This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "CISO AppSec Guide: Quick Reference to OWASP Guides & Projects"
From OWASP
m (→Appendix B: Quick Reference to OWASP Guides & Other Projects: Names and numbering) |
|||
| (4 intermediate revisions by one other user not shown) | |||
| Line 95: | Line 95: | ||
| valign="top" | Assess procurement of new application processes, services, technologies and security tools | | valign="top" | Assess procurement of new application processes, services, technologies and security tools | ||
| valign="top" | Procurement | | valign="top" | Procurement | ||
| − | | valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Assess_Risks_before_Procurement_of_Third_Party_Components | + | | valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Assess_Risks_before_Procurement_of_Third_Party_Components III-4 "Assess Risks before Procurement of Third Party Components"] |
| valign="top" | | | valign="top" | | ||
* [https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex Project Secure Software Contract Annex] | * [https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex Project Secure Software Contract Annex] | ||
| Line 102: | Line 102: | ||
| valign="top" | Oversee the training on application security for development, operational and information security teams | | valign="top" | Oversee the training on application security for development, operational and information security teams | ||
| valign="top" | Security Training | | valign="top" | Security Training | ||
| − | | valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#People.2C_Processes_and_Technology | + | | valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#People.2C_Processes_and_Technology III-5 "People, Processes and Technology"] |
| | | | ||
* [https://www.owasp.org/index.php/Category:BP1_Institute_awareness_programs Project CLASP Institute Awareness Programs] | * [https://www.owasp.org/index.php/Category:BP1_Institute_awareness_programs Project CLASP Institute Awareness Programs] | ||
| Line 109: | Line 109: | ||
* [https://www.owasp.org/index.php/Category:OWASP_Video Conference Videos] | * [https://www.owasp.org/index.php/Category:OWASP_Video Conference Videos] | ||
* [https://www.owasp.org/index.php/OWASP_Application_Security_FAQ Application Security FAQs] | * [https://www.owasp.org/index.php/OWASP_Application_Security_FAQ Application Security FAQs] | ||
| − | |||
|- | |- | ||
| valign="top" | Develop, articulate and implement continuity planning/disaster recovery | | valign="top" | Develop, articulate and implement continuity planning/disaster recovery | ||
| valign="top" | Business Continuity / Disaster Recovery | | valign="top" | Business Continuity / Disaster Recovery | ||
| − | | valign="top" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Addressing_CISO.27s_Application_Security_Functions | + | | valign="top" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Addressing_CISO.27s_Application_Security_Functions III-3 "Addressing CISO's Application Security Functions"] |
| valign="top" | | | valign="top" | | ||
* [https://www.owasp.org/index.php/Cloud-10_Business_Continuity_and_Resiliency Cloud Business Continuity and Resiliency] | * [https://www.owasp.org/index.php/Cloud-10_Business_Continuity_and_Resiliency Cloud Business Continuity and Resiliency] | ||
| Line 119: | Line 118: | ||
| valign="top" | Investigate and analyse suspected and actual application security incidents and recommend corrective actions | | valign="top" | Investigate and analyse suspected and actual application security incidents and recommend corrective actions | ||
| valign="top" | Vulnerability Management & Incident Response | | valign="top" | Vulnerability Management & Incident Response | ||
| − | | valign="top" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Addressing_the_Business_Concerns_after_a_Security_Incident | + | | valign="top" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Addressing_the_Business_Concerns_after_a_Security_Incident I-4 "Addressing the Business Concerns after a Security Incident"] |
| valign="top" | | | valign="top" | | ||
* [https://www.owasp.org/index.php/SAMM_-_Vulnerability_Management_-_1 SAMM Vulnerability Management] | * [https://www.owasp.org/index.php/SAMM_-_Vulnerability_Management_-_1 SAMM Vulnerability Management] | ||
| Line 127: | Line 126: | ||
[[Category:OWASP_Application_Security_Guide_For_CISO_Project]] | [[Category:OWASP_Application_Security_Guide_For_CISO_Project]] | ||
| + | [[Category:OWASP CISO Survey Project]] | ||
Latest revision as of 21:25, 6 February 2014
< Back to the Application Security Guide For CISOs
Appendix B: Quick Reference to OWASP Guides & Other Projects
This quick reference maps typical CISO's functions and information security domains to different sections of the OWASP' CISO Guide and relevant OWASP projects.
| CISO Function | Security Domain | OWASP CISO Guide | OWASP Projects |
|---|---|---|---|
| Develop and implement policies, standards and guidelines for application security | Standards and Policies | I-3 "Information Security Standards, Policies and Compliance" | |
| Develop, implement and manage application security governance | Governance | III-3 "Application Security Governance, Risk and Compliance" | |
| Develop and implement software security development and security testing processes | Security Engineering Processes | III-4 "Targeting Software Security Activities and S-SDLC Processes"
III-5 "How to Choose the Right OWASP Projects and Tools For Your Organization" |
|
| Develop, articulate and implement a risk management strategy for applications | Risk Strategy |
I-4 "Risk Management Strategies" |
|
| Work with executive management, business managers and internal audit and legal counsel to define application security requirements that can be verified and audited | Audit & Compliance | I-3 "Capturing Application Security Requirements" | |
| Measure and monitor security and risks of application assets within the organization | Risk Metrics & Monitoring | IV "Selection of Metrics for Managing Risks & Application Security Investments" | |
| Define, identify and assess the inherent security of critical application assets, assess the threats, vulnerabilities, business impacts and recommend countermeasures/corrective actions | Risk Analysis & Management | I-4 "Risk Management" | |
| Assess procurement of new application processes, services, technologies and security tools | Procurement | III-4 "Assess Risks before Procurement of Third Party Components" | |
| Oversee the training on application security for development, operational and information security teams | Security Training | III-5 "People, Processes and Technology" | |
| Develop, articulate and implement continuity planning/disaster recovery | Business Continuity / Disaster Recovery | III-3 "Addressing CISO's Application Security Functions" | |
| Investigate and analyse suspected and actual application security incidents and recommend corrective actions | Vulnerability Management & Incident Response | I-4 "Addressing the Business Concerns after a Security Incident" |
