This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

CISO AppSec Guide v2: Introduction

Revision as of 01:35, 7 November 2017 by Marco-cincy (talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

< Back to the Application Security Guide For CISOs V2


The intent of this guide is to help Chief Information Security Officers (CISOs) and SecDevOps managers in the initiation, creation and management of new application security programs and initiatives within their organisation as well as for improvements of existing application security processes, standards, training and tools.

OWASP resources such as projects are referenced throughout this guide. These resources can be used by CISOs and SecDevOps managers for creating standards, conduct application security assessments, develop training modules for software developers. OWASP free tools for security testing of web application vulnerabilities are also referenced in this guide.


The scope of this guide is application security and the security of the components of the application architecture such as clients, servers, databases, services, software components and libraries. This scope of this guide does not cover other aspects that are essential to the security of the application such as network and infrastructure security.


This guide is written in alignment of OWASP mission main goal that is "making application security visible and empowering application security stakeholders with the right information for managing application security risks". Specifically we seek to provide guidance on the following aspects of the application security program:

  • Assuring compliance of applications with security regulations for privacy, data protection and information security
  • Leveraging OWASP resources such as project documentation and tools
  • Managing application security from perspective or people/training, processes and tools/technologies
  • Managing application vulnerability risks and remediation based upon risk exposure to the business
  • Creating awareness on cyber-threats targeting applications to focus on countermeasures
  • Operationalisation of application security assessments
  • Supporting development teams for continuous software security development and testing
  • Integration of existing applications with emerging technologies such as API, micro-services, cloud, virtualisation, biometrics
  • Creation of an application security strategy in alignment with business and IT strategy
  • Focusing on process automation and process improvements
  • Helping CISOs and SecDevOps managers to be an agent of change in challenging corporate environments and trigger appropriate responses
  • Help CISOs and SecDevOps to ask the right questions to gain visibility across the organisation (who does what questions)
  • Capturing the lesson learned from past security incidents/data breaches
  • Setting roadmaps for process improvements

Target Audience

  • Chief Information Security Officers (CISOs)
  • Security Development Operation (SecDevOps) Managers