OWASP Product Requirement Recommendations Library: Project Overview


OWASP Product Requirement Recommendations Library

robertGrupe, CISSP CSSLP PE PMP

2014-11-28

Purpose

• Mission
  – Provide a list of best practice recommended security product requirements that can be easily used for new web application development projects.
  – Provide an easy-to-use resource for minimizing security risks with currently recognized best practice security controls.

• Objectives
  – Improve end-product security design
  – Enable efficient application security consideration and definition in the early PDLC phases (Scoping and Design)
  – Reduce time and resource needs for project AppSec requirements discovery and definition
  – Improve application development and testing estimations for security best practice and regulatory compliance
  – Establish an industry recognized best practice benchmark standard that can be used to evaluate application security designs
  – Make OWASP recommendations more accessible to business (non-technical) stakeholders

• Key Deliverable Outputs
  – OWASP Product Requirement Recommendations Library
  – Best Practice Work Flow Process Diagrams
  – Categorization Taxonomy: Application Functionality, Risks, Controls
  – Application and Content Security Best Practices Resource Links

Taxonomy: Requirements Categorizations

• Application Functionality
  – User Registration
  – Logon, etc.
• Security Control Category
  – Access Control
  – Data Encryption, etc.
• Testing Verification
  – Inspection
  – Programming, etc.

Key Audience / Personas

• Marketing Product Managers or Enterprise Application Business Analysts
  – What security controls do I need to consider for my application (required for target market, service disruption prevention, etc.)?
  – Cut-and-paste user stories and details for Requirements, Design, and Test documentation
  – Defining baseline product functionality and design standards
  – Planning and designing QA & UAT test objectives
  – Evaluating proposed solution designs, plans, and costs
• Architects & Developers
  – Checklist of security considerations for estimation and design
  – UAT test targets for design

Context Diagram (figure)

Compliance & Standards

• Legal & Compliance
  – HIPAA/HITRUST
  – PCI
  – EU Data Privacy
  – US Data Protection
  – Public Company: Sarbanes, etc.
• Best Practices Guidance/Standards
  – NIST
  – OWASP
  – Vendors: Microsoft, Apple, etc.

Roadmap

Phases: 14/Q4–2015/Q1 (Initiation), 2015/Q2 (PC), 2015/Q3 (Mobile), 2015/Q4

• Goals
  – Proposed Project Approval
  – Recruitment
  – Categorization Taxonomy 1st Draft
  – PRRD 1st Comments Draft
  – Corp Sponsors/Partners
  – OWASP Cheat Sheets in PPRD
  – 1st Quarterly Release
  – Mobile
  – Regulatory Requirements
• Planning
  – Initial Project Backlog
  – Plan/Roadmap/Sprints
• Promotion
  – OWASP Wiki Page
  – PPT on SlideShare
  – OWASP Mail List
  – LinkedIn
  – NewsBits Mail List/Twitter for announcements
• PR Research
  – Collaboration platform
  – WebApp Security Controls Categorization Taxonomy
  – WebApp Functionality Taxonomy

Current Kanban (columns: Back Log, In-Work, Review, Completed)

• OWASP Project final review & approval
• OWASP Project Set-up
• Project online collaboration setup
• Finalize project initial pages (11/26/14)
• Local chapter contact (11/1/14)
• Archived project re-assignable? (11/1/14)
• Initiation Process (11/1/14)
• Existing Project? No (11/1/14)

Team Contributor Roles

• SMEs: Standards & Regulations
  – Initial requirements
  – Monitor on-going updates
  – OWASP guidance, HIPAA/HITRUST
• Authors
  – Write new requirements from multiple sources
• Reviewers
  – Editorial: formatting recommendations for authors
  – Templates
• Promoters
• Project Management
  – Collaboration Platform Management
  – Progress Reporting (Sprints)
  – Meetings Facilitation
  – Membership management (access permissions)
  – Posting Publications
  – Distributing Announcements

Publication Process

• Online ongoing updates
  – New items & categories
• Publication (Monthly/Quarterly)
  – Export of online version
  – Delete “Modified by” column (to reflect team ownership)
  – Team Sign-Off (for items modified over the period)
  – Posting of the published version for download
  – Announcements

Project Management

• Project Methodology: Kanban
  – Monthly
    • Planning: Telcon – Backlog grooming and next sprint selection
    • Review: Telcon – anyone
    • Retrospective: Telcon – Team Members only
  – Weekly
    • Team members email Project Manager
    • Project Manager creates summary PPT and posts it

Collaboration Platform Needs

• List that can be
  – Simultaneously edited
  – Editor-definable columns and selection values
  – Automatically record last modified user and time
  – Exported to spreadsheet for publishing
• Manage user access and editing rights
• Hosted Solution Options
  – Google Docs?
  – SharePoint (Chrome, Firefox, and Safari supported)
    • Microsoft free for non-profits
    • http://www.1and1.com/ – would they sponsor for free?
    • https://www.cloudappsportal.com/ – free??

Communications & Collaboration

• Announcements
  – Email List: Project Reviews & Releases
  – All Team, All SMEs (who provided input/review)
• Team Coordination
  – Collaborative Space: SharePoint
  – Discussions: Yammer, Email, IM, Twitter?
  – IM: Skype, Google Hangouts
• Meetings: GoToMeeting
• Backlog & Kanban: Trello

1st Review Meeting 2014-12-30?

• Welcome for all members and interested parties
• What has been done
• What is coming up next
• Follow-Ups
  – Communication & Collaboration Preferences
    • Channels
    • Frequency
    • Time of day/week
    • Etc.

Contact Information

Robert Grupe

[email protected]

+1.314.278.7901 || skype:rgrupe

http://rgrupe.com

http://www.linkedin.com/in/rgrupe/

APPENDIX

SAMM Context: Software Development, Construction (figure)