Monday, January 16, 2017
Synergy Between the CISO and Application Development
CISOs must work collaboratively with the heads of Application Development to ensure a Secure Development Life Cycle process is being implemented and followed.
Developers must be following our secure coding standards.
Are secure ESAPI libraries being used?
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
An effective CISO must have some knowledge of Application Security best practices. OWASP, the Open Web Application Security Project, is a great resource for this. It is a not-for-profit international organization of volunteers who are passionate about secure coding and development. Most CISOs I have known, other than the few who came up as developers, are admittedly weak in this area, and will often rely heavily on the myriad tools and projects from OWASP. The most recognized is the OWASP Top 10, a broad consensus about what the most critical web application security flaws are.
Part of a good Application Development Security Strategy is having both static and dynamic application vulnerability scanning in place.
These scanning tools cannot simply be run out of the box; they need to be configured and tuned for the applications they scan.