A short thread on security frameworks.
1/ The further I go in my Info Sec career, the more value I'm finding in security frameworks. They help me to not fixate so much on noisy or shiny things, and also make sure we can "block and tackle" effectively.
2/ We've done a bunch this year with CIS 20 and NIST CSF. I'm finding both very helpful in organizing my thinking around security controls in our org, and how we plan and prioritize our roadmap.
3/ However, these seem to focus on Enterprise Security, and don't account very well for the work our Product Security teams do, for example. Almost all of what they work on (AuthN, AuthZ, encryption, input/output scrubbing, etc.) doesn't map very well onto CIS or NIST.
4/ The best we seem to have for Prod Sec or App Sec, as far as security frameworks, are OWASP Top 10 and CWE. But these strike me as lists of threats to mitigate, rather than lists of controls/countermeasures to deploy.