Difference between revisions of "How to bootstrap the NIST risk management framework with verification activities"

Latest revision as of 13:11, 28 March 2009

OWASP Application Security Verification Standard (ASVS) can be used in support of the NIST risk management framework. This article describes one possible way to bootstrap the NIST risk management framework security life cycle with verification activities.

NIST risk management framework security life cycle

The NIST risk management framework security life cycle activities can be summarized as follows:

Categorize the information system
Select an initial set of security controls
Supplement the initial set of tailored security controls
Document the agreed-upon set of security controls
Implement the security controls
Assess the security controls
Authorize information system operation
Monitor and assess selected security controls

The NIST risk management framework security life cycle activities can be strengthened with verification activities using OWASP ASVS as follows:

NIST framework activity	Can ASVS be used?	Notes
Categorize the information system	No
Select an initial set of security controls	No
Supplement the initial set of tailored security controls	Yes	OWASP ASVS is an easy way to add web application and web service-specific security requirements, to guard against threats that are specific to web applications and web services.
Document the agreed-upon set of security controls	Yes	OWASP ASVS security architecture analyses can be used as input to system security plans.
Implement the security controls	Yes	OWASP ASVS verification requirements can be used to ensure security controls called by web applications and web services are designed, implemented, and called securely.
Assess the security controls	Yes	OWASP ASVS verifications can be performed to assess supplemented web application and web service technical security control requirements.
Authorize information system operation	No
Monitor and assess selected security controls	Yes	OWASP ASVS verifications can be performed during the life cycle at regular intervals, as a new on-going activity introduced into the existing life cycle.

@@ Line 1: / Line 1: @@
-[http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard (ASVS)] can be used in support of the NIST risk management framework. This article describes one possible way to bootstrap the NIST risk management framework security life cycle with verification activities.
+[[::Category:OWASP_Application_Security_Verification_Standard_Project |OWASP Application Security Verification Standard (ASVS)]] can be used in support of the NIST risk management framework. This article describes one possible way to bootstrap the NIST risk management framework security life cycle with verification activities.
@@ Line 17: / Line 17: @@
-The NIST risk management framework security life cycle activities can be augmented with verification activities using OWASP ASVS as follows:
+The NIST risk management framework security life cycle activities can be strengthened with verification activities using OWASP ASVS as follows:
@@ Line 26: / Line 26: @@
   | style="width:15%; background:#4058A0" align="center"|<font color="white">'''Notes'''
 |-
-|   style="width:15%; background:#FFDF80" |Categorize the information system    ||   style="width:15%; background:#FFDF80" |'''Yes'''     ||   style="width:15%; background:#FFDF80" |OWASP ASVS is an easy way to perform an initial review of a web service or web application, to determine its security posture.
+|   style="width:15%; background:#cccccc" |Categorize the information system    ||   style="width:15%; background:#cccccc" |No     ||   style="width:15%; background:#cccccc" |
 |-
 |   style="width:15%; background:#cccccc" |Select an initial set of security controls   || style="width:15%; background:#cccccc" |No ||  style="width:15%; background:#cccccc" |
@@ Line 32: / Line 32: @@
 |   style="width:15%; background:#FFDF80" |Supplement the initial set of tailored security controls   || style="width:15%; background:#FFDF80" |'''Yes''' ||  style="width:15%; background:#FFDF80" |OWASP ASVS is an easy way to add web application and web service-specific security requirements, to guard against threats that are specific to web applications and web services.
 |-
-|   style="width:15%; background:#FFDF80" |Document the agreed-upon set of security controls   || style="width:15%; background:#FFDF80" |'''Yes''' ||  style="width:15%; background:#FFDF80" |OWASP ASVS reports can be used as input to system security plans, since they include not just findings, but also security architecture analysis.
+|   style="width:15%; background:#FFDF80" |Document the agreed-upon set of security controls   || style="width:15%; background:#FFDF80" |'''Yes''' ||  style="width:15%; background:#FFDF80" |OWASP ASVS security architecture analyses can be used as input to system security plans.
 |-
-|   style="width:15%; background:#FFDF80" |Implement the security controls   || style="width:15%; background:#FFDF80" |'''Yes''' ||  style="width:15%; background:#FFDF80" |OWASP ASVS verification requirements can be used to design technical security controls for web applications and web services.
+|   style="width:15%; background:#FFDF80" |Implement the security controls   || style="width:15%; background:#FFDF80" |'''Yes''' ||  style="width:15%; background:#FFDF80" |OWASP ASVS verification requirements can be used to ensure security controls called by web applications and web services are designed, implemented, and called securely.
 |-
-|   style="width:15%; background:#FFDF80" |Assess the security controls   || style="width:15%; background:#FFDF80" |'''Yes''' ||  style="width:15%; background:#FFDF80" |OWASP ASVS verifications can be used to assess supplemented web application and web service technical security controls.
+|   style="width:15%; background:#FFDF80" |Assess the security controls   || style="width:15%; background:#FFDF80" |'''Yes''' ||  style="width:15%; background:#FFDF80" |OWASP ASVS verifications can be performed to assess supplemented web application and web service technical security control requirements.
 |-
 |   style="width:15%; background:#cccccc" |Authorize information system operation   || style="width:15%; background:#cccccc" |No ||  style="width:15%; background:#cccccc" |
 |-
-|   style="width:15%; background:#FFDF80" |Monitor and assess selected security controls   || style="width:15%; background:#FFDF80" |'''Yes''' ||  style="width:15%; background:#FFDF80" |OWASP ASVS verifications can be performed during the life cycle at regular intervals, as a new activity introduced into the life cycle.
+|   style="width:15%; background:#FFDF80" |Monitor and assess selected security controls   || style="width:15%; background:#FFDF80" |'''Yes''' ||  style="width:15%; background:#FFDF80" |OWASP ASVS verifications can be performed during the life cycle at regular intervals, as a new on-going activity introduced into the existing life cycle.
 |}

Difference between revisions of "How to bootstrap the NIST risk management framework with verification activities"

Latest revision as of 13:11, 28 March 2009

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools