Application Security Guide for CISO

Among application security stakeholders, Chief Information Security Officers (CISOs) are responsible for application security from governance, compliance, and risk perspectives. This guide seeks to help CISOs manage application security programs according to CISO roles, responsibilities, perspectives, and needs. Application security best practices and OWASP resources are referenced throughout this guide. OWASP is a non-profit organization whose mission is “making application security visible and empowering application security stakeholders with the right information for managing application security risks”.


The main purpose of the Application Security Guide for CISOs is to give information security professionals who are responsible for delivering and managing application security programs (including security in the SDLC (S-SDLC)) easier access to the OWASP mission and the available OWASP resources (e.g. awareness guidelines, maturity models, top vulnerability research, and testing guides and tools).

This Working Session will demonstrate how OWASP resources can help them deliver and manage security in the SDLC (S-SDLC) processes.


The OWASP CISO guide provides a framework that can be used to manage application security programs, including software security, from governance, risk, and compliance perspectives.

Specifically, the guide helps translate technical vulnerability risks into business risks. This helps information security managers communicate the risks posed by insecure web and mobile applications, including exploitation of vulnerabilities introduced by emerging technologies and exposure to cyber-threats targeting web and mobile digital assets.

The guide helps CISOs navigate through the many OWASP resources so they can deliver and manage application security programs. Examples of some of the OWASP resources available include the following:

  • OWASP SAMM, a framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization
  • Information on incorporating security requirements in the design of web and mobile applications to ensure products and services comply with information security standards, policies and data privacy regulations
  • OWASP coding guides, testing guides, and application security testing tools, in addition to OWASP resources for training & awareness, which can help software development and engineering teams implement security reviews of source code and vulnerability testing
  • OWASP Top Ten, a powerful awareness document for web application security that helps manage web and mobile application vulnerability risks, including emerging technology risks (e.g. cloud security, Software as a Service, web services), by communicating vulnerability risk exposure in terms of possible impacts to the business, such as loss of data confidentiality, integrity, and availability, as well as impacts to customers in terms of estimated monetary losses and reputational damage


The goals of the 2013 version of the Application Security Guide for CISOs were:

  1. Make Application Security and OWASP More Visible to Application Security Managers & CISOs
  2. Analyse Reasons for Adopting An Application Security Program by An Organisation (e.g. Tactical and Strategic)
  3. Explain Difference Between Technical Risks and Business Risks including How to Estimate Costs of Data Breaches
  4. Factor The impact of Emerging Technologies in Application Security Program (e.g. Mobile, Cloud, Web Services) and provide guidance
  5. Provide Examples of Metrics & Measurements for Vulnerability Risk Management

For the planned 2018 version, which problems and solutions/guidance can we expand upon? (NOTE: these will be assessed with expanded CISO survey questions):

  1. Impact of GDPR on AppSec and Recommendations (Including Outcomes of 2017 Summit CISO track)
  2. Emerging technology risks and Risk Mitigation Guidance (e.g. APIs and Micro-services, Biometrics)
  3. Evolving Threats Facing Web Applications (e.g. 0-day exploits of AppSec vulnerabilities) and solutions (e.g. improved attack detection with new tools such as RASP)
  4. Others (brainstorming)

Synopsis and Takeaways

Outcome 1 – What topics would you like covered in the new CISO guide? (unranked)

  • Incorporate reference to outcomes of 2017 Summit CISO track
  • Expand to include new tools/technologies
  • Expand to include compliance with GDPR
  • Expand on new emerging technology risks and provide risk mitigation guidance (e.g. API proliferation, micro-services/interoperability, biometrics, cloud (internal and external), and strategies for managing risk in cloud environments)
  • Expand on risk management strategies for vendors, provisioning, and supply-chain risks
  • Expand on new evolving threats facing web applications (e.g. 0-day exploits)
  • Add reference to handbooks and playbooks for CISO-managed processes
  • Where to provide guidance or where to put a focus, e.g., 5,000 applications in different countries, where to allocate security resources in such a situation
  • How to get visibility across the organisation – who is doing what. As CISO you need to know what changes are being made, and where
  • Corporate culture: how can a CISO be an agent of change and overcome cultural challenges? Knowing the corporate culture to enable CISO to function properly; trust is crucial to success
  • Success stories as examples of how to win – people can refer to these as a value-add – how can the CISO provide value to the business
  • Knowing the right questions to ask triggers the appropriate response and action
  • A proactive, strategic CISO is better than a reactive one: knowing to shift focus from fighting fires to ensuring the fires do not get out of control
  • After an incident, think about how to promote change; train people to think holistically not just about the incident, but about the impact of the incident
  • Involvement: the CISO should be involved in road mapping for future deployments and included in business development meetings so the CISO can plan ahead
  • Format: it was agreed that a handbook would have more value than a playbook, given that threats vary with company requirements

Outcome 2 – What type of question would you like included in the new CISO guide? (unranked)

  • Which of the organization's IT assets, networks or applications are considered most at risk of cyber-attacks?
  • Does your organization have a cyber-threat intelligence program and an attack monitoring/alert process?
  • Has your organization adopted an S-SDLC? If yes, which one? Does it include threat modeling?
  • Is application security seen as an investment or as a cost by your organization?
  • Does your planning of application security follow a long-term strategy (at least two years)?
  • Need to ask questions about how to map the scope, application, and business process perspectives
  • How to manage risk from third parties, private vs. public premises
  • How do you manage the risk for developing technologies, such as the Cloud?


The target audience for this Working Session is:

  • Information security professionals who are responsible for managing and delivering application security programs, including security in the SDLC (S-SDLC)
  • Information security officers in senior management roles, including technology managers/directors responsible for managing software and application security
