This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
CISO AppSec Guide: Quick Reference to OWASP Guides & Projects
From OWASP (latest revision as of 21:25, 6 February 2014, edited by Marco-cincy)

< Back to the Application Security Guide For CISOs (https://www.owasp.org/index.php/Application_Security_Guide_For_CISOs)

Appendix B: Quick Reference to OWASP Guides & Other Projects

This quick reference maps typical CISO functions and information security domains to the relevant sections of the OWASP CISO Guide and to the OWASP projects that support each function.

CISO Function | Security Domain | OWASP CISO Guide | OWASP Projects
---|---|---|---
Develop and implement policies, standards and guidelines for application security | Standards and Policies | [I-3 "Information Security Standards, Policies and Compliance"](https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Information_Security_Standards.2C_Policies_and_Compliance) | [Development Guide - Policy Frameworks](https://www.owasp.org/index.php/Policy_Frameworks); [Project CLASP - Identify Global Security Policy](https://www.owasp.org/index.php/Identify_global_security_policy); [Project SAMM - Policy & Compliance](https://www.owasp.org/index.php/SAMM_-_Policy_&_Compliance_-_1); [Code Review Guide - Code Reviews and Compliance](https://www.owasp.org/index.php/Code_Reviews_and_Compliance)
Develop, implement and manage application security governance | Governance | [III-3 "Application Security Governance, Risk and Compliance"](https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Application_Security_Governance.2C_Risk_and_Compliance) | [Project SAMM - Governance](https://www.owasp.org/index.php/SAMM_-_Governance); [Project ASVS - How to Write Job Requisitions](https://www.owasp.org/index.php/How_to_write_verifier_job_requisition)
Develop and implement software security development and security testing processes | Security Engineering Processes | [III-4 "Targeting Software Security Activities and S-SDLC Processes"](https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Targeting_Software_Security_Activities_and_S-SDLC_Processes); [III-5 "How to Choose the Right OWASP Projects and Tools For Your Organization"](https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#How_to_Choose_the_Right_OWASP_Projects_and_Tools_For_Your_Organization) | [Development Guide](https://www.owasp.org/index.php/Category:OWASP_Guide_Project); [Code Review Guide](https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project); [Secure Coding Practices](https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide); [Testing Guide](https://www.owasp.org/index.php/OWASP_Testing_Project); [Comprehensive Lightweight Application Security Process (CLASP) Introduction](https://buildsecurityin.us-cert.gov/articles/best-practices/requirements-engineering/introduction-to-the-clasp-process); [CLASP Concepts](https://www.owasp.org/index.php/CLASP_Concepts); [Software Assurance Maturity Model (SAMM)](http://www.opensamm.org/); [Testing Guide - Tools](https://www.owasp.org/index.php/Appendix_A:_Testing_Tools); [Project Application Security Verification Standard (ASVS)](https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project)
Develop, articulate and implement a risk management strategy for applications | Risk Strategy | [I-4 "Risk Management Strategies"](https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Risk_Management_Strategies); [II "Criteria for Managing Application Security Risks"](https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks#Part_II:_Criteria_for_Managing_Application_Security_Risks); [III-4 "Security Strategy"](https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Security_Strategy) | [SAMM - Strategy & Metrics](https://www.owasp.org/index.php/SAMM_-_Strategy_&_Metrics_-_1); [Application Threat Modeling - Mitigation Strategies](https://www.owasp.org/index.php/Application_Threat_Modeling#Mitigation_Strategies)
Work with executive management, business managers and internal audit and legal counsel to define application security requirements that can be verified and audited | Audit & Compliance | [I-3 "Capturing Application Security Requirements"](https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Capturing_Application_Security_Requirements); [III-3 "Addressing CISO's Application Security Functions"](https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Addressing_CISO.27s_Application_Security_Functions) | [Application Security Verification Standard (ASVS)](https://www.owasp.org/index.php/ASVS); [CLASP - Capture Security Requirements](https://www.owasp.org/index.php/Category:BP3_Capture_security_requirements); [SAMM - Security Requirements](https://www.owasp.org/index.php/SAMM_-_Security_Requirements_-_1); [Testing Guide - Security Requirements Test Derivation](https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Requirements_Test_Derivation); [Project Cornucopia](https://www.owasp.org/index.php/OWASP_Cornucopia); [Project Secure Software Contract Annex](https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex)
Measure and monitor security and risks of application assets within the organization | Risk Metrics & Monitoring | [IV "Selection of Metrics for Managing Risks & Application Security Investments"](https://www.owasp.org/index.php/CISO_AppSec_Guide:_Metrics_For_Managing_Risks_%26_Application_Security_Investments.) | [CLASP - Define and Monitor Metrics](https://www.owasp.org/index.php/Category:BP6_Define_and_monitor_metrics); [SAMM - Strategy & Metrics](https://www.owasp.org/index.php/SAMM_-_Strategy_&_Metrics_-_1); [Types of Application Security Metrics](https://www.owasp.org/index.php/Types_of_application_security_metrics)
Define, identify and assess the inherent security of critical application assets, assess the threats, vulnerabilities and business impacts, and recommend countermeasures/corrective actions | Risk Analysis & Management | [I-4 "Risk Management"](https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Risk_Management); [II "Criteria for Managing Application Security Risks"](https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks#Part_II:_Criteria_for_Managing_Application_Security_Risks) | [Project Top Ten Web Application Risks](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project); [Project Top Ten Mobile Application Risks](https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks); [Project Top Ten Cloud Risks](https://www.owasp.org/index.php/OWASP_Cloud_%E2%80%90_10/Initial_Pre-Alpha_List_of_OWASP_Cloud_Top_10_Security_Risks); [ASVS - Implementation of NIST Risk Management Verification Activities](https://www.owasp.org/index.php/How_to_bootstrap_the_NIST_risk_management_framework_with_verification_activities); [Risk Rating Methodology](https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology); [Threat Risk Modelling](https://www.owasp.org/index.php/Threat_Risk_Modeling)
Assess procurement of new application processes, services, technologies and security tools | Procurement | [III-4 "Assess Risks before Procurement of Third Party Components"](https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Assess_Risks_before_Procurement_of_Third_Party_Components) | [Project Secure Software Contract Annex](https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex); …
Oversee the training on application security for development, operational and information security teams | Security Training | [III-5 "People, Processes and Technology"](https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#People.2C_Processes_and_Technology) | [Project CLASP - Institute Awareness Programs](https://www.owasp.org/index.php/Category:BP1_Institute_awareness_programs); …; [Conference Videos](https://www.owasp.org/index.php/Category:OWASP_Video); [Application Security FAQs](https://www.owasp.org/index.php/OWASP_Application_Security_FAQ)
Develop, articulate and implement continuity planning/disaster recovery | Business Continuity / Disaster Recovery | [III-3 "Addressing CISO's Application Security Functions"](https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Addressing_CISO.27s_Application_Security_Functions) | [Cloud Business Continuity and Resiliency](https://www.owasp.org/index.php/Cloud-10_Business_Continuity_and_Resiliency)
Investigate and analyse suspected and actual application security incidents and recommend corrective actions | Vulnerability Management & Incident Response | [I-4 "Addressing the Business Concerns after a Security Incident"](https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Addressing_the_Business_Concerns_after_a_Security_Incident) | [SAMM - Vulnerability Management](https://www.owasp.org/index.php/SAMM_-_Vulnerability_Management_-_1); [CLASP - Manage Security Issue Disclosure Process](https://www.owasp.org/index.php/Manage_security_issue_disclosure_process); [.NET Incident Response](https://www.owasp.org/index.php/.NET_Incident_Response)

Categories: OWASP_Application_Security_Guide_For_CISO_Project; OWASP CISO Survey Project