2/ We've done a bunch this year with CIS 20 and NIST CSF. I'm finding both very helpful in organizing my thinking around security controls in our org, and how we plan and prioritize or roadmap.
3/ However, these seem to focus on Enterprise Security, and don't account very well, for example, for the work our Product Security teams do. Almost all of what they work on (AuthN, AuthZ, encryption, input/output scrubbing, etc.) doesn't map very well onto CIS or NIST.
4/ The best we seem to have for Prod Sec or App Sec, as far as security frameworks, are OWASP Top 10 and CWE. But these strike me as lists of threats to mitigate, rather than lists of controls/countermeasures to deploy.
5/ Do we need to combine OWASP Top 10, CWE 25 (others?), invert them to create the superset of relevant countermeasures, and organize them into a comprehensive Application Security controls framework?
You're correct in that OWASP Top 10 is a list of prevalent threats. But OWASP also has numerous other docs. The OWASP secure coding checklist is probably what you're looking for. owasp.org/index.php/OWASP_Se…
NIST 800-53 is a near comprehensive collection of all security controls. However, you're right that it doesn't spell out exactly how to handle those controls from an appsec perspective.
Hey @bsterne have you looked at the product (web) security requirements in the ASVS 4.0 standard, or the mobile security MASVS standard? I believe these requirements are what you are looking for.
Hey, Jim! Indeed, @bilcorry pointed me to ASVS last night, and that looks pretty close to what I'm looking for. Thanks for replying.
It’s awesome that resources such as ASVS exist, and that there’s a friendly community of us that share this knowledge, and all of it is free. I’m personally grateful and thankful.

Sep 27, 2019 · 3:06 PM UTC

Thank @vanderaj @JoshCGrossman and @dcuthbert 🤙🏼 for all of their hard work on ASVS