[Owasp-leaders] CISO AppSec Cheat Sheet

Stanka Salamun stanka.salamun at acros.si
Tue Apr 6 04:58:49 EDT 2010

Hi all,

In our company we had an internal research project last year - we called it
MASS (Model for Application Security Strategy) - the main goal was to find a
simple way of answering two important questions:

1. How much appsec does my application actually need? The answer was a
classification of the application on a 0 to 6 level (0 - no appsec needed, 1 -
basic sec, 2 - public access, 3 - data, 4 - money, 5 - secret, 6 - life).
The names are just for understanding (or feeling the appsec importance) of the
main level for requirements.

2. What do I need to do in order to gain my target level of security? For that
we have 4 key activities (contractual obligations, security requirements,
security architecture, security testing) and 6 other activities (people,
security coding, testing of security functions, key vulnerabilities,
metrics, security standards and good practices).

Now we have 2 (quite simple) questionnaires - but unfortunately in Slovene
;( - together they should be filled in within 15-25 minutes, if you are familiar
with the application (you do not need to be an expert on the MASS model). Right
now we are targeting auditors and IT managers with it - actually some
security-aware people who are not appsec experts - so ideally also for

We used a lot of sources for compiling that - OWASP SAMM, SDL, OWASP
ASVS, ISO 15408, BSIMM, PCI-DSS, COBIT, SANS CAG, ISO 2700x - just to name
some of them, and I would say it is just a compilation (or extraction) of

At the end we tried to test the model on real data - we collected
information for all major public tenders in Slovenia in 2009 for building
software - we had circa 130 future projects in the stage of defined
requirements available. Because in the EU the documentation of the tenders is
generally public (or at least accessible under special circumstances) we had
the same data as the companies that competed for the job (and were forced to
give a price for it). From 130 we selected 37 (that we assumed are larger
than 500,000 EUR) and executed detailed research for them. Now I am
travelling from Ministry to Ministry explaining the results (which were not
in favor of their appsec) and suggesting the future efforts that are needed
in development and also in future tender documentation. We were lucky enough
that among the tenders there were some really critical ones such as our main
tax system, our health portal together with the personal health record,
documentation for the Ministry of Justice and others. We got an overview of how
security critical the applications in our country are and can at least give some
recommendations about what to do with them.

Why am I bothering you with such a long email? Well, I was already thinking
of making it an OWASP project, but I could not get myself into translating it
properly. Now I feel a little bit more obliged to do it because I told you
about it :). Because I am (obviously) not a native English speaker I do not
want to embarrass myself publicly by doing it lamely :). Before going into
all the trouble I would like to get some opinions about it from you and find
at least somebody who could clean up my messy English language for the

So what do you think? Could this be helpful for CISOs too? Is it something
interesting for OWASP?


-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Dave Wichers
Sent: Saturday, April 03, 2010 12:53 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] CISO AppSec Cheat Sheet

I'd rather not confuse the existing, pretty technical, cheat sheet series
with articles like this.

I do think helping CISOs would be useful. Would this essentially be a
summary of what OpenSAMM suggests organizations do?

The 2010 OWASP Top 10, which I intend to release by April 15 by the way, has
a new page that wasn't in the release candidate called What's next for
Organizations, to complement the What's next for Developers/Verifiers pages
that were already included.

This one page might essentially be the 'cheat sheet' you are looking for.

Jim - can you give me a bit more detail on what you think this article would
cover, and if you simply wrote it as an article, rather than a cheat sheet,
would it still serve its purpose?

Thanks, Dave

-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Friday, April 02, 2010 4:53 PM
To: owasp-leaders at lists.owasp.org
Subject: [Owasp-leaders] CISO AppSec Cheat Sheet

I was thinking of leading an effort to build an OWASP "CISO AppSec Cheat
Sheet" - would this effort duplicate another in OWASP?


Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager

OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
