Application Security Guide for CISO

Among application security stakeholders, Chief Information Security Officers (CISOs) are responsible for application security from governance, compliance, and risk perspectives. This guide seeks to help CISOs manage application security programs according to CISO roles, responsibilities, perspectives, and needs. Application security best practices and OWASP resources are referenced throughout this guide. OWASP is a non-profit organization whose mission is “making application security visible and empowering application security stakeholders with the right information for managing application security risks”.


The main purpose of the Application Security Guide for CISOs is to give information security professionals who are responsible for delivering and managing application security programs (including security in the SDLC (S-SDLC)) easier access to the OWASP mission and the available OWASP resources (e.g. awareness guidelines, maturity models, top vulnerability research, and testing guides and tools).

This Working Session will demonstrate how OWASP resources can help them deliver and manage security in the SDLC (S-SDLC) processes.


The OWASP CISO guide provides a framework that can be used to manage application security programs, including software security, from governance, risk, and compliance perspectives.

Specifically, the guide helps to translate technical vulnerability risks into business risks. This helps information security managers communicate the risks posed by insecure web and mobile applications, including exploitation of vulnerabilities by threats arising from emerging technologies, and exposure to cyber-threats targeting web and mobile digital assets.

The guide helps CISOs navigate through the many OWASP resources so they can deliver and manage application security programs. Examples of some of the OWASP resources available include the following:

  • OWASP SAMM, a framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization
  • Information on incorporating security requirements in the design of web and mobile applications to ensure products and services comply with information security standards policies and data privacy regulations
  • OWASP coding guides, testing guides, and application security testing tools, in addition to OWASP resources for training & awareness, can help software development and engineering teams implement security reviews of source code and vulnerability testing
  • OWASP Top Ten, a powerful awareness document for web application security that helps to manage web and mobile application vulnerability risks, including emerging technology risks (e.g. cloud security, Software as a Service, web services), by communicating vulnerability risk exposure in terms of possible impacts to the business, such as loss of data confidentiality, integrity, and availability, as well as impacts to customers in terms of estimated monetary losses and reputational damage.


The target audience for this Working Session is:

  • Information security professionals who are responsible for managing and delivering application security programs, including security in the SDLC (S-SDLC)
  • Information security officers in senior management roles, including technology managers/directors responsible for managing software and application security
