This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Difference between revisions of "CISO AppSec Guide: Quick Reference to OWASP Guides & Projects"

Jump to: navigation, search
m (Appendix B: Quick Reference to OWASP Guides & Other Projects: Numbering)
Line 126: Line 126:
[[Category:OWASP CISO Survey Project]]

Latest revision as of 21:25, 6 February 2014

< Back to the Application Security Guide For CISOs

Appendix B: Quick Reference to OWASP Guides & Other Projects

This quick reference maps typical CISO's functions and information security domains to different sections of the OWASP' CISO Guide and relevant OWASP projects.

CISO Function Security Domain OWASP CISO Guide OWASP Projects
Develop and implement policies, standards and guidelines for application security Standards and Policies I-3 "Information Security Standards, Policies and Compliance"
Develop, implement and manage application security governance Governance III-3 "Application Security Governance, Risk and Compliance"
Develop and implement software security development and security testing processes Security Engineering Processes III-4 "Targeting Software Security Activities and S-SDLC Processes"

III-5 "How to Choose the Right OWASP Projects and Tools For Your Organization"

Develop, articulate and implement a risk management strategy for applications Risk Strategy

I-4 "Risk Management Strategies"

II "Criteria for Managing Application Security Risks"

III-4 "Security Strategy"

Work with executive management, business managers and internal audit and legal counsel to define application security requirements that can be verified and audited Audit & Compliance I-3 "Capturing Application Security Requirements"

III-3 "Addressing CISO's Application Security Functions"

Measure and monitor security and risks of application assets within the organization Risk Metrics & Monitoring IV "Selection of Metrics for Managing Risks & Application Security Investments"
Define, identify and assess the inherent security of critical application assets, assess the threats, vulnerabilities, business impacts and recommend countermeasures/corrective actions Risk Analysis & Management I-4 "Risk Management"

II "Criteria for Managing Application Security Risks"

Assess procurement of new application processes, services, technologies and security tools Procurement III-4 "Assess Risks before Procurement of Third Party Components"
Oversee the training on application security for development, operational and information security teams Security Training III-5 "People, Processes and Technology"
Develop, articulate and implement continuity planning/disaster recovery Business Continuity / Disaster Recovery III-3 "Addressing CISO's Application Security Functions"
Investigate and analyse suspected and actual application security incidents and recommend corrective actions Vulnerability Management & Incident Response I-4 "Addressing the Business Concerns after a Security Incident"