Target Group: Anyone involved in software development Focus: technical/organizational Language: English Abstract ********** Building security into the software development and management practices of a company can be a daunting task. There are many elements to the equation: company structure, technology stacks, tools and processes, different stakeholders, competing priorities, etc. Implementing software assurance will have a significant, positive impact on an organization, yet trying to achieve this without a good framework often leads to marginal and unsustainable improvements. About the Speaker: ********************* Seba (https://twitter.com/Sebadele) is co-founder and CEO of Toreon. He started the Belgian OWASP chapter, co-leads the OWASP SAMM project, and co-founded the yearly BruCON conference. With a background in development and many years of experience in security, Seba has trained countless developers to create more secure software. He adapts application security models to the evolving field of DevOps and brings Threat Modeling to a wider audience (including teaching Whiteboard Hacking at Black Hat).

1. OWASP SAMM2 –
Your Dynamic Software
Security Journey
SBA Live Academy
Thursday, 14 May, 2020

2. Sebastien Deleersnyder
CEO Toreon
Belgian OWASP chapter founder
SAMM project co-leader

3. What is SAMM?
"The prime maturity model for software assurance that provides
an effective and measurable way for all types of organizations
to analyze and improve their software security posture.”

4. “Build in” software assurance
4
Design Build Test Production
vulnerability
scanning -
WAF
security testing
dynamic test
tools
coding guidelines
code reviews
static test tools
security
requirements /
threat modeling
reactiveproactive
Secure Development Lifecycle
(SAMM)

5. Why a maturity model?
Changes must be iterative while
working toward long-term goals
An organization’s
behavior changes
slowly over time
A solution must enable risk-based
choices tailored to the organization
There is no single recipe
that works for all
organizations
A solution must provide enough details
for non-security-people
Guidance related to
security activities must
be prescriptive
OWASP Software Assurance Maturity
Model (SAMM)
Overall, must be simple,
well-defined, and
measurable
Measurable
Actionable
Versatile

6. OWASP SAMM
https://owaspsamm.org/

7. Core structure

8. Per Level, SAMM defines...
• Objective
• Activities
• Results
• Success Metrics
• Costs
• Personnel
• Related Levels

9. SAMM2 security practice structure
Requirements Testing
Maturity Activities
Streams
A: Control
Verification
B: Misuse
/Abuse Testing
Level 1 - Opportunistically find
basic vulnerabilities and other
security issues.
Test for standard
security controls
Perform security
fuzzing testing
Level 2 - Perform implementation
review to discover application-
specific risks against the security
requirements.
Derive test cases
from known
security
requirements
Create and test
abuse cases and
business logic flaw
test
Level 3 - Maintain the application
security level after bug fixes,
changes or during maintenance
Perform regression
testing (with
security unit tests)
Denial of service and
security stress
testing

10. SAMM2 assessments
SAMM2 Toolbox:
https://github.com/OWASP/samm/tree/master/Supporting%20Resources/v2.0/toolbox

11. SAMM output

12. Owaspsamm.org and toolbox demo

13. How to use SAMM?
Quick-Start Guide

14. Project: SAMM CI/CD
•Single source of the truth (Github)
•Used to generate everything automatically
–Document, website
–Toolbox
–Applications

15. Current roadmap
V2.0: Jan 2020
2020:
•v2.1, 2.2, ...: iterative releases
•Agile/devops guidance
•Roadshows/trainings
•Benchmark

16. Try it !

17. •Talks
•Roundtables
•Workshops

18. Questions? Feedback? Input?
#project-samm github.com/OWASP/samm
Join through
https://owasp-slack.herokuapp.com/

19. SAMM newsletter
eepurl.com/gl9fb9

20. Credits
Bart De Win – Project Co-Leader, Belgium
Sebastien (Seba) Deleersnyder – Project Co-Leader, Belgium
Brian Glass – United States
Daniel Kefer – Germany
Yan Kravchenko – United States
Chris Cooper – United Kingdom
John DiLeo – New Zealand
Nessim Kisserli – Belgium
Patricia Duarte - Uruguay
John Kennedy - Sweden
Hardik Parekh - United States
John Ellingsworth - United States
Sebastian Arriada - Argentina
Brett Crawley – United Kingdom
...

21. Thank You to Our Sponsors

22. SUPPORT OWASP SAMM
Software powers the world,
but insecure software threatens safety, trust,
and economic growth.

23. Questions or Feedback ?

24. Thank you
info@owaspsamm.org
seba@owasp.org
seba@toreon.com