
Difference between revisions of "CPWE"

From OWASP

Revision as of 19:36, 30 August 2012

Introduction

This OWASP cheat sheet for Chief Information Security Officers (CISO) is intended for an executive audience and for application security program assessors. It contains a list of application security program weaknesses that is intended to be built out over time, similar to MITRE's Common Weakness Enumeration (CWE) for software weaknesses. This list of program weaknesses is called the Common Program Weakness Enumeration (CPWE). The CPWE spans topics having to do with (1) institutionalization of an application security program and (2) systems development touch points. An example CPWE use case is an organization that has a SAMM or BSIMM assessment done and maps the findings to CPWE IDs. The mapping works much as one can generally configure software vulnerability assessment tools to map software weakness findings to CWE (or, e.g., the OWASP Top Ten), so that results can be compared apples to apples regardless of the program assessment methodology used, i.e. regardless of whether SAMM or BSIMM was used. Long-term goals for leveraging the CPWE potentially include creating an OWASP CISO Top Ten project that uses the CPWE as its input (i.e. that draws from the list), as a sort of brass ring for an OWASP CISO "guide".

Common Program Weakness Enumeration

The comprehensive CPWE dictionary view is below.

Insufficient Program Resources - (12)
xxxxxxxxxxx - (xx)
xxxxxxxxxxx - (xx)
xxxxxxxxxxx - (xx)
xxxxxxxxxxx - (xx)


"Insufficient Program Resources - (##)": if you only put someone on this half time, you'll continue limping along trying to start a secure software development program.

"Lack of Verification Capability - (##)": if you have, for instance, only a couple of people to get some elements of the program going, but not enough to have an enforcement/verification capability.

Etc. Initial entries, then e.g. (make a pass through sp) some top-level generic entries using sp, 5 generic, e.g.:

missing or inadequate implementation phase activities
risky or dangerous vendor service
risky or dangerous application or service integration ((split all these 'ors' into separate ones))
missing policy
missing standards
missing systems development activity
missing systems development gate
failure to track compliance activities
failure to track security bugs
failure to protect source code from theft
missing or inadequate developer training
no reusable common security control libraries
no secure coding standards
no minimum lifecycle activities
failure to address implicit contractual or regulatory requirements
failure to address explicit contractual or regulatory requirements
inappropriate or inadequate secure development lifecycle activity
portfolio posture blindness
application posture blindness
potentially material event (add ref to draft guidance)

Authors and Primary Editors

Mike Boberski - boberski_michael [at] bah.com

Other Cheatsheets

OWASP Cheat Sheets Project Homepage