2. The web application security challenge
[Diagram: a typical deployment with firewalls, a hardened OS, web and application servers, databases, legacy systems, web services, directories, human resources and billing systems, and custom developed application code; an application attack passes through the network-layer defenses to reach the application layer.]
You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks.
Your security “perimeter” has huge holes at the application layer.
3. “Build in” software assurance
[Diagram: the lifecycle phases Design, Build, Test and Production, with assurance activities placed along them: security requirements / threat modeling; coding guidelines, code reviews, static test tools; security testing, dynamic test tools; vulnerability scanning, WAF. The activities are labelled from proactive to reactive.]
Secure Development Lifecycle (SAMM)
D B T P
SAMM
4. CLASP
• Comprehensive, Lightweight Application Security Process
• Centered around 7 AppSec Best Practices
• Covers the entire software lifecycle (not just development)
• Adaptable to any development process
• Defines roles across the SDLC
• 24 role-based process components
• Start small and dial in to your needs
5. Microsoft SDL
• Built internally for MS software
• Extended and made public for others
• MS-only versions since public release
7. BSIMM
• Gary McGraw’s and Cigital’s model
• Quantifies activities of software security initiatives of 51 firms
BSIMM – Open SAMM Mapping (derived from SAMM beta)
BSIMM Code | SAMM Code | BSIMM Activity | OpenSAMM Activity
SM 3.2 | - | run external marketing program | 0
T 3.3 | - | host external software security events | 0
CR 1.1 | CR 1.A | create top N bugs list (real data preferred) (T: training) | Create review checklists from known security requirements
CR 1.2 | CR 1.B | have SSG perform ad hoc review | Perform point-review of high-risk code
CR 1.4 | CR 2.A | use automated tools along with manual review | Utilize automated code analysis tools
CR 3.1 | CR 3.A | use automated tools with tailored rules | Customize code analysis for application-specific concerns
CR 3.3 | CR 3.A | build capability for eradicating specific bugs from entire codebase | Customize code analysis for application-specific concerns
CR 2.3 | CR 3.B | make code review mandatory for all projects | Establish release gates for code review
AA 1.1 | DR 1.B | perform security feature review | Analyze design against known security requirements
AA 2.1 | DR 2.A | define/use AA process | Inspect for complete provision of security mechanisms
AA 1.2 | DR 2.B | perform design review for high-risk applications | Deploy design review service for project teams
AA 1.3 | DR 2.B | have SSG lead review efforts | Deploy design review service for project teams
AA 2.2 | DR 3.A | standardize architectural descriptions (include data flow) | Develop data-flow diagrams for sensitive resources
SM 1.3 | EG 1.A | educate executives | Conduct technical security awareness training
T 1.1 | EG 1.A | provide awareness training | Conduct technical security awareness training
T 2.5 | EG 1.A | hold satellite training/events | Conduct technical security awareness training
SR 1.1 | EG 1.B | create security standards (T: sec features/design) | Build and maintain technical guidelines
SR 1.2 | EG 1.B | create security portal | Build and maintain technical guidelines
CP 2.5 | EG 2.A | promote executive awareness of compliance/privacy obligations | Conduct role-specific application security training
T 2.1 | EG 2.A | offer role-specific advanced curriculum (tools, technology stacks, bug parade) | Conduct role-specific application security training
T 2.2 | EG 2.A | create/use material specific to company history | Conduct role-specific application security training
T 2.4 | EG 2.A | offer on-demand individual training | Conduct role-specific application security training
T 3.2 | EG 2.A | provide training for vendors or outsource workers | Conduct role-specific application security training
T 3.4 | EG 2.A | require annual refresher | Conduct role-specific application security training
AA 2.3 | EG 2.B | make SSG available as AA resource/mentor | Utilize security coaches to enhance project teams
AA 3.1 | EG 2.B | have software architects lead review efforts | Utilize security coaches to enhance project teams
AM 2.4 | EG 2.B | build internal forum to discuss attacks (T: standards/req) | Utilize security coaches to enhance project teams
CR 2.5 | EG 2.B | assign tool mentors | Utilize security coaches to enhance project teams
SM 2.3 | EG 2.B | create or grow social network/satellite system | Utilize security coaches to enhance project teams
T 1.3 | EG 2.B | establish SSG office hours | Utilize security coaches to enhance project teams
8. Lessons Learned
• Microsoft SDL
  • Heavyweight, good for large ISVs
• Touchpoints
  • High-level, not enough details to execute against
• BSIMM
  • Stats, but what to do with them?
• CLASP
  • Large collection of activities, but no priority ordering
• ALL: Good for experts to use as a guide, but hard for non-security folks to use off the shelf
9. We need a Maturity Model
• An organization’s behavior changes slowly over time
• Changes must be iterative while working toward long-term goals
• There is no single recipe that works for all organizations
• A solution must enable risk-based choices tailored to the organization
• Guidance related to security activities must be prescriptive
• A solution must provide enough details for non-security people
• Overall, must be simple, well-defined, and measurable
OWASP Software Assurance Maturity Model (SAMM)
https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model
10. SAMM Security Practices
• From each of the Business Functions, 3 Security Practices are defined
• The Security Practices cover all areas relevant to software security assurance
• Each one is a ‘silo’ for improvement
11. Under each Security Practice
• Three successive Objectives under each Practice define how it can be improved over time
• This establishes a notion of a Level at which an organization fulfills a given Practice
• The three Levels for a Practice generally correspond to:
  • (0: Implicit starting point with the Practice unfulfilled)
  • 1: Initial understanding and ad hoc provision of the Practice
  • 2: Increase efficiency and/or effectiveness of the Practice
  • 3: Comprehensive mastery of the Practice at scale
12. Per Level, SAMM defines...
• Objective
• Activities
• Results
• Success Metrics
• Costs
• Personnel
• Related Levels
16. Education & Guidance
Resources:
• OWASP Top 10
• OWASP Education
• WebGoat
Give a man a fish and you feed him for a day;
Teach a man to fish and you feed him for a lifetime.
Chinese proverb
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
https://www.owasp.org/index.php/Category:OWASP_Education_Project
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
20. Secure Coding Practices Quick Reference Guide
• Technology agnostic coding practices
• What to do, not how to do it
• Compact, but comprehensive checklist format
• Focuses on secure coding requirements, rather than on vulnerabilities and exploits
• Includes a cross referenced glossary to get developers and security folks talking the same language
https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
22. The OWASP Enterprise Security API
[Diagram: a custom enterprise web application built on the Enterprise Security API, whose components are Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector and SecurityConfiguration; the API in turn sits on top of existing enterprise security services/libraries.]
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
25. Code Review
Resources:
• OWASP Code Review Guide
SDL Integration:
• Multiple reviews defined as deliverables in your SDLC
• Structured, repeatable process with management support
• Reviews are exit criteria for the development and test phases
https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
26. Code review tooling
Code review tools:
• OWASP LAPSE (security scanner for Java EE applications)
• MS FxCop / CAT.NET (Code Analysis Tool for .NET)
• Agnitio (open source manual source code review support tool)
https://www.owasp.org/index.php/OWASP_LAPSE_Project
http://www.microsoft.com/security/sdl/discover/implementation.aspx
http://agnitiotool.sourceforge.net/
28. Security Testing
Resources:
• OWASP ASVS
• OWASP Testing Guide
SDL Integration:
• Integrate dynamic security testing as part of your test cycles
• Derive test cases from the security requirements that apply
• Check business logic soundness as well as common vulnerabilities
• Review results with stakeholders prior to release
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
https://www.owasp.org/index.php/OWASP_Testing_Project
29. Security Testing
• Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications
• Provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually
Features:
• Intercepting proxy
• Automated scanner
• Passive scanner
• Brute force scanner
• Spider
• Fuzzer
• Port scanner
• Dynamic SSL Certificates
• API
• Beanshell integration
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
32. Web Application Firewalls
[Diagram: a web client (browser) sends legitimate and malicious web traffic over port 80 through the network firewall; a Web Application Firewall sits between the network firewall and the web server to filter out the malicious traffic.]
ModSecurity: World’s No. 1 open source Web Application Firewall
www.modsecurity.org
• HTTP Traffic Logging
• Real-Time Monitoring and Attack Detection
• Attack Prevention and Just-in-time Patching
• Flexible Rule Engine
• Embedded Deployment (Apache, IIS7 and Nginx)
• Network-Based Deployment (reverse proxy)
OWASP ModSecurity Core Rule Set Project: generic, plug-n-play set of WAF rules
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
40. Creating Scorecards
• Gap analysis
  • Capturing scores from detailed assessments versus expected performance levels
• Demonstrating improvement
  • Capturing scores from before and after an iteration of assurance program build-out
• Ongoing measurement
  • Capturing scores over consistent time frames for an assurance program that is already in place
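The three scorecard types above, worked over the Level 0-3 per Practice model from slide 11, as an added example that is not code from the OWASP SAMM project. It assumes the 12 SAMM 1.0 practice codes (three per Business Function); the assessment values are constructed sample data.

```python
# Added example (not OWASP SAMM project code): scorecard arithmetic over
# 12 Security Practices at Level 0-3. SAMM 1.0 codes; sample data constructed.
from typing import Dict, List, Tuple

# Three practices per Business Function, 12 in total.
PRACTICES = {
    "Governance": ["SM", "PC", "EG"],
    "Construction": ["TA", "SR", "SA"],
    "Verification": ["DR", "CR", "ST"],
    "Deployment": ["VM", "EH", "OE"],
}
ALL_PRACTICES = {p for ps in PRACTICES.values() for p in ps}
Scores = Dict[str, int]  # practice code -> Level 0 (unfulfilled) .. 3 (mastery)

def validate(scores: Scores) -> None:
    """Reject incomplete assessments or levels outside 0-3."""
    if set(scores) != ALL_PRACTICES:
        raise ValueError(f"scores must cover exactly {sorted(ALL_PRACTICES)}")
    bad = {p: lvl for p, lvl in scores.items() if lvl not in range(4)}
    if bad:
        raise ValueError(f"levels must be 0-3: {bad}")

def gap_analysis(current: Scores, target: Scores) -> Dict[str, int]:
    """Gap analysis: levels still missing per practice versus the expected
    performance level; practices already at or above target are left out."""
    validate(current)
    validate(target)
    return {p: target[p] - current[p] for p in sorted(current) if target[p] > current[p]}

def improvement(before: Scores, after: Scores) -> Dict[str, int]:
    """Demonstrating improvement: level change per practice across one
    iteration of program build-out; a negative value flags a regression."""
    validate(before)
    validate(after)
    return {p: after[p] - before[p] for p in sorted(before) if after[p] != before[p]}

def function_scores(scores: Scores) -> Dict[str, float]:
    """Roll each Business Function up to the mean level of its practices."""
    validate(scores)
    return {bf: sum(scores[p] for p in ps) / len(ps) for bf, ps in PRACTICES.items()}

def trend(history: List[Tuple[str, Scores]]) -> List[Tuple[str, float]]:
    """Ongoing measurement: overall mean level for each assessment period."""
    return [(period, sum(s.values()) / len(s)) for period, s in history]

# Constructed sample data: two assessment periods and a roadmap target.
Q1 = {"SM": 1, "PC": 0, "EG": 1, "TA": 0, "SR": 1, "SA": 0,
      "DR": 0, "CR": 1, "ST": 1, "VM": 0, "EH": 1, "OE": 0}
Q2 = dict(Q1, EG=2, TA=1, DR=1, CR=2)
TARGET = {p: 2 for p in ALL_PRACTICES}
```

Feeding `gap_analysis(Q2, TARGET)` into a roadmap template (next slide) tells you which practices still need a level step before the target is met.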
41. Roadmap templates
• To make the “building blocks” usable, SAMM defines Roadmap templates for typical kinds of organizations
  • Independent Software Vendors
  • Online Service Providers
  • Financial Services Organizations
  • Government Organizations
• Tune these to your own targets / speed
43. Critical Success Factors
• Get initiative buy-in from all stakeholders
• Adopt a risk-based approach
• Awareness / education is the foundation
• Integrate security in your development / acquisition and deployment processes
• Provide management visibility
44. Project Roadmap
Build the SAMM community:
• List of SAMM adopters
• Workshops at AppSecEU and AppSecUSA
V1.1:
• Incorporate tools / guidance / OWASP projects
• Revamp SAMM wiki
V2.0:
• Revise scoring model
• Model revision necessary? (12 practices, 3 levels, ...)
• Application to agile
• Roadmap planning: how to measure effort?
• Presentations & teaching material
• …
45. Get involved
• Use and donate back!
• Attend OWASP chapter meetings and conferences
• Support OWASP: become a personal/company member
https://www.owasp.org/index.php/Membership