Difference between revisions of "CISO AppSec Guide: Quick Reference to OWASP Guides & Projects"
From OWASP
Marco-cincy (talk | contribs)
Line 20: | Line 20: | ||
| valign="top" width="40%" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Information_Security_Standards.2C_Policies_and_Compliance Part I - Section 1.3 "Information Security Standards, Policies and Compliance"] | | valign="top" width="40%" |[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Reasons_for_Investing_in_Application_Security#Information_Security_Standards.2C_Policies_and_Compliance Part I - Section 1.3 "Information Security Standards, Policies and Compliance"] | ||
| valign="top" width="25%" | | | valign="top" width="25%" | | ||
− | * [https://www.owasp.org/index.php/Policy_Frameworks | + | * [https://www.owasp.org/index.php/Policy_Frameworks Project Development Guide - Policy Frameworks] |
− | * [https://www.owasp.org/index.php/Identify_global_security_policy CLASP - Identify Global Security Policy] | + | * [https://www.owasp.org/index.php/Identify_global_security_policy Project CLASP - Identify Global Security Policy] |
− | * [https://www.owasp.org/index.php/SAMM_-_Policy_&_Compliance_-_1 SAMM - Policy & Compliance] | + | * [https://www.owasp.org/index.php/SAMM_-_Policy_&_Compliance_-_1 Project SAMM - Policy & Compliance] |
− | * [https://www.owasp.org/index.php/Code_Reviews_and_Compliance Code Review - Code Reviews and Compliance] | + | * [https://www.owasp.org/index.php/Code_Reviews_and_Compliance Code Review - Project Coding Guide - Code Reviews and Compliance] |
|- | |- | ||
| valign="top" | Develop, implement and manage application security governance | | valign="top" | Develop, implement and manage application security governance | ||
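Review bot: the new "Project" prefix is applied inconsistently within this hunk. The first three entries read "Project Development Guide - ...", "Project CLASP - ..." and "Project SAMM - ...", but the fourth reads "Code Review - Project Coding Guide - Code Reviews and Compliance", which puts the prefix mid-label and names two different guides for one target; suggest "Project Code Review Guide - Code Reviews and Compliance", which also matches the "Project Code Review Guide" label used in the Line 39 hunk.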
Line 39: | Line 39: | ||
| valign="top" | | | valign="top" | | ||
* [https://www.owasp.org/index.php/Category:OWASP_Guide_Project Development Guide] | * [https://www.owasp.org/index.php/Category:OWASP_Guide_Project Development Guide] | ||
− | * [https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project Code Review Guide] | + | * [https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project Project Code Review Guide] |
* [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide Secure Coding Practices] | * [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide Secure Coding Practices] | ||
− | * [https://www.owasp.org/index.php/OWASP_Testing_Project Testing Guide] | + | * [https://www.owasp.org/index.php/OWASP_Testing_Project Project Testing Guide] |
* [https://buildsecurityin.us-cert.gov/articles/best-practices/requirements-engineering/introduction-to-the-clasp-process Comprehensive Lightweight Application Security Process (CLASP) Introduction] | * [https://buildsecurityin.us-cert.gov/articles/best-practices/requirements-engineering/introduction-to-the-clasp-process Comprehensive Lightweight Application Security Process (CLASP) Introduction] | ||
− | * [https://www.owasp.org/index.php/CLASP_Concepts CLASP Concepts] | + | * [https://www.owasp.org/index.php/CLASP_Concepts Project CLASP Concepts] |
* [http://www.opensamm.org/ Software Assurance Maturity Model(SAMM)] | * [http://www.opensamm.org/ Software Assurance Maturity Model(SAMM)] | ||
* [https://www.owasp.org/index.php/Appendix_A:_Testing_Tools Testing Tools] | * [https://www.owasp.org/index.php/Appendix_A:_Testing_Tools Testing Tools] | ||
− | * [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project Application Security Verification Standard Project] | + | * [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project Project Application Security Verification Standard Project (ASVS)] |
|- | |- | ||
| valign="top" | Develop, articulate and implement a risk management strategy for applications | | valign="top" | Develop, articulate and implement a risk management strategy for applications | ||
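Review bot: the ASVS entry now reads "Project Application Security Verification Standard Project (ASVS)", with "Project" twice; suggest "Project Application Security Verification Standard (ASVS)". The prefix is also added only to the Code Review, Testing Guide, CLASP Concepts and ASVS entries, while the Development Guide, Secure Coding Practices, SAMM and Testing Tools entries in the same list keep their old labels, so the list no longer follows one naming rule; either prefix every OWASP project entry or none. While here, "Model(SAMM)" is missing the space before the parenthesis.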
Line 68: | Line 68: | ||
* [https://www.owasp.org/index.php/SAMM_-_Security_Requirements_-_1 SAMM - Security Requirements] | * [https://www.owasp.org/index.php/SAMM_-_Security_Requirements_-_1 SAMM - Security Requirements] | ||
* [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Requirements_Test_Derivation Testing Guide - Security Requirements Test Derivation] | * [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Requirements_Test_Derivation Testing Guide - Security Requirements Test Derivation] | ||
− | * [https://www.owasp.org/index.php/OWASP_Cornucopia OWASP Cornucopia] | + | * [https://www.owasp.org/index.php/OWASP_Cornucopia Project OWASP Cornucopia] |
− | * [https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex Legal - Secure Software Contract Annex] | + | * [https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex Project Legal - Secure Software Contract Annex] |
|- | |- | ||
| valign="top" | Measure and monitor security and risks of application assets within the organization | | valign="top" | Measure and monitor security and risks of application assets within the organization | ||
Line 76: | Line 76: | ||
| | | | ||
* [https://www.owasp.org/index.php/Types_of_application_security_metrics Types of Application Security Metrics] | * [https://www.owasp.org/index.php/Types_of_application_security_metrics Types of Application Security Metrics] | ||
− | * [https://www.owasp.org/index.php/Category:BP6_Define_and_monitor_metrics CLASP - Define and Monitor Metrics] | + | * [https://www.owasp.org/index.php/Category:BP6_Define_and_monitor_metrics Project CLASP - Define and Monitor Metrics] |
* [https://www.owasp.org/index.php/SAMM_-_Strategy_&_Metrics_-_1 SAMM Strategy & Metrics] | * [https://www.owasp.org/index.php/SAMM_-_Strategy_&_Metrics_-_1 SAMM Strategy & Metrics] | ||
|- | |- | ||
Line 85: | Line 85: | ||
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks#Part_II:_Criteria_for_Managing_Application_Security_Risks Part II Criteria for Managing Application Security Risks] | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks#Part_II:_Criteria_for_Managing_Application_Security_Risks Part II Criteria for Managing Application Security Risks] | ||
| | | | ||
− | * [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project Top Ten Web Application Risks] | + | * [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project Project Top Ten Web Application Risks] |
− | * [https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks Top Ten Mobile Application Risks] | + | * [https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks Project Top Ten Mobile Application Risks] |
− | * [https://www.owasp.org/index.php/OWASP_Cloud_%E2%80%90_10/Initial_Pre-Alpha_List_of_OWASP_Cloud_Top_10_Security_Risks Top Ten Cloud Risks] | + | * [https://www.owasp.org/index.php/OWASP_Cloud_%E2%80%90_10/Initial_Pre-Alpha_List_of_OWASP_Cloud_Top_10_Security_Risks Project Top Ten Cloud Risks] |
− | * [https://www.owasp.org/index.php/How_to_bootstrap_the_NIST_risk_management_framework_with_verification_activities Implementation of NIST Risk Management Verification Activities] | + | * [https://www.owasp.org/index.php/How_to_bootstrap_the_NIST_risk_management_framework_with_verification_activities Project AVSV- Implementation of NIST Risk Management Verification Activities] |
* [https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology Risk Rating Methodology] | * [https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology Risk Rating Methodology] | ||
* [https://www.owasp.org/index.php/Threat_Risk_Modeling Threat Risk Modelling] | * [https://www.owasp.org/index.php/Threat_Risk_Modeling Threat Risk Modelling] | ||
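Review bot: "Project AVSV- Implementation of NIST Risk Management Verification Activities" has a transposed acronym and a missing space before the hyphen; the project is written "ASVS" elsewhere in this change (the Line 39 and Line 97 hunks), so the label should read "Project ASVS - Implementation of NIST Risk Management Verification Activities".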
Line 97: | Line 97: | ||
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Assess_Risks_before_Procurement_of_Third_Party_Components[Part III - Section 1.4.2.1 "Assess Risks before Procurement of Third Party Components"] | | valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#Assess_Risks_before_Procurement_of_Third_Party_Components[Part III - Section 1.4.2.1 "Assess Risks before Procurement of Third Party Components"] | ||
| valign="top" | | | valign="top" | | ||
− | * [https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex Secure Software Contract Annex] | + | * [https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex Project Secure Software Contract Annex] |
− | * [https://www.owasp.org/index.php/How_to_specify_verification_requirements_in_contracts Verification of Contract Requirements] | + | * [https://www.owasp.org/index.php/How_to_specify_verification_requirements_in_contracts ASVS - Verification of Contract Requirements] |
|- | |- | ||
| valign="top" | Oversee the training on application security for development, operational and information security teams | | valign="top" | Oversee the training on application security for development, operational and information security teams | ||
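Review bot: the unchanged context line for Part III - Section 1.4.2.1 carries a malformed external link: a stray "[" sits where the space between the URL and the label should be ("...Third_Party_Components[Part III - Section 1.4.2.1 ..."), so the label will not render as link text; since this revision edits the adjacent cell, it is the place to fix it. Also, this hunk labels the Secure Software Contract Annex link "Project Secure Software Contract Annex" while the Line 68 hunk labels the same URL "Project Legal - Secure Software Contract Annex"; pick one label for the same target.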
Line 104: | Line 104: | ||
| valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#People.2C_Processes_and_Technology Part III- Section 1.5.3 "People, Processes and Technology"] | | valign="top" | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program#People.2C_Processes_and_Technology Part III- Section 1.5.3 "People, Processes and Technology"] | ||
| | | | ||
− | * [https://www.owasp.org/index.php/Category:BP1_Institute_awareness_programs] | + | * [https://www.owasp.org/index.php/Category:BP1_Institute_awareness_programs Project CLASP Institute Awareness Programs] |
* [https://www.owasp.org/index.php/Category:OWASP_Education_Project Education Projects] | * [https://www.owasp.org/index.php/Category:OWASP_Education_Project Education Projects] | ||
* [https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series Appsec Training Videos] | * [https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series Appsec Training Videos] |
Revision as of 07:53, 26 October 2013
Appendix B: Quick Reference to OWASP Guides & Projects
This quick reference maps typical CISO functions and information security domains to the relevant sections of the OWASP CISO Guide and to relevant OWASP projects.
To do:
- Check cross-references back to other parts of the guide and add links/anchors
- Check for other OWASP projects
CISO Function | Security Domain | OWASP CISO Guide | OWASP Projects
---|---|---|---
Develop and implement policies, standards and guidelines for application security | Standards and Policies | Part I - Section 1.3 "Information Security Standards, Policies and Compliance" |
Develop, implement and manage application security governance | Governance | Part III - Section 1.3.1 "Application Security Governance, Risk and Compliance" |
Develop and implement software security development and security testing processes | Security Engineering Processes | Part III - Section 1.4 "Targeting Software Security Activities and S-SDLC Processes"; Part III - Section 1.5 "How to Choose the Right OWASP Projects and Tools For Your Organization" |
Develop, articulate and implement a risk management strategy for applications | Risk Strategy | Part I - Section 1.4.4 "Risk Management Strategies"; Part II - "Criteria for Managing Application Security Risks" |
Work with executive management, business managers and internal audit and legal counsel to define application security requirements that can be verified and audited | Audit & Compliance | Part I - Section 1.3.2 "Capturing Application Security Requirements"; Part III - Section 1.3 "Addressing CISO's Application Security Functions" |
Measure and monitor security and risks of application assets within the organization | Risk Metrics & Monitoring | Part IV - "Selection of Metrics for Managing Risks & Application Security Investments" |
Define, identify and assess the inherent security of critical application assets, assess the threats, vulnerabilities, business impacts and recommend countermeasures/corrective actions | Risk Analysis & Management | Part I - Section 1.4 "Risk Management" |
Assess procurement of new application processes, services, technologies and security tools | Procurement | Part III - Section 1.4.2.1 "Assess Risks before Procurement of Third Party Components" |
Oversee the training on application security for development, operational and information security teams | Security Training | Part III - Section 1.5.3 "People, Processes and Technology" |
Develop, articulate and implement continuity planning/disaster recovery | Business Continuity / Disaster Recovery | Part IV - "Addressing CISO's Application Security Functions" |
Investigate and analyse suspected and actual application security incidents and recommend corrective actions | Incident Response | Part I - Section 1.4.6 "Addressing the Business Concerns after a Security Incident" |