OWASP Product Requirement Recommendations Library Project Overview
Transcript of OWASP Product Requirement Recommendations Library Project Overview
Purpose
• Mission
– Provide a list of recommended best-practice security product requirements that can easily be used for new web application development projects.
– Provide an easy-to-use resource for minimizing security risks with currently recognized best-practice security controls.
• Objectives
– Improve end-product security design
– Enable efficient application security consideration and definition in the early PDLC phases (Scoping and Design)
– Reduce the time and resources needed for project AppSec requirements discovery and definition
– Improve application development and testing estimates for security best practice and regulatory compliance
– Establish an industry-recognized best-practice benchmark standard that can be used to evaluate application security designs
– Make OWASP recommendations more accessible to business (non-technical) stakeholders
• Key Deliverable Outputs
– OWASP Product Requirement Recommendations Library
– Best Practice Work Flow Process Diagrams
– Categorization Taxonomy: Application Functionality, Risks, Controls
– Application and Content Security Best Practices Resource Links
Taxonomy: Requirements Categorizations
• Application Functionality
– User Registration
– Logon, etc.
• Security Control Category
– Access Control
– Data Encryption, etc.
• Testing Verification
– Inspection
– Programming, etc.
Key Audience / Personas
• Marketing Product Managers or Enterprise Application Business Analysts
– What security controls do I need to consider for my application (required for target market, service disruption prevention, etc.)?
– Cut-and-paste user stories and details for Requirements, Design, and Test documentation
  • Defining baseline product functionality and design standards
  • Planning and designing QA & UAT test objectives
– Evaluating proposed solution designs, plans, and costs
• Architects & Developers
– Checklist of security considerations for estimation and design
– UAT test targets for design
Compliance & Standards
• Legal & Compliance
– HIPAA/HITRUST
– PCI
– EU Data Privacy
– US Data Protection
– Public Company: Sarbanes-Oxley, etc.
• Best Practice Guidance/Standards
– NIST
– OWASP
– Vendors: Microsoft, Apple, etc.
Roadmap
Phases: 2014/Q4–2015/Q1 (Initiation); 2015/Q2 (PC); 2015/Q3 (Mobile); 2015/Q4
Goals
• Proposed Project Approval
• Recruitment
• Categorization Taxonomy 1st Draft
• PRRD 1st Comments Draft
• Corp Sponsors/Partners
• OWASP Cheat Sheets in PRRD
• 1st Quarterly Release
• Mobile
• Regulatory Requirements
Planning
• Initial Project Backlog
• Plan/Roadmap/Sprints
Promotion
• OWASP Wiki Page
• PPT on SlideShare
• OWASP Mail List
• LinkedIn
• NewsBits
PR
• Mail List/Twitter for announcements
Research
• Collaboration platform
• WebApp Security Controls Categorization Taxonomy
• WebApp Functionality Taxonomy
Current Kanban
Columns: Backlog, In-Work, Review, Completed
• OWASP Project final review & approval
• OWASP Project Set-up
• Project online collaboration setup
• Finalize project initial pages (11/26/14)
• Local chapter contact (11/1/14)
• Archived project re-assignable? (11/1/14)
• Initiation Process (11/1/14)
• Existing Project? No (11/1/14)
Team Contributor Roles
– SMEs: Standards & Regulations
• Initial requirements
• Monitor on-going updates
• OWASP guidance, HIPAA/HITRUST,
– Authors
• Write new requirements from multiple sources
– Reviewers
• Editorial: formatting recommendations for authors
• Templates
– Promoters
– Project Management
• Collaboration Platform Management
• Progress Reporting (Sprints)
• Meetings Facilitation
• Membership management (access permissions)
• Posting Publications
• Distributing Announcements
Publication Process
• Online ongoing updates
– New items & categories
• Publication (Monthly/Quarterly)
– Export of the online version
– Delete the “Modified by” column (to reflect team ownership)
– Team sign-off (for items modified over the period)
– Posting of the publication for download
– Announcements
Project Management
• Project Methodology: Kanban
– Monthly
• Planning: telecon; backlog grooming and next sprint selection
• Review: telecon; open to anyone
• Retrospective: telecon; team members only
– Weekly
• Team members email the Project Manager
• Project Manager creates a summary PPT and posts it
Collaboration Platform Needs
• List that can be
– Simultaneously edited
– Editor-definable columns and selection values
– Automatically record last modified user and time
– Exported to a spreadsheet for publishing
• Manage user access and editing rights
• Hosted Solution Options
– Google Docs?
– SharePoint (Chrome, Firefox, and Safari supported)
  • Microsoft free for non-profits
  • http://www.1and1.com/ - would they sponsor for free?
  • https://www.cloudappsportal.com/ - free??
Communications & Collaboration
• Announcements
– Email List: Project Reviews & Releases
– All Team, All SMEs (provided input/review)
• Team Coordination
– Collaborative Space: SharePoint
– Discussions: Yammer, Email, IM, Twitter?
– IM: Skype, Google Hangouts
• Meetings: GoToMeeting
• Backlog & Kanban: Trello
1st Review Meeting 2014-12-30?
• Welcome to all members and interested parties
• What has been done
• What is coming up next
• Follow-Ups
– Communication & Collaboration Preferences
• Channels
• Frequency
• Time of day/week
• Etc.
Contact Information
Robert Grupe
+1.314.278.7901 || skype:rgrupe
http://rgrupe.com
http://www.linkedin.com/in/rgrupe/