CISO AppSec Guide v2: Introduction - Revision history

Marco-cincy at 01:35, 7 November 2017

2017-11-07T01:35:12Z

Marco-cincy at 01:34, 7 November 2017

2017-11-07T01:34:52Z

Marco-cincy at 01:25, 7 November 2017

2017-11-07T01:25:40Z

Marco-cincy at 09:24, 4 November 2017

2017-11-04T09:24:12Z

Marco-cincy at 09:23, 4 November 2017

2017-11-04T09:23:38Z

Marco-cincy at 09:23, 4 November 2017

2017-11-04T09:23:02Z

Marco-cincy at 09:20, 4 November 2017

2017-11-04T09:20:58Z

Marco-cincy at 09:19, 4 November 2017

2017-11-04T09:19:18Z

Marco-cincy at 09:17, 4 November 2017

2017-11-04T09:17:56Z

Marco-cincy at 09:16, 4 November 2017

2017-11-04T09:16:49Z

← Older revision		Revision as of 01:35, 7 November 2017
Line 1:		Line 1:
	[[Application Security Guide For CISOsVs2\|< Back to the Application Security Guide For CISOs V2]]		[[Application Security Guide For CISOsVs2\|< Back to the Application Security Guide For CISOs V2]]
−	~~__NOTOC__~~

	= Introduction =		= Introduction =

@@ Line 4: / Line 4: @@
 = Introduction =
-Chief Information Security Officers (CISOs) and SecDevOps managers that look for guidance for the initiation, creation and management of new application security programs and initiatives within their organisation as well as for improvements of existing processes, standards, training and tools can benefit by reading this guide.
+The intent of this guide is to help Chief Information Security Officers (CISOs) and SecDevOps managers in the initiation, creation and management of new application security programs and initiatives within their organisation as well as for improvements of existing application security processes, standards, training and tools.
-OWASP resources such as documentation the can be used for creating standards, conduct application security assessments, develop training modules for software developers as well as tools for security testing of web application vulnerabilities are referenced throughout this guide.
+OWASP resources such as projects are referenced throughout this guide. These resources can be used by CISOs and SecDevOps managers for creating standards, conduct application security assessments, develop training modules for software developers.  OWASP free tools for security testing of web application vulnerabilities are also referenced in this guide.
 == Scope ==
@@ Line 16: / Line 14: @@
 ==Objectives==
-The guide assists CISOs and SecDevOps in managing application security through the phases of the application program life-cycle that are initiation, creation, management and process improvements.
+This guide is written in alignment of OWASP mission main goal that is "making application security visible and empowering application security stakeholders with the right information for managing application security risks". Specifically we seek to provide guidance on the following aspects of the application security program:
-Tactical guidance is provided in the following aspects:
+* Assuring compliance of applications with security regulations for privacy, data protection and information security
-* Assure compliance of applications with security regulations for privacy, data protection and information security
+* Leveraging OWASP resources such as project documentation and tools
-* Leverage OWASP resources such as project documentation and tools
+* Managing application security from perspective or people/training, processes and tools/technologies
-* Manage application security from perspective or people/training, processes and tools/technologies
+* Managing application vulnerability risks and remediation based upon risk exposure to the business
-* Manage application vulnerability risks and remediation based upon risk exposure to the business
+* Creating awareness on cyber-threats targeting applications to focus on countermeasures
-* Create awareness on cyber-threats targeting applications to focus on countermeasures
+* Operationalisation  of application security assessments
-* Operationalise application security assessments and provide support to development teams for continuous software security development and testing
+* Supporting development teams for continuous software security development and testing
 * Integration of existing applications with emerging technologies such as API, micro-services, cloud, virtualisation, biometrics
-* Alignment of application security strategy with business and IT strategy
+* Creation of an application security strategy in alignment with business and IT strategy
-* Focus on process automation and process improvements
+* Focusing on process automation and process improvements
-* Be an agent of change in challenging corporate environments and trigger appropriate responses
+* Helping CISOs and SecDevOps managers to be an agent of change in challenging corporate environments and trigger appropriate responses
-* Asking the right questions to gain visibility across the organisation (who does what questions)
+* Help CISOs and SecDevOps to ask the right questions to gain visibility across the organisation (who does what questions)
-* Proactive risk management strategies
+* Capturing the lesson learned from past security incidents/data breaches
 * Setting roadmaps for process improvements

@@ Line 4: / Line 4: @@
 = Introduction =
-Among application security stakeholders, Chief Information Security Officers (CISOs) are responsible for application security from governance, compliance and risk perspectives. This guide seeks to help CISOs manage application security programs according to CISO roles, responsibilities, perspectives and needs.
+Chief Information Security Officers (CISOs) and SecDevOps managers that look for guidance for the initiation, creation and management of new application security programs and initiatives within their organisation as well as for improvements of existing processes, standards, training and tools can benefit by reading this guide.
-This guide is also written for CISOs and managers responsible for implementing security in DevOps practices including initiating, creating and managing application security programs from the initial problem statement to delivery of the solution.
+OWASP resources such as documentation the can be used for creating standards, conduct application security assessments, develop training modules for software developers as well as tools for security testing of web application vulnerabilities are referenced throughout this guide.
-Application security best practices and OWASP resources are referenced throughout this guide. OWASP is a non profit organization whose mission is "making application security visible and empowering application security stakeholders with the right information for managing application security risks".
+This guide is written in alignment of OWASP mission main goal that is "making application security visible and empowering application security stakeholders with the right information for managing application security risks".
 == Scope ==
-The scope of this guide is application security that is the security of applications and the security of the components of the application architecture such as web clients, web servers, application servers, databases and services as well as the security of software components and libraries that are either developed or integrated  with the application. This does not include other aspects of security such as the security of the network infrastructure that supports the applications and constitutes a valued asset whose security properties such as confidentiality, integrity and availability need to be protected as well
+The scope of this guide is application security and the security of the components of the application architecture such as clients, servers, databases, services, software components and libraries. This scope of this guide does not cover other aspects that are essential to the security of the application such as network and infrastructure security.
 ==Objectives==
-The guide assists CISOs and SecDevOps in managing application security through the phases of initiation, creation, management and process improvements.
+The guide assists CISOs and SecDevOps in managing application security through the phases of the application program life-cycle that are initiation, creation, management and process improvements.
 Tactical guidance is provided in the following aspects:
 * Assure compliance of applications with security regulations for privacy, data protection and information security

@@ Line 35: / Line 35: @@
 == Target Audience ==
 * Chief Information Security Officers (CISOs)
-* Chief Security Officers (CSO)
+* Security Development Operation (SecDevOps) Managers
 [[Category:OWASP Application Security Guide For CISO Project]]

@@ Line 16: / Line 16: @@
 ==Objectives==
-The guide assists CISOs in managing application security through the phases of initiation, creation, management and process improvements.
+The guide assists CISOs and SecDevOps in managing application security through the phases of initiation, creation, management and process improvements.
 Tactical guidance is provided in the following aspects:
 * Assure compliance of applications with security regulations for privacy, data protection and information security

← Older revision		Revision as of 09:16, 4 November 2017
Line 1:		Line 1:
	[[Application Security Guide For CISOsVs2\|< Back to the Application Security Guide For CISOs V2]]		[[Application Security Guide For CISOsVs2\|< Back to the Application Security Guide For CISOs V2]]
−
	__NOTOC__		__NOTOC__