This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP ISO IEC 27034 Application Security Controls Project"

From OWASP
Jump to: navigation, search
m (Volunteers)
 
(10 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
=Main=
 
=Main=
  
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
+
<div style="width:100%;height:100px;border:0,margin:0;overflow: hidden;">[[Image:OWASP Inactive Banner.jpg|800px| link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Inactive_Projects]] </div>
 
 
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
 
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
Line 39: Line 38:
 
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
 
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
  
== What is XXX? ==
+
== What this project provides? ==
  
OWASP XXX  provides:
+
OWASP ISO/IEC 27034 Application Security Controls Project provides:
 
 
* xxx
 
* xxx
 
  
 +
* XML files following the schema and guidelines provided by ISO/IEC 27034-5.1
 +
* Ways to formally comply with OWASP best practices such as the Top 10
  
 
== Presentation ==
 
== Presentation ==
  
Link to presentation
+
[https://speakerdeck.com/owaspmontreal/iec-27034-securite-des-applications-par-luc-poulin-et-jonathan-marcil Slides in English on SpeakerDeck]
  
 +
Presentation in French, English version will be available soon:
 +
{{#ev:youtube|ZxrpIvUJ40g}}
  
 +
[http://www.youtube.com/watch?v=AAHG_oB9iEU#t=478 Introduction to ISO 27034 also in French on YouTube]
  
  
Line 70: Line 71:
 
== Quick Download ==
 
== Quick Download ==
  
* Link to page/download
+
Files will be available on GitHub.
 
 
 
 
  
 
== News and Events ==
 
== News and Events ==
* [20 Nov 2013] News 2
+
* [6 Jan 2014] First wiki drafts
* [30 Sep 2013] News 1
+
* [17 Dec 2013] Official OWASP Project created
 
+
* [2 Dec 2013] Kick off on the project at OWASP Montreal
 
 
== In Print ==
 
This project can be purchased as a print on demand book from Lulu.com
 
 
 
  
 
==Classifications==
 
==Classifications==
Line 88: Line 83:
 
   |-
 
   |-
 
   | align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
 
   | align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
   | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] 
+
   | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=https://www.owasp.org/index.php/Category:OWASP_Builders]]
  |-
 
  | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
 
 
   |-
 
   |-
   | colspan="2" align="center"  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
+
   | colspan="2" align="center"  | [[File:lgplv3-147x51.png|link=http://www.gnu.org/licenses/lgpl.html]]
 
   |-
 
   |-
 
   | colspan="2" align="center"  | [[File:Project_Type_Files_CODE.jpg|link=]]
 
   | colspan="2" align="center"  | [[File:Project_Type_Files_CODE.jpg|link=]]
Line 101: Line 94:
 
=FAQs=
 
=FAQs=
  
; Q1
+
; Is this a contribution on the ISO/IEC standard?
: A1
+
: Not at all. It is using the standard in order to make available OWASP content in a formal format and logically compatible way with 27034.
 +
 
 +
; As OWASP members, can we get access to the standard for free?
 +
: No, but the team is there to support anyone who wants to contribute by giving their insight about the standard. Note that no OWASP content will be directly refered in the standard, it's really at an implementation level that this project applies.
 +
 
  
; Q2
 
: A2
 
  
 
= Acknowledgements =
 
= Acknowledgements =
 
==Volunteers==
 
==Volunteers==
XXX is developed by a worldwide team of volunteers. The primary contributors to date have been:
+
OWASP ISO/IEC 27034 Application Security Controls project is developed by a worldwide team of volunteers. The primary contributors to date have been:
 +
 
 +
* Bruno Guay
 +
* Daniel Sinnig
 +
* Luc Poulin
 +
* Jonathan Marcil
 +
* Tom Brennan
 +
* _________________
  
* xxx
+
==Supporting organizations==
* xxx
 
  
==Others==
+
* Cogentas
* xxx
+
* Desjardins
* xxx
+
* Nurun
 +
* OWASP Montreal
  
 
= Road Map and Getting Involved =
 
= Road Map and Getting Involved =
As of XXX, the priorities are:
 
* xxx
 
* xxx
 
* xxx
 
  
Involvement in the development and promotion of XXX is actively encouraged!
+
{{:Projects/OWASP_ISO_IEC_27034_Application_Security_Controls_Project/Roadmap}}
You do not have to be a security expert in order to contribute.
+
 
 +
 
 +
 
 +
Involvement in the development and promotion of OWASP ISO/IEC 27034 Application Security Controls Project is actively encouraged!
 +
 
 
Some of the ways you can help:
 
Some of the ways you can help:
* xxx
+
* Give your opinion on how we should implement controls
* xxx
+
* Use the ASCs in order to implements OWASP best practices and give feedback
 +
* Participate in the elaboration of ASCs
  
 +
You can use our official mailing list to reach us or to be in touch with updates:
 +
https://lists.owasp.org/mailman/listinfo/owasp_iso_iec_27034_application_security_controls_project
  
  
Line 137: Line 142:
 
__NOTOC__ <headertabs />  
 
__NOTOC__ <headertabs />  
  
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Document]]
+
[[Category:OWASP Project]]  [[Category:OWASP_Defenders]]  [[Category:OWASP_Document]]

Latest revision as of 16:27, 9 December 2015

OWASP Inactive Banner.jpg

OWASP ISO/IEC 27034 Application Security Controls Project

OWASP ISO/IEC 27034 Application Security Controls Project is an effort to do the conversion of OWASP related documentations and best practices, such as the OWASP Top 10, in Application Security Controls (ASCs) as defined in ISO/IEC 27034. This will enable 27034 stakeholders to use formal structure of OWASP content.

Introduction to ISO/IEC 27034

ISO/IEC 27034 offers guidance on information security to those specifying, designing/programming or procuring, implementing and using application systems, in other words business and IT managers, developers and auditors, and ultimately the end-users of application systems. The aim is to ensure that computer applications deliver the desired/necessary level of security in support of the organization’s Information Security Management System.

It is aimed at architects, analysts, programmers, testers, IT Team, DBA, Admins, etc., who need to know what and when Application Security Controls should be applied, integrate Application Security Controls in their activities, meet the requirements of the Application Security Controls associated measurements, get access to tools and best practices and facilitate peer review.

It can also be used by auditors, in order to know the scope and process of verification measurements for the corresponding Application Security Controls, make audit results repeatable, identify a list of verification measurements which can generate supporting evidence to demonstrate that the application has reached the required level of trust authorized by the management and standardize the application security verification.

27034 is based upon the following key principles:

  • Security is a requirement
  • Application security is context-dependent
  • Appropriate investment for application security
  • Application security must be demonstrated

http://www.iso27001security.com/html/27034.html

Description of the OWASP project

ISO/IEC 27034 do not propose any Application Security Controls by itself, nor any coding/testing best practices. OWASP is a good match to 27034 because it is proposing many best practices and technical details that can be used to create ASCs.

At the beginning of our roadmap, the focus will be upon the conversion of the latest OWASP Top 10 into ASCs.


Licensing

OWASP ISO/IEC 27034 Application Security Controls are free to use. It is licensed under the GNU LGPL v3 License (http://www.gnu.org/licenses/lgpl.html) that is similar to GPL but modified for use with libraries that may be called by other proprietary programs.


What this project provides?

OWASP ISO/IEC 27034 Application Security Controls Project provides:

  • XML files following the schema and guidelines provided by ISO/IEC 27034-5.1
  • Ways to formally comply with OWASP best practices such as the Top 10

Presentation

Slides in English on SpeakerDeck

Presentation in French, English version will be available soon:

Introduction to ISO 27034 also in French on YouTube


Project Co-Leaders

  • Luc Poulin
  • Jonathan Marcil


Related Projects

Quick Download

Files will be available on GitHub.

News and Events

  • [6 Jan 2014] First wiki drafts
  • [17 Dec 2013] Official OWASP Project created
  • [2 Dec 2013] Kick off on the project at OWASP Montreal

Classifications

Owasp-incubator-trans-85.png Owasp-builders-small.png
Lgplv3-147x51.png
Project Type Files CODE.jpg

Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_ISO_IEC_27034_Application_Security_Controls_Project&oldid=204955"