This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Projects/OWASP Application Security Guide For CISOs Project

Revision as of 19:22, 19 December 2012 by Samantha Groves (talk | contribs)

Jump to: navigation, search
What does this OWASP project offer you?
What releases are available for this project?
what is this project?
Name: OWASP Application Security Guide For CISOs Project (home page)
Purpose: The purpose of this document is to guide the CISO in managing application security from initial problem statement to delivery of the solution. We start this journey with the creation of the business cases for investing in application security following with the awareness of threats targeting applications, the identification of the economical impacts, the determination of a risk mitigation strategy, the prioritization of the mitigation of the risk of vulnerabilities, the selection of security control measures to mitigate risks, the adoption of secure software development processes and maturity models and we conclude this journey with the selection of metrics for reporting and managing application security risk. More info about this project can be found in the introductory page of the guide
License: Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)
who is working on this project?
Project Leader(s):
  • Marco Morana @
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Key Contacts
  • Contact Marco Morana @ to contribute to this project
  • Contact Marco Morana @ to review or sponsor this project
current release
{{Template: {{{Application Security Guide for CISOs}}} project_name = OWASP Application Security Guide for CISOs project_home_page = OWASP_Application_Security_Guide_For_CISOs_Project release_name = OWASP Application security guide for CISOs release_date = 11/19/2013 release_description = first version

Among application security stakeholders, Chief Information Security Officers (CISOs) are responsible for application security from governance, compliance and risk perspectives. This guide seeks to help CISOs manage application security programs according to CISO roles, responsibilities, perspectives and needs. Application security best practices and OWASP resources are referenced throughout this guide. OWASP is a non profit organization whose mission is "making application security visible and empowering application security stakeholders with the right information for managing application security risks.This CISO guide is written to help CISOs that are responsible for managing application security programs from the information security and risk management perspectives. From the information security perspective, there is a need to protect the organization assets such as the citizen, client and customer sensitive data, the databases where this data is stored, the network infrastructure where the database servers reside and last but not least, the applications and software used to access and process this data. Besides business and user data, applications and software are among the assets that CISOs seek to protect. Some of these applications and software provide business critical functions to customers that generate revenues for the organization. Examples include applications and software that provide customers with business services as well as applications and software that are sold as products to the clients. In the case where software applications are considered business critical information assets, these should receive a specific focus in human resources, training, processes, standards and tools. The scope of this guide is the security of web applications and the security of the components of the architecture such as the security of web servers, application servers and databases. This does not include other aspects of security that are not related to the specific application. Such as the security of the network infrastructure that supports the applications and constitutes a valued asset whose security properties such as confidentiality, integrity and availability need to be protected as well"

release_license = Apache License 2.0 release_download_link = [1] leader_name1 = Marco Morana leader_email1 = [email protected] leader_username1 =marco-cincy leader_name2 = leader_email2 = leader_username2 = release_notes = first version released in 2013


last reviewed release
Not Yet Reviewed

other releases