This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Application Security Guide For CISOs Project v2"

From OWASP
Jump to: navigation, search
 
(41 intermediate revisions by the same user not shown)
Line 5: Line 5:
  
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
+
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
  
 
==OWASP Application Security Guide For CISOs (Version 2 - 2018 Edition)==
 
==OWASP Application Security Guide For CISOs (Version 2 - 2018 Edition)==
  
 
Among application security stakeholders, Chief Information Security Officers (CISOs),are responsible for application security from governance, compliance and risk perspectives. The Application Security Guide For CISOs seeks to help CISOs manage application security programs according to their own roles, responsibilities, perspectives and needs. Application security best practices and OWASP resources are referenced throughout the guide.
 
Among application security stakeholders, Chief Information Security Officers (CISOs),are responsible for application security from governance, compliance and risk perspectives. The Application Security Guide For CISOs seeks to help CISOs manage application security programs according to their own roles, responsibilities, perspectives and needs. Application security best practices and OWASP resources are referenced throughout the guide.
 
  
 
==Introduction==
 
==Introduction==
  
The purpose of this document is to guide the CISO in managing application security from initial problem statement to delivery of the solution. We start this journey in part I by providing guidance on how to start an application security initiative such as with the creation of the business cases for investing in application security following with awareness of threats targeting applications. In part II we focus on how to create an application security program including the adoption of secure software development activities, application security tools and secure code training for developers. In part III we focus on managing application security from both program execution as well as from risk management strategy perspectives including the mitigation of the risk of vulnerabilities and the metrics and reporting them based upon risk and exposure. In part IV we focus on process improvements such as the use of software maturity models and the lesson learned from security incidents whose root causes might have been identified in exploit of application vulnerabilities.
+
The purpose of this document is to guide CISOs and managers of security DevOps in managing application security from initial problem statement to delivery of the solution. We start this journey in part I by providing guidance on how to start an application security initiative such as with the creation of the business cases for investing in application security following with awareness of threats targeting applications. In part II we focus on how to create an application security program including the adoption of secure software development activities, application security tools and secure code training for developers. In part III we focus on managing application security from both program execution as well as from risk management strategy perspectives including the mitigation of the risk of vulnerabilities and the metrics and reporting them based upon risk and exposure. In part IV we focus on process improvements such as the use of software maturity models and the lesson learned from security incidents whose root causes might have been identified in exploit of application vulnerabilities.
 
 
  
 
==Objectives==
 
==Objectives==
Line 37: Line 35:
  
 
==Licensing==
 
==Licensing==
 +
 
The OWASP Application Security Guide For CISOs is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
 
The OWASP Application Security Guide For CISOs is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
  
 
© OWASP Foundation
 
© OWASP Foundation
  
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
+
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
  
 
== Core Content ==
 
== Core Content ==
Line 54: Line 53:
 
== Presentation ==
 
== Presentation ==
  
[[File:https://www.owasp.org/index.php/File:2017-CISO-Guide-Reboot-Morana_AppSec_USA_Short.pdf]]
+
[[File:CISO_AppSec_Guide_USA_2017_Small.jpg|link=https://www.owasp.org/images/b/bf/2017-CISO-Guide-Reboot-Morana_AppSec_USA_Short.pdf]]
  
[[Media:OWASP-NYC-CISO-Guidevs1.pptx|PPTX]] presentation given at 2017 OWASP AppSec U.S.A.
+
Presentation given at OWASP AppSec USA 2017 Project Meeting
  
 
== Project Leader ==
 
== Project Leader ==
  
Marco Morana
+
[https://www.owasp.org/index.php/Marco_Morana Marco Morana]
 
 
  
 
== Related Projects ==
 
== Related Projects ==
Line 68: Line 66:
 
* [[:Category:Software Assurance Maturity Model|Software Assurance Maturity Model]]
 
* [[:Category:Software Assurance Maturity Model|Software Assurance Maturity Model]]
  
 +
| valign="top" style="padding-left:25px;width:200px;" |
  
 +
== Quick Access ==
  
| valign="top"  style="padding-left:25px;width:200px;" |
+
* Application Security Guide For CISOs v2.0 EN (Work in Progress)
 +
** [[Application Security Guide For CISOsVs2|HTML]]
  
== Quick Access ==
+
* Application Security Guide For CISOs v1.0 EN (Release Edition)
 
 
* Application Security Guide For CISOs v1.0 EN
 
 
** [[Application Security Guide For CISOs |HTML]]
 
** [[Application Security Guide For CISOs |HTML]]
 
** [https://www.owasp.org/index.php/File:Owasp-ciso-guide.pdf PDF]
 
** [https://www.owasp.org/index.php/File:Owasp-ciso-guide.pdf PDF]
 
** [http://www.lulu.com/shop/owasp-foundation/application-security-guide-for-cisos-v10-nov-2013/paperback/product-21288580.html Hardcopy]
 
** [http://www.lulu.com/shop/owasp-foundation/application-security-guide-for-cisos-v10-nov-2013/paperback/product-21288580.html Hardcopy]
  
 +
* Versión Uno en español
 +
** La [[Guía de Seguridad en Aplicaciones para CISOs]] (Español) fue editada y corregida por Mauro Gioino, Mauro Graziosi y [[User:Cristian_Borghello|Cristian Borghello]].
  
 
== News and Events ==
 
== News and Events ==
* [20 Nov 2013] The [http://appsecusa2013.sched.org/event/d4023831663d85d7fd87294e36e631ac?iframe=yes&w=990&sidebar=yes&bg=no#?iframe=yes&w=990&sidebar=yes&bg=no CISO Guide and CISO Survey 2013] will be presented at [https://appsecusa.org/ AppSec USA]
+
* [19-22 Sep 2017] The [https://2017.appsecusa.org/schedule/ CISO Guide Version 2 Reboot] was presented at [https://2017.appsecusa.org AppSec USA]
* [07 Nov 2013] Version 1.0 (stable) issued
+
* [12-16 June 2017] [https://github.com/OWASP/owasp-summits/blob/master/Outcomes/CISO/Application-Security-Guide-for-CISO.md Outcomes Of Discussions For CISO Guide Version 2] at [https://owaspsummit.org 2017 OWASP Summit in UK]
 
 
 
 
== In Print ==
 
 
 
[[File:Ciso-guide-book-small.jpg|link=http://www.lulu.com/shop/owasp-foundation/application-security-guide-for-cisos-v10-nov-2013/paperback/product-21288580.html]]
 
 
 
This project can be purchased as a [http://www.lulu.com/shop/owasp-foundation/application-security-guide-for-cisos-v10-nov-2013/paperback/product-21288580.html print on demand book] from Lulu.com.
 
 
 
  
 
==Classifications==
 
==Classifications==
Line 96: Line 89:
 
   {| width="200" cellpadding="2"
 
   {| width="200" cellpadding="2"
 
   |-
 
   |-
   | align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
+
   | rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
   | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]   
+
   | align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]   
 
   |-
 
   |-
   | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
+
   | align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]
 
   |-
 
   |-
   | colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
+
   | colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
 
   |-
 
   |-
   | colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]   
+
   | colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]   
 
   |}
 
   |}
  
 
|}
 
|}
 
  
 
= Acknowledgements =
 
= Acknowledgements =
 
==Volunteers==
 
==Volunteers==
The Application Security Guide For CISOs Project was authored, edited and reviewed by a worldwide team of volunteers. The primary contributors to date have been:
+
We are currently assembly a team of volunteers to author, edit and review the guide version 2. List of names will be updated soon
  
* Tobias Gondrom
+
= Road Map and Getting Involved =
* Eoin Keary
 
* Andy Lewis
 
* Marco Morana
 
* Stephanie Tan
 
* Colin Watson
 
  
 +
* We rebooted the project (at AppSec USA 2017 Project Summit) create new version 2, wiki, GitHub repository
 +
* We reactivated OWASP CISO mailing list
 +
* We have created the stub for version 2 and structured the contents in four parts
  
= Road Map and Getting Involved =
+
Next steps are:
As of 8 November 2013, the priorities are:
+
* Develop the contents: as was discussed at OWASP Summit in London in June 2017
* Announce and promote v1.0 at AppSec USA
+
* Create a mini 2018 CISO Survey to socialize with CISOs at CISO summits using Survey Monkey lists
* Gain support and additional contributors
+
 
* Translate book
+
The main goal is to produce a draft by 30/3/2018 and a reviewed version by end of June 2018
  
 
Involvement in the development and promotion of the CISO Guide is actively encouraged.
 
Involvement in the development and promotion of the CISO Guide is actively encouraged.
 
You do not have to be a security expert in order to contribute.
 
You do not have to be a security expert in order to contribute.
 
Some of the ways you can help:
 
Some of the ways you can help:
 +
* Develop the new contents
 +
* Update  the old contents
 
* Review the text
 
* Review the text
* Graphical design for the book cover and diagrams
+
* Help with graphical design for the book and the diagrams
 +
* Help to create the mini CISO survey linked to the CISO web page
  
 
Please participate through the project's [https://lists.owasp.org/mailman/listinfo/owasp_application_security_guide_for_cisos mailing list].
 
Please participate through the project's [https://lists.owasp.org/mailman/listinfo/owasp_application_security_guide_for_cisos mailing list].
  
= Releases =
+
= Stable Releases =
  
 
== Current version ==
 
== Current version ==
Line 144: Line 137:
 
** [https://www.owasp.org/index.php/File:Owasp-ciso-guide.pdf PDF]
 
** [https://www.owasp.org/index.php/File:Owasp-ciso-guide.pdf PDF]
 
** [http://www.lulu.com/shop/owasp-foundation/application-security-guide-for-cisos-v10-nov-2013/paperback/product-21288580.html Hardcopy]
 
** [http://www.lulu.com/shop/owasp-foundation/application-security-guide-for-cisos-v10-nov-2013/paperback/product-21288580.html Hardcopy]
 
  
 
== Previous versions ==
 
== Previous versions ==
Line 151: Line 143:
  
 
= Project About =
 
= Project About =
{{:Projects/OWASP_Application_Security_Guide_For_CISOs_Project | Project About}}
 
  
__NOTOC__ <headertabs />  
+
{{:Projects/OWASP_Application_Security_Guide_For_CISOs_Project | Project About }}
 +
 
 +
__NOTOC__ <headertabs></headertabs>  
  
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Document]]
+
[[Category:OWASP Project]]   
 +
[[Category:OWASP_Builders]]  
 +
[[Category:OWASP_Defenders]]   
 +
[[Category:OWASP_Document]]

Latest revision as of 09:14, 4 November 2017

CISO-Guide-header.jpg
Lab big.jpg

OWASP Application Security Guide For CISOs (Version 2 - 2018 Edition)

Among application security stakeholders, Chief Information Security Officers (CISOs),are responsible for application security from governance, compliance and risk perspectives. The Application Security Guide For CISOs seeks to help CISOs manage application security programs according to their own roles, responsibilities, perspectives and needs. Application security best practices and OWASP resources are referenced throughout the guide.

Introduction

The purpose of this document is to guide CISOs and managers of security DevOps in managing application security from initial problem statement to delivery of the solution. We start this journey in part I by providing guidance on how to start an application security initiative such as with the creation of the business cases for investing in application security following with awareness of threats targeting applications. In part II we focus on how to create an application security program including the adoption of secure software development activities, application security tools and secure code training for developers. In part III we focus on managing application security from both program execution as well as from risk management strategy perspectives including the mitigation of the risk of vulnerabilities and the metrics and reporting them based upon risk and exposure. In part IV we focus on process improvements such as the use of software maturity models and the lesson learned from security incidents whose root causes might have been identified in exploit of application vulnerabilities.

Objectives

The guide assists CISOs on how to manage application security through the phases of initiation, creation, management and process improvements. Tactical guidance is provided in the following aspects:

  • Assure compliance of applications with security regulations for privacy, data protection and information security
  • Leverage OWASP resources such as project documentation and tools
  • Manage application security from perspective or people/training, processes and tools/technologies
  • Manage application vulnerability risks and remediation based upon risk exposure to the business
  • Create awareness on cyber-threats targeting applications to focus on countermeasures
  • Operationalise application security assessments and provide support to development teams for continuous software security development and testing
  • Integration of existing applications with emerging technologies such as API, micro-services, cloud, virtualisation, biometrics
  • Alignment of application security strategy with business and IT strategy
  • Focus on process automation and process improvements
  • Be an agent of change in challenging corporate environments and trigger appropriate responses
  • Asking the right questions to gain visibility across the organisation (who does what questions)
  • Proactive risk management strategies
  • Capture lesson learned from past security incidents/data breaches
  • Setting roadmaps for process improvements

Licensing

The OWASP Application Security Guide For CISOs is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation

Core Content

The guide provide guidance to CISO to start, create, manage and improve Application Security Programs. The contents are articulated in (four) parts:

  • Part I: "How To" Start
  • Part II: "How To" Create
  • Part III: "How To" Manage
  • Part IV: "How To" Improve

Presentation

CISO AppSec Guide USA 2017 Small.jpg

Presentation given at OWASP AppSec USA 2017 Project Meeting

Project Leader

Marco Morana

Related Projects

Quick Access

  • Application Security Guide For CISOs v2.0 EN (Work in Progress)
  • Application Security Guide For CISOs v1.0 EN (Release Edition)

News and Events

Classifications

Owasp-incubator-trans-85.png Owasp-builders-small.png
Owasp-defenders-small.png
Cc-button-y-sa-small.png
Project Type Files DOC.jpg

Volunteers

We are currently assembly a team of volunteers to author, edit and review the guide version 2. List of names will be updated soon

  • We rebooted the project (at AppSec USA 2017 Project Summit) create new version 2, wiki, GitHub repository
  • We reactivated OWASP CISO mailing list
  • We have created the stub for version 2 and structured the contents in four parts

Next steps are:

  • Develop the contents: as was discussed at OWASP Summit in London in June 2017
  • Create a mini 2018 CISO Survey to socialize with CISOs at CISO summits using Survey Monkey lists

The main goal is to produce a draft by 30/3/2018 and a reviewed version by end of June 2018

Involvement in the development and promotion of the CISO Guide is actively encouraged. You do not have to be a security expert in order to contribute. Some of the ways you can help:

  • Develop the new contents
  • Update the old contents
  • Review the text
  • Help with graphical design for the book and the diagrams
  • Help to create the mini CISO survey linked to the CISO web page

Please participate through the project's mailing list.

Current version

v1.0 (Stable)

Previous versions

Pre 1.0 versions (alpha and betas) are in the wiki page history at https://www.owasp.org/index.php/Application_Security_Guide_For_CISOs and sub-pages beginning in August 2011.

what is this project?
Name: OWASP Application Security Guide For CISOs Project (home page)
Purpose:
  • The purpose of this document is to guide the CISO in managing application security from initial problem statement to delivery of the solution. We start this journey with the creation of the business cases for investing in application security following with the awareness of threats targeting applications, the identification of the economical impacts, the determination of a risk mitigation strategy, the prioritization of the mitigation of the risk of vulnerabilities, the selection of security control measures to mitigate risks,the adoption of secure software development processes and maturity models and we conclude this journey with the selection of metrics for reporting and managing application security risk.

Draft Version: More info about this project can be found in the introductory page of the guide Application Security Guide For CISOs

License: Creative Commons Attribution Share Alike 3.0
who is working on this project?
Project Leader(s):
  • Marco Morana @
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation: View
Mailing list: Mailing List Archives
Project Roadmap: View
Main links:
Key Contacts
  • Contact Marco Morana @ to contribute to this project
  • Contact Marco Morana @ to review or sponsor this project


Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Application_Security_Guide_For_CISOs_Project_v2&oldid=235004"