Latest revision as of 21:25, 6 February 2014

< Back to the Application Security Guide For CISOs

Appendix B: Quick Reference to OWASP Guides & Other Projects

This quick reference maps typical CISO's functions and information security domains to different sections of the OWASP' CISO Guide and relevant OWASP projects.

CISO Function	Security Domain	OWASP CISO Guide	OWASP Projects
Develop and implement policies, standards and guidelines for application security	Standards and Policies	I-3 "Information Security Standards, Policies and Compliance"	Development Guide - Policy Frameworks Project CLASP - Identify Global Security Policy Project SAMM - Policy & Compliance Code Review Guide - Code Reviews and Compliance
Develop, implement and manage application security governance	Governance	III-3 "Application Security Governance, Risk and Compliance"	Project SAMM - Governance Project ASVS - How to Write Job Requisitions
Develop and implement software security development and security testing processes	Security Engineering Processes	III-4 "Targeting Software Security Activities and S-SDLC Processes" III-5 "How to Choose the Right OWASP Projects and Tools For Your Organization"	Development Guide Code Review Guide Secure Coding Practices Testing Guide Comprehensive Lightweight Application Security Process (CLASP) Introduction CLASP Concepts Software Assurance Maturity Model (SAMM) Testing Guide - Tools Project Application Security Verification Standard Project (ASVS)
Develop, articulate and implement a risk management strategy for applications	Risk Strategy	I-4 "Risk Management Strategies" II "Criteria for Managing Application Security Risks" III-4 "Security Strategy"	SAMM - Strategy & Metrics Application Threat Modeling - Mitigation Strategies
Work with executive management, business managers and internal audit and legal counsel to define application security requirements that can be verified and audited	Audit & Compliance	I-3 "Capturing Application Security Requirements" III-3 "Addressing CISO's Application Security Functions"	Application Security Verification Standards CLASP - Capture Security Requirements SAMM - Security Requirements Testing Guide - Security Requirements Test Derivation Project Cornucopia Project Secure Software Contract Annex
Measure and monitor security and risks of application assets within the organization	Risk Metrics & Monitoring	IV "Selection of Metrics for Managing Risks & Application Security Investments"	CLASP - Define and Monitor Metrics SAMM - Strategy & Metrics Types of Application Security Metrics
Define, identify and assess the inherent security of critical application assets, assess the threats, vulnerabilities, business impacts and recommend countermeasures/corrective actions	Risk Analysis & Management	I-4 "Risk Management" II "Criteria for Managing Application Security Risks"	Project Top Ten Web Application Risks Project Top Ten Mobile Application Risks Project Top Ten Cloud Risks ASVS - Implementation of NIST Risk Management Verification Activities Risk Rating Methodology Threat Risk Modelling Application Threat Modelling
Assess procurement of new application processes, services, technologies and security tools	Procurement	III-4 "Assess Risks before Procurement of Third Party Components"	Project Secure Software Contract Annex ASVS - Verification of Contract Requirements
Oversee the training on application security for development, operational and information security teams	Security Training	III-5 "People, Processes and Technology"	Project CLASP Institute Awareness Programs Education Projects Appsec Training Videos Conference Videos Application Security FAQs
Develop, articulate and implement continuity planning/disaster recovery	Business Continuity / Disaster Recovery	III-3 "Addressing CISO's Application Security Functions"	Cloud Business Continuity and Resiliency
Investigate and analyse suspected and actual application security incidents and recommend corrective actions	Vulnerability Management & Incident Response	I-4 "Addressing the Business Concerns after a Security Incident"	SAMM Vulnerability Management CLASP - Manage Security Issue Disclosure Process .NET Incident Response

@@ Line 1: / Line 1: @@
 [[Application Security Guide For CISOs|< Back to the Application Security Guide For CISOs]]
-==Appendix B: Quick Reference to OWASP Guides & Projects ==
+__NOTOC__
+=Appendix B: Quick Reference to OWASP Guides & Other Projects =
 This quick reference maps typical CISO's functions and information security domains to different sections of the OWASP' CISO Guide and relevant OWASP projects.
-To do:
-* Check cross-references back to other parts of guie and add links/anchors
-* Check for other OWASP projects
 {| class="prettytable FCK__ShowTableBorders" align="top"
@@ Line 18: / Line 16: @@
 | valign="top" width="25%" | Develop and implement policies, standards and guidelines for application security
 | valign="top" width="10%" | Standards and Policies
-| valign="top" width="40%" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Information_Security_Standards.2C_Policies_and_Compliance Part I - Section 1.3 "Information Security Standards, Policies and Compliance"]
+| valign="top" width="40%" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Information_Security_Standards.2C_Policies_and_Compliance I-3 "Information Security Standards, Policies and Compliance"]
 | valign="top" width="25%" |
-* [https://www.owasp.org/index.php/Policy_Frameworks Project Development Guide - Policy Frameworks]
+* [https://www.owasp.org/index.php/Policy_Frameworks Development Guide - Policy Frameworks]
 * [https://www.owasp.org/index.php/Identify_global_security_policy Project CLASP - Identify Global Security Policy]
 * [https://www.owasp.org/index.php/SAMM_-_Policy_&_Compliance_-_1 Project SAMM - Policy & Compliance]
-* [https://www.owasp.org/index.php/Code_Reviews_and_Compliance Code Review - Project Coding Guide - Code Reviews and Compliance]
+* [https://www.owasp.org/index.php/Code_Reviews_and_Compliance Code Review Guide - Code Reviews and Compliance]
 |-
 | valign="top" | Develop, implement and manage application security governance
 | valign="top" | Governance
-| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Application_Security_Governance.2C_Risk_and_Compliance Part III - Section 1.3.1 "Application Security Governance, Risk and Compliance"]
+| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Application_Security_Governance.2C_Risk_and_Compliance III-3 "Application Security Governance, Risk and Compliance"]
 | valign="top" |
-* [https://www.owasp.org/index.php/SAMM_-_Governance SAMM - Governance]
+* [https://www.owasp.org/index.php/SAMM_-_Governance Project SAMM - Governance]
-* [https://www.owasp.org/index.php/How_to_write_verifier_job_requisition How to Write Job Requisitions]
+* [https://www.owasp.org/index.php/How_to_write_verifier_job_requisition Project ASVS - How to Write Job Requisitions]
 |-
 | valign="top" | Develop and implement software security development and security testing processes
 | valign="top" | Security Engineering Processes
-| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Targeting_Software_Security_Activities_and_S-SDLC_Processes Part III - Section 1.4 "Targeting Software Security Activities and S-SDLC Processes"]
+| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Targeting_Software_Security_Activities_and_S-SDLC_Processes III-4 "Targeting Software Security Activities and S-SDLC Processes"]
-[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#How_to_Choose_the_Right_OWASP_Projects_and_Tools_For_Your_Organization Part III - Section 1.5 "How to Choose the Right OWASP Projects and Tools For Your Organization"]
+[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#How_to_Choose_the_Right_OWASP_Projects_and_Tools_For_Your_Organization III-5 "How to Choose the Right OWASP Projects and Tools For Your Organization"]
 | valign="top" |
 * [https://www.owasp.org/index.php/Category:OWASP_Guide_Project Development Guide]
-* [https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project Project Code Review Guide]
+* [https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project Code Review Guide]
 * [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide Secure Coding Practices]
-* [https://www.owasp.org/index.php/OWASP_Testing_Project Project Testing Guide]
+* [https://www.owasp.org/index.php/OWASP_Testing_Project Testing Guide]
 * [https://buildsecurityin.us-cert.gov/articles/best-practices/requirements-engineering/introduction-to-the-clasp-process Comprehensive Lightweight Application Security Process (CLASP) Introduction]
-* [https://www.owasp.org/index.php/CLASP_Concepts Project CLASP Concepts]
+* [https://www.owasp.org/index.php/CLASP_Concepts CLASP Concepts]
-* [http://www.opensamm.org/ Software Assurance Maturity Model(SAMM)]
+* [http://www.opensamm.org/ Software Assurance Maturity Model (SAMM)]
-* [https://www.owasp.org/index.php/Appendix_A:_Testing_Tools Testing Tools]
+* [https://www.owasp.org/index.php/Appendix_A:_Testing_Tools Testing Guide - Tools]
 * [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project Project Application Security Verification Standard Project (ASVS)]
 |-
@@ Line 51: / Line 49: @@
 | valign="top" | Risk Strategy
 | valign="top" |
-[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Risk_Management_Strategies Part I - Section 1.4.4 "Risk Management Strategies"]
+[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Risk_Management_Strategies I-4 "Risk Management Strategies"]
+[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks#Part_II:_Criteria_for_Managing_Application_Security_Risks II "Criteria for Managing Application Security Risks"]
-[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks#Part_II:_Criteria_for_Managing_Application_Security_Risks Part II - "Criteria for Managing Application Security Risks"]
+[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Security_Strategy III-4 "Security Strategy"]
 | valign="top" |
 * [https://www.owasp.org/index.php/SAMM_-_Strategy_&_Metrics_-_1 SAMM - Strategy & Metrics]
-* [https://www.owasp.org/index.php/Application_Threat_Modeling#Mitigation_Strategies Application Threat Modeling - Risk Mitigation Strategies]
+* [https://www.owasp.org/index.php/Application_Threat_Modeling#Mitigation_Strategies Application Threat Modeling - Mitigation Strategies]
 |-
 | valign="top" | Work with executive management, business managers and internal audit and legal counsel to define application security requirements that can be verified and audited
 | valign="top" | Audit & Compliance
-| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Capturing_Application_Security_Requirements Part I - Section 1.3.2 "Capturing Application Security Requirements"]
+| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Capturing_Application_Security_Requirements I-3 "Capturing Application Security Requirements"]
-[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Addressing_CISO.27s_Application_Security_Functions Part III - Section 1.3 "Addressing CISO's Application Security Functions"]
+[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Addressing_CISO.27s_Application_Security_Functions III-3 "Addressing CISO's Application Security Functions"]
 | valign="top" |
 * [https://www.owasp.org/index.php/ASVS Application Security Verification Standards]
-* [https://www.owasp.org/index.php/Category:BP3_Capture_security_requirements Capture Security Requirements]
+* [https://www.owasp.org/index.php/Category:BP3_Capture_security_requirements CLASP - Capture Security Requirements]
 * [https://www.owasp.org/index.php/SAMM_-_Security_Requirements_-_1 SAMM - Security Requirements]
 * [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Requirements_Test_Derivation Testing Guide - Security Requirements Test Derivation]
-* [https://www.owasp.org/index.php/OWASP_Cornucopia Project OWASP Cornucopia]
+* [https://www.owasp.org/index.php/OWASP_Cornucopia Project Cornucopia]
-* [https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex Project Legal - Secure Software Contract Annex]
+* [https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex Project Secure Software Contract Annex]
 |-
 | valign="top" | Measure and monitor security and risks of application assets within the organization
 | valign="top" | Risk Metrics & Monitoring
-| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Metrics_For_Managing_Risks_%26_Application_Security_Investments. Part IV - "Selection of Metrics for Managing Risks & Application Security Investments"]
+| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Metrics_For_Managing_Risks_%26_Application_Security_Investments. IV "Selection of Metrics for Managing Risks & Application Security Investments"]
 |
+* [https://www.owasp.org/index.php/Category:BP6_Define_and_monitor_metrics CLASP - Define and Monitor Metrics]
+* [https://www.owasp.org/index.php/SAMM_-_Strategy_&_Metrics_-_1 SAMM - Strategy & Metrics]
 * [https://www.owasp.org/index.php/Types_of_application_security_metrics Types of Application Security Metrics]
-* [https://www.owasp.org/index.php/Category:BP6_Define_and_monitor_metrics Project CLASP - Define and Monitor Metrics]
-* [https://www.owasp.org/index.php/SAMM_-_Strategy_&_Metrics_-_1 SAMM Strategy & Metrics]
 |-
-| valign="top" | Define, identify and assess the inherent security of critical application assets, assess the threats, vulnerabilities, business impacts and recommend countermeasurers/corrective actions
+| valign="top" | Define, identify and assess the inherent security of critical application assets, assess the threats, vulnerabilities, business impacts and recommend countermeasures/corrective actions
 | valign="top" | Risk Analysis & Management
-| valign="top" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Risk_Management Part I - Section 1.4 "Risk Management"]
+| valign="top" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Risk_Management I-4 "Risk Management"]
-[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks#Part_II:_Criteria_for_Managing_Application_Security_Risks Part II Criteria for Managing Application Security Risks]
+[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks#Part_II:_Criteria_for_Managing_Application_Security_Risks II "Criteria for Managing Application Security Risks"]
 |
 * [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project Project Top Ten Web Application Risks]
 * [https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks Project Top Ten Mobile Application Risks]
 * [https://www.owasp.org/index.php/OWASP_Cloud_%E2%80%90_10/Initial_Pre-Alpha_List_of_OWASP_Cloud_Top_10_Security_Risks Project Top Ten Cloud Risks]
-* [https://www.owasp.org/index.php/How_to_bootstrap_the_NIST_risk_management_framework_with_verification_activities Project AVSV- Implementation of NIST Risk Management Verification Activities]
+* [https://www.owasp.org/index.php/How_to_bootstrap_the_NIST_risk_management_framework_with_verification_activities ASVS - Implementation of NIST Risk Management Verification Activities]
 * [https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology Risk Rating Methodology]
 * [https://www.owasp.org/index.php/Threat_Risk_Modeling Threat Risk Modelling]
@@ Line 95: / Line 95: @@
 | valign="top" | Assess procurement of new application processes, services, technologies and security tools
 | valign="top" | Procurement
-| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Assess_Risks_before_Procurement_of_Third_Party_Components[Part III - Section 1.4.2.1 "Assess Risks before Procurement of Third Party Components"]
+| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Assess_Risks_before_Procurement_of_Third_Party_Components III-4 "Assess Risks before Procurement of Third Party Components"]
 | valign="top" |
 * [https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex Project Secure Software Contract Annex]
@@ Line 102: / Line 102: @@
 | valign="top" | Oversee the training on application security for development, operational and information security teams
 | valign="top" | Security Training
-| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#People.2C_Processes_and_Technology Part III- Section 1.5.3 "People, Processes and Technology"]
+| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#People.2C_Processes_and_Technology III-5 "People, Processes and Technology"]
 |
 * [https://www.owasp.org/index.php/Category:BP1_Institute_awareness_programs Project CLASP Institute Awareness Programs]
@@ Line 109: / Line 109: @@
 * [https://www.owasp.org/index.php/Category:OWASP_Video Conference Videos]
 * [https://www.owasp.org/index.php/OWASP_Application_Security_FAQ Application Security FAQs]
-* [https://www.owasp.org/index.php/Institute_security_awareness_program CLASP - Institute Security Awareness Program]
 |-
 | valign="top" | Develop, articulate and implement continuity planning/disaster recovery
 | valign="top" | Business Continuity / Disaster Recovery
-| valign="top" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Addressing_CISO.27s_Application_Security_Functions Part IV - Addressing CISO's Application Security Functions"]
+| valign="top" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Addressing_CISO.27s_Application_Security_Functions III-3 "Addressing CISO's Application Security Functions"]
 | valign="top" |
 * [https://www.owasp.org/index.php/Cloud-10_Business_Continuity_and_Resiliency Cloud Business Continuity and Resiliency]
 |-
 | valign="top" | Investigate and analyse suspected and actual application security incidents and recommend corrective actions
-| valign="top" | Incident Response
+| valign="top" | Vulnerability Management & Incident Response
-| valign="top" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Addressing_the_Business_Concerns_after_a_Security_Incident Part I Section 1.4.6 "Addressing the Business Concerns after a Security Incident"]
+| valign="top" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Addressing_the_Business_Concerns_after_a_Security_Incident I-4 "Addressing the Business Concerns after a Security Incident"]
 | valign="top" |
+* [https://www.owasp.org/index.php/SAMM_-_Vulnerability_Management_-_1 SAMM Vulnerability Management]
+* [https://www.owasp.org/index.php/Manage_security_issue_disclosure_process CLASP - Manage Security Issue Disclosure Process]
 * [https://www.owasp.org/index.php/.NET_Incident_Response .NET Incident Response]
-* [https://www.owasp.org/index.php/Manage_security_issue_disclosure_process CLASP - Manage Security Issue Disclosure Process]
 |}
 [[Category:OWASP_Application_Security_Guide_For_CISO_Project]]
+[[Category:OWASP CISO Survey Project]]

Difference between revisions of "CISO AppSec Guide: Quick Reference to OWASP Guides & Projects"

Latest revision as of 21:25, 6 February 2014

Appendix B: Quick Reference to OWASP Guides & Other Projects

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools