This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "CISO AppSec Guide: Quick Reference to OWASP Guides & Projects"
From OWASP
Marco-cincy (talk | contribs) |
Marco-cincy (talk | contribs) |
||
| Line 82: | Line 82: | ||
[https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks#Part_II:_Criteria_for_Managing_Application_Security_Risks Part II Criteria for Managing Application Security Risks] | [https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks#Part_II:_Criteria_for_Managing_Application_Security_Risks Part II Criteria for Managing Application Security Risks] | ||
| | | | ||
| − | * OWASP Top Ten Risks | + | * [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten Risks] |
| − | |||
| − | |||
| − | |||
* [https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology OWASP Risk Rating Methodology] | * [https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology OWASP Risk Rating Methodology] | ||
| + | * [https://www.owasp.org/index.php/Threat_Risk_Modeling OWASP Threat Risk Modelling] | ||
| + | * [https://www.owasp.org/index.php/Application_Threat_Modeling OWASP Application Threat Modelling] | ||
|- | |- | ||
| valign="top" | Assess procurement of new application processes, services, technologies and security tools | | valign="top" | Assess procurement of new application processes, services, technologies and security tools | ||
Revision as of 21:59, 25 October 2013
< Back to the Application Security Guide For CISOs
Appendix B: Quick Reference to OWASP Guides & Projects
This quick reference maps typical CISO's functions and information security domains to different sections of the OWASP' CISO Guide and relevant OWASP projects.
To do:
- Check cross-references back to other parts of guie and add links/anchors
- Check for other OWASP projects
| CISO Function | Security Domain | OWASP CISO Guide | OWASP Projects |
|---|---|---|---|
| Develop and implement policies, standards and guidelines for application security | Standards and Policies | Part I - Section 1.3 "Information Security Standards, Policies and Compliance" | |
| Develop, implement and manage application security governance | Governance | Part III - Section 1.3.1 "Application Security Governance, Risk and Compliance" | |
| Develop and implement software security development and security testing processes | Security Engineering Processes | Part III - Section 1.4 "Targeting Software Security Activities and S-SDLC Processes"
Part III - Section 1.5 "How to Choose the Right OWASP Projects and Tools For Your Organization" |
|
| Develop, articulate and implement a risk management strategy for applications | Risk Strategy |
Part I - Section 1.4.4 "Risk Management Strategies" Part II - "Criteria for Managing Application Security Risks" |
|
| Work with executive management, business managers and internal audit and legal counsel to define application security requirements that can be verified and audited | Audit & Compliance | Part I - Section 1.3.2 "Capturing Application Security Requirements"
Part III - Section 1.3 "Addressing CISO's Application Security Functions" |
|
| Measure and monitor security and risks of application assets within the organization | Risk Metrics & Monitoring | Part IV - "Selection of Metrics for Managing Risks & Application Security Investments" |
|
| Define, identify and assess the inherent security of critical application assets, assess the threats, vulnerabilities, business impacts and recommend countermeasurers/corrective actions | Risk Analysis & Management | Part I - Section 1.4 "Risk Management" | |
| Assess procurement of new application processes, services, technologies and security tools | Procurement | [Part III - Section 1.4.2.1 "Assess Risks before Procurement of Third Party Components" |
|
| Oversee the training on application security for development, operational and information security teams | Security Training | Part III- Section 1.5.3 "People, Processes and Technology" |
|
| Develop, articulate and implement continuity planning/disaster recovery | Business Continuity / Disaster Recovery | Part IV - Addressing CISO's Application Security Functions" |
|
| Investigate and analyse suspected and actual application security incidents and recommend corrective actions | Incident Response | Part I Section 1.4.6 "Addressing the Business Concerns after a Security Incident" |
|
