Page 1: OWASP Product Requirement Recommendations Library Project Overview

OWASP Product Requirement Recommendations Library

robertGrupe, CISSP CSSLP PE PMP

2014-11-28

Page 2

Purpose

• Mission
– Provide a list of best-practice recommended security product requirements that can be easily used for new web application development projects.
– Provide an easy-to-use resource for minimizing security risks with currently recognized best-practice security controls.

• Objectives
– Improve end-product security design
– Enable efficient application security consideration and definition in the early PDLC phases, Scoping and Design
  • Reduce time and resource needs for project AppSec requirements discovery and definition
– Improve application development and testing estimations for security best practice and regulatory compliance
– Establish an industry-recognized best-practice benchmark standard that can be used to evaluate application security designs
– Make OWASP recommendations more accessible to business (non-technical) stakeholders

• Key Deliverable Outputs
– OWASP Product Requirement Recommendations Library
– Best Practice Work Flow Process Diagrams
– Categorization Taxonomy: Application Functionality, Risks, Controls
– Application and Content Security Best Practices Resource Links

Page 3

Taxonomy: Requirements Categorizations

• Application Functionality
– User Registration
– Logon, etc.

• Security Control Category
– Access Control
– Data Encryption, etc.

• Testing Verification
– Inspection
– Programming, etc.

Page 4

Key Audience / Personas

• Marketing Product Managers or Enterprise Application Business Analysts
– What security controls do I need to consider for my application (required for target market, service disruption prevention, etc.)?
– Cut-and-paste user stories and details for Requirements, Design, and Test documentation
  • Defining baseline product functionality and design standards
  • Planning and designing QA & UAT test objectives
– Evaluating proposed solution designs, plans, and costs

• Architects & Developers
– Checklist of security considerations for estimation and design
– UAT test targets for design

Page 5

Context Diagram

Page 6

Compliance & Standards

• Legal & Compliance
– HIPAA/HITRUST
– PCI
– EU Data Privacy
– US Data Protection
– Public Company: Sarbanes-Oxley, etc.

• Best Practices Guidance/Standards
– NIST
– OWASP
– Vendors: Microsoft, Apple, etc.

Page 7

Roadmap

Phases: 2014/Q4–2015/Q1 (Initiation) | 2015/Q2 (PC) | 2015/Q3 (Mobile) | 2015/Q4

Goals
– Initiation: Proposed Project Approval; Recruitment; Categorization Taxonomy 1st Draft; PRRD 1st Comments Draft
– 2015/Q2 (PC): Corp Sponsors/Partners; OWASP Cheat Sheets in PPRD; 1st Quarterly Release
– 2015/Q3 (Mobile): Mobile; Regulatory Requirements

Planning
– Initial Project Backlog
– Plan/Roadmap/Sprints

Promotion
– OWASP Wiki Page
– PPT on SlideShare
– OWASP Mail List
– LinkedIn
– NewsBits
– Mail List/Twitter for announcements

PR Research
– Collaboration platform
– WebApp Security Controls Categorization Taxonomy
– WebApp Functionality Taxonomy

Page 8

Current Kanban

Columns: Back Log | In-Work | Review | Completed

• OWASP Project final review & approval
• OWASP Project Set-up
• Project online collaboration setup
• Finalize project initial pages (11/26/14)
• Local chapter contact (11/1/14)
• Archived project re-assignable? (11/1/14)
• Initiation Process (11/1/14)
• Existing Project? No (11/1/14)

Page 9

Team Contributor Roles

– SMEs: Standards & Regulations
  • Initial requirements
  • Monitor on-going updates
  • OWASP guidance, HIPAA/HITRUST, …
– Authors
  • Write new requirements from multiple sources
– Reviewers
  • Editorial: formatting recommendations for authors
  • Templates
– Promoters
– Project Management
  • Collaboration Platform Management
  • Progress Reporting (Sprints)
  • Meetings Facilitation
  • Membership management (access permissions)
  • Posting Publications
  • Distributing Announcements

Page 10

Publication Process

• Online ongoing updates
– New items & categories

• Publication (Monthly/Quarterly)
– Export of online version
– Delete "Modified by" column (to reflect team ownership)
– Team Sign-Off (for items modified over the period)
– Posting of the publication for download
– Announcements

Page 11

Project Management

• Project Methodology: Kanban
– Monthly
  • Planning: Telcon – Backlog grooming and next sprint selection
  • Review: Telcon – anyone
  • Retrospective: Telcon – Team Members only
– Weekly
  • Team members email Project Manager
  • Project Manager creates summary PPT and posts

Page 12

Collaboration Platform Needs

• List that can be
– Simultaneously edited
– Editor-definable columns and selection values
– Automatically record last-modified user and time
– Exported to spreadsheet for publishing

• Manage user access and editing rights

• Hosted Solution Options
– Google Docs?
– SharePoint (Chrome, Firefox, and Safari supported)
  • Microsoft free for non-profits
  • http://www.1and1.com/ – would they sponsor free?
  • https://www.cloudappsportal.com/ – free??

Page 13

Communications & Collaboration

• Announcements
– Email List: Project Reviews & Releases
– All Team, All SMEs (provided input/review)

• Team Coordination
– Collaborative Space: SharePoint
– Discussions: Yammer, Email, IM, Twitter?
– IM: Skype, Google Hangouts

• Meetings: GoToMeeting
• Backlog & Kanban: Trello

Page 14

1st Review Meeting 2014-12-30?

• Welcome for all members and interested parties
• What has been done
• What is coming up next
• Follow-Ups
– Communication & Collaboration Preferences
  • Channels
  • Frequency
  • Time of day/week
  • Etc.

Page 15

Contact Information

Robert Grupe
[email protected]
+1.314.278.7901 || skype:rgrupe
http://rgrupe.com
http://www.linkedin.com/in/rgrupe/

Page 16

APPENDIX

Page 17

SAMM Context: Software Development, Construction