OWASP Product Requirement Recommendations Library
Robert Grupe, CISSP CSSLP PE PMP
2014-11-28
Purpose
• Mission
– Provide a list of best-practice recommended security product requirements that can be easily used for new web application development projects.
– Provide an easy-to-use resource for minimizing security risks with currently recognized best-practice security controls.
• Objectives
– Improve end-product security design
– Enable efficient application security consideration and definition in the early PDLC phases (Scoping and Design)
• Reduce time and resource needs for project AppSec requirements discovery and definition
– Improve application development and testing estimations for security best practice and regulatory compliance
– Establish an industry-recognized best-practice benchmark standard that can be used to evaluate application security designs
– Make OWASP recommendations more accessible to business (non-technical) stakeholders
• Key Deliverable Outputs
– OWASP Product Requirement Recommendations Library
– Best Practice Work Flow Process Diagrams
– Categorization Taxonomy: Application Functionality, Risks, Controls
– Application and Content Security Best Practices Resource Links
Taxonomy: Requirements Categorizations
• Application Functionality
– User Registration
– Logon, etc.
• Security Control Category
– Access Control
– Data Encryption, etc.
• Testing Verification
– Inspection
– Programming, etc.
Key Audience / Personas
• Marketing Product Managers or Enterprise Application Business Analysts
– What security controls do I need to consider for my application (required for target market, service disruption prevention, etc.)?
– Cut-and-paste user stories and details for Requirements, Design, and Test documentation
• Defining baseline product functionality and design standards
• Planning and designing QA & UAT test objectives
– Evaluating proposed solution designs, plans, and costs
• Architects & Developers
– Checklist of security considerations for estimation and design
– UAT test targets for design
Context Diagram
Compliance & Standards
• Legal & Compliance
– HIPAA/HITRUST
– PCI
– EU Data Privacy
– US Data Protection
– Public Company: Sarbanes, etc.
• Best Practices Guidance/Standards
– NIST
– OWASP
– Vendors: Microsoft, Apple, etc.
Roadmap
Phases: 14/Q4–2015/Q1 (Initiation); 2015Q2 (PC); 2015Q3 (Mobile); 2015Q4
Goals
• Proposed Project Approval
• Recruitment
• Categorization Taxonomy 1st Draft
• PRRD 1st Comments Draft
• Corp Sponsors/Partners
• OWASP Cheat sheets in PPRD
• 1st Quarterly Release
• Mobile
• Regulatory Requirements
Planning
• Initial Project Backlog
• Plan/Roadmap/Sprints
Promotion
• OWASP Wiki Page
• PPT on SlideShare
• OWASP Mail List
• LinkedIn
• NewsBits MailList/Twitter for announcements
PR
Research
• Collaboration platform
• WebApp Security Controls Categorization Taxonomy
• WebApp Functionality Taxonomy
Current Kanban
Columns: Back Log | In-Work | Review | Completed
• OWASP Project final review & approval
• OWASP Project Set-up
• Project online collaboration setup
• Finalize project initial pages (11/26/14)
• Local chapter contact (11/1/14)
• Archived project re-assignable? (11/1/14)
• Initiation Process (11/1/14)
• Existing Project? No (11/1/14)
Team Contributor Roles
– SMEs: Standards & Regulations
• Initial requirements
• Monitor on-going updates
• OWASP guidance, HIPAA/HITRUST
– Authors
• Write new requirements from multiple sources
– Reviewers
• Editorial: formatting recommendations for authors
• Templates
– Promoters
– Project Management
• Collaboration Platform Management
• Progress Reporting (Sprints)
• Meetings Facilitation
• Membership management (access permissions)
• Posting Publications
• Distributing Announcements
Publication Process
• Online ongoing updates
– New items & categories
• Publication (Monthly/Quarterly)
– Export of online version
– Delete "Modified by" column (to reflect team ownership)
– Team Sign-Off (for items modified over the period)
– Posting of the published version for download
– Announcements
Project Management
• Project Methodology: Kanban
– Monthly
• Planning: Telcon
– Backlog grooming and next sprint selection
• Review: Telcon, open to anyone
• Retrospective: Telcon, Team Members only
– Weekly
• Team members email the Project Manager
• Project Manager creates a summary PPT and posts it
Collaboration Platform Needs
• List that can be
– Simultaneously edited
– Editor-definable columns and selection values
– Automatically record last modified user and time
– Exported to spreadsheet for publishing
• Manage user access and editing rights
• Hosted Solution Options
– Google Docs?
– SharePoint (Chrome, Firefox, and Safari supported)
• Microsoft free for non-profits
• http://www.1and1.com/ - would they sponsor for free?
• https://www.cloudappsportal.com/ - free??
Communications & Collaboration
• Announcements
– Email List: Project Reviews & Releases
– All Team, All SMEs (provided input/review)
• Team Coordination
– Collaborative Space: SharePoint
– Discussions: Yammer, Email, IM, Twitter?
– IM: Skype, Google Hangouts
• Meetings: GoToMeeting
• Backlog & Kanban: Trello
1st Review Meeting 2014-12-30?
• Welcome for all members and interested parties
• What has been done
• What is coming up next
• Follow-Ups
– Communication & Collaboration Preferences
• Channels
• Frequency
• Time of day/week
• Etc.
Contact Information 
Robert Grupe 
robert@rgrupe.com 
+1.314.278.7901 || skype:rgrupe 
http://rgrupe.com 
http://www.linkedin.com/in/rgrupe/
APPENDIX
SAMM Context 
Software Development, Construction

OWASP Product Requirement Recommendations Library Project Overview


Editor's Notes

  1. 1st version 2014-11-2
  2. 250 Word Description: The OWASP Product Requirement Recommendations Library is a list of best-practice recommended security product requirements that can be easily used for new web application development projects. The objectives are to:
     • Improve end-product security design
     • Enable efficient application security consideration and definition in the early PDLC phases (Scoping and Design)
     • Reduce time and resource needs for project AppSec requirements discovery and definition
     • Improve application development and testing estimations for security best practice and regulatory compliance
     • Establish an industry-recognized best-practice benchmark standard that can be used to evaluate application security designs
     • Make OWASP recommendations more accessible to business (non-technical) stakeholders