OWASP Developer Guide

Security Gap Analysis

11. Security gap analysis

A security gap analysis is an activity where the information security posture of an organization is assessed and any shortfalls or operational gaps are identified. This activity can also be combined with a security gap evaluation, where the existing controls and processes are assessed for effectiveness and relevance. A security gap analysis is required to gain or maintain certification to a management system standard such as ISO 27001 ‘Information security, cybersecurity and privacy protection’.

The security gap analysis is often associated with Governance, Risk & Compliance activities, where compliance with a management system standard is periodically reviewed and updated. Guides and tools are useful for these compliance activities, and the OWASP projects SAMM, MASVS and ASVS provide information and advice on meeting management system standards.

Sections:

11.1 Guides
11.1.1 Software Assurance Maturity Model
11.1.2 Application Security Verification Standard
11.1.3 Mobile Application Security
11.2 Bug Logging Tool
The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.