This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Application Security Guide For CISOs Project v2"

From OWASP
Jump to: navigation, search
(Created page with "<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">link=OWASP_Project_Stages#tab.3DLab_Projects</div> <div style="border:0,margin:0;...")
 
Line 1: Line 1:
 +
=Main=
 +
 +
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:CISO-Guide-header.jpg|link=]]</div>
 
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>
 
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>
<div style="border:0,margin:0;overflow: hidden;">
+
 
{{OWASP Defenders}} {{OWASP Book|5691953}}
 
<div style="margin: 5px; padding: 5px; float: left; width:70%">{{Social Media Links}} </div>
 
</div>
 
=Code Review Guide=
 
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
 
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
==The Release Candidate for the OWASP Code Review Guide is now available!==
 
Please forward to all the developers and development teams you know!! We would like to immediately start raising awareness about this OWASP resource.
 
We plan to release the final version in Aug. 2017 after a public comment period ending July 31, 2017.
 
  
Thank you,
+
==OWASP Application Security Guide For CISOs==
Larry Conklin, Gary Robinson
+
 
OWASP Code Review Guides Co-Leaders
+
Among application security stakeholders, Chief Information Security Officers (CISOs),are responsible for application security from governance, compliance and risk perspectives. The Application Security Guide For CISOs seeks to help CISOs manage application security programs according to their own roles, responsibilities, perspectives and needs. Application security best practices and OWASP resources are referenced throughout the guide.
 +
 
  
 
==Introduction==
 
==Introduction==
OWASP Code Review Guide is a technical book written for those responsible for code reviews (management, developers, security professionals). The primarily focus of this book has been divided into two main sections. Section one is why and how of code reviews and sections two is devoted to what vulnerabilities need to be to look for during a manual code review. While security scanners are improving every day the need for manual security code reviews still needs to have a prominent place in organizations SDLC (Secure development life cycle) that desires good secure code in production.
 
  
Second sections deals with vulnerabilities. It is based on the poplar OWASP 2013 top 10. Here you will find most of the code examples for both on what not to do and on what to do. A word of caution on code examples; Perl is famous for its saying that there are 10,000 ways to do one thing. The same is true for C#, PHP and Java or any other computer language. Now add in "Object-Oriented Programming" and if we are using design patterns or even what designs patterns are being used and sample code becomes very “iff” in what to write. We tried to keep the sample code so code reviews can see red flags and not “do it my way or else”.
+
The purpose of this document is to guide the CISO in managing application security from initial problem statement to delivery of the solution. We start this journey with the creation of the business cases for investing in application security following with the awareness of threats targeting applications, the identification of the economical impacts, the determination of a risk mitigation strategy, the prioritization of the mitigation of the risk of vulnerabilities, the selection of security control measures to mitigate risks, the adoption of secure software development processes and maturity models and we conclude this journey with the selection of metrics for reporting and managing application security risk.
 +
 
  
The last section is the appendix. Here we have content like code reviewer check list, etc. of items that really don’t flow in book form but needed to be included to make the code review guide compete.
+
==Objectives==
  
==Review of Code Review Guide 2.0==
+
The guide assists CISOs manage application security risks by considering the exposure from emerging threats and compliance requirements. The objectives of this guide are to help:
Constructive comments on this OWASP Code Review Release Candidate should be forwarded via email to [email protected]. Private comments may be sent to [email protected] or [email protected] . All comments are welcome. All comments should indicate the specific relevant page and section.
+
* Make application security visible to CISOs
 +
* Assure compliance of applications with security regulations for privacy, data protection and information security
 +
* Prioritize vulnerability remediation based upon risk exposure to the business
 +
* Provide guidance for building and managing application security processes
 +
* Analyze cyber-threats against applications and identify countermeasures
 +
* Institute application security training for developers and managers
 +
* Measure and manage application security risks and processes
  
All feedback is critical to the continued success of the OWASP Code Review Guide.
 
  
 
==Licensing==
 
==Licensing==
OWASP Code Review Guide is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
+
The OWASP Application Security Guide For CISOs is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
 +
 
 +
&copy; OWASP Foundation
  
  
 
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
 
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
  
== Project Leader ==
+
== Core Content ==
* Larry Conklin [mailto:larry.conklin@owasp.org]
+
 
* Gary Robinson [mailto:gary.robinson@owasp.org]
+
The CISO guide includes:
 +
 
 +
* Part I: Reasons for Investing in Application Security
 +
* Part II: Criteria for Managing Application Security Risks
 +
* Part III: Application Security Program
 +
* Part IV: Metrics For Managing Risks & Application Security Investments
 +
 
 +
 
 +
== Presentation ==
 +
 
 +
[[File:CISO-Guide-presentation-small.jpg|link=media:OWASP-NYC-CISO-Guidevs1.pptx]]
 +
 
 +
[[Media:OWASP-NYC-CISO-Guidevs1.pptx|PPTX]] presentation given at OWASP NYC U.S.A. Chapter Meeting on 15 November 2012
  
== Project Email ==
 
* Project Email [mailto:[email protected]]
 
  
==Classifications==
+
== Project Leader ==
[[File:Owasp-defenders-small.png|link=]]
 
  
[[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
+
Marco Morana
  
[[File:Project_Type_Files_DOC.jpg|link=]]
 
  
 
== Related Projects ==
 
== Related Projects ==
  
OWASP Testing Guide [https://www.owasp.org/index.php/OWASP_Testing_Project]
+
* [[OWASP_CISO_Survey|CISO Survey]]
 +
* [[:Category:Software Assurance Maturity Model|Software Assurance Maturity Model]]
 +
 
  
  
 
| valign="top"  style="padding-left:25px;width:200px;" |  
 
| valign="top"  style="padding-left:25px;width:200px;" |  
  
== Quick Download ==
+
== Quick Access ==
* [https://www.owasp.org/index.php/File:OWASP_Code_Review_Guide_v2.pdf Code Review Guide 2.0]
+
 
 +
* Application Security Guide For CISOs v1.0 EN
 +
** [[Application Security Guide For CISOs |HTML]]
 +
** [https://www.owasp.org/index.php/File:Owasp-ciso-guide.pdf PDF]
 +
** [http://www.lulu.com/shop/owasp-foundation/application-security-guide-for-cisos-v10-nov-2013/paperback/product-21288580.html Hardcopy]
 +
 
 +
 
 +
== News and Events ==
 +
* [20 Nov 2013] The [http://appsecusa2013.sched.org/event/d4023831663d85d7fd87294e36e631ac?iframe=yes&w=990&sidebar=yes&bg=no#?iframe=yes&w=990&sidebar=yes&bg=no CISO Guide and CISO Survey 2013] will be presented at [https://appsecusa.org/ AppSec USA]
 +
* [07 Nov 2013] Version 1.0 (stable) issued
 +
 
  
 
== In Print ==
 
== In Print ==
Code Review Guide 2.0 will be available in Lulu in the near future.
 
  
[http://www.lulu.com/content/5678680 Code Review Guide V1.1] on Lulu.
+
[[File:Ciso-guide-book-small.jpg|link=http://www.lulu.com/shop/owasp-foundation/application-security-guide-for-cisos-v10-nov-2013/paperback/product-21288580.html]]
 +
 
 +
This project can be purchased as a [http://www.lulu.com/shop/owasp-foundation/application-security-guide-for-cisos-v10-nov-2013/paperback/product-21288580.html print on demand book] from Lulu.com.
 +
 
 +
 
 +
==Classifications==
 +
 
 +
  {| width="200" cellpadding="2"
 +
  |-
 +
  | align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
 +
  | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] 
 +
  |-
 +
  | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
 +
  |-
 +
  | colspan="2" align="center"  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
 +
  |-
 +
  | colspan="2" align="center"  | [[File:Project_Type_Files_DOC.jpg|link=]] 
 +
  |}
 +
 
 
|}
 
|}
 +
  
 
= Acknowledgements =
 
= Acknowledgements =
The OWASP Code Review project was conceived by Eoin Keary, the OWASP Dublin Founder and Chapter Lead.
+
==Volunteers==
 +
The Application Security Guide For CISOs Project was authored, edited and reviewed by a worldwide team of volunteers. The primary contributors to date have been:
 +
 
 +
* Tobias Gondrom
 +
* Eoin Keary  
 +
* Andy Lewis
 +
* Marco Morana
 +
* Stephanie Tan
 +
* Colin Watson
 +
 
 +
 
 +
= Road Map and Getting Involved =
 +
As of 8 November 2013, the priorities are:
 +
* Announce and promote v1.0 at AppSec USA
 +
* Gain support and additional contributors
 +
* Translate book
 +
 
 +
Involvement in the development and promotion of the CISO Guide is actively encouraged.
 +
You do not have to be a security expert in order to contribute.
 +
Some of the ways you can help:
 +
* Review the text
 +
* Graphical design for the book cover and diagrams
 +
 
 +
Please participate through the project's [https://lists.owasp.org/mailman/listinfo/owasp_application_security_guide_for_cisos mailing list].
 +
 
 +
= Releases =
 +
 
 +
== Current version ==
 +
 
 +
v1.0 (Stable)
 +
* EN
 +
** [[Application Security Guide For CISOs |HTML]]
 +
** [https://www.owasp.org/index.php/File:Owasp-ciso-guide.pdf PDF]
 +
** [http://www.lulu.com/shop/owasp-foundation/application-security-guide-for-cisos-v10-nov-2013/paperback/product-21288580.html Hardcopy]
 +
 
 +
 
 +
== Previous versions ==
  
Code Review Mailing list[mailto:owasp-codereview-project@owasp.org]
+
Pre 1.0 versions (alpha and betas) are in the wiki page history at https://www.owasp.org/index.php/Application_Security_Guide_For_CISOs and sub-pages beginning in [https://www.owasp.org/index.php?title=Application_Security_Guide_For_CISOs&dir=prev&action=history August 2011].
  
+
= Project About =
 +
{{:Projects/OWASP_Application_Security_Guide_For_CISOs_Project | Project About}}
  
__NOTOC__ <headertabs />
+
__NOTOC__ <headertabs />  
  
[[Category:OWASP Project]]  [[Category:OWASP_Defenders]]  [[Category:OWASP_Document]]
+
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Document]]

Revision as of 19:04, 19 September 2017

CISO-Guide-header.jpg
Lab big.jpg

OWASP Application Security Guide For CISOs

Among application security stakeholders, Chief Information Security Officers (CISOs),are responsible for application security from governance, compliance and risk perspectives. The Application Security Guide For CISOs seeks to help CISOs manage application security programs according to their own roles, responsibilities, perspectives and needs. Application security best practices and OWASP resources are referenced throughout the guide.


Introduction

The purpose of this document is to guide the CISO in managing application security from initial problem statement to delivery of the solution. We start this journey with the creation of the business cases for investing in application security following with the awareness of threats targeting applications, the identification of the economical impacts, the determination of a risk mitigation strategy, the prioritization of the mitigation of the risk of vulnerabilities, the selection of security control measures to mitigate risks, the adoption of secure software development processes and maturity models and we conclude this journey with the selection of metrics for reporting and managing application security risk.


Objectives

The guide assists CISOs manage application security risks by considering the exposure from emerging threats and compliance requirements. The objectives of this guide are to help:

  • Make application security visible to CISOs
  • Assure compliance of applications with security regulations for privacy, data protection and information security
  • Prioritize vulnerability remediation based upon risk exposure to the business
  • Provide guidance for building and managing application security processes
  • Analyze cyber-threats against applications and identify countermeasures
  • Institute application security training for developers and managers
  • Measure and manage application security risks and processes


Licensing

The OWASP Application Security Guide For CISOs is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation


Core Content

The CISO guide includes:

  • Part I: Reasons for Investing in Application Security
  • Part II: Criteria for Managing Application Security Risks
  • Part III: Application Security Program
  • Part IV: Metrics For Managing Risks & Application Security Investments


Presentation

CISO-Guide-presentation-small.jpg

PPTX presentation given at OWASP NYC U.S.A. Chapter Meeting on 15 November 2012


Project Leader

Marco Morana


Related Projects

Quick Access


News and Events


In Print

Ciso-guide-book-small.jpg

This project can be purchased as a print on demand book from Lulu.com.


Classifications

Owasp-incubator-trans-85.png Owasp-builders-small.png
Owasp-defenders-small.png
Cc-button-y-sa-small.png
Project Type Files DOC.jpg


Volunteers

The Application Security Guide For CISOs Project was authored, edited and reviewed by a worldwide team of volunteers. The primary contributors to date have been:

  • Tobias Gondrom
  • Eoin Keary
  • Andy Lewis
  • Marco Morana
  • Stephanie Tan
  • Colin Watson


As of 8 November 2013, the priorities are:

  • Announce and promote v1.0 at AppSec USA
  • Gain support and additional contributors
  • Translate book

Involvement in the development and promotion of the CISO Guide is actively encouraged. You do not have to be a security expert in order to contribute. Some of the ways you can help:

  • Review the text
  • Graphical design for the book cover and diagrams

Please participate through the project's mailing list.

Current version

v1.0 (Stable)


Previous versions

Pre 1.0 versions (alpha and betas) are in the wiki page history at https://www.owasp.org/index.php/Application_Security_Guide_For_CISOs and sub-pages beginning in August 2011.

what is this project?
Name: OWASP Application Security Guide For CISOs Project (home page)
Purpose:
  • The purpose of this document is to guide the CISO in managing application security from initial problem statement to delivery of the solution. We start this journey with the creation of the business cases for investing in application security following with the awareness of threats targeting applications, the identification of the economical impacts, the determination of a risk mitigation strategy, the prioritization of the mitigation of the risk of vulnerabilities, the selection of security control measures to mitigate risks,the adoption of secure software development processes and maturity models and we conclude this journey with the selection of metrics for reporting and managing application security risk.

Draft Version: More info about this project can be found in the introductory page of the guide Application Security Guide For CISOs

License: Creative Commons Attribution Share Alike 3.0
who is working on this project?
Project Leader(s):
  • Marco Morana @
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation: View
Mailing list: Mailing List Archives
Project Roadmap: View
Main links:
Key Contacts
  • Contact Marco Morana @ to contribute to this project
  • Contact Marco Morana @ to review or sponsor this project


Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Application_Security_Guide_For_CISOs_Project_v2&oldid=233489"