The OWASP Product Requirement Recommendations Library is a list of best-practice recommended security product requirements that can be easily used for new web application development projects. The objectives are to:
* Improve end-product security design
* Enable efficient application security consideration and definition in the early PDLC phases, Scoping and Design
* Reduce time and resource needs for project AppSec requirements discovery and definition
* Improve application development and testing estimations for security best practice and regulatory compliance
* Establish an industry-recognized best-practice benchmark standard that can be used to evaluate application security designs
* Make OWASP recommendations more accessible to business (non-technical) stakeholders
2. Purpose
• Mission
– Provide a list of best-practice recommended security product requirements that can be easily used for new web application development projects.
– Provide an easy-to-use resource for minimizing security risks with currently recognized best-practice security controls.
• Objectives
– Improve end-product security design
– Enable efficient application security consideration and definition in the early PDLC phases, Scoping and Design.
– Reduce time and resource needs for project AppSec requirements discovery and definition
– Improve application development and testing estimations for security best practice and regulatory compliance
– Establish an industry-recognized best-practice benchmark standard that can be used to evaluate application security designs
– Make OWASP recommendations more accessible to business (non-technical) stakeholders
• Key Deliverable Outputs
– OWASP Product Requirement Recommendations Library
– Best Practice Work Flow Process Diagrams
– Categorizations Taxonomy: Application Functionality, Risks, Controls
– Application and Content Security Best Practices Resources Links
3. Taxonomy:
Requirements Categorizations
• Application Functionality
– User Registration
– Logon, etc.
• Security Control Category
– Access Control
– Data Encryption, etc.
• Testing Verification
– Inspection
– Programming, etc.
4. Key Audience / Personas
• Marketing Product Managers or Enterprise Application Business Analysts
– What security controls do I need to consider for my application (required for target market, service disruption prevention, etc.)?
– Cut-and-paste user stories and details for Requirements, Design, and Test documentation
• Defining baseline product functionality and design standards
• Planning and designing QA & UAT test objectives
– Evaluating proposed solution designs, plans, and costs
• Architects & Developers
– Checklist of security considerations for estimation and design
– UAT test targets for design
6. Compliance & Standards
• Legal & Compliance
– HIPAA/HITRUST
– PCI
– EU Data Privacy
– US Data Protection
– Public Company: Sarbanes, etc.
• Best Practices Guidance/Standards
– NIST
– OWASP
– Vendors: Microsoft, Apple, etc.
10. Publication Process
• Online ongoing updates
– New items & categories
• Publication (Monthly / Quarterly)
– Export of online version
– Delete “Modified by” column (to reflect team ownership)
– Team Sign-Off (for items modified over the period)
– Posting of published version for download
– Announcements
11. Project Management
• Project Methodology: Kanban
– Monthly
• Planning: Telcon
– Backlog grooming and next sprint selection
• Review: Telcon - anyone
• Retrospective: Telcon Team Members only
– Weekly
• Team members email Project Manager
• Project Manager creates summary PPT and posts
12. Collaboration Platform Needs
• List that can be
– Simultaneously edited
– Editor definable columns and selection values
– Automatically record last modified user and time
– Export to spreadsheet for publishing
• Manage users access and editing rights
• Hosted Solution Options
– Google Docs ?
– SharePoint (Chrome, Firefox, and Safari supported)
• Microsoft free for non-profits
• http://www.1and1.com/ - would they Sponsor free?
• https://www.cloudappsportal.com/ - free??
14. 1st Review Meeting 2014-12-30?
• Welcome for all members and interested
• What has been done
• What coming up next
• Follow-Ups
– Communication & Collaboration Preferences
• Channels
• Frequency
• Time of day/week
• Etc.
15. Contact Information
Robert Grupe
robert@rgrupe.com
+1.314.278.7901 || skype:rgrupe
http://rgrupe.com
http://www.linkedin.com/in/rgrupe/