Difference between revisions of "CISO AppSec Guide: Quick Reference to OWASP Guides & Projects"

Revision as of 07:53, 26 October 2013

< Back to the Application Security Guide For CISOs

Appendix B: Quick Reference to OWASP Guides & Projects

This quick reference maps typical CISO's functions and information security domains to different sections of the OWASP' CISO Guide and relevant OWASP projects.

To do:

Check cross-references back to other parts of guie and add links/anchors
Check for other OWASP projects

CISO Function	Security Domain	OWASP CISO Guide	OWASP Projects
Develop and implement policies, standards and guidelines for application security	Standards and Policies	Part I - Section 1.3 "Information Security Standards, Policies and Compliance"	Project Development Guide - Policy Frameworks Project CLASP - Identify Global Security Policy Project SAMM - Policy & Compliance Code Review - Project Coding Guide - Code Reviews and Compliance
Develop, implement and manage application security governance	Governance	Part III - Section 1.3.1 "Application Security Governance, Risk and Compliance"	SAMM - Governance How to Write Job Requisitions
Develop and implement software security development and security testing processes	Security Engineering Processes	Part III - Section 1.4 "Targeting Software Security Activities and S-SDLC Processes" Part III - Section 1.5 "How to Choose the Right OWASP Projects and Tools For Your Organization"	Development Guide Project Code Review Guide Secure Coding Practices Project Testing Guide Comprehensive Lightweight Application Security Process (CLASP) Introduction Project CLASP Concepts Software Assurance Maturity Model(SAMM) Testing Tools Project Application Security Verification Standard Project (ASVS)
Develop, articulate and implement a risk management strategy for applications	Risk Strategy	Part I - Section 1.4.4 "Risk Management Strategies" Part II - "Criteria for Managing Application Security Risks"	SAMM - Strategy & Metrics Application Threat Modeling - Risk Mitigation Strategies
Work with executive management, business managers and internal audit and legal counsel to define application security requirements that can be verified and audited	Audit & Compliance	Part I - Section 1.3.2 "Capturing Application Security Requirements" Part III - Section 1.3 "Addressing CISO's Application Security Functions"	Application Security Verification Standards Capture Security Requirements SAMM - Security Requirements Testing Guide - Security Requirements Test Derivation Project OWASP Cornucopia Project Legal - Secure Software Contract Annex
Measure and monitor security and risks of application assets within the organization	Risk Metrics & Monitoring	Part IV - "Selection of Metrics for Managing Risks & Application Security Investments"	Types of Application Security Metrics Project CLASP - Define and Monitor Metrics SAMM Strategy & Metrics
Define, identify and assess the inherent security of critical application assets, assess the threats, vulnerabilities, business impacts and recommend countermeasurers/corrective actions	Risk Analysis & Management	Part I - Section 1.4 "Risk Management" Part II Criteria for Managing Application Security Risks	Project Top Ten Web Application Risks Project Top Ten Mobile Application Risks Project Top Ten Cloud Risks Project AVSV- Implementation of NIST Risk Management Verification Activities Risk Rating Methodology Threat Risk Modelling Application Threat Modelling
Assess procurement of new application processes, services, technologies and security tools	Procurement	[Part III - Section 1.4.2.1 "Assess Risks before Procurement of Third Party Components"	Project Secure Software Contract Annex ASVS - Verification of Contract Requirements
Oversee the training on application security for development, operational and information security teams	Security Training	Part III- Section 1.5.3 "People, Processes and Technology"	Project CLASP Institute Awareness Programs Education Projects Appsec Training Videos Conference Videos Application Security FAQs CLASP - Institute Security Awareness Program
Develop, articulate and implement continuity planning/disaster recovery	Business Continuity / Disaster Recovery	Part IV - Addressing CISO's Application Security Functions"	Cloud Business Continuity and Resiliency
Investigate and analyse suspected and actual application security incidents and recommend corrective actions	Incident Response	Part I Section 1.4.6 "Addressing the Business Concerns after a Security Incident"	.NET Incident Response CLASP - Manage Security Issue Disclosure Process

@@ Line 20: / Line 20: @@
 | valign="top" width="40%" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Information_Security_Standards.2C_Policies_and_Compliance Part I - Section 1.3 "Information Security Standards, Policies and Compliance"]
 | valign="top" width="25%" |
-* [https://www.owasp.org/index.php/Policy_Frameworks OWASP Development Guide - Policy Frameworks]
+* [https://www.owasp.org/index.php/Policy_Frameworks Project Development Guide - Policy Frameworks]
-* [https://www.owasp.org/index.php/Identify_global_security_policy CLASP - Identify Global Security Policy]
+* [https://www.owasp.org/index.php/Identify_global_security_policy Project CLASP - Identify Global Security Policy]
-* [https://www.owasp.org/index.php/SAMM_-_Policy_&_Compliance_-_1 SAMM - Policy & Compliance]
+* [https://www.owasp.org/index.php/SAMM_-_Policy_&_Compliance_-_1 Project SAMM - Policy & Compliance]
-* [https://www.owasp.org/index.php/Code_Reviews_and_Compliance Code Review - Code Reviews and Compliance]
+* [https://www.owasp.org/index.php/Code_Reviews_and_Compliance Code Review - Project Coding Guide - Code Reviews and Compliance]
 |-
 | valign="top" | Develop, implement and manage application security governance
@@ Line 39: / Line 39: @@
 | valign="top" |
 * [https://www.owasp.org/index.php/Category:OWASP_Guide_Project Development Guide]
-* [https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project Code Review Guide]
+* [https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project Project Code Review Guide]
 * [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide Secure Coding Practices]
-* [https://www.owasp.org/index.php/OWASP_Testing_Project Testing Guide]
+* [https://www.owasp.org/index.php/OWASP_Testing_Project Project Testing Guide]
 * [https://buildsecurityin.us-cert.gov/articles/best-practices/requirements-engineering/introduction-to-the-clasp-process Comprehensive Lightweight Application Security Process (CLASP) Introduction]
-* [https://www.owasp.org/index.php/CLASP_Concepts CLASP Concepts]
+* [https://www.owasp.org/index.php/CLASP_Concepts Project CLASP Concepts]
 * [http://www.opensamm.org/ Software Assurance Maturity Model(SAMM)]
 * [https://www.owasp.org/index.php/Appendix_A:_Testing_Tools Testing Tools]
-* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project Application Security Verification Standard Project]
+* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project Project Application Security Verification Standard Project (ASVS)]
 |-
 | valign="top" | Develop, articulate and implement a risk management strategy for applications
@@ Line 68: / Line 68: @@
 * [https://www.owasp.org/index.php/SAMM_-_Security_Requirements_-_1 SAMM - Security Requirements]
 * [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Requirements_Test_Derivation Testing Guide - Security Requirements Test Derivation]
-* [https://www.owasp.org/index.php/OWASP_Cornucopia OWASP Cornucopia]
+* [https://www.owasp.org/index.php/OWASP_Cornucopia Project OWASP Cornucopia]
-* [https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex Legal - Secure Software Contract Annex]
+* [https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex Project Legal - Secure Software Contract Annex]
 |-
 | valign="top" | Measure and monitor security and risks of application assets within the organization
@@ Line 76: / Line 76: @@
 |
 * [https://www.owasp.org/index.php/Types_of_application_security_metrics Types of Application Security Metrics]
-* [https://www.owasp.org/index.php/Category:BP6_Define_and_monitor_metrics CLASP - Define and Monitor Metrics]
+* [https://www.owasp.org/index.php/Category:BP6_Define_and_monitor_metrics Project CLASP - Define and Monitor Metrics]
 * [https://www.owasp.org/index.php/SAMM_-_Strategy_&_Metrics_-_1 SAMM Strategy & Metrics]
 |-
@@ Line 85: / Line 85: @@
 [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks#Part_II:_Criteria_for_Managing_Application_Security_Risks Part II Criteria for Managing Application Security Risks]
 |
-* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project Top Ten Web Application Risks]
+* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project Project Top Ten Web Application Risks]
-* [https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks Top Ten Mobile Application Risks]
+* [https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks Project Top Ten Mobile Application Risks]
-* [https://www.owasp.org/index.php/OWASP_Cloud_%E2%80%90_10/Initial_Pre-Alpha_List_of_OWASP_Cloud_Top_10_Security_Risks Top Ten Cloud Risks]
+* [https://www.owasp.org/index.php/OWASP_Cloud_%E2%80%90_10/Initial_Pre-Alpha_List_of_OWASP_Cloud_Top_10_Security_Risks Project Top Ten Cloud Risks]
-* [https://www.owasp.org/index.php/How_to_bootstrap_the_NIST_risk_management_framework_with_verification_activities Implementation of NIST Risk Management Verification Activities]
+* [https://www.owasp.org/index.php/How_to_bootstrap_the_NIST_risk_management_framework_with_verification_activities Project AVSV- Implementation of NIST Risk Management Verification Activities]
 * [https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology Risk Rating Methodology]
 * [https://www.owasp.org/index.php/Threat_Risk_Modeling Threat Risk Modelling]
@@ Line 97: / Line 97: @@
 | valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Assess_Risks_before_Procurement_of_Third_Party_Components[Part III - Section 1.4.2.1 "Assess Risks before Procurement of Third Party Components"]
 | valign="top" |
-* [https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex Secure Software Contract Annex]
+* [https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex Project Secure Software Contract Annex]
-* [https://www.owasp.org/index.php/How_to_specify_verification_requirements_in_contracts Verification of Contract Requirements]
+* [https://www.owasp.org/index.php/How_to_specify_verification_requirements_in_contracts ASVS - Verification of Contract Requirements]
 |-
 | valign="top" | Oversee the training on application security for development, operational and information security teams
@@ Line 104: / Line 104: @@
 | valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#People.2C_Processes_and_Technology Part III- Section 1.5.3 "People, Processes and Technology"]
 |
-* [https://www.owasp.org/index.php/Category:BP1_Institute_awareness_programs]
+* [https://www.owasp.org/index.php/Category:BP1_Institute_awareness_programs Project CLASP Institute Awareness Programs]
 * [https://www.owasp.org/index.php/Category:OWASP_Education_Project Education Projects]
 * [https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series Appsec Training Videos]

Difference between revisions of "CISO AppSec Guide: Quick Reference to OWASP Guides & Projects"

Revision as of 07:53, 26 October 2013

Appendix B: Quick Reference to OWASP Guides & Projects

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools