This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "CISO AppSec Guide v2: Introduction"

From OWASP
Jump to: navigation, search
Line 35: Line 35:
 
== Target Audience ==
 
== Target Audience ==
 
* Chief Information Security Officers (CISOs)
 
* Chief Information Security Officers (CISOs)
* Chief Security Officers (CSO)
+
* Security Development Operation (SecDevOps) Managers
* Security Development Operation Managers
 
  
 
[[Category:OWASP Application Security Guide For CISO Project]]
 
[[Category:OWASP Application Security Guide For CISO Project]]

Revision as of 09:24, 4 November 2017

< Back to the Application Security Guide For CISOs V2


Introduction

Among application security stakeholders, Chief Information Security Officers (CISOs) are responsible for application security from governance, compliance and risk perspectives. This guide seeks to help CISOs manage application security programs according to CISO roles, responsibilities, perspectives and needs.

This guide is also written for CISOs and managers responsible for implementing security in DevOps practices including initiating, creating and managing application security programs from the initial problem statement to delivery of the solution.

Application security best practices and OWASP resources are referenced throughout this guide. OWASP is a non profit organization whose mission is "making application security visible and empowering application security stakeholders with the right information for managing application security risks".

Scope

The scope of this guide is application security that is the security of applications and the security of the components of the application architecture such as web clients, web servers, application servers, databases and services as well as the security of software components and libraries that are either developed or integrated with the application. This does not include other aspects of security such as the security of the network infrastructure that supports the applications and constitutes a valued asset whose security properties such as confidentiality, integrity and availability need to be protected as well

Objectives

The guide assists CISOs and SecDevOps in managing application security through the phases of initiation, creation, management and process improvements. Tactical guidance is provided in the following aspects:

  • Assure compliance of applications with security regulations for privacy, data protection and information security
  • Leverage OWASP resources such as project documentation and tools
  • Manage application security from perspective or people/training, processes and tools/technologies
  • Manage application vulnerability risks and remediation based upon risk exposure to the business
  • Create awareness on cyber-threats targeting applications to focus on countermeasures
  • Operationalise application security assessments and provide support to development teams for continuous software security development and testing
  • Integration of existing applications with emerging technologies such as API, micro-services, cloud, virtualisation, biometrics
  • Alignment of application security strategy with business and IT strategy
  • Focus on process automation and process improvements
  • Be an agent of change in challenging corporate environments and trigger appropriate responses
  • Asking the right questions to gain visibility across the organisation (who does what questions)
  • Proactive risk management strategies
  • Capture lesson learned from past security incidents/data breaches
  • Setting roadmaps for process improvements

Target Audience

  • Chief Information Security Officers (CISOs)
  • Security Development Operation (SecDevOps) Managers