2012-08-30

Common Program Weakness Enumeration:

← Older revision

Revision as of 20:45, 30 August 2012

(2 intermediate revisions by one user not shown)

Line 1:

Line 1:

= Introduction =

= Introduction =



This OWASP cheat sheet for [http://en.wikipedia.org/wiki/Chief_information_security_officer Chief Information Security Officers (CISO)] is intended for an executive audience and for application security program assessors. It contains a list of application security program weaknesses that is intended to be built out over time, similar to MITRE's Common Weakness Enumeration (CWE) for software weaknesses. This list of program weaknesses is called the Common Program Weakness Enumeration (CPWE). The CPWE spans topics having to do with both institutionalization of an application security program, and also systems development touch points. An example of a CPWE use case is an organization having a SAMM or BSIMM assessment done, and the findings are mapped to CPWE-ID. Mappings are done in a similar fashion as one can for example generally configure software vulnerability assessment tools to map software weakness findings to CWE (or e.g. OWASP Top Ten), so that one can compare apples to apples regardless of program assessment methodology.
I.e.
, regardless if
for example
SAMM or  BSIMM was used. Long-term goals for leveraging the CPWE potentially include creating an OWASP CISO Top Ten project using the CPWE as inputs (i.e. that draws from the list), as a sort of brass ring for an OWASP CISO "guide".

+

This OWASP cheat sheet for [http://en.wikipedia.org/wiki/Chief_information_security_officer Chief Information Security Officers (CISO)] is intended for an executive audience and for application security program assessors. It contains a list of application security program weaknesses that is intended to be built out over time, similar to MITRE's Common Weakness Enumeration (CWE) for software weaknesses. This list of program weaknesses is called the Common Program Weakness Enumeration (CPWE). The CPWE spans topics having to do with both institutionalization of an application security program, and also systems development touch points. An example of a CPWE use case is an organization having a SAMM or BSIMM assessment done, and the findings are mapped to CPWE-ID. Mappings are done in a similar fashion as one can for example generally configure software vulnerability assessment tools to map software weakness findings to CWE (or e.g. OWASP Top Ten), so that one can compare apples to apples regardless of program assessment methodology.
In this example
, regardless if SAMM or  BSIMM was used. Long-term goals for leveraging the CPWE potentially include creating an OWASP CISO Top Ten project using the CPWE as inputs (i.e. that draws from the list), as a sort of brass ring for an OWASP CISO "guide".

= Common Program Weakness Enumeration =

= Common Program Weakness Enumeration =
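Review bot: the reworded sentence "In this example, regardless if SAMM or BSIMM was used." now stands alone as a fragment; in the old text it continued the "I.e." of the preceding sentence. Suggest folding it into the previous sentence, e.g. "... so that one can compare apples to apples regardless of program assessment methodology, for example regardless of whether SAMM or BSIMM was used." This also fixes "regardless if" and the double space in "SAMM or  BSIMM".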

Line 6:

Line 6:

[[CPWE-ID: 12|Insufficient Program Resources - (12)]]

[[CPWE-ID: 12|Insufficient Program Resources - (12)]]

+

Organizational Culture Problems - (xx)

Missing Policy - (xx)

Missing Policy - (xx)

Missing Standards - (xx)

Missing Standards - (xx)
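Review bot: the new "Organizational Culture Problems - (xx)" entry has neither a CPWE-ID nor a wikilink, unlike "[[CPWE-ID: 12|Insufficient Program Resources - (12)]]" directly above it, and it carries no description. Since the introduction says assessment findings are to be mapped to CPWE-IDs, suggest either assigning an ID and linking it in the same form, or adding a one-line scope note so assessors can tell it apart from the neighbouring "Missing Policy" and "Missing Standards" entries until an ID exists.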

Line 28:

Line 29:

Weaknesses that Affect SDLC Maintenance Phase - (xx)

Weaknesses that Affect SDLC Maintenance Phase - (xx)

Weaknesses that Affect SDLC Disposal Phase - (xx)

Weaknesses that Affect SDLC Disposal Phase - (xx)

+

Supply Chain Issues - (xx)

+

Service-Oriented Architecture Issues - (xx)

+

Reusable Security Module Issues - (xx)

+

Cross-Organizational Solution Issues - (xx)

+

Migration Issues - (xx)

+

Data Center or Development Facility Issues - (xx)

+

Virtualization Issues - (xx)

Regulatory Cybersecurity Risk Disclosure Obligation Issues - (xx)

Regulatory Cybersecurity Risk Disclosure Obligation Issues - (xx)

Regulatory Cyber Incident Disclosure Obligation Issues - (xx)

Regulatory Cyber Incident Disclosure Obligation Issues - (xx)
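Review bot: the seven new entries ("Supply Chain Issues" through "Virtualization Issues") are inserted between the SDLC-phase weaknesses and the regulatory disclosure weaknesses with no grouping heading and no scope text, and several of them ("Data Center or Development Facility Issues", "Virtualization Issues") read as infrastructure topics rather than application security program weaknesses. Suggest a short heading for this group and one sentence per entry stating what an assessor should map to it, and, as the introduction's CPWE-ID mapping use case depends on stable identifiers, replacing "(xx)" with assigned IDs or an explicit "unassigned" marker.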
