[Owasp-leaders] CISO AppSec Cheat Sheet

dinis cruz dinis.cruz at owasp.org
Tue Apr 6 07:33:00 EDT 2010


(sorry, pressed 'send' too soon)

... talk to Paulo Coimbra (CCed) to set up a project

Dinis Cruz

On 6 Apr 2010, at 09:58, Stanka Salamun <stanka.salamun at acros.si> wrote:

> Hi all,
>
> In our company we had an internal research project last year - we called it MASS (Model for Application Security Strategy) - the main goal was to find a simple way of answering two important questions:
>
> 1. How much appsec does my application actually need? The answer was a classification of the application into a level from 0 to 6 (0 - no appsec needed, 1 - basic security, 2 - public access, 3 - data, 4 - money, 5 - secret, 6 - life). The names are just for understanding (or feeling the appsec importance) of the main level for requirements.
>
> 2. What do I need to do in order to reach my target level of security? For that we have 4 key activities (contractual obligations, security requirements, security architecture, security testing) and 6 other activities (people, secure coding, testing of security functions, key vulnerabilities, metrics, security standards and good practices).
>
> Now we have 2 (quite simple) questionnaires - but unfortunately in Slovene ;( - together they should take 15-25 minutes to fill in, if you are familiar with the application (you do not need to be an expert on the MASS model). Right now we are targeting auditors and IT managers with it - actually security-aware people who are not appsec experts - so ideally also CISOs.
>
> We used a lot of sources for compiling it - OWASP SAMM, SDL, OWASP ASVS, ISO 15408, BSIMM, PCI-DSS, COBIT, SANS CAG, ISO 2700x - just to name some of them, and I would say it is just a compilation (or extraction) of them.
>
> At the end we tried to test the model on real data - we collected information for all major public tenders in Slovenia in 2009 for building software - we had around 130 future projects at the stage of defined requirements available. Because in the EU the documentation of tenders is generally public (or at least accessible under special circumstances), we had the same data as the companies that competed for the job (and were forced to give a price for it). From the 130 we selected 37 (which we assumed were larger than 500,000 EUR) and did detailed research on them. Now I am travelling from Ministry to Ministry explaining the results (which were not in favor of their appsec) and suggesting the future efforts that are needed in development and also in future tender documentation. We were lucky enough that among the tenders there were some really critical ones such as our main tax system, our health portal together with personal health records, documentation for the Ministry of Justice and others. We got an overview of how security critical the applications in our country are and could at least give some recommendations about what to do with them.
>
> Why am I bothering you with such a long email? Well, I was already thinking of making it an OWASP project, but I could not get myself to translate it properly. Now I feel a little bit more obliged to do it because I told you about it :). Because I am (obviously) not a native English speaker I do not want to embarrass myself publicly by doing it lamely :). Before going to all the trouble I would like to get some opinions about it from you and find at least somebody who could clean up my messy English in the questionnaires.
>
> So what do you think? Could this be helpful for CISOs too? Is it something interesting for OWASP?
>
> Regards,
> Stanka
>
> -----Original Message-----
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Dave
> Wichers
> Sent: Saturday, April 03, 2010 12:53 AM
> To: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] CISO AppSec Cheat Sheet
>
> I'd rather not confuse the existing, pretty technical, cheat sheet series with articles like this.
>
> I do think helping CISOs would be useful. Would this essentially be a summary of what OpenSAMM suggests organizations do?
>
> The 2010 OWASP Top 10, which I intend to release by April 15 by the way, has a new page that wasn't in the release candidate called What's next for Organizations, to complement the What's next for Developers/Verifiers pages that were already included.
>
> This one page might essentially be the 'cheat sheet' you are looking for.
>
> Jim - can you give me a bit more detail on what you think this article would cover, and if you simply wrote it as an article, rather than a cheat sheet, would it still serve its purpose?
>
> Thanks, Dave
>
> -----Original Message-----
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jim Manico
> Sent: Friday, April 02, 2010 4:53 PM
> To: owasp-leaders at lists.owasp.org
> Subject: [Owasp-leaders] CISO AppSec Cheat Sheet
>
> I was thinking of leading an effort to build an OWASP "CISO AppSec Cheat Sheet" - would this effort duplicate another in OWASP?
>
> http://www.owasp.org/index.php/CISO_AppSec_Cheat_Sheet
>
> --
> Jim Manico
> OWASP Podcast Host/Producer
> OWASP ESAPI Project Manager
> http://www.manico.net
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
