments|Vulnerability Assessments]]
*[[Day_3#Vulnerability Delivery|Vulnerability Delivery]]

== [[Day 4]] ==
''''' Key Activities: '''''
*[[Day_4#Measured Metrics|Measured Metrics]]

== [[Day 5]] ==
''''' Key activities: '''''
*[[Day_5#Compensating Controls|Compensating Controls]]
*[[Day_5#Mitigating Controls|Mitigating Controls]]
*[[Day_5#Remediation Prioritization|Remediation Prioritization]]

== Conclusion ==
Setting up an effective application security program does require commitment from all elements of the business, and a clear understanding of what resources need to be protected and what level of risk is acceptable. However, given that information, setting up an application security program need not be confusing, difficult, or complex. The keys to success involve planning, making key financial decisions, ensuring all roles and responsibilities are clearly assigned and that all stakeholders within the organization know what to expect.

== Licensing ==

The OWASP Application Security Program Quick Start Guide is free to use. It is licensed under the [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license].
You are free to:
*Share — copy and redistribute the material in any medium or format
*Adapt — remix, transform, and build upon the material for non-commercial use

The licensor cannot revoke these freedoms as long as you follow the license terms.

| width="100" style="max-height:200px;overflow:hidden;background:#fff;margin:0;padding:0;" cellpadding="0" |

| width="30%" style="background:#eeeeee" |

=Credits =

== Project lead and authors ==

* [https://twitter.com/GabrielGumbs Gabriel Gumbs]
* [https://twitter.com/jeremiahg Jeremiah Grossman]]
* [https://twitter.com/RSnake Robert Hansen]
* [https://twitter.com/jerryhoff Jerry Hoff]
* [https://twitter.com/mattjay Matt Johansen]

== Further Information ==
[https://lists.owasp.org/mailman/listinfo/owasp-application-security-program-quick-start-guide Project Mailing List]

== Application Security Program Quick Start Guide ==

The OWASP Application Security Program Quick Start Guide is also available as
*[https://www.owasp.org/images/9/97/OWASP_Quick_Start_Guide_v.1.0.docx Word Document]
*[https://www.owasp.org/images/5/53/OWASP_Quick_Start_Guide.pdf Downloadable PDF]

For full information about the Application Security Program Quick Start Guide, including mailing list details, the forward plan, how to contribute, the project status, and alternative media, see the project page:
* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project The Application Security Program Quick Start Guide Project Page]

|}

Help Secure Owasp assests

2016-02-13T14:30:58Z

Gabrielgumbs:

=Draft=
This is a draft proposal, Noithing should be concluded until this is discussed by OWASP management and the Board

==Vendor Neutrality==
About the OWASP Foundation: The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. You'll find everything about OWASP linked from our wiki and current information on our OWASP Blog.

'''OWASP does not endorse or recommend any product or service This allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide.'''

https://www.owasp.org/index.php/Project_Sponsorship_Operational_Guidelines

==Goals==
Find volunteers/companies willing to help with a proactive security plan for protecting OWASP applications such as
* Wiki
* Mailman
* Any other OWASP publicly accessible assets

==Contributions==
This can be in the form of:

* Security assessment of OWASP web applications
* Pen testing
* Remediation and patching
* Coordinating and Assisting in Bug Bounty Program for OWASP (TBD)

===Sponsorship Barter deals Bug Bounty Management Services ===

Kelly SantaLucia, Josh Sokol and Claudia are leading this effort, Johanna as adviser (Bug Bounty for projects)

Goal: to find a Bug Bounty Management Services willing to sponsorship OWASP in barter deal contract

Details are still being discussed

Status:
* BugCrowd proposal==> In progress, Proposal received
* HackerOne ==> made contact , no proposal received yet

==Volunteers/Companies==
Please add your name here or contact Johanna Curiel or Claudia Aviles- Casanovas to add your name in case you have no access to the wiki

Set please the following info:
*Company/name volunteer
* Kind of contribution:
* Bug validation - [[user:Frank.catucci|Frank Catucci]]
* Bug/Researcher Disclosure and Coordination - [[user:Frank.catucci|Frank Catucci]] , [[user:Gabrielgumbs|Gabriel Gumbs]] ,
* Pen testing - [[user:cchamberland|CJ Chamberland]] and [[user:Frank.catucci|Frank Catucci]]
* UAT
* Patching wiki
* Patching mailman - [[user:achim|Achim]]

==Proposals==
This will be discussed during the Board meeting on February 17th 2016

Help Secure Owasp assests

2016-02-13T14:29:58Z

Gabrielgumbs:

=Draft=
This is a draft proposal, Noithing should be concluded until this is discussed by OWASP management and the Board

==Vendor Neutrality==
About the OWASP Foundation: The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. You'll find everything about OWASP linked from our wiki and current information on our OWASP Blog.

'''OWASP does not endorse or recommend any product or service This allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide.'''

https://www.owasp.org/index.php/Project_Sponsorship_Operational_Guidelines

==Goals==
Find volunteers/companies willing to help with a proactive security plan for protecting OWASP applications such as
* Wiki
* Mailman
* Any other OWASP publicly accessible assets

==Contributions==
This can be in the form of:

* Security assessment of OWASP web applications
* Pen testing
* Remediation and patching
* Coordinating and Assisting in Bug Bounty Program for OWASP (TBD)

===Sponsorship Barter deals Bug Bounty Management Services ===

Kelly SantaLucia, Josh Sokol and Claudia are leading this effort, Johanna as adviser (Bug Bounty for projects)

Goal: to find a Bug Bounty Management Services willing to sponsorship OWASP in barter deal contract

Details are still being discussed

Status:
* BugCrowd proposal==> In progress, Proposal received
* HackerOne ==> made contact , no proposal received yet

==Volunteers/Companies==
Please add your name here or contact Johanna Curiel or Claudia Aviles- Casanovas to add your name in case you have no access to the wiki

Set please the following info:
*Company/name volunteer
* Kind of contribution:
* Bug validation - [[user:Frank.catucci|Frank Catucci]]
* Bug/Researcher Disclosure and Coordination - [[user:Frank.catucci|Frank Catucci]] , [[user:GabrielGumbs|Gabriel Gumbs]] ,
* Pen testing - [[user:cchamberland|CJ Chamberland]] and [[user:Frank.catucci|Frank Catucci]]
* UAT
* Patching wiki
* Patching mailman - [[user:achim|Achim]]

==Proposals==
This will be discussed during the Board meeting on February 17th 2016

OWASP Application Security Program Quick Start Guide Project

2015-01-06T20:22:23Z

Gabrielgumbs: /* Core Content */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>


{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |



==The OWASP Application Security Program Quick Start Guide Project==



This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program . The intended goal of the AppSec program is to implement measures throughout the code's life-cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.

The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but not limited to:

*The number of vulnerabilities present in an application
*The time to fix vulnerabilities
*The remediation rate of vulnerabilities
*The time vulnerabilities remain open.

The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas.

==Audience==

The intended audience of this document is anyone from security engineers, developers, program managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions and answers that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.

==Licensing==

Creative Commons Attribution-NonCommercial-ShareAlike

==Project Sponsor==
The OWASP Application Security Program Quick Start Guide Project is sponsored by [https://whitehatsec.com/ WhiteHat Security Inc.].

[[File:WhiteHatSecurity-logo-small.png | link=https://whitehatsec.com/]]


| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Core Content ==

Broken out into non-calendar days. The guide prioritizes the activities needed to measure and improve the relative security of web applications under the same authority. Included are additional resources to the related task, such as asset management and security policies.

Table of Contents

*[[Day 1]] - Landscape Evaluation
*[[Day 2]] - Assets & Communication Plans
*[[Day 3]] - Assessments
*[[Day 4]] - Metrics
*[[Day 5]] - Controls & Prioritization

The complete TOC along with the HTML content can be found on the [https://www.owasp.org/index.php?title=Application_Security_Program_Quick_Start_Guide Project Page.].

== Presentation ==



Placeholder


== Project lead and authors ==

* [https://twitter.com/GabrielGumbs Gabriel Gumbs]
* [https://twitter.com/jeremiahg Jeremiah Grossman]]
* [https://twitter.com/RSnake Robert Hansen]
* [https://twitter.com/jerryhoff Jerry Hoff]
* [https://twitter.com/mattjay Matt Johansen]

== Related Projects ==









| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==



*[https://www.owasp.org/images/9/97/OWASP_Quick_Start_Guide_v.1.0.docx Word Document]
*[https://www.owasp.org/images/5/53/OWASP_Quick_Start_Guide.pdf Downloadable PDF]


== Project Mailing List ==
[https://lists.owasp.org/mailman/listinfo/owasp-application-security-program-quick-start-guide Project Mailing List]

== News and Events ==


Initial release pending

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:CC-BY-NC-SA-4.0.png|link=http://creativecommons.org/licenses/by-nc-sa/4.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=FAQs=



Many projects have "Frequently Asked Questions" documents or pages. However, the point of such a document is not the questions. ''The point of a document like this are the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously compose and post the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your projects 'Frequent Answers.'


==How can I participate in your project?==
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.

==If I am not a programmer can I participate in your project?==
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.

= Acknowledgements =

==Contributors==

The first contributors to the project were:

* [mailto:gabriel@rfc1122.com Gabriel Gumbs]
* [mailto:jeremiah@whitehatsec.com Jeremiah Grossman]
* [mailto:jerry.hoff@whitehatsec.com Jerry Hoff]
* [mailto:robert.hansen@whitehatsec.com Robert Hansen]
* [mailto:matt@whitehatsec.com Matt Johansen]

= Road Map and Getting Involved =

The roadmap will consists of updates to remain relevant with updated technologies and processes. The deliverable will be a 'living' wiki along with several PDF downloads.

=Project About=



This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says "OWASP_Example_Project". When in doubt, ask the OWASP Projects Manager.
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project


{{:Projects/OWASP_Example_Project_About_Page}}


__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Application Security Program Quick Start Guide Project

2015-01-06T20:21:15Z

Gabrielgumbs: /* Core Content */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>


{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |



==The OWASP Application Security Program Quick Start Guide Project==



This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program . The intended goal of the AppSec program is to implement measures throughout the code's life-cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.

The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but not limited to:

*The number of vulnerabilities present in an application
*The time to fix vulnerabilities
*The remediation rate of vulnerabilities
*The time vulnerabilities remain open.

The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas.

==Audience==

The intended audience of this document is anyone from security engineers, developers, program managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions and answers that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.

==Licensing==

Creative Commons Attribution-NonCommercial-ShareAlike

==Project Sponsor==
The OWASP Application Security Program Quick Start Guide Project is sponsored by [https://whitehatsec.com/ WhiteHat Security Inc.].

[[File:WhiteHatSecurity-logo-small.png | link=https://whitehatsec.com/]]


| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Core Content ==

Broken out into non-calendar days. The guide prioritizes the activities needed to measure and improve the relative security of web applications under the same authority. Included are additional resources to the related task, such as asset management and security policies.

Table of Contents

*[[Day 1]] - Landscape Evaluation
*Day 2 - Assets & Communication Plans
*Day 3 - Assessments
*Day 4 - Metrics
*Day 5 - Controls & Prioritization

The complete TOC along with the HTML content can be found on the [https://www.owasp.org/index.php?title=Application_Security_Program_Quick_Start_Guide Project Page.].

== Presentation ==



Placeholder


== Project lead and authors ==

* [https://twitter.com/GabrielGumbs Gabriel Gumbs]
* [https://twitter.com/jeremiahg Jeremiah Grossman]]
* [https://twitter.com/RSnake Robert Hansen]
* [https://twitter.com/jerryhoff Jerry Hoff]
* [https://twitter.com/mattjay Matt Johansen]

== Related Projects ==









| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==



*[https://www.owasp.org/images/9/97/OWASP_Quick_Start_Guide_v.1.0.docx Word Document]
*[https://www.owasp.org/images/5/53/OWASP_Quick_Start_Guide.pdf Downloadable PDF]


== Project Mailing List ==
[https://lists.owasp.org/mailman/listinfo/owasp-application-security-program-quick-start-guide Project Mailing List]

== News and Events ==


Initial release pending

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:CC-BY-NC-SA-4.0.png|link=http://creativecommons.org/licenses/by-nc-sa/4.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=FAQs=



Many projects have "Frequently Asked Questions" documents or pages. However, the point of such a document is not the questions. ''The point of a document like this are the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously compose and post the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your projects 'Frequent Answers.'


==How can I participate in your project?==
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.

==If I am not a programmer can I participate in your project?==
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.

= Acknowledgements =

==Contributors==

The first contributors to the project were:

* [mailto:gabriel@rfc1122.com Gabriel Gumbs]
* [mailto:jeremiah@whitehatsec.com Jeremiah Grossman]
* [mailto:jerry.hoff@whitehatsec.com Jerry Hoff]
* [mailto:robert.hansen@whitehatsec.com Robert Hansen]
* [mailto:matt@whitehatsec.com Matt Johansen]

= Road Map and Getting Involved =

The roadmap will consists of updates to remain relevant with updated technologies and processes. The deliverable will be a 'living' wiki along with several PDF downloads.

=Project About=



This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says "OWASP_Example_Project". When in doubt, ask the OWASP Projects Manager.
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project


{{:Projects/OWASP_Example_Project_About_Page}}


__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

Application Security Program Quick Start Guide

2015-01-06T20:19:27Z

Gabrielgumbs: /* Application Security Program Quick Start Guide */

__NOTOC__

{| width="100%" cellspacing="0" cellpadding="10"
|- valign="top"
| width="70%" style="background:#d9e9f9" |

= The Application Security Program Quick Start Guide =

=== Preface ===

This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program1. The intended goal of the AppSec program is to implement measures throughout the code’s life-cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.

The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but limited to:
#The number of vulnerabilities present in an application
#The time to fix vulnerabilities
#The remediation rate of vulnerabilities
#The time vulnerabilities remain open

The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas.

=== Audience ===
The intended audience of this document is anyone from security engineers, developers, program managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions and answers that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.

== [[Day 1]] ==
''''' Key Activities: '''''
*[[Day_1#Management|Management]]
*[[Day_1#Security|Security]]
*[[Day_1#IT Operations|IT Operations]]
*[[Day_1#Engineering Groups|Engineering Groups]]

== [[Day 2]] ==
''''' Key Activities: '''''
*[[Day_2#Asset Discovery|Asset Discovery]]
*[[Day_2#Asset Risk Prioritization|Asset Risk Prioritization]]
*[[Day_2#Communication Plan|Communication Plan]]

== [[Day 3]] ==
''''' Key Activities: '''''
*[[Day_3#Vulnerability Assessments|Vulnerability Assessments]]
*[[Day_3#Vulnerability Delivery|Vulnerability Delivery]]

== [[Day 4]] ==
''''' Key Activities: '''''
*[[Day_4#Measured Metrics|Measured Metrics]]

== [[Day 5]] ==
''''' Key activities: '''''
*[[Day_5#Compensating Controls|Compensating Controls]]
*[[Day_5#Mitigating Controls|Mitigating Controls]]
*[[Day_5#Remediation Prioritization|Remediation Prioritization]]

== Conclusion ==
Setting up an effective application security program does require commitment from all elements of the business, and a clear understanding of what resources need to be protected and what level of risk is acceptable. However, given that information, setting up an application security program need not be confusing, difficult, or complex. The keys to success involve planning, making key financial decisions, ensuring all roles and responsibilities are clearly assigned and that all stakeholders within the organization know what to expect.

== Licensing ==

The OWASP Application Security Program Quick Start Guide is free to use. It is licensed under the [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license].
You are free to:
*Share — copy and redistribute the material in any medium or format
*Adapt — remix, transform, and build upon the material for non-commercial use

The licensor cannot revoke these freedoms as long as you follow the license terms.

| width="100" style="max-height:200px;overflow:hidden;background:#fff;margin:0;padding:0;" cellpadding="0" |

| width="30%" style="background:#eeeeee" |

=Credits =

== Project lead and authors ==

* [https://twitter.com/GabrielGumbs Gabriel Gumbs]
* [https://twitter.com/jeremiahg Jeremiah Grossman]]
* [https://twitter.com/RSnake Robert Hansen]
* [https://twitter.com/jerryhoff Jerry Hoff]
* [https://twitter.com/mattjay Matt Johansen]

== Further Information ==
[https://lists.owasp.org/mailman/listinfo/owasp-application-security-program-quick-start-guide Project Mailing List]

== Application Security Program Quick Start Guide ==

The OWASP Application Security Program Quick Start Guide is also available as
*[https://www.owasp.org/images/9/97/OWASP_Quick_Start_Guide_v.1.0.docx Word Document]
*[https://www.owasp.org/images/5/53/OWASP_Quick_Start_Guide.pdf Downloadable PDF]

For full information about the Application Security Program Quick Start Guide, including mailing list details, the forward plan, how to contribute, the project status, and alternative media, see the project page:
* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project The Application Security Program Quick Start Guide Project Page]

|}

OWASP Application Security Program Quick Start Guide Project

2015-01-06T20:18:08Z

Gabrielgumbs: /* Quick Download */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>


{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |



==The OWASP Application Security Program Quick Start Guide Project==



This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program . The intended goal of the AppSec program is to implement measures throughout the code's life-cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.

The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but not limited to:

*The number of vulnerabilities present in an application
*The time to fix vulnerabilities
*The remediation rate of vulnerabilities
*The time vulnerabilities remain open.

The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas.

==Audience==

The intended audience of this document is anyone from security engineers, developers, program managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions and answers that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.

==Licensing==

Creative Commons Attribution-NonCommercial-ShareAlike

==Project Sponsor==
The OWASP Application Security Program Quick Start Guide Project is sponsored by [https://whitehatsec.com/ WhiteHat Security Inc.].

[[File:WhiteHatSecurity-logo-small.png | link=https://whitehatsec.com/]]


| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Core Content ==

Broken out into non-calendar days. The guide prioritizes the activities needed to measure and improve the relative security of web applications under the same authority. Included are additional resources to the related task, such as asset management and security policies.

Table of Contents

*Day 1 - Landscape Evaluation
*Day 2 - Assets & Communication Plans
*Day 3 - Assessments
*Day 4 - Metrics
*Day 5 - Controls & Prioritization

The complete TOC along with the HTML content can be found on the [https://www.owasp.org/index.php?title=Application_Security_Program_Quick_Start_Guide Project Page.].

== Presentation ==



Placeholder


== Project lead and authors ==

* [https://twitter.com/GabrielGumbs Gabriel Gumbs]
* [https://twitter.com/jeremiahg Jeremiah Grossman]]
* [https://twitter.com/RSnake Robert Hansen]
* [https://twitter.com/jerryhoff Jerry Hoff]
* [https://twitter.com/mattjay Matt Johansen]

== Related Projects ==









| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==



*[https://www.owasp.org/images/9/97/OWASP_Quick_Start_Guide_v.1.0.docx Word Document]
*[https://www.owasp.org/images/5/53/OWASP_Quick_Start_Guide.pdf Downloadable PDF]


== Project Mailing List ==
[https://lists.owasp.org/mailman/listinfo/owasp-application-security-program-quick-start-guide Project Mailing List]

== News and Events ==


Initial release pending

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:CC-BY-NC-SA-4.0.png|link=http://creativecommons.org/licenses/by-nc-sa/4.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=FAQs=



Many projects have "Frequently Asked Questions" documents or pages. However, the point of such a document is not the questions. ''The point of a document like this are the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously compose and post the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your projects 'Frequent Answers.'


==How can I participate in your project?==
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.

==If I am not a programmer can I participate in your project?==
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.

= Acknowledgements =

==Contributors==

The first contributors to the project were:

* [mailto:gabriel@rfc1122.com Gabriel Gumbs]
* [mailto:jeremiah@whitehatsec.com Jeremiah Grossman]
* [mailto:jerry.hoff@whitehatsec.com Jerry Hoff]
* [mailto:robert.hansen@whitehatsec.com Robert Hansen]
* [mailto:matt@whitehatsec.com Matt Johansen]

= Road Map and Getting Involved =

The roadmap will consists of updates to remain relevant with updated technologies and processes. The deliverable will be a 'living' wiki along with several PDF downloads.

=Project About=



This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says "OWASP_Example_Project". When in doubt, ask the OWASP Projects Manager.
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project


{{:Projects/OWASP_Example_Project_About_Page}}


__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Application Security Program Quick Start Guide Project

2015-01-06T20:08:54Z

Gabrielgumbs: /* Quick Download */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>


{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |



==The OWASP Application Security Program Quick Start Guide Project==



This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program . The intended goal of the AppSec program is to implement measures throughout the code's life-cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.

The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but not limited to:

*The number of vulnerabilities present in an application
*The time to fix vulnerabilities
*The remediation rate of vulnerabilities
*The time vulnerabilities remain open.

The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas.

==Audience==

The intended audience of this document is anyone from security engineers, developers, program managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions and answers that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.

==Licensing==

Creative Commons Attribution-NonCommercial-ShareAlike

==Project Sponsor==
The OWASP Application Security Program Quick Start Guide Project is sponsored by [https://whitehatsec.com/ WhiteHat Security Inc.].

[[File:WhiteHatSecurity-logo-small.png | link=https://whitehatsec.com/]]


| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Core Content ==

Broken out into non-calendar days. The guide prioritizes the activities needed to measure and improve the relative security of web applications under the same authority. Included are additional resources to the related task, such as asset management and security policies.

Table of Contents

*Day 1 - Landscape Evaluation
*Day 2 - Assets & Communication Plans
*Day 3 - Assessments
*Day 4 - Metrics
*Day 5 - Controls & Prioritization

The complete TOC along with the HTML content can be found on the [https://www.owasp.org/index.php?title=Application_Security_Program_Quick_Start_Guide Project Page.].

== Presentation ==



Placeholder


== Project lead and authors ==

* [https://twitter.com/GabrielGumbs Gabriel Gumbs]
* [https://twitter.com/jeremiahg Jeremiah Grossman]]
* [https://twitter.com/RSnake Robert Hansen]
* [https://twitter.com/jerryhoff Jerry Hoff]
* [https://twitter.com/mattjay Matt Johansen]

== Related Projects ==









| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==



[https://www.owasp.org/images/9/97/OWASP_Quick_Start_Guide_v.1.0.docx Word Document]
[https://www.owasp.org/images/5/53/OWASP_Quick_Start_Guide.pdf Downloadable PDF]


== Project Mailing List ==
[https://lists.owasp.org/mailman/listinfo/owasp-application-security-program-quick-start-guide Project Mailing List]

== News and Events ==


Initial release pending

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:CC-BY-NC-SA-4.0.png|link=http://creativecommons.org/licenses/by-nc-sa/4.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=FAQs=



Many projects have "Frequently Asked Questions" documents or pages. However, the point of such a document is not the questions. ''The point of a document like this are the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously compose and post the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your projects 'Frequent Answers.'


==How can I participate in your project?==
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.

==If I am not a programmer can I participate in your project?==
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.

= Acknowledgements =

==Contributors==

The first contributors to the project were:

* [mailto:gabriel@rfc1122.com Gabriel Gumbs]
* [mailto:jeremiah@whitehatsec.com Jeremiah Grossman]
* [mailto:jerry.hoff@whitehatsec.com Jerry Hoff]
* [mailto:robert.hansen@whitehatsec.com Robert Hansen]
* [mailto:matt@whitehatsec.com Matt Johansen]

= Road Map and Getting Involved =

The roadmap will consists of updates to remain relevant with updated technologies and processes. The deliverable will be a 'living' wiki along with several PDF downloads.

=Project About=



This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says "OWASP_Example_Project". When in doubt, ask the OWASP Projects Manager.
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project


{{:Projects/OWASP_Example_Project_About_Page}}


__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Application Security Program Quick Start Guide Project

2015-01-06T20:08:20Z

Gabrielgumbs:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>


{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |



==The OWASP Application Security Program Quick Start Guide Project==



This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program . The intended goal of the AppSec program is to implement measures throughout the code's life-cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.

The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but not limited to:

*The number of vulnerabilities present in an application
*The time to fix vulnerabilities
*The remediation rate of vulnerabilities
*The time vulnerabilities remain open.

The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas.

==Audience==

The intended audience of this document is anyone from security engineers, developers, program managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions and answers that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.

==Licensing==

Creative Commons Attribution-NonCommercial-ShareAlike

==Project Sponsor==
The OWASP Application Security Program Quick Start Guide Project is sponsored by [https://whitehatsec.com/ WhiteHat Security Inc.].

[[File:WhiteHatSecurity-logo-small.png | link=https://whitehatsec.com/]]


| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Core Content ==

Broken out into non-calendar days. The guide prioritizes the activities needed to measure and improve the relative security of web applications under the same authority. Included are additional resources to the related task, such as asset management and security policies.

Table of Contents

*Day 1 - Landscape Evaluation
*Day 2 - Assets & Communication Plans
*Day 3 - Assessments
*Day 4 - Metrics
*Day 5 - Controls & Prioritization

The complete TOC along with the HTML content can be found on the [https://www.owasp.org/index.php?title=Application_Security_Program_Quick_Start_Guide Project Page.].

== Presentation ==



Placeholder


== Project lead and authors ==

* [https://twitter.com/GabrielGumbs Gabriel Gumbs]
* [https://twitter.com/jeremiahg Jeremiah Grossman]]
* [https://twitter.com/RSnake Robert Hansen]
* [https://twitter.com/jerryhoff Jerry Hoff]
* [https://twitter.com/mattjay Matt Johansen]

== Related Projects ==









| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==



[https://www.owasp.org/images/9/97/OWASP_Quick_Start_Guide_v.1.0.docx Word Document]
[https://www.owasp.org/images/5/53/OWASP_Quick_Start_Guide.pdf Free downloadable PDF]


== Project Mailing List ==
[https://lists.owasp.org/mailman/listinfo/owasp-application-security-program-quick-start-guide Project Mailing List]

== News and Events ==


Initial release pending

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:CC-BY-NC-SA-4.0.png|link=http://creativecommons.org/licenses/by-nc-sa/4.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=FAQs=



Many projects have "Frequently Asked Questions" documents or pages. However, the point of such a document is not the questions. ''The point of a document like this are the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously compose and post the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your projects 'Frequent Answers.'


==How can I participate in your project?==
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.

==If I am not a programmer can I participate in your project?==
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.

= Acknowledgements =

==Contributors==

The first contributors to the project were:

* [mailto:gabriel@rfc1122.com Gabriel Gumbs]
* [mailto:jeremiah@whitehatsec.com Jeremiah Grossman]
* [mailto:jerry.hoff@whitehatsec.com Jerry Hoff]
* [mailto:robert.hansen@whitehatsec.com Robert Hansen]
* [mailto:matt@whitehatsec.com Matt Johansen]

= Road Map and Getting Involved =

The roadmap will consists of updates to remain relevant with updated technologies and processes. The deliverable will be a 'living' wiki along with several PDF downloads.

=Project About=



This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says "OWASP_Example_Project". When in doubt, ask the OWASP Projects Manager.
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project


{{:Projects/OWASP_Example_Project_About_Page}}


__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Application Security Program Quick Start Guide Project

2015-01-06T20:08:01Z

Gabrielgumbs: /* Quick Download */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>


{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |



==The OWASP Application Security Program Quick Start Guide Project==



This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program . The intended goal of the AppSec program is to implement measures throughout the code's life-cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.

The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but not limited to:

*The number of vulnerabilities present in an application
*The time to fix vulnerabilities
*The remediation rate of vulnerabilities
*The time vulnerabilities remain open.

The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas.

==Audience==

The intended audience of this document is anyone from security engineers, developers, program managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions and answers that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.

==Licensing==

Creative Commons Attribution-NonCommercial-ShareAlike

==Project Sponsor==
The OWASP Application Security Program Quick Start Guide Project is sponsored by [https://whitehatsec.com/ WhiteHat Security Inc.].

[[File:WhiteHatSecurity-logo-small.png | link=https://whitehatsec.com/]]


| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Core Content ==

Broken out into non-calendar days. The guide prioritizes the activities needed to measure and improve the relative security of web applications under the same authority. Included are additional resources to the related task, such as asset management and security policies.

Table of Contents

*Day 1 - Landscape Evaluation
*Day 2 - Assets & Communication Plans
*Day 3 - Assessments
*Day 4 - Metrics
*Day 5 - Controls & Prioritization

The complete TOC along with the HTML content can be found on the [https://www.owasp.org/index.php?title=Application_Security_Program_Quick_Start_Guide Project Page.].

== Presentation ==



Placeholder


== Project lead and authors ==

* [https://twitter.com/GabrielGumbs Gabriel Gumbs]
* [https://twitter.com/jeremiahg Jeremiah Grossman]]
* [https://twitter.com/RSnake Robert Hansen]
* [https://twitter.com/jerryhoff Jerry Hoff]
* [https://twitter.com/mattjay Matt Johansen]

== Related Projects ==









| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==



[https://www.owasp.org/images/9/97/OWASP_Quick_Start_Guide_v.1.0.docx Word Document]



== Project Mailing List ==
[https://lists.owasp.org/mailman/listinfo/owasp-application-security-program-quick-start-guide Project Mailing List]

== News and Events ==


Initial release pending

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:CC-BY-NC-SA-4.0.png|link=http://creativecommons.org/licenses/by-nc-sa/4.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=FAQs=



Many projects have "Frequently Asked Questions" documents or pages. However, the point of such a document is not the questions. ''The point of a document like this are the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously compose and post the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your projects 'Frequent Answers.'


==How can I participate in your project?==
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.

==If I am not a programmer can I participate in your project?==
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.

= Acknowledgements =

==Contributors==

The first contributors to the project were:

* [mailto:gabriel@rfc1122.com Gabriel Gumbs]
* [mailto:jeremiah@whitehatsec.com Jeremiah Grossman]
* [mailto:jerry.hoff@whitehatsec.com Jerry Hoff]
* [mailto:robert.hansen@whitehatsec.com Robert Hansen]
* [mailto:matt@whitehatsec.com Matt Johansen]

= Road Map and Getting Involved =

The roadmap will consists of updates to remain relevant with updated technologies and processes. The deliverable will be a 'living' wiki along with several PDF downloads.

=Project About=



This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says "OWASP_Example_Project". When in doubt, ask the OWASP Projects Manager.
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project


{{:Projects/OWASP_Example_Project_About_Page}}


__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Application Security Program Quick Start Guide Project

2015-01-06T20:05:47Z

Gabrielgumbs: /* Quick Download */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>


{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |



==The OWASP Application Security Program Quick Start Guide Project==



This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program . The intended goal of the AppSec program is to implement measures throughout the code's life-cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.

The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but not limited to:

*The number of vulnerabilities present in an application
*The time to fix vulnerabilities
*The remediation rate of vulnerabilities
*The time vulnerabilities remain open.

The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas.

==Audience==

The intended audience of this document is anyone from security engineers, developers, program managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions and answers that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.

==Licensing==

Creative Commons Attribution-NonCommercial-ShareAlike

==Project Sponsor==
The OWASP Application Security Program Quick Start Guide Project is sponsored by [https://whitehatsec.com/ WhiteHat Security Inc.].

[[File:WhiteHatSecurity-logo-small.png | link=https://whitehatsec.com/]]


| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Core Content ==

Broken out into non-calendar days. The guide prioritizes the activities needed to measure and improve the relative security of web applications under the same authority. Included are additional resources to the related task, such as asset management and security policies.

Table of Contents

*Day 1 - Landscape Evaluation
*Day 2 - Assets & Communication Plans
*Day 3 - Assessments
*Day 4 - Metrics
*Day 5 - Controls & Prioritization

The complete TOC along with the HTML content can be found on the [https://www.owasp.org/index.php?title=Application_Security_Program_Quick_Start_Guide Project Page.].

== Presentation ==



Placeholder


== Project lead and authors ==

* [https://twitter.com/GabrielGumbs Gabriel Gumbs]
* [https://twitter.com/jeremiahg Jeremiah Grossman]]
* [https://twitter.com/RSnake Robert Hansen]
* [https://twitter.com/jerryhoff Jerry Hoff]
* [https://twitter.com/mattjay Matt Johansen]

== Related Projects ==









| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==



[https://www.owasp.org/images/5/53/OWASP_Quick_Start_Guide.pdf Free downloadable PDF]
[https://www.owasp.org/images/9/97/OWASP_Quick_Start_Guide_v.1.0.docx Word Document]


== Project Mailing List ==
[https://lists.owasp.org/mailman/listinfo/owasp-application-security-program-quick-start-guide Project Mailing List]

== News and Events ==


Initial release pending

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:CC-BY-NC-SA-4.0.png|link=http://creativecommons.org/licenses/by-nc-sa/4.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=FAQs=



Many projects have "Frequently Asked Questions" documents or pages. However, the point of such a document is not the questions. ''The point of a document like this are the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously compose and post the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your projects 'Frequent Answers.'


==How can I participate in your project?==
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.

==If I am not a programmer can I participate in your project?==
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.

= Acknowledgements =

==Contributors==

The first contributors to the project were:

* [mailto:gabriel@rfc1122.com Gabriel Gumbs]
* [mailto:jeremiah@whitehatsec.com Jeremiah Grossman]
* [mailto:jerry.hoff@whitehatsec.com Jerry Hoff]
* [mailto:robert.hansen@whitehatsec.com Robert Hansen]
* [mailto:matt@whitehatsec.com Matt Johansen]

= Road Map and Getting Involved =

The roadmap will consists of updates to remain relevant with updated technologies and processes. The deliverable will be a 'living' wiki along with several PDF downloads.

=Project About=



This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says "OWASP_Example_Project". When in doubt, ask the OWASP Projects Manager.
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project


{{:Projects/OWASP_Example_Project_About_Page}}


__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Application Security Program Quick Start Guide Project

2015-01-06T20:05:10Z

Gabrielgumbs: /* Quick Download */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>


{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |



==The OWASP Application Security Program Quick Start Guide Project==



This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program . The intended goal of the AppSec program is to implement measures throughout the code's life-cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.

The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but not limited to:

*The number of vulnerabilities present in an application
*The time to fix vulnerabilities
*The remediation rate of vulnerabilities
*The time vulnerabilities remain open.

The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas.

==Audience==

The intended audience of this document is anyone from security engineers, developers, program managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions and answers that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.

==Licensing==

Creative Commons Attribution-NonCommercial-ShareAlike

==Project Sponsor==
The OWASP Application Security Program Quick Start Guide Project is sponsored by [https://whitehatsec.com/ WhiteHat Security Inc.].

[[File:WhiteHatSecurity-logo-small.png | link=https://whitehatsec.com/]]


| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Core Content ==

Broken out into non-calendar days. The guide prioritizes the activities needed to measure and improve the relative security of web applications under the same authority. Included are additional resources to the related task, such as asset management and security policies.

Table of Contents

*Day 1 - Landscape Evaluation
*Day 2 - Assets & Communication Plans
*Day 3 - Assessments
*Day 4 - Metrics
*Day 5 - Controls & Prioritization

The complete TOC along with the HTML content can be found on the [https://www.owasp.org/index.php?title=Application_Security_Program_Quick_Start_Guide Project Page.].

== Presentation ==



Placeholder


== Project lead and authors ==

* [https://twitter.com/GabrielGumbs Gabriel Gumbs]
* [https://twitter.com/jeremiahg Jeremiah Grossman]]
* [https://twitter.com/RSnake Robert Hansen]
* [https://twitter.com/jerryhoff Jerry Hoff]
* [https://twitter.com/mattjay Matt Johansen]

== Related Projects ==









| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==



[https://www.owasp.org/images/5/53/OWASP_Quick_Start_Guide.pdf Free downloadable PDF]
[https://www.owasp.org/images/9/97/OWASP_Quick_Start_Guide_v.1.0.docx Word Document]


== Project Mailing List ==
[https://lists.owasp.org/mailman/listinfo/owasp-application-security-program-quick-start-guide Project Mailing List]

== News and Events ==


Initial release pending

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:CC-BY-NC-SA-4.0.png|link=http://creativecommons.org/licenses/by-nc-sa/4.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=FAQs=



Many projects have "Frequently Asked Questions" documents or pages. However, the point of such a document is not the questions. ''The point of a document like this are the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously compose and post the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your projects 'Frequent Answers.'


==How can I participate in your project?==
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.

==If I am not a programmer can I participate in your project?==
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.

= Acknowledgements =

==Contributors==

The first contributors to the project were:

* [mailto:gabriel@rfc1122.com Gabriel Gumbs]
* [mailto:jeremiah@whitehatsec.com Jeremiah Grossman]
* [mailto:jerry.hoff@whitehatsec.com Jerry Hoff]
* [mailto:robert.hansen@whitehatsec.com Robert Hansen]
* [mailto:matt@whitehatsec.com Matt Johansen]

= Road Map and Getting Involved =

The roadmap will consists of updates to remain relevant with updated technologies and processes. The deliverable will be a 'living' wiki along with several PDF downloads.

=Project About=



This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says "OWASP_Example_Project". When in doubt, ask the OWASP Projects Manager.
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project


{{:Projects/OWASP_Example_Project_About_Page}}


__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Application Security Program Quick Start Guide Project

2015-01-06T20:04:58Z

Gabrielgumbs: /* Quick Download */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>


{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |



==The OWASP Application Security Program Quick Start Guide Project==



This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program . The intended goal of the AppSec program is to implement measures throughout the code's life-cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.

The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but not limited to:

*The number of vulnerabilities present in an application
*The time to fix vulnerabilities
*The remediation rate of vulnerabilities
*The time vulnerabilities remain open.

The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas.

==Audience==

The intended audience of this document is anyone from security engineers, developers, program managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions and answers that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.

==Licensing==

Creative Commons Attribution-NonCommercial-ShareAlike

==Project Sponsor==
The OWASP Application Security Program Quick Start Guide Project is sponsored by [https://whitehatsec.com/ WhiteHat Security Inc.].

[[File:WhiteHatSecurity-logo-small.png | link=https://whitehatsec.com/]]


| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Core Content ==

Broken out into non-calendar days. The guide prioritizes the activities needed to measure and improve the relative security of web applications under the same authority. Included are additional resources to the related task, such as asset management and security policies.

Table of Contents

*Day 1 - Landscape Evaluation
*Day 2 - Assets & Communication Plans
*Day 3 - Assessments
*Day 4 - Metrics
*Day 5 - Controls & Prioritization

The complete TOC along with the HTML content can be found on the [https://www.owasp.org/index.php?title=Application_Security_Program_Quick_Start_Guide Project Page.].

== Presentation ==



Placeholder


== Project lead and authors ==

* [https://twitter.com/GabrielGumbs Gabriel Gumbs]
* [https://twitter.com/jeremiahg Jeremiah Grossman]]
* [https://twitter.com/RSnake Robert Hansen]
* [https://twitter.com/jerryhoff Jerry Hoff]
* [https://twitter.com/mattjay Matt Johansen]

== Related Projects ==









| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==



[https://www.owasp.org/images/5/53/OWASP_Quick_Start_Guide.pdf Free downloadable PDF]



== Project Mailing List ==
[https://lists.owasp.org/mailman/listinfo/owasp-application-security-program-quick-start-guide Project Mailing List]

== News and Events ==


Initial release pending

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:CC-BY-NC-SA-4.0.png|link=http://creativecommons.org/licenses/by-nc-sa/4.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=FAQs=



Many projects have "Frequently Asked Questions" documents or pages. However, the point of such a document is not the questions. ''The point of a document like this are the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously compose and post the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your projects 'Frequent Answers.'


==How can I participate in your project?==
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.

==If I am not a programmer can I participate in your project?==
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.

= Acknowledgements =

==Contributors==

The first contributors to the project were:

* [mailto:gabriel@rfc1122.com Gabriel Gumbs]
* [mailto:jeremiah@whitehatsec.com Jeremiah Grossman]
* [mailto:jerry.hoff@whitehatsec.com Jerry Hoff]
* [mailto:robert.hansen@whitehatsec.com Robert Hansen]
* [mailto:matt@whitehatsec.com Matt Johansen]

= Road Map and Getting Involved =

The roadmap will consists of updates to remain relevant with updated technologies and processes. The deliverable will be a 'living' wiki along with several PDF downloads.

=Project About=



This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says "OWASP_Example_Project". When in doubt, ask the OWASP Projects Manager.
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project


{{:Projects/OWASP_Example_Project_About_Page}}


__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Application Security Program Quick Start Guide Project

2015-01-06T20:04:29Z

Gabrielgumbs: /* Quick Download */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>


{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |



==The OWASP Application Security Program Quick Start Guide Project==



This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program . The intended goal of the AppSec program is to implement measures throughout the code's life-cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.

The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but not limited to:

*The number of vulnerabilities present in an application
*The time to fix vulnerabilities
*The remediation rate of vulnerabilities
*The time vulnerabilities remain open.

The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas.

==Audience==

The intended audience of this document is anyone from security engineers, developers, program managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions and answers that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.

==Licensing==

Creative Commons Attribution-NonCommercial-ShareAlike

==Project Sponsor==
The OWASP Application Security Program Quick Start Guide Project is sponsored by [https://whitehatsec.com/ WhiteHat Security Inc.].

[[File:WhiteHatSecurity-logo-small.png | link=https://whitehatsec.com/]]


| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Core Content ==

Broken out into non-calendar days. The guide prioritizes the activities needed to measure and improve the relative security of web applications under the same authority. Included are additional resources to the related task, such as asset management and security policies.

Table of Contents

*Day 1 - Landscape Evaluation
*Day 2 - Assets & Communication Plans
*Day 3 - Assessments
*Day 4 - Metrics
*Day 5 - Controls & Prioritization

The complete TOC along with the HTML content can be found on the [https://www.owasp.org/index.php?title=Application_Security_Program_Quick_Start_Guide Project Page.].

== Presentation ==



Placeholder


== Project lead and authors ==

* [https://twitter.com/GabrielGumbs Gabriel Gumbs]
* [https://twitter.com/jeremiahg Jeremiah Grossman]]
* [https://twitter.com/RSnake Robert Hansen]
* [https://twitter.com/jerryhoff Jerry Hoff]
* [https://twitter.com/mattjay Matt Johansen]

== Related Projects ==









| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==



* [https://www.owasp.org/images/5/53/OWASP_Quick_Start_Guide.pdf Free downloadable PDF]
* [https://www.owasp.org/images/9/97/OWASP_Quick_Start_Guide_v.1.0.docx Word Document]


== Project Mailing List ==
[https://lists.owasp.org/mailman/listinfo/owasp-application-security-program-quick-start-guide Project Mailing List]

== News and Events ==


Initial release pending

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:CC-BY-NC-SA-4.0.png|link=http://creativecommons.org/licenses/by-nc-sa/4.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=FAQs=



Many projects have "Frequently Asked Questions" documents or pages. However, the point of such a document is not the questions. ''The point of a document like this are the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously compose and post the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your projects 'Frequent Answers.'


==How can I participate in your project?==
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.

==If I am not a programmer can I participate in your project?==
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.

= Acknowledgements =

==Contributors==

The first contributors to the project were:

* [mailto:gabriel@rfc1122.com Gabriel Gumbs]
* [mailto:jeremiah@whitehatsec.com Jeremiah Grossman]
* [mailto:jerry.hoff@whitehatsec.com Jerry Hoff]
* [mailto:robert.hansen@whitehatsec.com Robert Hansen]
* [mailto:matt@whitehatsec.com Matt Johansen]

= Road Map and Getting Involved =

The roadmap will consists of updates to remain relevant with updated technologies and processes. The deliverable will be a 'living' wiki along with several PDF downloads.

=Project About=



This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says "OWASP_Example_Project". When in doubt, ask the OWASP Projects Manager.
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project


{{:Projects/OWASP_Example_Project_About_Page}}


__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Application Security Program Quick Start Guide Project

2015-01-06T20:04:13Z

Gabrielgumbs: /* Quick Download */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>


{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |



==The OWASP Application Security Program Quick Start Guide Project==



This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program . The intended goal of the AppSec program is to implement measures throughout the code's life-cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.

The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but not limited to:

*The number of vulnerabilities present in an application
*The time to fix vulnerabilities
*The remediation rate of vulnerabilities
*The time vulnerabilities remain open.

The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas.

==Audience==

The intended audience of this document is anyone from security engineers, developers, program managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions and answers that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.

==Licensing==

Creative Commons Attribution-NonCommercial-ShareAlike

==Project Sponsor==
The OWASP Application Security Program Quick Start Guide Project is sponsored by [https://whitehatsec.com/ WhiteHat Security Inc.].

[[File:WhiteHatSecurity-logo-small.png | link=https://whitehatsec.com/]]


| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Core Content ==

Broken out into non-calendar days. The guide prioritizes the activities needed to measure and improve the relative security of web applications under the same authority. Included are additional resources to the related task, such as asset management and security policies.

Table of Contents

*Day 1 - Landscape Evaluation
*Day 2 - Assets & Communication Plans
*Day 3 - Assessments
*Day 4 - Metrics
*Day 5 - Controls & Prioritization

The complete TOC along with the HTML content can be found on the [https://www.owasp.org/index.php?title=Application_Security_Program_Quick_Start_Guide Project Page.].

== Presentation ==



Placeholder


== Project lead and authors ==

* [https://twitter.com/GabrielGumbs Gabriel Gumbs]
* [https://twitter.com/jeremiahg Jeremiah Grossman]]
* [https://twitter.com/RSnake Robert Hansen]
* [https://twitter.com/jerryhoff Jerry Hoff]
* [https://twitter.com/mattjay Matt Johansen]

== Related Projects ==









| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==



[https://www.owasp.org/images/5/53/OWASP_Quick_Start_Guide.pdf Free downloadable PDF]
[https://www.owasp.org/images/9/97/OWASP_Quick_Start_Guide_v.1.0.docx Word Document]


== Project Mailing List ==
[https://lists.owasp.org/mailman/listinfo/owasp-application-security-program-quick-start-guide Project Mailing List]

== News and Events ==


Initial release pending

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:CC-BY-NC-SA-4.0.png|link=http://creativecommons.org/licenses/by-nc-sa/4.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=FAQs=



Many projects have "Frequently Asked Questions" documents or pages. However, the point of such a document is not the questions. ''The point of a document like this are the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously compose and post the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your projects 'Frequent Answers.'


==How can I participate in your project?==
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.

==If I am not a programmer can I participate in your project?==
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.

= Acknowledgements =

==Contributors==

The first contributors to the project were:

* [mailto:gabriel@rfc1122.com Gabriel Gumbs]
* [mailto:jeremiah@whitehatsec.com Jeremiah Grossman]
* [mailto:jerry.hoff@whitehatsec.com Jerry Hoff]
* [mailto:robert.hansen@whitehatsec.com Robert Hansen]
* [mailto:matt@whitehatsec.com Matt Johansen]

= Road Map and Getting Involved =

The roadmap will consists of updates to remain relevant with updated technologies and processes. The deliverable will be a 'living' wiki along with several PDF downloads.

=Project About=



This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says "OWASP_Example_Project". When in doubt, ask the OWASP Projects Manager.
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project


{{:Projects/OWASP_Example_Project_About_Page}}


__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

File:OWASP Quick Start Guide v.1.0.docx

2015-01-06T20:01:17Z

Gabrielgumbs: The OWASP Application Security Program Quick Start Guide - WORD DOC

The OWASP Application Security Program Quick Start Guide - WORD DOC

OWASP Application Security Program Quick Start Guide Project

2015-01-05T23:14:21Z

Gabrielgumbs: /* Project lead and authors */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>


{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |



==The OWASP Application Security Program Quick Start Guide Project==



This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program . The intended goal of the AppSec program is to implement measures throughout the code's life-cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.

The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but not limited to:

*The number of vulnerabilities present in an application
*The time to fix vulnerabilities
*The remediation rate of vulnerabilities
*The time vulnerabilities remain open.

The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas.

==Audience==

The intended audience of this document is anyone from security engineers, developers, program managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions and answers that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.

==Licensing==

Creative Commons Attribution-NonCommercial-ShareAlike

==Project Sponsor==
The OWASP Application Security Program Quick Start Guide Project is sponsored by [https://whitehatsec.com/ WhiteHat Security Inc.].

[[File:WhiteHatSecurity-logo-small.png | link=https://whitehatsec.com/]]


| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Core Content ==

Broken out into non-calendar days. The guide prioritizes the activities needed to measure and improve the relative security of web applications under the same authority. Included are additional resources to the related task, such as asset management and security policies.

Table of Contents

*Day 1 - Landscape Evaluation
*Day 2 - Assets & Communication Plans
*Day 3 - Assessments
*Day 4 - Metrics
*Day 5 - Controls & Prioritization

The complete TOC along with the HTML content can be found on the [https://www.owasp.org/index.php?title=Application_Security_Program_Quick_Start_Guide Project Page.].

== Presentation ==



Placeholder


== Project lead and authors ==

* [https://twitter.com/GabrielGumbs Gabriel Gumbs]
* [https://twitter.com/jeremiahg Jeremiah Grossman]]
* [https://twitter.com/RSnake Robert Hansen]
* [https://twitter.com/jerryhoff Jerry Hoff]
* [https://twitter.com/mattjay Matt Johansen]

== Related Projects ==









| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==



[https://www.owasp.org/images/5/53/OWASP_Quick_Start_Guide.pdf Free downloadable PDF]


== Project Mailing List ==
[https://lists.owasp.org/mailman/listinfo/owasp-application-security-program-quick-start-guide Project Mailing List]

== News and Events ==


Initial release pending

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:CC-BY-NC-SA-4.0.png|link=http://creativecommons.org/licenses/by-nc-sa/4.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=FAQs=



Many projects have "Frequently Asked Questions" documents or pages. However, the point of such a document is not the questions. ''The point of a document like this are the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously compose and post the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your projects 'Frequent Answers.'


==How can I participate in your project?==
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.

==If I am not a programmer can I participate in your project?==
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.

= Acknowledgements =

==Contributors==

The first contributors to the project were:

* [mailto:gabriel@rfc1122.com Gabriel Gumbs]
* [mailto:jeremiah@whitehatsec.com Jeremiah Grossman]
* [mailto:jerry.hoff@whitehatsec.com Jerry Hoff]
* [mailto:robert.hansen@whitehatsec.com Robert Hansen]
* [mailto:matt@whitehatsec.com Matt Johansen]

= Road Map and Getting Involved =

The roadmap will consists of updates to remain relevant with updated technologies and processes. The deliverable will be a 'living' wiki along with several PDF downloads.

=Project About=



This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says "OWASP_Example_Project". When in doubt, ask the OWASP Projects Manager.
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project


{{:Projects/OWASP_Example_Project_About_Page}}


__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

Application Security Program Quick Start Guide

2015-01-05T23:13:32Z

Gabrielgumbs: /* Project lead and authors */

__NOTOC__

{| width="100%" cellspacing="0" cellpadding="10"
|- valign="top"
| width="70%" style="background:#d9e9f9" |

= The Application Security Program Quick Start Guide =

=== Preface ===

This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program1. The intended goal of the AppSec program is to implement measures throughout the code’s life-cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.

The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but limited to:
#The number of vulnerabilities present in an application
#The time to fix vulnerabilities
#The remediation rate of vulnerabilities
#The time vulnerabilities remain open

The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas.

=== Audience ===
The intended audience of this document is anyone from security engineers, developers, program managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions and answers that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.

== [[Day 1]] ==
''''' Key Activities: '''''
*[[Day_1#Management|Management]]
*[[Day_1#Security|Security]]
*[[Day_1#IT Operations|IT Operations]]
*[[Day_1#Engineering Groups|Engineering Groups]]

== [[Day 2]] ==
''''' Key Activities: '''''
*[[Day_2#Asset Discovery|Asset Discovery]]
*[[Day_2#Asset Risk Prioritization|Asset Risk Prioritization]]
*[[Day_2#Communication Plan|Communication Plan]]

== [[Day 3]] ==
''''' Key Activities: '''''
*[[Day_3#Vulnerability Assessments|Vulnerability Assessments]]
*[[Day_3#Vulnerability Delivery|Vulnerability Delivery]]

== [[Day 4]] ==
''''' Key Activities: '''''
*[[Day_4#Measured Metrics|Measured Metrics]]

== [[Day 5]] ==
''''' Key activities: '''''
*[[Day_5#Compensating Controls|Compensating Controls]]
*[[Day_5#Mitigating Controls|Mitigating Controls]]
*[[Day_5#Remediation Prioritization|Remediation Prioritization]]

== Conclusion ==
Setting up an effective application security program does require commitment from all elements of the business, and a clear understanding of what resources need to be protected and what level of risk is acceptable. However, given that information, setting up an application security program need not be confusing, difficult, or complex. The keys to success involve planning, making key financial decisions, ensuring all roles and responsibilities are clearly assigned and that all stakeholders within the organization know what to expect.

== Licensing ==

The OWASP Application Security Program Quick Start Guide is free to use. It is licensed under the [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license].
You are free to:
*Share — copy and redistribute the material in any medium or format
*Adapt — remix, transform, and build upon the material for non-commercial use

The licensor cannot revoke these freedoms as long as you follow the license terms.

| width="100" style="max-height:200px;overflow:hidden;background:#fff;margin:0;padding:0;" cellpadding="0" |

| width="30%" style="background:#eeeeee" |

=Credits =

== Project lead and authors ==

* [https://twitter.com/GabrielGumbs Gabriel Gumbs]
* [https://twitter.com/jeremiahg Jeremiah Grossman]]
* [https://twitter.com/RSnake Robert Hansen]
* [https://twitter.com/jerryhoff Jerry Hoff]
* [https://twitter.com/mattjay Matt Johansen]

== Further Information ==
[https://lists.owasp.org/mailman/listinfo/owasp-application-security-program-quick-start-guide Project Mailing List]

== Application Security Program Quick Start Guide ==

The OWASP Application Security Program Quick Start Guide is also available as
* [https://www.owasp.org/images/5/53/OWASP_Quick_Start_Guide.pdf Free downloadable PDF]

For full information about the Application Security Program Quick Start Guide, including mailing list details, the forward plan, how to contribute, the project status, and alternative media, see the project page:
* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project The Application Security Program Quick Start Guide Project Page]

|}

Application Security Program Quick Start Guide

2015-01-05T23:12:45Z

Gabrielgumbs: /* Project lead and authors */

__NOTOC__

{| width="100%" cellspacing="0" cellpadding="10"
|- valign="top"
| width="70%" style="background:#d9e9f9" |

= The Application Security Program Quick Start Guide =

=== Preface ===

This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program1. The intended goal of the AppSec program is to implement measures throughout the code’s life-cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.

The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but limited to:
#The number of vulnerabilities present in an application
#The time to fix vulnerabilities
#The remediation rate of vulnerabilities
#The time vulnerabilities remain open

The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas.

=== Audience ===
The intended audience of this document is anyone from security engineers, developers, program managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions and answers that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.

== [[Day 1]] ==
''''' Key Activities: '''''
*[[Day_1#Management|Management]]
*[[Day_1#Security|Security]]
*[[Day_1#IT Operations|IT Operations]]
*[[Day_1#Engineering Groups|Engineering Groups]]

== [[Day 2]] ==
''''' Key Activities: '''''
*[[Day_2#Asset Discovery|Asset Discovery]]
*[[Day_2#Asset Risk Prioritization|Asset Risk Prioritization]]
*[[Day_2#Communication Plan|Communication Plan]]

== [[Day 3]] ==
''''' Key Activities: '''''
*[[Day_3#Vulnerability Assessments|Vulnerability Assessments]]
*[[Day_3#Vulnerability Delivery|Vulnerability Delivery]]

== [[Day 4]] ==
''''' Key Activities: '''''
*[[Day_4#Measured Metrics|Measured Metrics]]

== [[Day 5]] ==
''''' Key activities: '''''
*[[Day_5#Compensating Controls|Compensating Controls]]
*[[Day_5#Mitigating Controls|Mitigating Controls]]
*[[Day_5#Remediation Prioritization|Remediation Prioritization]]

== Conclusion ==
Setting up an effective application security program does require commitment from all elements of the business, and a clear understanding of what resources need to be protected and what level of risk is acceptable. However, given that information, setting up an application security program need not be confusing, difficult, or complex. The keys to success involve planning, making key financial decisions, ensuring all roles and responsibilities are clearly assigned and that all stakeholders within the organization know what to expect.

== Licensing ==

The OWASP Application Security Program Quick Start Guide is free to use. It is licensed under the [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license].
You are free to:
*Share — copy and redistribute the material in any medium or format
*Adapt — remix, transform, and build upon the material for non-commercial use

The licensor cannot revoke these freedoms as long as you follow the license terms.

| width="100" style="max-height:200px;overflow:hidden;background:#fff;margin:0;padding:0;" cellpadding="0" |

| width="30%" style="background:#eeeeee" |

=Credits =

== Project lead and authors ==

* [https://twitter.com/GabrielGumbs Gabriel Gumbs]
* [https://twitter.com/jeremiahg Jeremiah Grossman]]
* [https://twitter.com/RSnake Robert Hansen]
* [https://twitter.com/jerryhoff|Jerry Hoff]
* [https://twitter.com/mattjay Matt Johansen]

== Further Information ==
[https://lists.owasp.org/mailman/listinfo/owasp-application-security-program-quick-start-guide Project Mailing List]

== Application Security Program Quick Start Guide ==

The OWASP Application Security Program Quick Start Guide is also available as
* [https://www.owasp.org/images/5/53/OWASP_Quick_Start_Guide.pdf Free downloadable PDF]

For full information about the Application Security Program Quick Start Guide, including mailing list details, the forward plan, how to contribute, the project status, and alternative media, see the project page:
* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project The Application Security Program Quick Start Guide Project Page]

|}

Application Security Program Quick Start Guide

2015-01-05T23:06:47Z

Gabrielgumbs: /* Credits */

__NOTOC__

{| width="100%" cellspacing="0" cellpadding="10"
|- valign="top"
| width="70%" style="background:#d9e9f9" |

= The Application Security Program Quick Start Guide =

=== Preface ===

This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program1. The intended goal of the AppSec program is to implement measures throughout the code’s life-cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.

The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but limited to:
#The number of vulnerabilities present in an application
#The time to fix vulnerabilities
#The remediation rate of vulnerabilities
#The time vulnerabilities remain open

The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas.

=== Audience ===
The intended audience of this document is anyone from security engineers, developers, program managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions and answers that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.

== [[Day 1]] ==
''''' Key Activities: '''''
*[[Day_1#Management|Management]]
*[[Day_1#Security|Security]]
*[[Day_1#IT Operations|IT Operations]]
*[[Day_1#Engineering Groups|Engineering Groups]]

== [[Day 2]] ==
''''' Key Activities: '''''
*[[Day_2#Asset Discovery|Asset Discovery]]
*[[Day_2#Asset Risk Prioritization|Asset Risk Prioritization]]
*[[Day_2#Communication Plan|Communication Plan]]

== [[Day 3]] ==
''''' Key Activities: '''''
*[[Day_3#Vulnerability Assessments|Vulnerability Assessments]]
*[[Day_3#Vulnerability Delivery|Vulnerability Delivery]]

== [[Day 4]] ==
''''' Key Activities: '''''
*[[Day_4#Measured Metrics|Measured Metrics]]

== [[Day 5]] ==
''''' Key activities: '''''
*[[Day_5#Compensating Controls|Compensating Controls]]
*[[Day_5#Mitigating Controls|Mitigating Controls]]
*[[Day_5#Remediation Prioritization|Remediation Prioritization]]

== Conclusion ==
Setting up an effective application security program does require commitment from all elements of the business, and a clear understanding of what resources need to be protected and what level of risk is acceptable. However, given that information, setting up an application security program need not be confusing, difficult, or complex. The keys to success involve planning, making key financial decisions, ensuring all roles and responsibilities are clearly assigned and that all stakeholders within the organization know what to expect.

== Licensing ==

The OWASP Application Security Program Quick Start Guide is free to use. It is licensed under the [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license].
You are free to:
*Share — copy and redistribute the material in any medium or format
*Adapt — remix, transform, and build upon the material for non-commercial use

The licensor cannot revoke these freedoms as long as you follow the license terms.

| width="100" style="max-height:200px;overflow:hidden;background:#fff;margin:0;padding:0;" cellpadding="0" |

| width="30%" style="background:#eeeeee" |

=Credits =

== Project lead and authors ==

* [[User:Gabrielgumbs| '''Gabriel Gumbs''']]
* [[User:JeremiahGrossman| '''Jeremiah Grossman''']]
* [[User:Rsnake| '''Robert Hansen''']]
* [[User:Jerryhoff|'''Jerry Hoff''']]
* [[User: MattJohansen| '''Matt Johansen''']]

== Further Information ==
[https://lists.owasp.org/mailman/listinfo/owasp-application-security-program-quick-start-guide Project Mailing List]

== Application Security Program Quick Start Guide ==

The OWASP Application Security Program Quick Start Guide is also available as
* [https://www.owasp.org/images/5/53/OWASP_Quick_Start_Guide.pdf Free downloadable PDF]

For full information about the Application Security Program Quick Start Guide, including mailing list details, the forward plan, how to contribute, the project status, and alternative media, see the project page:
* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project The Application Security Program Quick Start Guide Project Page]

|}

Application Security Program Quick Start Guide

2015-01-05T23:06:39Z

Gabrielgumbs: /* Project lead and authors */

__NOTOC__

{| width="100%" cellspacing="0" cellpadding="10"
|- valign="top"
| width="70%" style="background:#d9e9f9" |

= The Application Security Program Quick Start Guide =

=== Preface ===

This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program1. The intended goal of the AppSec program is to implement measures throughout the code’s life-cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.

The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but limited to:
#The number of vulnerabilities present in an application
#The time to fix vulnerabilities
#The remediation rate of vulnerabilities
#The time vulnerabilities remain open

The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas.

=== Audience ===
The intended audience of this document is anyone from security engineers, developers, program managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions and answers that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.

== [[Day 1]] ==
''''' Key Activities: '''''
*[[Day_1#Management|Management]]
*[[Day_1#Security|Security]]
*[[Day_1#IT Operations|IT Operations]]
*[[Day_1#Engineering Groups|Engineering Groups]]

== [[Day 2]] ==
''''' Key Activities: '''''
*[[Day_2#Asset Discovery|Asset Discovery]]
*[[Day_2#Asset Risk Prioritization|Asset Risk Prioritization]]
*[[Day_2#Communication Plan|Communication Plan]]

== [[Day 3]] ==
''''' Key Activities: '''''
*[[Day_3#Vulnerability Assessments|Vulnerability Assessments]]
*[[Day_3#Vulnerability Delivery|Vulnerability Delivery]]

== [[Day 4]] ==
''''' Key Activities: '''''
*[[Day_4#Measured Metrics|Measured Metrics]]

== [[Day 5]] ==
''''' Key activities: '''''
*[[Day_5#Compensating Controls|Compensating Controls]]
*[[Day_5#Mitigating Controls|Mitigating Controls]]
*[[Day_5#Remediation Prioritization|Remediation Prioritization]]

== Conclusion ==
Setting up an effective application security program does require commitment from all elements of the business, and a clear understanding of what resources need to be protected and what level of risk is acceptable. However, given that information, setting up an application security program need not be confusing, difficult, or complex. The keys to success involve planning, making key financial decisions, ensuring all roles and responsibilities are clearly assigned and that all stakeholders within the organization know what to expect.

== Licensing ==

The OWASP Application Security Program Quick Start Guide is free to use. It is licensed under the [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license].
You are free to:
*Share — copy and redistribute the material in any medium or format
*Adapt — remix, transform, and build upon the material for non-commercial use

The licensor cannot revoke these freedoms as long as you follow the license terms.

| width="100" style="max-height:200px;overflow:hidden;background:#fff;margin:0;padding:0;" cellpadding="0" |

| width="30%" style="background:#eeeeee" |

=Credits =

== Project lead and authors ==

* [[User:Gabrielgumbs| '''Gabriel Gumbs''']]
* [[User:JeremiahGrossman| '''Jeremiah Grossman''']]
* [[User:Rsnake| '''Robert Hansen''']]
* [[User:Jerryhoff|'''Jerry Hoff''']]
* [[User: MattJohansen| '''Matt Johansen''']]
* [[User: MattJohansen| '''Matt Johansen''']]

== Further Information ==
[https://lists.owasp.org/mailman/listinfo/owasp-application-security-program-quick-start-guide Project Mailing List]

== Application Security Program Quick Start Guide ==

The OWASP Application Security Program Quick Start Guide is also available as
* [https://www.owasp.org/images/5/53/OWASP_Quick_Start_Guide.pdf Free downloadable PDF]

For full information about the Application Security Program Quick Start Guide, including mailing list details, the forward plan, how to contribute, the project status, and alternative media, see the project page:
* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project The Application Security Program Quick Start Guide Project Page]

|}

Application Security Program Quick Start Guide

2015-01-05T23:06:30Z

Gabrielgumbs:

__NOTOC__

{| width="100%" cellspacing="0" cellpadding="10"
|- valign="top"
| width="70%" style="background:#d9e9f9" |

= The Application Security Program Quick Start Guide =

=== Preface ===

This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program1. The intended goal of the AppSec program is to implement measures throughout the code’s life-cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.

The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but limited to:
#The number of vulnerabilities present in an application
#The time to fix vulnerabilities
#The remediation rate of vulnerabilities
#The time vulnerabilities remain open

The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas.

=== Audience ===
The intended audience of this document is anyone from security engineers, developers, program managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions and answers that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.

== [[Day 1]] ==
''''' Key Activities: '''''
*[[Day_1#Management|Management]]
*[[Day_1#Security|Security]]
*[[Day_1#IT Operations|IT Operations]]
*[[Day_1#Engineering Groups|Engineering Groups]]

== [[Day 2]] ==
''''' Key Activities: '''''
*[[Day_2#Asset Discovery|Asset Discovery]]
*[[Day_2#Asset Risk Prioritization|Asset Risk Prioritization]]
*[[Day_2#Communication Plan|Communication Plan]]

== [[Day 3]] ==
''''' Key Activities: '''''
*[[Day_3#Vulnerability Assessments|Vulnerability Assessments]]
*[[Day_3#Vulnerability Delivery|Vulnerability Delivery]]

== [[Day 4]] ==
''''' Key Activities: '''''
*[[Day_4#Measured Metrics|Measured Metrics]]

== [[Day 5]] ==
''''' Key activities: '''''
*[[Day_5#Compensating Controls|Compensating Controls]]
*[[Day_5#Mitigating Controls|Mitigating Controls]]
*[[Day_5#Remediation Prioritization|Remediation Prioritization]]

== Conclusion ==
Setting up an effective application security program does require commitment from all elements of the business, and a clear understanding of what resources need to be protected and what level of risk is acceptable. However, given that information, setting up an application security program need not be confusing, difficult, or complex. The keys to success involve planning, making key financial decisions, ensuring all roles and responsibilities are clearly assigned and that all stakeholders within the organization know what to expect.

== Licensing ==

The OWASP Application Security Program Quick Start Guide is free to use. It is licensed under the [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license].
You are free to:
*Share — copy and redistribute the material in any medium or format
*Adapt — remix, transform, and build upon the material for non-commercial use

The licensor cannot revoke these freedoms as long as you follow the license terms.

| width="100" style="max-height:200px;overflow:hidden;background:#fff;margin:0;padding:0;" cellpadding="0" |

| width="30%" style="background:#eeeeee" |

=Credits =

== Project lead and authors ==

* [[User:Gabrielgumbs| '''Gabriel Gumbs''']]
* [[User:JeremiahGrossman| '''Jeremiah Grossman''']]
* [[User:Rsnake| '''Robert Hansen''']]
* [[User:Jerryhoff|'''Jerry Hoff''']]
* [[User: MattJohansen| '''Matt Johansen''']]

== Further Information ==
[https://lists.owasp.org/mailman/listinfo/owasp-application-security-program-quick-start-guide Project Mailing List]

== Application Security Program Quick Start Guide ==

The OWASP Application Security Program Quick Start Guide is also available as
* [https://www.owasp.org/images/5/53/OWASP_Quick_Start_Guide.pdf Free downloadable PDF]

For full information about the Application Security Program Quick Start Guide, including mailing list details, the forward plan, how to contribute, the project status, and alternative media, see the project page:
* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project The Application Security Program Quick Start Guide Project Page]

|}

User:Gabrielgumbs

2015-01-05T22:55:00Z

Gabrielgumbs:

* [mailto:gabriel@rfc1122.com Gabriel Gumbs]

* [https://twitter.com/GabrielGumbs @GabrielGumbs]

* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project OWASP Projects]

My passion is strategic Information Security management and problem solving. 16 years since I began working in security that passion is stronger than ever. I use that passion to make the digital world a safer place to work and transact business.

I am an accomplished senior level security professional, IT director and Web App Penetration Tester, GIAC GWAPT Certified, with 16 years of experience spanning multiple disciplines. I thrive on leveraging data to make informed decisions and am involved in researching the patterns and behaviors that make a measurable impact on information security.

Currently, I am the Managing Director, Research and Products at WhiteHat Security. In this role, I conduct ongoing research and analysis of the web application security industry along with providing guidance to enterprise customers, driving their business, organizational and internal program development and evolution.

User:Gabrielgumbs

2015-01-05T22:49:16Z

Gabrielgumbs:

* [mailto:gabriel@rfc1122.com Gabriel Gumbs]

* [https://twitter.com/GabrielGumbs @GabrielGumbs]

My passion is strategic Information Security management and problem solving. 16 years since I began working in security that passion is stronger than ever. I use that passion to make the digital world a safer place to work and transact business.

I am an accomplished senior level security professional, IT director and Web App Penetration Tester, GIAC GWAPT Certified, with 16 years of experience spanning multiple disciplines. I thrive on leveraging data to make informed decisions and am involved in researching the patterns and behaviors that make a measurable impact on information security.

Currently, I am the Managing Director, Research and Products at WhiteHat Security. In this role, I conduct ongoing research and analysis of the web application security industry along with providing guidance to enterprise customers, driving their business, organizational and internal program development and evolution.

User:Gabrielgumbs

2015-01-05T22:48:31Z

Gabrielgumbs:

* [mailto:gabriel@rfc1122.com Gabriel [at] RFC1122 [dot] com Gabriel Gumbs]

* [https://twitter.com/GabrielGumbs @GabrielGumbs]

My passion is strategic Information Security management and problem solving. 16 years since I began working in security that passion is stronger than ever. I use that passion to make the digital world a safer place to work and transact business.

I am an accomplished senior level security professional, IT director and Web App Penetration Tester, GIAC GWAPT Certified, with 16 years of experience spanning multiple disciplines. I thrive on leveraging data to make informed decisions and am involved in researching the patterns and behaviors that make a measurable impact on information security.

Currently, I am the Managing Director, Research and Products at WhiteHat Security. In this role, I conduct ongoing research and analysis of the web application security industry along with providing guidance to enterprise customers, driving their business, organizational and internal program development and evolution.

User:Gabrielgumbs

2015-01-05T22:47:35Z

Gabrielgumbs:

User:Gabrielgumbs

2015-01-05T22:46:20Z

Gabrielgumbs:

* [mailto:gabriel@rfc1122.com Gabriel Gumbs]

My passion is strategic Information Security management and problem solving. 16 years since I began working in security that passion is stronger than ever. I use that passion to make the digital world a safer place to work and transact business.

I am an accomplished senior level security professional, IT director and Web App Penetration Tester, GIAC GWAPT Certified, with 16 years of experience spanning multiple disciplines. I thrive on leveraging data to make informed decisions and am involved in researching the patterns and behaviors that make a measurable impact on information security.

Currently, I am the Managing Director, Research and Products at WhiteHat Security. In this role, I conduct ongoing research and analysis of the web application security industry along with providing guidance to enterprise customers, driving their business, organizational and internal program development and evolution.

OWASP Application Security Program Quick Start Guide Project

2015-01-05T22:46:02Z

Gabrielgumbs: /* Project lead and authors */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>


{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |



==The OWASP Application Security Program Quick Start Guide Project==



This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program . The intended goal of the AppSec program is to implement measures throughout the code's life-cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.

The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but not limited to:

*The number of vulnerabilities present in an application
*The time to fix vulnerabilities
*The remediation rate of vulnerabilities
*The time vulnerabilities remain open.

The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas.

==Audience==

The intended audience of this document is anyone from security engineers, developers, program managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions and answers that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.

==Licensing==

Creative Commons Attribution-NonCommercial-ShareAlike

==Project Sponsor==
The OWASP Application Security Program Quick Start Guide Project is sponsored by [https://whitehatsec.com/ WhiteHat Security Inc.].

[[File:WhiteHatSecurity-logo-small.png | link=https://whitehatsec.com/]]


| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Core Content ==

Broken out into non-calendar days. The guide prioritizes the activities needed to measure and improve the relative security of web applications under the same authority. Included are additional resources to the related task, such as asset management and security policies.

Table of Contents

*Day 1 - Landscape Evaluation
*Day 2 - Assets & Communication Plans
*Day 3 - Assessments
*Day 4 - Metrics
*Day 5 - Controls & Prioritization

The complete TOC along with the HTML content can be found on the [https://www.owasp.org/index.php?title=Application_Security_Program_Quick_Start_Guide Project Page.].

== Presentation ==



Placeholder


== Project lead and authors ==

* [[User:Gabrielgumbs| '''Gabriel Gumbs''']]
* [[User:JeremiahGrossman| '''Jeremiah Grossman''']]
* [[User:Rsnake| '''Robert Hansen''']]
* [[User:Jerryhoff|'''Jerry Hoff''']]

== Related Projects ==









| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==



[https://www.owasp.org/images/5/53/OWASP_Quick_Start_Guide.pdf Free downloadable PDF]


== Project Mailing List ==
[https://lists.owasp.org/mailman/listinfo/owasp-application-security-program-quick-start-guide Project Mailing List]

== News and Events ==


Initial release pending

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:CC-BY-NC-SA-4.0.png|link=http://creativecommons.org/licenses/by-nc-sa/4.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=FAQs=



Many projects have "Frequently Asked Questions" documents or pages. However, the point of such a document is not the questions. ''The point of a document like this are the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously compose and post the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your projects 'Frequent Answers.'


==How can I participate in your project?==
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.

==If I am not a programmer can I participate in your project?==
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.

= Acknowledgements =

==Contributors==

The first contributors to the project were:

* [mailto:gabriel@rfc1122.com Gabriel Gumbs]
* [mailto:jeremiah@whitehatsec.com Jeremiah Grossman]
* [mailto:jerry.hoff@whitehatsec.com Jerry Hoff]
* [mailto:robert.hansen@whitehatsec.com Robert Hansen]

= Road Map and Getting Involved =

The roadmap will consists of updates to remain relevant with updated technologies and processes. The deliverable will be a 'living' wiki along with several PDF downloads.

=Project About=



This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says "OWASP_Example_Project". When in doubt, ask the OWASP Projects Manager.
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project


{{:Projects/OWASP_Example_Project_About_Page}}


__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

Day 5

2015-01-05T22:44:28Z

Gabrielgumbs:

[[Application Security Program Quick Start Guide|< Back to The Application_Security_Program_Quick_Start_Guide]]

== Key activities ==
*Implement compensating controls & mitigation controls
*Remediation Prioritization


== Compensating Controls ==
*Implement compensating controls to limit the likelihood of successful attacks; for example, deploy web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks.


== Mitigating Controls ==
*Implement mitigating controls to discover and prevent mistakes that may lead to the introduction of vulnerabilities; for example, Control 6 of the CSIS 20 Critical Security Controls – Application Software Security. Build security into the development life cycle.


== Remediation Prioritization ==
*Implement remediation prioritization driven by financial calculations. Compare the cost of fixing specific

[[Application Security Program Quick Start Guide|< Back to The Application_Security_Program_Quick_Start_Guide]]

Day 4

2015-01-05T22:44:10Z

Gabrielgumbs:

[[Application Security Program Quick Start Guide|< Back to The Application_Security_Program_Quick_Start_Guide]]

= Key Activities ==
*Measure and improve assessment service delivery.


== Measured Metrics ==
* Compare against industry metrics and interdepartmental metrics.
* Compare behaviors to measured metrics to identify which initiatives drive improvement of metrics and security program.
== Metric Definition ==

{| class="wikitable" style="color:black; background-color:#C1D9DD;" cellpadding="10"
!Metric
!Definition
|-
|Number of Vulnerabilities
|The total count of vulnerabilities during the analysis period; valuable as a metric over time. Time Open This value represents the number of partial days since the vulnerability was opened as of the specific evaluation date. It only includes open vulnerabilities and not vulnerabilities that were closed. It is computed as the evaluation date less the open date for the vulnerability.
|-
|Time-to-Fix
|The Time-to-Fix is the number of partial days required to close a vulnerability. It is based on the vulnerabilities that were closed during the analysis period.
|-
|Remediation Rate
|The Remediation Rate is the ratio of the number of vulnerabilities closed over the number of vulnerabilities opened over a given period of time. A vulnerability is considered closed if it closed during the analysis period. A vulnerability is considered open if it was open at some time during the analysis period. Therefore, vulnerability could be counted as open and closed.
|-
|Vulnerability Class
|Likelihood Vulnerability Class Likelihood is the percentage of active applications that have at least one open vulnerability in a given vulnerability class over a given period of time. It is determined by counting the number of applications that have at least one open vulnerability in a given vulnerability class over the number of active applications.
|}

[[Application Security Program Quick Start Guide|< Back to The Application_Security_Program_Quick_Start_Guide]]

Day 3

2015-01-05T22:43:54Z

Gabrielgumbs:

[[Application Security Program Quick Start Guide|< Back to The Application_Security_Program_Quick_Start_Guide]]

== Key Activities ==
*Measure current vulnerability posture.
*Initiate vulnerability testing.
*Triage vulnerabilities.


== Vulnerability Assessments ==
To determine what sort of vulnerability assessment is most appropriate, consider your current status and resources:

{| class="wikitable" style="color:black; background-color:#C1D9DD;" cellpadding="10"
!Scenario
!Appropriate Assessments
|-
|Resources and support for immediate unlimited continuous assessments
|Perform assessments across all discovered assets
|-
|Limited resources or appetite for unlimited continuous assessments
|At a minimum frequency of testing should keep or exceed rate of change in asset
|-
|Application currently exist in production environment:
|Begin dynamic* assessments for these existing applications
|-
|Source Code of your application(s) is available on the internet (Freely available, stolen, etc.)
|Begin Static Analysis assessments
|-
|Business is subject to compliance mandate requiring Static Analysis
|Begin Static Analysis assessments
|-
|New development project of an application Begin Static Analysis assessments
|Dynamic assessments completed and application security program in continuous improvement cycle
|-
|Begin Static Analysis assessments
|Begin Dynamic Analysis in QA/Staging
|}

Other scenarios to consider Static Analysis as the first assessment type or in parallel with Dynamic Analysis:
*High developer attrition rate
*Known internal bad actors
*Disgruntled current or former employee with access to source code
*Outsourced code

== Static Analysis ==
Static Code Analysis (also known as Source Code Analysis or Static Application Security Testing (SAST)) is usually performed as part of a Code Review (also known as white-box testing) and is carried out at the Implementation phase of a Security Development Lifecycle (SDL). Static Code Analysis commonly refers to the running of Static Code Analysis tools that attempt to highlight possible vulnerabilities within ‘static’ (non-running) source code by using techniques such as Taint Analysis and Data Flow Analysis.

== Dynamic Analysis ==
Dynamic Application Security Testing (DAST), also referred to as “black-box” testing, identifies vulnerabilities in running web applications – testing of the application from the outside in.


== Vulnerability Delivery ==
To deliver valuable vulnerability information to your business, you must:
*Document vulnerability delegation and vulnerability lifecycle process
*Feed issues into existing tracking systems where possible to preserve the existing workflow
*Triage vulnerabilities prior to feeding them into your defect management systems
*Ensure only true positives are fed to development teams
*Track re-testing of vulnerabilities via new incident/ticket or update existing incident/ticket.
*Define which issues are important to the business
*Create a baseline of the issues that are important to the business
*Align vulnerability remediation strategy with loss exposure versus resources available to fix
*Create a knowledge base of common issues and their solutions
*Dedicate resource(s) to developer interactions, including educating developers on security topics
*Publish aggregate metrics internally
*Match or outpace release cycles in detecting and responding to vulnerabilities.

[[Application Security Program Quick Start Guide|< Back to The Application_Security_Program_Quick_Start_Guide]]

Day 2

2015-01-05T22:43:36Z

Gabrielgumbs:

[[Application Security Program Quick Start Guide|< Back to The Application_Security_Program_Quick_Start_Guide]]

== Key Activities ==
*Become intimately familiar with what you are meant to protect and at what level.
*Define processes, procedures, and checklists to align assessment strategies to business needs.
*Effectively communicate the introduction and goals of the Application Security assessment program.
*Provide a single point of contact for the program.


== Asset Discovery ==
*Gather Internal, External and Hosted IP ranges.
*Catalogue known domains and subdomains.
*Identify asset meta-data locations. (CMDBs, GRCs, etc.).
*Identify site owners, where those are not already known.
*Gather assessment credentials, including multiple roles for horizontal and vertical testing.
*Identify the rate of application change (e.g. monthly, weekly, etc.…)


== Asset Risk Prioritization ==
*Develop or leverage existing methodology for stack ranking the value of your assets to the business based on
impact to confidentiality, integrity and availability (C.I.A.). (See: [http://csrc.nist.gov/publications/fips/fips199/FIPSPUB-199-final.pdf])

POTENTIAL IMPACT

{| class="wikitable" style="color:black; background-color:#C1D9DD;" cellpadding="10"
!SECURITY OBJECTIVE
!LOW
!MODERATE
!HIGH
|-
|Confidentiality
Preserving authorized restrictions on information
access and disclosure, including means for protecting
personal privacy and proprietary information. [44 U.S.C., SEC. 3542]
|The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
|The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
|The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
|-
|Integrity
Guarding against improper information modification or destruction, and includes ensuring information nonrepudiation
and authenticity. [44 U.S.C., SEC. 3542]
|The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
|The unauthorized modification or destruction of information could be expected to have a serious adverse effect on
organizational operations, organizational assets, or individuals.
|The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
|-
|Availability
Ensuring timely and reliable access to and use of information. [44 U.S.C., SEC. 3542]
|The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
|The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
|The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
|}

*Map asset criticality against attacker profiles with use of a GRC (Governance Risk Management and Compliance) tool if available, or using an information asset register such as the University of Oxford Information Asset Register Tool

For example:
#Tier 1 = Targeted Govt./State sponsor.
#Tier 2 = Hactivism
#Tier 3 = Random Opportunistic

*Implement ISO 17799: Asset Management or similar standard to improve governance of application assets.


== Communication Plan ==
*Set expectations of assessment program for all interested parties.
*Alert Operations team of upcoming activities.
*Gather written buy-in from application stakeholders for the assessment activities.
*Develop, publish, and maintain comprehensive application security and privacy standards, policies, procedures and guidelines and enforce these in compliance with relevant global regulations and standards.
*Define, document and share application business continuity and incident response plan. (Business Continuity Plan Resources: ITIL, COBIT, NIST)

[[Application Security Program Quick Start Guide|< Back to The Application_Security_Program_Quick_Start_Guide]]

Day 1

2015-01-05T22:43:11Z

Gabrielgumbs:

[[Application Security Program Quick Start Guide|< Back to The Application_Security_Program_Quick_Start_Guide]]

== Key Activities ==
=== Evaluation ===
*Dedicate time to understanding the “lay of the land” and the key players, along with their objectives and motivations.
*Spend time with the parts of the organization that you are least familiar with.
*Identify the security mandate as defined by the business/management.
*Identify how IT Operations align with the security mandate.
*Be alert to your existing biases.

== Key Questions ==


=== Management ===
'''''Has the business defined an internal security mandate?'''''
Business drivers may originate from legal or industry compliance obligations, internal policy, or customer or partner
requirements. All actions and activities in the Application Security program should tie back to specific business
obligations. If there is no business mandate, a case must be made to the business that an application security program is necessary. There are a number of industry statistical reports and benchmarks available that address what other, similar organizations have implemented and why.

'''''What are the current and planned human and financial resources dedicated to Application Security?'''''
If resources are currently dedicated to ensuring the integrity of applications, examine the current allocation of those resources against their outcomes. The goal is to ensure that in a world of limited resources, each activity is measured for actual efficacy.

If there are few or no resources allocated to ensuring the integrity of applications, the case must be made by
leveraging data relevant to the organization that can be quantified in financial terms. Building a formal business case is the most effective way to approach the problem. The case must address the needs as they apply to existing business objectives. This is not the time for expounding on the virtues of security. You must translate the business benefit of reallocating financial resources. Simply asking for X number of dollars to reduce Y number of vulnerabilities is typically ineffective.

'''''What are the IT & Business priorities?'''''
IT is both an enabler and supporter of the business. Security is no different in this respect; however, it has the added challenge of needing to be transparent where it can be, and be a part of the ordinary workflow, or be perceived as a roadblock. Once the business priorities have been identified, the application security goals must be aligned with
those priorities. If the business priorities are to release new functionality at a rapid pace, then application testing must keep pace; if the priorities are to maintain the user experience over a long period of time, a pplication testing must be rigorous before the user is ever exposed to the application.

=== Security ===

'''''What is the overall security budget and the priorities of that budget?'''''
'''''What percentage of that budget is allocated to Application Security?'''''
Most departments will feel under budget to some degree. Examine the overall security budget (including cyberinsurance
budget if possible, as it likely falls outside of the security budget) to understand what receives financial priority and how the Application Security program could benefit from those activities. If there is significant spend on security infrastructure, ensure that they are leveraging controls to protect applications -- for example, alerting on the lack or improper use of security headers.

'''''Which of your assets are most frequently attacked?'''''
Not all attacks are equal, and not all attacks are opportunistic. Careful examination of attack frequency and velocity
can identify the assets requiring additional testing to ensure resiliency. Often, low(er) priority assets will be targeted for exploitation as they tend not be as resilient to attacks.

'''''What security tools and/or services do you as a company currently own/use?'''''
Query other parts of the security organization to understand what tools and services they already have access to. Software and services are often bundled in contracts but not used as they were not the primary purpose for purchase.
If the QA team already has access to security tools that were bundled as part of their QA software acquisition there are opportunities to leverage that existing financial commitment and even allow for native integration.

=== IT Operations ===

'''''What are your assets?'''''
Include assets you own and assets hosted or owned by third parties. Unknown or unmanaged assets cannot be protected. It is also difficult to fix issues if the person or team responsible for those assets is unknown. Developing an accurate and update-to-date asset inventory can be challenging, however, for the purpose of this exercise we will be focusing on web-based assets. The narrowed scope can be aggressively targeted and maintained.

'''''How are web assets isolated and distributed throughout the infrastructure?'''''
If an attacker were able to compromise a machine (say a webserver, or a database server) what would prevent them from pivoting and hacking into other nearby machines? Are they physically isolated, logically isolated, or do they share similar credentials, etc?

'''''How frequently do you perform network and server vulnerability scans?'''''
Addressing web application vulnerabilities on a server that never patches its operating system is a waste of resources. Understand how often infrastructure is assessed and patched – this should match or exceed the pac e of attack frequency.

'''''What is your tolerance around production safety?'''''
Some environments are more sensitive to production testing, as there is always some likelihood of impact; the goal is to get the likelihood of impact as close to zero as possible. As the likelihood of impact approaches zero, the frequency of testing should be increased. Ultimately, production systems are the primary targets of our adversaries – they should be tested as often as possible; at a minimum, at least as frequently as the application itself is changed or updated.


=== Engineering Groups (including QA and Software Development) ===
'''''According to the software development group’s understanding of the current processes, whose responsibility is application security?'''''
Security lives in our corporate cultures and psyche. Developers are ultimately responsible for their code; understand
whether they also believe they are responsible for the integrity of that code. Security is not the sole responsibility of either the developer community or the security department. Foster a healthy environment of mutual responsibility and accountability from all stakeholders. Begin by sharing information in a non-aggressive manner.

'''''Where does Security fit into the software development lifecycle?'''''
If a development lifecycle does not exist, the first priority is to demonstrate the business value of having a defined process. Most organizations will have some process in place, even if it is an immature one. The absence of a development process could also prove to be an opportunity to ensure security is built into a process from the start.

Roughly, the steps to building or updating software can be generalized as:
#Planning / Analysis
#Design
#Implementation
#Testing
#Maintain
#Decommission

Let’s break down each step and discuss basic security activities that are often considered to reduce risk.

'''Planning / Analysis:''' Ensure business analysts and stakeholders have considered and can detail the security needs and risk tolerance of an application. This may reference internal data classification policies to describe the data sensitivity. Threat modeling may also help clarify the potential threat agents who may be motivated to attack the proposed application.

'''Design:''' A security architecture review may reveal security design flaws in key areas such as authentication, access control, or separation of concerns, and of course may identify missing categorical security controls.

'''Implementation:''' The implementation process normally consists of the coding and development of the overall architecture design formulated in the previous phase. Developers should be receiving continuous security feedback to ensure all security issues are being identified and mitigated in conformance with the organization’s risk tolerance.

'''Testing:''' Testing should include security tests as well as functional tests. Areas of concentration should be on vulnerabilities that would not have been uncovered during the implementation phase, such as business logic vulnerabilities.

'''Maintenance:''' Once the application is promoted to production, continuous testing of security issues should be ongoing throughout the life of the application. As vulnerability vectors and attacks evolve, the application should be tested to ensure defensibility against these new attacks.

'''''How are software defects documented, trended, and prioritized?'''''
The key to adoption of an Application Security program is alignment with and transparency to current workflows. Identify how application defects are documented, trended and prioritized, and plan to insert the application security defects into these existing documents and processes.

'''''Are developers encouraged to develop secure code?'''''
Positive incentive programs foster ownership and accountability for output. Corporate culture varies from each organization; tapping into that culture to offer incentives for producing rugged code will create a natural momentum for finding and fixing security issues. Some cultures will value access to otherwise less accessible personnel, such as lunch with the CTO; others will be motivated by gifts that they might not have purchased for themselves, such as a robotics kit. Take the time to understand the culture of your organization and tap into the inherent desire most people have to be rewarded. Remember that money does not motivate everyone, and can even be demotivating in some cases.

'''''Are abuse and misuse cases part of test scripts?'''''
Test scripts are often developed for the sole purpose of ensuring the application performs the intended functionality.
Introduce test scripts that could identify the misuse of intended functionality, such as the ability to execute similar functionality a user should not be able to access.

'''''Is everyone in the organization expected to have general software security knowledge or is there a team/individual
tasked with being the "Security Deputy"?''''
Security deputy programs are a good approach to disseminating application security information to non-security
focused departments; they also have the added bonus of fostering a two-way relationship.

Implement a deputy program that:
*is focused on the goals of the application developers and application security testers
*is aimed at achieving results beyond simple security awareness
*can address the points throughout the development cycle where vulnerabilities are introduced – at the time the code is written

[[Application Security Program Quick Start Guide|< Back to The Application_Security_Program_Quick_Start_Guide]]

Day 1

2015-01-05T22:41:58Z

Gabrielgumbs:

[[Application Security Program Quick Start Guide|< Back to The Application_Security_Program_Quick_Start_Guide]]

__NOTOC__

== Key Activities ==
=== Evaluation ===
*Dedicate time to understanding the “lay of the land” and the key players, along with their objectives and motivations.
*Spend time with the parts of the organization that you are least familiar with.
*Identify the security mandate as defined by the business/management.
*Identify how IT Operations align with the security mandate.
*Be alert to your existing biases.

== Key Questions ==


=== Management ===
'''''Has the business defined an internal security mandate?'''''
Business drivers may originate from legal or industry compliance obligations, internal policy, or customer or partner
requirements. All actions and activities in the Application Security program should tie back to specific business
obligations. If there is no business mandate, a case must be made to the business that an application security program is necessary. There are a number of industry statistical reports and benchmarks available that address what other, similar organizations have implemented and why.

'''''What are the current and planned human and financial resources dedicated to Application Security?'''''
If resources are currently dedicated to ensuring the integrity of applications, examine the current allocation of those resources against their outcomes. The goal is to ensure that in a world of limited resources, each activity is measured for actual efficacy.

If there are few or no resources allocated to ensuring the integrity of applications, the case must be made by
leveraging data relevant to the organization that can be quantified in financial terms. Building a formal business case is the most effective way to approach the problem. The case must address the needs as they apply to existing business objectives. This is not the time for expounding on the virtues of security. You must translate the business benefit of reallocating financial resources. Simply asking for X number of dollars to reduce Y number of vulnerabilities is typically ineffective.

'''''What are the IT & Business priorities?'''''
IT is both an enabler and supporter of the business. Security is no different in this respect; however, it has the added challenge of needing to be transparent where it can be, and be a part of the ordinary workflow, or be perceived as a roadblock. Once the business priorities have been identified, the application security goals must be aligned with
those priorities. If the business priorities are to release new functionality at a rapid pace, then application testing must keep pace; if the priorities are to maintain the user experience over a long period of time, a pplication testing must be rigorous before the user is ever exposed to the application.

=== Security ===

'''''What is the overall security budget and the priorities of that budget?'''''
'''''What percentage of that budget is allocated to Application Security?'''''
Most departments will feel under budget to some degree. Examine the overall security budget (including cyberinsurance
budget if possible, as it likely falls outside of the security budget) to understand what receives financial priority and how the Application Security program could benefit from those activities. If there is significant spend on security infrastructure, ensure that they are leveraging controls to protect applications -- for example, alerting on the lack or improper use of security headers.

'''''Which of your assets are most frequently attacked?'''''
Not all attacks are equal, and not all attacks are opportunistic. Careful examination of attack frequency and velocity
can identify the assets requiring additional testing to ensure resiliency. Often, low(er) priority assets will be targeted for exploitation as they tend not be as resilient to attacks.

'''''What security tools and/or services do you as a company currently own/use?'''''
Query other parts of the security organization to understand what tools and services they already have access to. Software and services are often bundled in contracts but not used as they were not the primary purpose for purchase.
If the QA team already has access to security tools that were bundled as part of their QA software acquisition there are opportunities to leverage that existing financial commitment and even allow for native integration.

=== IT Operations ===

'''''What are your assets?'''''
Include assets you own and assets hosted or owned by third parties. Unknown or unmanaged assets cannot be protected. It is also difficult to fix issues if the person or team responsible for those assets is unknown. Developing an accurate and update-to-date asset inventory can be challenging, however, for the purpose of this exercise we will be focusing on web-based assets. The narrowed scope can be aggressively targeted and maintained.

'''''How are web assets isolated and distributed throughout the infrastructure?'''''
If an attacker were able to compromise a machine (say a webserver, or a database server) what would prevent them from pivoting and hacking into other nearby machines? Are they physically isolated, logically isolated, or do they share similar credentials, etc?

'''''How frequently do you perform network and server vulnerability scans?'''''
Addressing web application vulnerabilities on a server that never patches its operating system is a waste of resources. Understand how often infrastructure is assessed and patched – this should match or exceed the pac e of attack frequency.

'''''What is your tolerance around production safety?'''''
Some environments are more sensitive to production testing, as there is always some likelihood of impact; the goal is to get the likelihood of impact as close to zero as possible. As the likelihood of impact approaches zero, the frequency of testing should be increased. Ultimately, production systems are the primary targets of our adversaries – they should be tested as often as possible; at a minimum, at least as frequently as the application itself is changed or updated.


=== Engineering Groups (including QA and Software Development) ===
'''''According to the software development group’s understanding of the current processes, whose responsibility is application security?'''''
Security lives in our corporate cultures and psyche. Developers are ultimately responsible for their code; understand
whether they also believe they are responsible for the integrity of that code. Security is not the sole responsibility of either the developer community or the security department. Foster a healthy environment of mutual responsibility and accountability from all stakeholders. Begin by sharing information in a non-aggressive manner.

'''''Where does Security fit into the software development lifecycle?'''''
If a development lifecycle does not exist, the first priority is to demonstrate the business value of having a defined process. Most organizations will have some process in place, even if it is an immature one. The absence of a development process could also prove to be an opportunity to ensure security is built into a process from the start.

Roughly, the steps to building or updating software can be generalized as:
#Planning / Analysis
#Design
#Implementation
#Testing
#Maintain
#Decommission

Let’s break down each step and discuss basic security activities that are often considered to reduce risk.

'''Planning / Analysis:''' Ensure business analysts and stakeholders have considered and can detail the security needs and risk tolerance of an application. This may reference internal data classification policies to describe the data sensitivity. Threat modeling may also help clarify the potential threat agents who may be motivated to attack the proposed application.

'''Design:''' A security architecture review may reveal security design flaws in key areas such as authentication, access control, or separation of concerns, and of course may identify missing categorical security controls.

'''Implementation:''' The implementation process normally consists of the coding and development of the overall architecture design formulated in the previous phase. Developers should be receiving continuous security feedback to ensure all security issues are being identified and mitigated in conformance with the organization’s risk tolerance.

'''Testing:''' Testing should include security tests as well as functional tests. Areas of concentration should be on vulnerabilities that would not have been uncovered during the implementation phase, such as business logic vulnerabilities.

'''Maintenance:''' Once the application is promoted to production, continuous testing of security issues should be ongoing throughout the life of the application. As vulnerability vectors and attacks evolve, the application should be tested to ensure defensibility against these new attacks.

'''''How are software defects documented, trended, and prioritized?'''''
The key to adoption of an Application Security program is alignment with and transparency to current workflows. Identify how application defects are documented, trended and prioritized, and plan to insert the application security defects into these existing documents and processes.

'''''Are developers encouraged to develop secure code?'''''
Positive incentive programs foster ownership and accountability for output. Corporate culture varies from each organization; tapping into that culture to offer incentives for producing rugged code will create a natural momentum for finding and fixing security issues. Some cultures will value access to otherwise less accessible personnel, such as lunch with the CTO; others will be motivated by gifts that they might not have purchased for themselves, such as a robotics kit. Take the time to understand the culture of your organization and tap into the inherent desire most people have to be rewarded. Remember that money does not motivate everyone, and can even be demotivating in some cases.

'''''Are abuse and misuse cases part of test scripts?'''''
Test scripts are often developed for the sole purpose of ensuring the application performs the intended functionality.
Introduce test scripts that could identify the misuse of intended functionality, such as the ability to execute similar functionality a user should not be able to access.

'''''Is everyone in the organization expected to have general software security knowledge or is there a team/individual
tasked with being the "Security Deputy"?''''
Security deputy programs are a good approach to disseminating application security information to non-security
focused departments; they also have the added bonus of fostering a two-way relationship.

Implement a deputy program that:
*is focused on the goals of the application developers and application security testers
*is aimed at achieving results beyond simple security awareness
*can address the points throughout the development cycle where vulnerabilities are introduced – at the time the code is written

[[Application Security Program Quick Start Guide|< Back to The Application_Security_Program_Quick_Start_Guide]]

__NOTOC__

Day 1

2015-01-05T22:41:32Z

Gabrielgumbs:

Day 1

2015-01-05T22:41:02Z

Gabrielgumbs:

[[Application Security Program Quick Start Guide|< Application_Security_Program_Quick_Start_Guide]]

__NOTOC__

== Key Activities ==
=== Evaluation ===
*Dedicate time to understanding the “lay of the land” and the key players, along with their objectives and motivations.
*Spend time with the parts of the organization that you are least familiar with.
*Identify the security mandate as defined by the business/management.
*Identify how IT Operations align with the security mandate.
*Be alert to your existing biases.

== Key Questions ==


=== Management ===
'''''Has the business defined an internal security mandate?'''''
Business drivers may originate from legal or industry compliance obligations, internal policy, or customer or partner
requirements. All actions and activities in the Application Security program should tie back to specific business
obligations. If there is no business mandate, a case must be made to the business that an application security program is necessary. There are a number of industry statistical reports and benchmarks available that address what other, similar organizations have implemented and why.

'''''What are the current and planned human and financial resources dedicated to Application Security?'''''
If resources are currently dedicated to ensuring the integrity of applications, examine the current allocation of those resources against their outcomes. The goal is to ensure that in a world of limited resources, each activity is measured for actual efficacy.

If there are few or no resources allocated to ensuring the integrity of applications, the case must be made by
leveraging data relevant to the organization that can be quantified in financial terms. Building a formal business case is the most effective way to approach the problem. The case must address the needs as they apply to existing business objectives. This is not the time for expounding on the virtues of security. You must translate the business benefit of reallocating financial resources. Simply asking for X number of dollars to reduce Y number of vulnerabilities is typically ineffective.

'''''What are the IT & Business priorities?'''''
IT is both an enabler and supporter of the business. Security is no different in this respect; however, it has the added challenge of needing to be transparent where it can be, and be a part of the ordinary workflow, or be perceived as a roadblock. Once the business priorities have been identified, the application security goals must be aligned with
those priorities. If the business priorities are to release new functionality at a rapid pace, then application testing must keep pace; if the priorities are to maintain the user experience over a long period of time, a pplication testing must be rigorous before the user is ever exposed to the application.

=== Security ===

'''''What is the overall security budget and the priorities of that budget?'''''
'''''What percentage of that budget is allocated to Application Security?'''''
Most departments will feel under budget to some degree. Examine the overall security budget (including cyberinsurance
budget if possible, as it likely falls outside of the security budget) to understand what receives financial priority and how the Application Security program could benefit from those activities. If there is significant spend on security infrastructure, ensure that they are leveraging controls to protect applications -- for example, alerting on the lack or improper use of security headers.

'''''Which of your assets are most frequently attacked?'''''
Not all attacks are equal, and not all attacks are opportunistic. Careful examination of attack frequency and velocity
can identify the assets requiring additional testing to ensure resiliency. Often, low(er) priority assets will be targeted for exploitation as they tend not be as resilient to attacks.

'''''What security tools and/or services do you as a company currently own/use?'''''
Query other parts of the security organization to understand what tools and services they already have access to. Software and services are often bundled in contracts but not used as they were not the primary purpose for purchase.
If the QA team already has access to security tools that were bundled as part of their QA software acquisition there are opportunities to leverage that existing financial commitment and even allow for native integration.

=== IT Operations ===

'''''What are your assets?'''''
Include assets you own and assets hosted or owned by third parties. Unknown or unmanaged assets cannot be protected. It is also difficult to fix issues if the person or team responsible for those assets is unknown. Developing an accurate and update-to-date asset inventory can be challenging, however, for the purpose of this exercise we will be focusing on web-based assets. The narrowed scope can be aggressively targeted and maintained.

'''''How are web assets isolated and distributed throughout the infrastructure?'''''
If an attacker were able to compromise a machine (say a webserver, or a database server) what would prevent them from pivoting and hacking into other nearby machines? Are they physically isolated, logically isolated, or do they share similar credentials, etc?

'''''How frequently do you perform network and server vulnerability scans?'''''
Addressing web application vulnerabilities on a server that never patches its operating system is a waste of resources. Understand how often infrastructure is assessed and patched – this should match or exceed the pac e of attack frequency.

'''''What is your tolerance around production safety?'''''
Some environments are more sensitive to production testing, as there is always some likelihood of impact; the goal is to get the likelihood of impact as close to zero as possible. As the likelihood of impact approaches zero, the frequency of testing should be increased. Ultimately, production systems are the primary targets of our adversaries – they should be tested as often as possible; at a minimum, at least as frequently as the application itself is changed or updated.


=== Engineering Groups (including QA and Software Development) ===
'''''According to the software development group’s understanding of the current processes, whose responsibility is application security?'''''
Security lives in our corporate cultures and psyche. Developers are ultimately responsible for their code; understand
whether they also believe they are responsible for the integrity of that code. Security is not the sole responsibility of either the developer community or the security department. Foster a healthy environment of mutual responsibility and accountability from all stakeholders. Begin by sharing information in a non-aggressive manner.

'''''Where does Security fit into the software development lifecycle?'''''
If a development lifecycle does not exist, the first priority is to demonstrate the business value of having a defined process. Most organizations will have some process in place, even if it is an immature one. The absence of a development process could also prove to be an opportunity to ensure security is built into a process from the start.

Roughly, the steps to building or updating software can be generalized as:
#Planning / Analysis
#Design
#Implementation
#Testing
#Maintain
#Decommission

Let’s break down each step and discuss basic security activities that are often considered to reduce risk.

'''Planning / Analysis:''' Ensure business analysts and stakeholders have considered and can detail the security needs and risk tolerance of an application. This may reference internal data classification policies to describe the data sensitivity. Threat modeling may also help clarify the potential threat agents who may be motivated to attack the proposed application.

'''Design:''' A security architecture review may reveal security design flaws in key areas such as authentication, access control, or separation of concerns, and of course may identify missing categorical security controls.

'''Implementation:''' The implementation process normally consists of the coding and development of the overall architecture design formulated in the previous phase. Developers should be receiving continuous security feedback to ensure all security issues are being identified and mitigated in conformance with the organization’s risk tolerance.

'''Testing:''' Testing should include security tests as well as functional tests. Areas of concentration should be on vulnerabilities that would not have been uncovered during the implementation phase, such as business logic vulnerabilities.

'''Maintenance:''' Once the application is promoted to production, continuous testing of security issues should be ongoing throughout the life of the application. As vulnerability vectors and attacks evolve, the application should be tested to ensure defensibility against these new attacks.

'''''How are software defects documented, trended, and prioritized?'''''
The key to adoption of an Application Security program is alignment with and transparency to current workflows. Identify how application defects are documented, trended and prioritized, and plan to insert the application security defects into these existing documents and processes.

'''''Are developers encouraged to develop secure code?'''''
Positive incentive programs foster ownership and accountability for output. Corporate culture varies from each organization; tapping into that culture to offer incentives for producing rugged code will create a natural momentum for finding and fixing security issues. Some cultures will value access to otherwise less accessible personnel, such as lunch with the CTO; others will be motivated by gifts that they might not have purchased for themselves, such as a robotics kit. Take the time to understand the culture of your organization and tap into the inherent desire most people have to be rewarded. Remember that money does not motivate everyone, and can even be demotivating in some cases.

'''''Are abuse and misuse cases part of test scripts?'''''
Test scripts are often developed for the sole purpose of ensuring the application performs the intended functionality.
Introduce test scripts that could identify the misuse of intended functionality, such as the ability to execute similar functionality a user should not be able to access.

'''''Is everyone in the organization expected to have general software security knowledge or is there a team/individual
tasked with being the "Security Deputy"?''''
Security deputy programs are a good approach to disseminating application security information to non-security
focused departments; they also have the added bonus of fostering a two-way relationship.

Implement a deputy program that:
*is focused on the goals of the application developers and application security testers
*is aimed at achieving results beyond simple security awareness
*can address the points throughout the development cycle where vulnerabilities are introduced – at the time the code is written

Application Security Program Quick Start Guide

2015-01-05T22:36:03Z

Gabrielgumbs: /* Day 5 */

__NOTOC__

{| width="100%" cellspacing="0" cellpadding="10"
|- valign="top"
| width="70%" style="background:#d9e9f9" |

= The Application Security Program Quick Start Guide =

=== Preface ===

This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program1. The intended goal of the AppSec program is to implement measures throughout the code’s life-cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.

The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but limited to:
#The number of vulnerabilities present in an application
#The time to fix vulnerabilities
#The remediation rate of vulnerabilities
#The time vulnerabilities remain open

The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas.

=== Audience ===
The intended audience of this document is anyone from security engineers, developers, program managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions and answers that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.

== [[Day 1]] ==
''''' Key Activities: '''''
*[[Day_1#Management|Management]]
*[[Day_1#Security|Security]]
*[[Day_1#IT Operations|IT Operations]]
*[[Day_1#Engineering Groups|Engineering Groups]]

== [[Day 2]] ==
''''' Key Activities: '''''
*[[Day_2#Asset Discovery|Asset Discovery]]
*[[Day_2#Asset Risk Prioritization|Asset Risk Prioritization]]
*[[Day_2#Communication Plan|Communication Plan]]

== [[Day 3]] ==
''''' Key Activities: '''''
*[[Day_3#Vulnerability Assessments|Vulnerability Assessments]]
*[[Day_3#Vulnerability Delivery|Vulnerability Delivery]]

== [[Day 4]] ==
''''' Key Activities: '''''
*[[Day_4#Measured Metrics|Measured Metrics]]

== [[Day 5]] ==
''''' Key activities: '''''
*[[Day_5#Compensating Controls|Compensating Controls]]
*[[Day_5#Mitigating Controls|Mitigating Controls]]
*[[Day_5#Remediation Prioritization|Remediation Prioritization]]

== Conclusion ==
Setting up an effective application security program does require commitment from all elements of the business, and a clear understanding of what resources need to be protected and what level of risk is acceptable. However, given that information, setting up an application security program need not be confusing, difficult, or complex. The keys to success involve planning, making key financial decisions, ensuring all roles and responsibilities are clearly assigned and that all stakeholders within the organization know what to expect.

== Licensing ==

The OWASP Application Security Program Quick Start Guide is free to use. It is licensed under the [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license].
You are free to:
*Share — copy and redistribute the material in any medium or format
*Adapt — remix, transform, and build upon the material for non-commercial use

The licensor cannot revoke these freedoms as long as you follow the license terms.

| width="100" style="max-height:200px;overflow:hidden;background:#fff;margin:0;padding:0;" cellpadding="0" |

| width="30%" style="background:#eeeeee" |

=Credits =

== Project lead and authors ==

* [[User:Gabrielgumbs| '''Gabriel Gumbs''']]
* [[User:JeremiahGrossman| '''Jeremiah Grossman''']]
* [[User:Rsnake| '''Robert Hansen''']]
* [[User:Jerryhoff|'''Jerry Hoff''']]

== Other contributors ==

Co-authors, contributors and reviewers:

* [[User: MattJohansen| '''Matt Johansen''']]

== Further Information ==
[https://lists.owasp.org/mailman/listinfo/owasp-application-security-program-quick-start-guide Project Mailing List]

== Application Security Program Quick Start Guide ==

The OWASP Application Security Program Quick Start Guide is also available as
* [https://www.owasp.org/images/5/53/OWASP_Quick_Start_Guide.pdf Free downloadable PDF]

For full information about the Application Security Program Quick Start Guide, including mailing list details, the forward plan, how to contribute, the project status, and alternative media, see the project page:
* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project The Application Security Program Quick Start Guide Project Page]

|}

Day 5

2015-01-05T22:36:00Z

Gabrielgumbs:

== Key activities ==
*Implement compensating controls & mitigation controls
*Remediation Prioritization


== Compensating Controls ==
*Implement compensating controls to limit the likelihood of successful attacks; for example, deploy web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks.


== Mitigating Controls ==
*Implement mitigating controls to discover and prevent mistakes that may lead to the introduction of vulnerabilities; for example, Control 6 of the CSIS 20 Critical Security Controls – Application Software Security. Build security into the development life cycle.


== Remediation Prioritization ==
*Implement remediation prioritization driven by financial calculations. Compare the cost of fixing specific

Application Security Program Quick Start Guide

2015-01-05T22:34:07Z

Gabrielgumbs: /* Day 4 */

__NOTOC__

{| width="100%" cellspacing="0" cellpadding="10"
|- valign="top"
| width="70%" style="background:#d9e9f9" |

= The Application Security Program Quick Start Guide =

=== Preface ===

This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program1. The intended goal of the AppSec program is to implement measures throughout the code’s life-cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.

The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but limited to:
#The number of vulnerabilities present in an application
#The time to fix vulnerabilities
#The remediation rate of vulnerabilities
#The time vulnerabilities remain open

The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas.

=== Audience ===
The intended audience of this document is anyone from security engineers, developers, program managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions and answers that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.

== [[Day 1]] ==
''''' Key Activities: '''''
*[[Day_1#Management|Management]]
*[[Day_1#Security|Security]]
*[[Day_1#IT Operations|IT Operations]]
*[[Day_1#Engineering Groups|Engineering Groups]]

== [[Day 2]] ==
''''' Key Activities: '''''
*[[Day_2#Asset Discovery|Asset Discovery]]
*[[Day_2#Asset Risk Prioritization|Asset Risk Prioritization]]
*[[Day_2#Communication Plan|Communication Plan]]

== [[Day 3]] ==
''''' Key Activities: '''''
*[[Day_3#Vulnerability Assessments|Vulnerability Assessments]]
*[[Day_3#Vulnerability Delivery|Vulnerability Delivery]]

== [[Day 4]] ==
''''' Key Activities: '''''
*[[Day_4#Measured Metrics|Measured Metrics]]

== [[Day 5]] ==
''''' **Key activities: '''''
*Compensating Controls
*Mitigating Controls
*Remediation Prioritization

== Conclusion ==
Setting up an effective application security program does require commitment from all elements of the business, and a clear understanding of what resources need to be protected and what level of risk is acceptable. However, given that information, setting up an application security program need not be confusing, difficult, or complex. The keys to success involve planning, making key financial decisions, ensuring all roles and responsibilities are clearly assigned and that all stakeholders within the organization know what to expect.

== Licensing ==

The OWASP Application Security Program Quick Start Guide is free to use. It is licensed under the [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license].
You are free to:
*Share — copy and redistribute the material in any medium or format
*Adapt — remix, transform, and build upon the material for non-commercial use

The licensor cannot revoke these freedoms as long as you follow the license terms.

| width="100" style="max-height:200px;overflow:hidden;background:#fff;margin:0;padding:0;" cellpadding="0" |

| width="30%" style="background:#eeeeee" |

=Credits =

== Project lead and authors ==

* [[User:Gabrielgumbs| '''Gabriel Gumbs''']]
* [[User:JeremiahGrossman| '''Jeremiah Grossman''']]
* [[User:Rsnake| '''Robert Hansen''']]
* [[User:Jerryhoff|'''Jerry Hoff''']]

== Other contributors ==

Co-authors, contributors and reviewers:

* [[User: MattJohansen| '''Matt Johansen''']]

== Further Information ==
[https://lists.owasp.org/mailman/listinfo/owasp-application-security-program-quick-start-guide Project Mailing List]

== Application Security Program Quick Start Guide ==

The OWASP Application Security Program Quick Start Guide is also available as
* [https://www.owasp.org/images/5/53/OWASP_Quick_Start_Guide.pdf Free downloadable PDF]

For full information about the Application Security Program Quick Start Guide, including mailing list details, the forward plan, how to contribute, the project status, and alternative media, see the project page:
* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project The Application Security Program Quick Start Guide Project Page]

|}

Application Security Program Quick Start Guide

2015-01-05T22:33:50Z

Gabrielgumbs:

__NOTOC__

{| width="100%" cellspacing="0" cellpadding="10"
|- valign="top"
| width="70%" style="background:#d9e9f9" |

= The Application Security Program Quick Start Guide =

=== Preface ===

This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program1. The intended goal of the AppSec program is to implement measures throughout the code’s life-cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.

The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but limited to:
#The number of vulnerabilities present in an application
#The time to fix vulnerabilities
#The remediation rate of vulnerabilities
#The time vulnerabilities remain open

The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas.

=== Audience ===
The intended audience of this document is anyone from security engineers, developers, program managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions and answers that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.

== [[Day 1]] ==
''''' Key Activities: '''''
*[[Day_1#Management|Management]]
*[[Day_1#Security|Security]]
*[[Day_1#IT Operations|IT Operations]]
*[[Day_1#Engineering Groups|Engineering Groups]]

== [[Day 2]] ==
''''' Key Activities: '''''
*[[Day_2#Asset Discovery|Asset Discovery]]
*[[Day_2#Asset Risk Prioritization|Asset Risk Prioritization]]
*[[Day_2#Communication Plan|Communication Plan]]

== [[Day 3]] ==
''''' Key Activities: '''''
*[[Day_3#Vulnerability Assessments|Vulnerability Assessments]]
*[[Day_3#Vulnerability Delivery|Vulnerability Delivery]]

== [[Day 4]] ==
''''' **Key Activities: '''''
*[[Day_3#Measured Metrics|Measured Metrics]]

== [[Day 5]] ==
''''' **Key activities: '''''
*Compensating Controls
*Mitigating Controls
*Remediation Prioritization

== Conclusion ==
Setting up an effective application security program does require commitment from all elements of the business, and a clear understanding of what resources need to be protected and what level of risk is acceptable. However, given that information, setting up an application security program need not be confusing, difficult, or complex. The keys to success involve planning, making key financial decisions, ensuring all roles and responsibilities are clearly assigned and that all stakeholders within the organization know what to expect.

== Licensing ==

The OWASP Application Security Program Quick Start Guide is free to use. It is licensed under the [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license].
You are free to:
*Share — copy and redistribute the material in any medium or format
*Adapt — remix, transform, and build upon the material for non-commercial use

The licensor cannot revoke these freedoms as long as you follow the license terms.

| width="100" style="max-height:200px;overflow:hidden;background:#fff;margin:0;padding:0;" cellpadding="0" |

| width="30%" style="background:#eeeeee" |

=Credits =

== Project lead and authors ==

* [[User:Gabrielgumbs| '''Gabriel Gumbs''']]
* [[User:JeremiahGrossman| '''Jeremiah Grossman''']]
* [[User:Rsnake| '''Robert Hansen''']]
* [[User:Jerryhoff|'''Jerry Hoff''']]

== Other contributors ==

Co-authors, contributors and reviewers:

* [[User: MattJohansen| '''Matt Johansen''']]

== Further Information ==
[https://lists.owasp.org/mailman/listinfo/owasp-application-security-program-quick-start-guide Project Mailing List]

== Application Security Program Quick Start Guide ==

The OWASP Application Security Program Quick Start Guide is also available as
* [https://www.owasp.org/images/5/53/OWASP_Quick_Start_Guide.pdf Free downloadable PDF]

For full information about the Application Security Program Quick Start Guide, including mailing list details, the forward plan, how to contribute, the project status, and alternative media, see the project page:
* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project The Application Security Program Quick Start Guide Project Page]

|}

Day 4

2015-01-05T22:33:13Z

Gabrielgumbs:

= Key Activities ==
*Measure and improve assessment service delivery.


== Measured Metrics ==
* Compare against industry metrics and interdepartmental metrics.
* Compare behaviors to measured metrics to identify which initiatives drive improvement of metrics and security program.
== Metric Definition ==

{| class="wikitable" style="color:black; background-color:#C1D9DD;" cellpadding="10"
!Metric
!Definition
|-
|Number of Vulnerabilities
|The total count of vulnerabilities during the analysis period; valuable as a metric over time. Time Open This value represents the number of partial days since the vulnerability was opened as of the specific evaluation date. It only includes open vulnerabilities and not vulnerabilities that were closed. It is computed as the evaluation date less the open date for the vulnerability.
|-
|Time-to-Fix
|The Time-to-Fix is the number of partial days required to close a vulnerability. It is based on the vulnerabilities that were closed during the analysis period.
|-
|Remediation Rate
|The Remediation Rate is the ratio of the number of vulnerabilities closed over the number of vulnerabilities opened over a given period of time. A vulnerability is considered closed if it closed during the analysis period. A vulnerability is considered open if it was open at some time during the analysis period. Therefore, vulnerability could be counted as open and closed.
|-
|Vulnerability Class
|Likelihood Vulnerability Class Likelihood is the percentage of active applications that have at least one open vulnerability in a given vulnerability class over a given period of time. It is determined by counting the number of applications that have at least one open vulnerability in a given vulnerability class over the number of active applications.
|}

Application Security Program Quick Start Guide

2015-01-05T22:32:23Z

Gabrielgumbs: /* Day 3 */

__NOTOC__

{| width="100%" cellspacing="0" cellpadding="10"
|- valign="top"
| width="70%" style="background:#d9e9f9" |

= The Application Security Program Quick Start Guide =

=== Preface ===

This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program1. The intended goal of the AppSec program is to implement measures throughout the code’s life-cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.

The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but limited to:
#The number of vulnerabilities present in an application
#The time to fix vulnerabilities
#The remediation rate of vulnerabilities
#The time vulnerabilities remain open

The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas.

=== Audience ===
The intended audience of this document is anyone from security engineers, developers, program managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions and answers that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.

== [[Day 1]] ==
''''' Key Activities: '''''
*[[Day_1#Management|Management]]
*[[Day_1#Security|Security]]
*[[Day_1#IT Operations|IT Operations]]
*[[Day_1#Engineering Groups|Engineering Groups]]

== [[Day 2]] ==
''''' Key Activities: '''''
*[[Day_2#Asset Discovery|Asset Discovery]]
*[[Day_2#Asset Risk Prioritization|Asset Risk Prioritization]]
*[[Day_2#Communication Plan|Communication Plan]]

== [[Day 3]] ==
''''' Key Activities: '''''
*[[Day_3#Vulnerability Assessments|Vulnerability Assessments]]
*[[Day_3#Vulnerability Delivery|Vulnerability Delivery]]

== [[Day 4]] ==
''''' **Key Activities: '''''
*Measured Metrics
== [[Day 5]] ==
''''' **Key activities: '''''
*Compensating Controls
*Mitigating Controls
*Remediation Prioritization

== Conclusion ==
Setting up an effective application security program does require commitment from all elements of the business, and a clear understanding of what resources need to be protected and what level of risk is acceptable. However, given that information, setting up an application security program need not be confusing, difficult, or complex. The keys to success involve planning, making key financial decisions, ensuring all roles and responsibilities are clearly assigned and that all stakeholders within the organization know what to expect.

== Licensing ==

The OWASP Application Security Program Quick Start Guide is free to use. It is licensed under the [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license].
You are free to:
*Share — copy and redistribute the material in any medium or format
*Adapt — remix, transform, and build upon the material for non-commercial use

The licensor cannot revoke these freedoms as long as you follow the license terms.

| width="100" style="max-height:200px;overflow:hidden;background:#fff;margin:0;padding:0;" cellpadding="0" |

| width="30%" style="background:#eeeeee" |

=Credits =

== Project lead and authors ==

* [[User:Gabrielgumbs| '''Gabriel Gumbs''']]
* [[User:JeremiahGrossman| '''Jeremiah Grossman''']]
* [[User:Rsnake| '''Robert Hansen''']]
* [[User:Jerryhoff|'''Jerry Hoff''']]

== Other contributors ==

Co-authors, contributors and reviewers:

* [[User: MattJohansen| '''Matt Johansen''']]

== Further Information ==
[https://lists.owasp.org/mailman/listinfo/owasp-application-security-program-quick-start-guide Project Mailing List]

== Application Security Program Quick Start Guide ==

The OWASP Application Security Program Quick Start Guide is also available as
* [https://www.owasp.org/images/5/53/OWASP_Quick_Start_Guide.pdf Free downloadable PDF]

For full information about the Application Security Program Quick Start Guide, including mailing list details, the forward plan, how to contribute, the project status, and alternative media, see the project page:
* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project The Application Security Program Quick Start Guide Project Page]

|}

Day 3

2015-01-05T22:31:56Z

Gabrielgumbs:

== Key Activities ==
*Measure current vulnerability posture.
*Initiate vulnerability testing.
*Triage vulnerabilities.


== Vulnerability Assessments ==
To determine what sort of vulnerability assessment is most appropriate, consider your current status and resources:

{| class="wikitable" style="color:black; background-color:#C1D9DD;" cellpadding="10"
!Scenario
!Appropriate Assessments
|-
|Resources and support for immediate unlimited continuous assessments
|Perform assessments across all discovered assets
|-
|Limited resources or appetite for unlimited continuous assessments
|At a minimum frequency of testing should keep or exceed rate of change in asset
|-
|Application currently exist in production environment:
|Begin dynamic* assessments for these existing applications
|-
|Source Code of your application(s) is available on the internet (Freely available, stolen, etc.)
|Begin Static Analysis assessments
|-
|Business is subject to compliance mandate requiring Static Analysis
|Begin Static Analysis assessments
|-
|New development project of an application Begin Static Analysis assessments
|Dynamic assessments completed and application security program in continuous improvement cycle
|-
|Begin Static Analysis assessments
|Begin Dynamic Analysis in QA/Staging
|}

Other scenarios to consider Static Analysis as the first assessment type or in parallel with Dynamic Analysis:
*High developer attrition rate
*Known internal bad actors
*Disgruntled current or former employee with access to source code
*Outsourced code

== Static Analysis ==
Static Code Analysis (also known as Source Code Analysis or Static Application Security Testing (SAST)) is usually performed as part of a Code Review (also known as white-box testing) and is carried out at the Implementation phase of a Security Development Lifecycle (SDL). Static Code Analysis commonly refers to the running of Static Code Analysis tools that attempt to highlight possible vulnerabilities within ‘static’ (non-running) source code by using techniques such as Taint Analysis and Data Flow Analysis.

== Dynamic Analysis ==
Dynamic Application Security Testing (DAST), also referred to as “black-box” testing, identifies vulnerabilities in running web applications – testing of the application from the outside in.


== Vulnerability Delivery ==
To deliver valuable vulnerability information to your business, you must:
*Document vulnerability delegation and vulnerability lifecycle process
*Feed issues into existing tracking systems where possible to preserve the existing workflow
*Triage vulnerabilities prior to feeding them into your defect management systems
*Ensure only true positives are fed to development teams
*Track re-testing of vulnerabilities via new incident/ticket or update existing incident/ticket.
*Define which issues are important to the business
*Create a baseline of the issues that are important to the business
*Align vulnerability remediation strategy with loss exposure versus resources available to fix
*Create a knowledge base of common issues and their solutions
*Dedicate resource(s) to developer interactions, including educating developers on security topics
*Publish aggregate metrics internally
*Match or outpace release cycles in detecting and responding to vulnerabilities.

Application Security Program Quick Start Guide

2015-01-05T22:31:15Z

Gabrielgumbs: /* Day 3 */

__NOTOC__

{| width="100%" cellspacing="0" cellpadding="10"
|- valign="top"
| width="70%" style="background:#d9e9f9" |

= The Application Security Program Quick Start Guide =

=== Preface ===

This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program1. The intended goal of the AppSec program is to implement measures throughout the code’s life-cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.

The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but limited to:
#The number of vulnerabilities present in an application
#The time to fix vulnerabilities
#The remediation rate of vulnerabilities
#The time vulnerabilities remain open

The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas.

=== Audience ===
The intended audience of this document is anyone from security engineers, developers, program managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions and answers that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.

== [[Day 1]] ==
''''' Key Activities: '''''
*[[Day_1#Management|Management]]
*[[Day_1#Security|Security]]
*[[Day_1#IT Operations|IT Operations]]
*[[Day_1#Engineering Groups|Engineering Groups]]

== [[Day 2]] ==
''''' Key Activities: '''''
*[[Day_2#Asset Discovery|Asset Discovery]]
*[[Day_2#Asset Risk Prioritization|Asset Risk Prioritization]]
*[[Day_2#Communication Plan|Communication Plan]]

== [[Day 3]] ==
''''' Key Activities: '''''
*[[Day_3#Vulnerability Assessments|Vulnerability Assessments]]
*[[Day_3#Vulnerability delivery|Vulnerability delivery]]

== [[Day 4]] ==
''''' **Key Activities: '''''
*Measured Metrics
== [[Day 5]] ==
''''' **Key activities: '''''
*Compensating Controls
*Mitigating Controls
*Remediation Prioritization

== Conclusion ==
Setting up an effective application security program does require commitment from all elements of the business, and a clear understanding of what resources need to be protected and what level of risk is acceptable. However, given that information, setting up an application security program need not be confusing, difficult, or complex. The keys to success involve planning, making key financial decisions, ensuring all roles and responsibilities are clearly assigned and that all stakeholders within the organization know what to expect.

== Licensing ==

The OWASP Application Security Program Quick Start Guide is free to use. It is licensed under the [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license].
You are free to:
*Share — copy and redistribute the material in any medium or format
*Adapt — remix, transform, and build upon the material for non-commercial use

The licensor cannot revoke these freedoms as long as you follow the license terms.

| width="100" style="max-height:200px;overflow:hidden;background:#fff;margin:0;padding:0;" cellpadding="0" |

| width="30%" style="background:#eeeeee" |

=Credits =

== Project lead and authors ==

* [[User:Gabrielgumbs| '''Gabriel Gumbs''']]
* [[User:JeremiahGrossman| '''Jeremiah Grossman''']]
* [[User:Rsnake| '''Robert Hansen''']]
* [[User:Jerryhoff|'''Jerry Hoff''']]

== Other contributors ==

Co-authors, contributors and reviewers:

* [[User: MattJohansen| '''Matt Johansen''']]

== Further Information ==
[https://lists.owasp.org/mailman/listinfo/owasp-application-security-program-quick-start-guide Project Mailing List]

== Application Security Program Quick Start Guide ==

The OWASP Application Security Program Quick Start Guide is also available as
* [https://www.owasp.org/images/5/53/OWASP_Quick_Start_Guide.pdf Free downloadable PDF]

For full information about the Application Security Program Quick Start Guide, including mailing list details, the forward plan, how to contribute, the project status, and alternative media, see the project page:
* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project The Application Security Program Quick Start Guide Project Page]

|}

Application Security Program Quick Start Guide

2015-01-05T22:27:56Z

Gabrielgumbs: /* Day 2 */

__NOTOC__

{| width="100%" cellspacing="0" cellpadding="10"
|- valign="top"
| width="70%" style="background:#d9e9f9" |

= The Application Security Program Quick Start Guide =

=== Preface ===

This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program1. The intended goal of the AppSec program is to implement measures throughout the code’s life-cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.

The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but limited to:
#The number of vulnerabilities present in an application
#The time to fix vulnerabilities
#The remediation rate of vulnerabilities
#The time vulnerabilities remain open

The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas.

=== Audience ===
The intended audience of this document is anyone from security engineers, developers, program managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions and answers that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.

== [[Day 1]] ==
''''' Key Activities: '''''
*[[Day_1#Management|Management]]
*[[Day_1#Security|Security]]
*[[Day_1#IT Operations|IT Operations]]
*[[Day_1#Engineering Groups|Engineering Groups]]

== [[Day 2]] ==
''''' Key Activities: '''''
*[[Day_2#Asset Discovery|Asset Discovery]]
*[[Day_2#Asset Risk Prioritization|Asset Risk Prioritization]]
*[[Day_2#Communication Plan|Communication Plan]]

== [[Day 3]] ==
''''' **Key Activities: '''''
*Vulnerability Assessments
*Vulnerability delivery
== [[Day 4]] ==
''''' **Key Activities: '''''
*Measured Metrics
== [[Day 5]] ==
''''' **Key activities: '''''
*Compensating Controls
*Mitigating Controls
*Remediation Prioritization

== Conclusion ==
Setting up an effective application security program does require commitment from all elements of the business, and a clear understanding of what resources need to be protected and what level of risk is acceptable. However, given that information, setting up an application security program need not be confusing, difficult, or complex. The keys to success involve planning, making key financial decisions, ensuring all roles and responsibilities are clearly assigned and that all stakeholders within the organization know what to expect.

== Licensing ==

The OWASP Application Security Program Quick Start Guide is free to use. It is licensed under the [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license].
You are free to:
*Share — copy and redistribute the material in any medium or format
*Adapt — remix, transform, and build upon the material for non-commercial use

The licensor cannot revoke these freedoms as long as you follow the license terms.

| width="100" style="max-height:200px;overflow:hidden;background:#fff;margin:0;padding:0;" cellpadding="0" |

| width="30%" style="background:#eeeeee" |

=Credits =

== Project lead and authors ==

* [[User:Gabrielgumbs| '''Gabriel Gumbs''']]
* [[User:JeremiahGrossman| '''Jeremiah Grossman''']]
* [[User:Rsnake| '''Robert Hansen''']]
* [[User:Jerryhoff|'''Jerry Hoff''']]

== Other contributors ==

Co-authors, contributors and reviewers:

* [[User: MattJohansen| '''Matt Johansen''']]

== Further Information ==
[https://lists.owasp.org/mailman/listinfo/owasp-application-security-program-quick-start-guide Project Mailing List]

== Application Security Program Quick Start Guide ==

The OWASP Application Security Program Quick Start Guide is also available as
* [https://www.owasp.org/images/5/53/OWASP_Quick_Start_Guide.pdf Free downloadable PDF]

For full information about the Application Security Program Quick Start Guide, including mailing list details, the forward plan, how to contribute, the project status, and alternative media, see the project page:
* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project The Application Security Program Quick Start Guide Project Page]

|}

Application Security Program Quick Start Guide

2015-01-05T22:27:24Z

Gabrielgumbs: /* Day 2 */

__NOTOC__

{| width="100%" cellspacing="0" cellpadding="10"
|- valign="top"
| width="70%" style="background:#d9e9f9" |

= The Application Security Program Quick Start Guide =

=== Preface ===

This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program1. The intended goal of the AppSec program is to implement measures throughout the code’s life-cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.

The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but limited to:
#The number of vulnerabilities present in an application
#The time to fix vulnerabilities
#The remediation rate of vulnerabilities
#The time vulnerabilities remain open

The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas.

=== Audience ===
The intended audience of this document is anyone from security engineers, developers, program managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions and answers that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.

== [[Day 1]] ==
''''' Key Activities: '''''
*[[Day_1#Management|Management]]
*[[Day_1#Security|Security]]
*[[Day_1#IT Operations|IT Operations]]
*[[Day_1#Engineering Groups|Engineering Groups]]

== [[Day 2]] ==
''''' **Key Activities: '''''
*[[Day_2#Asset Discovery|Asset Discovery]]
*[[Day_2#Asset Risk Prioritization|Asset Risk Prioritization]]
*[[Day_2#Communication Plan|Communication Plan]]

== [[Day 3]] ==
''''' **Key Activities: '''''
*Vulnerability Assessments
*Vulnerability delivery
== [[Day 4]] ==
''''' **Key Activities: '''''
*Measured Metrics
== [[Day 5]] ==
''''' **Key activities: '''''
*Compensating Controls
*Mitigating Controls
*Remediation Prioritization

== Conclusion ==
Setting up an effective application security program does require commitment from all elements of the business, and a clear understanding of what resources need to be protected and what level of risk is acceptable. However, given that information, setting up an application security program need not be confusing, difficult, or complex. The keys to success involve planning, making key financial decisions, ensuring all roles and responsibilities are clearly assigned and that all stakeholders within the organization know what to expect.

== Licensing ==

The OWASP Application Security Program Quick Start Guide is free to use. It is licensed under the [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license].
You are free to:
*Share — copy and redistribute the material in any medium or format
*Adapt — remix, transform, and build upon the material for non-commercial use

The licensor cannot revoke these freedoms as long as you follow the license terms.

| width="100" style="max-height:200px;overflow:hidden;background:#fff;margin:0;padding:0;" cellpadding="0" |

| width="30%" style="background:#eeeeee" |

=Credits =

== Project lead and authors ==

* [[User:Gabrielgumbs| '''Gabriel Gumbs''']]
* [[User:JeremiahGrossman| '''Jeremiah Grossman''']]
* [[User:Rsnake| '''Robert Hansen''']]
* [[User:Jerryhoff|'''Jerry Hoff''']]

== Other contributors ==

Co-authors, contributors and reviewers:

* [[User: MattJohansen| '''Matt Johansen''']]

== Further Information ==
[https://lists.owasp.org/mailman/listinfo/owasp-application-security-program-quick-start-guide Project Mailing List]

== Application Security Program Quick Start Guide ==

The OWASP Application Security Program Quick Start Guide is also available as
* [https://www.owasp.org/images/5/53/OWASP_Quick_Start_Guide.pdf Free downloadable PDF]

For full information about the Application Security Program Quick Start Guide, including mailing list details, the forward plan, how to contribute, the project status, and alternative media, see the project page:
* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project The Application Security Program Quick Start Guide Project Page]

|}

Day 2

2015-01-05T22:26:38Z

Gabrielgumbs:

== Key Activities ==
*Become intimately familiar with what you are meant to protect and at what level.
*Define processes, procedures, and checklists to align assessment strategies to business needs.
*Effectively communicate the introduction and goals of the Application Security assessment program.
*Provide a single point of contact for the program.


== Asset Discovery ==
*Gather Internal, External and Hosted IP ranges.
*Catalogue known domains and subdomains.
*Identify asset meta-data locations. (CMDBs, GRCs, etc.).
*Identify site owners, where those are not already known.
*Gather assessment credentials, including multiple roles for horizontal and vertical testing.
*Identify the rate of application change (e.g. monthly, weekly, etc.…)


== Asset Risk Prioritization ==
*Develop or leverage existing methodology for stack ranking the value of your assets to the business based on
impact to confidentiality, integrity and availability (C.I.A.). (See: [http://csrc.nist.gov/publications/fips/fips199/FIPSPUB-199-final.pdf])

POTENTIAL IMPACT

{| class="wikitable" style="color:black; background-color:#C1D9DD;" cellpadding="10"
!SECURITY OBJECTIVE
!LOW
!MODERATE
!HIGH
|-
|Confidentiality
Preserving authorized restrictions on information
access and disclosure, including means for protecting
personal privacy and proprietary information. [44 U.S.C., SEC. 3542]
|The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
|The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
|The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
|-
|Integrity
Guarding against improper information modification or destruction, and includes ensuring information nonrepudiation
and authenticity. [44 U.S.C., SEC. 3542]
|The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
|The unauthorized modification or destruction of information could be expected to have a serious adverse effect on
organizational operations, organizational assets, or individuals.
|The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
|-
|Availability
Ensuring timely and reliable access to and use of information. [44 U.S.C., SEC. 3542]
|The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
|The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
|The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
|}

*Map asset criticality against attacker profiles with use of a GRC (Governance Risk Management and Compliance) tool if available, or using an information asset register such as the University of Oxford Information Asset Register Tool

For example:
#Tier 1 = Targeted Govt./State sponsor.
#Tier 2 = Hactivism
#Tier 3 = Random Opportunistic

*Implement ISO 17799: Asset Management or similar standard to improve governance of application assets.


== Communication Plan ==
*Set expectations of assessment program for all interested parties.
*Alert Operations team of upcoming activities.
*Gather written buy-in from application stakeholders for the assessment activities.
*Develop, publish, and maintain comprehensive application security and privacy standards, policies, procedures and guidelines and enforce these in compliance with relevant global regulations and standards.
*Define, document and share application business continuity and incident response plan. (Business Continuity Plan Resources: ITIL, COBIT, NIST)