The OWASP Foundation
http://www.owasp.org
OpenSAMM
Software Assurance Maturity Model
Seba Deleersnyder
seba@owasp.org
OWASP Foundation Board Member
OWASP Belgium Chapter Leader
SAMM project co-leader
OWASP
Europe Tour 2013
Geneva
The web application security challenge
Diagram: a typical deployment (firewall, hardened OS, web server, app server, inner firewall, databases, legacy systems, web services, directories, human resources, billing, and the custom developed application code) with an application attack passing straight through the network layer into the application layer.
You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks.
Your security “perimeter” has huge holes at the application layer.
“Build in” software assurance
Diagram: the Design, Build, Test and Production phases, with the reactive controls (vulnerability scanning, WAF, security testing, dynamic test tools) towards the Test and Production end and the proactive controls (coding guidelines, code reviews, static test tools, security requirements / threat modeling) towards the Design and Build end.
Secure Development Lifecycle (SAMM)
D B T P
SAMM
CLASP
• Comprehensive, Lightweight Application Security Process
• Centered around 7 AppSec Best Practices
• Covers the entire software lifecycle (not just development)
• Adaptable to any development process
• Defines roles across the SDLC
• 24 role-based process components
• Start small and dial in to your needs
Microsoft SDL
• Built internally for MS software
• Extended and made public for others
• MS-only versions since public release
Touchpoints
• Gary McGraw’s and Cigital’s model
BSIMM
• Gary McGraw’s and Cigital’s model
• Quantifies activities of software security initiatives of 51 firms
BSIMM – Open SAMM Mapping
Derived from SAMM beta
BSIMM code | SAMM code | BSIMM activity | OpenSAMM activity
SM 3.2 | | run external marketing program | 0
T 3.3 | | host external software security events | 0
CR 1.1 | CR 1.A | create top N bugs list (real data preferred) (T: training) | Create review checklists from known security requirements
CR 1.2 | CR 1.B | have SSG perform ad hoc review | Perform point-review of high-risk code
CR 1.4 | CR 2.A | use automated tools along with manual review | Utilize automated code analysis tools
CR 3.1 | CR 3.A | use automated tools with tailored rules | Customize code analysis for application-specific concerns
CR 3.3 | CR 3.A | build capability for eradicating specific bugs from entire codebase | Customize code analysis for application-specific concerns
CR 2.3 | CR 3.B | make code review mandatory for all projects | Establish release gates for code review
AA 1.1 | DR 1.B | perform security feature review | Analyze design against known security requirements
AA 2.1 | DR 2.A | define/use AA process | Inspect for complete provision of security mechanisms
AA 1.2 | DR 2.B | perform design review for high-risk applications | Deploy design review service for project teams
AA 1.3 | DR 2.B | have SSG lead review efforts | Deploy design review service for project teams
AA 2.2 | DR 3.A | standardize architectural descriptions (include data flow) | Develop data-flow diagrams for sensitive resources
SM 1.3 | EG 1.A | educate executives | Conduct technical security awareness training
T 1.1 | EG 1.A | provide awareness training | Conduct technical security awareness training
T 2.5 | EG 1.A | hold satellite training/events | Conduct technical security awareness training
SR 1.1 | EG 1.B | create security standards (T: sec features/design) | Build and maintain technical guidelines
SR 1.2 | EG 1.B | create security portal | Build and maintain technical guidelines
CP 2.5 | EG 2.A | promote executive awareness of compliance/privacy obligations | Conduct role-specific application security training
T 2.1 | EG 2.A | offer role-specific advanced curriculum (tools, technology stacks, bug parade) | Conduct role-specific application security training
T 2.2 | EG 2.A | create/use material specific to company history | Conduct role-specific application security training
T 2.4 | EG 2.A | offer on-demand individual training | Conduct role-specific application security training
T 3.2 | EG 2.A | provide training for vendors or outsource workers | Conduct role-specific application security training
T 3.4 | EG 2.A | require annual refresher | Conduct role-specific application security training
AA 2.3 | EG 2.B | make SSG available as AA resource/mentor | Utilize security coaches to enhance project teams
AA 3.1 | EG 2.B | have software architects lead review efforts | Utilize security coaches to enhance project teams
AM 2.4 | EG 2.B | build internal forum to discuss attacks (T: standards/req) | Utilize security coaches to enhance project teams
CR 2.5 | EG 2.B | assign tool mentors | Utilize security coaches to enhance project teams
SM 2.3 | EG 2.B | create or grow social network/satellite system | Utilize security coaches to enhance project teams
T 1.3 | EG 2.B | establish SSG office hours | Utilize security coaches to enhance project teams
Lessons Learned
• Microsoft SDL
  • Heavyweight, good for large ISVs
• Touchpoints
  • High-level, not enough details to execute against
• BSIMM
  • Stats, but what to do with them?
• CLASP
  • Large collection of activities, but no priority ordering
• ALL: Good for experts to use as a guide, but hard for non-security folks to use off the shelf
We need a Maturity Model
• An organization’s behavior changes slowly over time
• Changes must be iterative while working toward long-term goals
• There is no single recipe that works for all organizations
• A solution must enable risk-based choices tailored to the organization
• Guidance related to security activities must be prescriptive
• A solution must provide enough details for non-security people
• Overall, must be simple, well-defined, and measurable
OWASP
Software
Assurance
Maturity Model
(SAMM)
https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model
SAMM Security Practices
• From each of the Business Functions, 3 Security Practices are defined
• The Security Practices cover all areas relevant to software security assurance
• Each one is a ‘silo’ for improvement
Under each Security Practice
• Three successive Objectives under each Practice define how it can be improved over time
• This establishes a notion of a Level at which an organization fulfills a given Practice
• The three Levels for a Practice generally correspond to:
  • (0: Implicit starting point with the Practice unfulfilled)
  • 1: Initial understanding and ad hoc provision of the Practice
  • 2: Increase efficiency and/or effectiveness of the Practice
  • 3: Comprehensive mastery of the Practice at scale
Per Level, SAMM defines...
• Objective
• Activities
• Results
• Success Metrics
• Costs
• Personnel
• Related Levels
Strategy & Metrics
Policy & Compliance
Education & Guidance
Resources:
• OWASP Top 10
• OWASP Education
• WebGoat
Give a man a fish and you feed him for a day;
Teach a man to fish and you feed him for a lifetime.
Chinese proverb
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
https://www.owasp.org/index.php/Category:OWASP_Education_Project
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
OWASP Cheat Sheets
https://www.owasp.org/index.php/Cheat_Sheets
Threat Assessment
Security Requirements
Secure Coding Practices Quick Reference Guide
• Technology agnostic coding practices
• What to do, not how to do it
• Compact, but comprehensive checklist format
• Focuses on secure coding requirements, rather than on vulnerabilities and exploits
• Includes a cross-referenced glossary to get developers and security folks talking the same language
https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
Secure Architecture
The OWASP Enterprise Security API
Diagram: the Custom Enterprise Web Application calls the Enterprise Security API, which in turn sits on top of the Existing Enterprise Security Services/Libraries. ESAPI components shown: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration.
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Design Review
Code Review
Resources:
• OWASP Code Review Guide
SDL Integration:
• Multiple reviews defined as deliverables in your SDLC
• Structured, repeatable process with management support
• Reviews are exit criteria for the development and test phases
https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
Code review tooling
Code review tools:
• OWASP LAPSE (Security scanner for Java EE
Applications)
• MS FxCop / CAT.NET (Code Analysis Tool for
.NET)
• Agnitio (open source Manual source code review
support tool)
https://www.owasp.org/index.php/OWASP_LAPSE_Project
http://www.microsoft.com/security/sdl/discover/implementation.aspx
http://agnitiotool.sourceforge.net/
Security Testing
Resources:
• OWASP ASVS
• OWASP Testing Guide
SDL Integration:
• Integrate dynamic security testing as part of your test cycles
• Derive test cases from the security requirements that apply
• Check business logic soundness as well as common vulnerabilities
• Review results with stakeholders prior to release
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
https://www.owasp.org/index.php/OWASP_Testing_Project
Security Testing
• Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications
• Provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually
Features:
• Intercepting proxy
• Automated scanner
• Passive scanner
• Brute force scanner
• Spider
• Fuzzer
• Port scanner
• Dynamic SSL Certificates
• API
• Beanshell integration
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Vulnerability Management
Environment Hardening
Web Application Firewalls
Diagram: web client (browser) → network firewall → web application firewall → web server. Both legitimate and malicious web traffic pass the network firewall on port 80; the Web Application Firewall in front of the web server is the layer that inspects that traffic.
ModSecurity: world’s no. 1 open source Web Application Firewall
www.modsecurity.org
• HTTP Traffic Logging
• Real-Time Monitoring and Attack Detection
• Attack Prevention and Just-in-time Patching
• Flexible Rule Engine
• Embedded Deployment (Apache, IIS7 and Nginx)
• Network-Based Deployment (reverse proxy)
OWASP ModSecurity Core Rule Set Project: generic, plug-n-play set of WAF rules
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
Operational Enablement
150+ OWASP Projects
PROTECT
Tools: AntiSamy Java/.NET, Enterprise Security API (ESAPI), ModSecurity Core Rule Set Project
Docs: Development Guide, .NET, Ruby on Rails Security Guide, Secure Coding Practices - Quick Reference Guide
DETECT
Tools: JBroFuzz, Live CD, WebScarab, Zed Attack Proxy
Docs: Application Security Verification Standard, Code Review Guide, Testing Guide, Top Ten Project
LIFE CYCLE
SAMM, WebGoat, Legal Project
Mapping Projects / SAMM
Project | Type | Level | SAMM Practice | Remarks
Broken Web Applications | Tools | Labs | EG1 |
CSRFTester | Tools | Labs | ST1 |
EnDe | Tools | Labs | ST1 |
Fiddler Addons for Security Testing | Tools | Labs | ST1 |
Forward Exploit Tool | Tools | Labs | ST1 |
Hackademic Challenges | Tools | Labs | EG1 |
Hatkit Datafiddler | Tools | Labs | ST1 |
Hatkit Proxy | Tools | Labs | ST1 |
HTTP POST | Tools | Labs | ST1 |
Java XML Templates | Tools | Labs | SA2 |
JavaScript Sandboxes | Tools | Labs | not applicable |
Joomla Vulnerability Scanner | Tools | Labs | ST1 |
LAPSE | Tools | Labs | CR2 |
Mantra Security Framework | Tools | Labs | ST1 |
Mutillidae | Tools | Labs | EG1 |
O2 | Tools | Labs | ST2 |
Orizon | Tools | Labs | CR2 |
Scrubbr | Tools | Labs | ST1 |
Security Assurance Testing of Virtual Worlds | Tools | Labs | ST1 |
Vicnum | Tools | Labs | EG1 |
Wapiti | Tools | Labs | ST1 |
Web Browser Testing System | Tools | Labs | ST1 |
WebScarab | Tools | Labs | ST1 |
Webslayer | Tools | Labs | ST1 |
WSFuzzer | Tools | Labs | ST1 |
Yasca | Tools | Labs | CR2 |
AppSec Tutorials | Documentation | Labs | EG1 |
AppSensor | Documentation | Labs | EH3 |
AppSensor | Documentation | Labs | SA2 |
Cloud 10 | Documentation | Labs | EG1 |
CTF | Documentation | Labs | EG1 |
Fuzzing Code | Documentation | Labs | ST1 |
Legal | Documentation | Labs | SR3 |
Podcast | Documentation | Labs | EG1 |
Virtual Patching Best Practices | Documentation | Labs | EH3 |
AntiSamy | Code | Flagship | SA2 |
Enterprise Security API | Code | Flagship | SA3 |
ModSecurity Core Rule Set | Code | Flagship | EH3 |
CSRFGuard | Code | Flagship | SA2 |
Web Testing Environment | Tools | Flagship | ST2 |
WebGoat | Tools | Flagship | EG2 |
Zed Attack Proxy | Tools | Flagship | ST2 |
Application Security Verification Standard | Documentation | Flagship | DR2 | ASVS-L4
Application Security Verification Standard | Documentation | Flagship | CR3 | ASVS-L4
Application Security Verification Standard | Documentation | Flagship | ST3 | ASVS-L4
Code Review Guide | Documentation | Flagship | CR1 |
Codes of Conduct | Documentation | Flagship | not applicable |
Development Guide | Documentation | Flagship | EG1 |
Secure Coding Practices - Quick Reference Guide | Documentation | Flagship | SR1 |
Software Assurance Maturity Model | Documentation | Flagship | SM1 | Recursiveness :-)
Testing Guide | Documentation | Flagship | ST1 |
Top Ten | Documentation | Flagship | EG1 |
Coverage
Number of mapped OWASP projects per SAMM Security Practice and Level, with the per-practice totals and the Business Function total:
Governance (Strategy & Metrics, Policy & Compliance, Education & Guidance)
SM1 1  PC1 0  EG1 10
SM2 0  PC2 0  EG2 1
SM3 0  PC3 0  EG3 0
Totals: SM 1, PC 0, EG 11; Governance 12
Construction (Threat Assessment, Security Requirements, Secure Architecture)
TA1 0  SR1 1  SA1 0
TA2 0  SR2 0  SA2 4
TA3 0  SR3 1  SA3 1
Totals: TA 0, SR 2, SA 5; Construction 7
Verification (Design Review, Code Review, Security Testing)
DR1 0  CR1 1  ST1 18
DR2 1  CR2 3  ST2 3
DR3 0  CR3 1  ST3 1
Totals: DR 1, CR 5, ST 22; Verification 28
Deployment (Vulnerability Management, Environment Hardening, Operational Enablement)
VM1 0  EH1 0  OE1 0
VM2 0  EH2 0  OE2 0
VM3 0  EH3 3  OE3 0
Totals: VM 0, EH 3, OE 0; Deployment 3
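To show how the Coverage grid follows from the project mapping table, here is an added Python example (not code from the OpenSAMM project or the slides): it parses the mapping rows as listed on the slides and aggregates them into one count per Security Practice and Level plus the Business Function totals. The SAMM structure and practice codes are the ones used on the slides; the mapping text block is constructed from the slide table.

```python
"""Rebuild the SAMM "Coverage" scorecard from the "Mapping Projects / SAMM" table.

Constructed example, not code from the OpenSAMM project: the mapping rows
below are copied from the slides, and the aggregation reproduces the
Coverage grid (one count per Security Practice and Level, plus the totals
per practice and per Business Function).
"""
from __future__ import annotations

from collections import Counter

# SAMM 1.0 layout: 4 Business Functions x 3 Security Practices x 3 Levels.
# Practice codes are the two-letter abbreviations used on the slides.
BUSINESS_FUNCTIONS = {
    "Governance":   ("SM", "PC", "EG"),
    "Construction": ("TA", "SR", "SA"),
    "Verification": ("DR", "CR", "ST"),
    "Deployment":   ("VM", "EH", "OE"),
}
LEVELS = (1, 2, 3)

# One "<practice><level> <project>" entry per mapping row (constructed from the
# slide table). Projects mapped to several practices (AppSensor, ASVS) appear
# once per practice; rows marked "not applicable" on the slides use "-".
MAPPING_ROWS = """
EG1 Broken Web Applications; ST1 CSRFTester; ST1 EnDe; ST1 Fiddler Addons for Security Testing;
ST1 Forward Exploit Tool; EG1 Hackademic Challenges; ST1 Hatkit Datafiddler; ST1 Hatkit Proxy;
ST1 HTTP POST; SA2 Java XML Templates; - JavaScript Sandboxes; ST1 Joomla Vulnerability Scanner;
CR2 LAPSE; ST1 Mantra Security Framework; EG1 Mutillidae; ST2 O2; CR2 Orizon; ST1 Scrubbr;
ST1 Security Assurance Testing of Virtual Worlds; EG1 Vicnum; ST1 Wapiti;
ST1 Web Browser Testing System; ST1 WebScarab; ST1 Webslayer; ST1 WSFuzzer; CR2 Yasca;
EG1 AppSec Tutorials; EH3 AppSensor; SA2 AppSensor; EG1 Cloud 10; EG1 CTF; ST1 Fuzzing Code;
SR3 Legal; EG1 Podcast; EH3 Virtual Patching Best Practices;
SA2 AntiSamy; SA3 Enterprise Security API; EH3 ModSecurity Core Rule Set; SA2 CSRFGuard;
ST2 Web Testing Environment; EG2 WebGoat; ST2 Zed Attack Proxy;
DR2 Application Security Verification Standard; CR3 Application Security Verification Standard;
ST3 Application Security Verification Standard; CR1 Code Review Guide; - Codes of Conduct;
EG1 Development Guide; SR1 Secure Coding Practices - Quick Reference Guide;
SM1 Software Assurance Maturity Model; ST1 Testing Guide; EG1 Top Ten
"""

VALID_CODES = {code for codes in BUSINESS_FUNCTIONS.values() for code in codes}


def parse_mapping(text: str) -> list[tuple[str, str, int | None]]:
    """Return (project, practice, level) triples; level is None for 'not applicable'."""
    rows = []
    for entry in text.replace("\n", " ").split(";"):
        entry = entry.strip()
        if not entry:
            continue
        tag, project = entry.split(" ", 1)
        if tag == "-":
            rows.append((project, "", None))
            continue
        practice, level = tag[:2], int(tag[2:])
        # Reject anything that is not a real SAMM practice/level rather than
        # silently creating a new scorecard cell for it.
        if practice not in VALID_CODES or level not in LEVELS:
            raise ValueError(f"unknown SAMM practice/level {tag!r} for {project!r}")
        rows.append((project, practice, level))
    return rows


def coverage(rows) -> Counter:
    """Count mapped projects per (practice, level) cell; unmapped rows are ignored."""
    return Counter((practice, lvl) for _, practice, lvl in rows if lvl is not None)


def function_totals(cells: Counter) -> dict[str, int]:
    """Sum all cells of the three practices under each Business Function."""
    return {
        bf: sum(cells[(p, lvl)] for p in practices for lvl in LEVELS)
        for bf, practices in BUSINESS_FUNCTIONS.items()
    }


def render(cells: Counter) -> str:
    """Text rendering in the same layout as the slide's Coverage grid."""
    lines = []
    for bf, practices in BUSINESS_FUNCTIONS.items():
        lines.append(bf)
        for lvl in LEVELS:
            lines.append("  " + "  ".join(f"{p}{lvl} {cells[(p, lvl)]:2d}" for p in practices))
        per_practice = [sum(cells[(p, lvl)] for lvl in LEVELS) for p in practices]
        lines.append("  totals " + ", ".join(f"{p} {n}" for p, n in zip(practices, per_practice))
                     + f"; {bf} {sum(per_practice)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(coverage(parse_mapping(MAPPING_ROWS))))
```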
Get started
• Step 1: as-is questionnaire
• Step 2: define your maturity goal
• Step 3: define phased roadmap
Conducting assessments
SAMM includes assessment worksheets for each Security Practice
Assessment process
Supports both lightweight and detailed assessments
Creating Scorecards
• Gap analysis
  • Capturing scores from detailed assessments versus expected performance levels
• Demonstrating improvement
  • Capturing scores from before and after an iteration of assurance program build-out
• Ongoing measurement
  • Capturing scores over consistent time frames for an assurance program that is already in place
Roadmap templates
• To make the “building blocks” usable, SAMM defines Roadmap templates for typical kinds of organizations
  • Independent Software Vendors
  • Online Service Providers
  • Financial Services Organizations
  • Government Organizations
• Tune these to your own targets / speed
SAMM Resources
www.opensamm.org
• Presentations
• Tools
• Assessment worksheets / templates
• Roadmap templates
• Scorecard chart generation
• Translations (Spanish / Japanese)
• SAMM mappings to ISO/IEC 27034 / BSIMM
Critical Success Factors
• Get initiative buy-in from all stakeholders
• Adopt a risk-based approach
• Awareness / education is the foundation
• Integrate security in your development /
acquisition and deployment processes
• Provide management visibility
Project Roadmap
Build the SAMM community:
• List of SAMM adopters
• Workshops at AppSecEU and AppSecUSA
V1.1:
• Incorporate tools / guidance / OWASP projects
• Revamp SAMM wiki
V2.0:
• Revise scoring model
• Model revision necessary? (12 practices, 3 levels, ...)
• Application to agile
• Roadmap planning: how to measure effort?
• Presentations & teaching material
• …
Get involved
• Use and donate back!
• Attend OWASP chapter meetings and conferences
• Support OWASP: become a personal/company member
https://www.owasp.org/index.php/Membership
Q&A
Thank you
• @sebadele
• seba@owasp.org
• seba@deleersnyder.eu
• www.linkedin.com/in/sebadele

Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet  PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet  PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
 
PROCESS RECORDING FORMAT.docx
PROCESS      RECORDING        FORMAT.docxPROCESS      RECORDING        FORMAT.docx
PROCESS RECORDING FORMAT.docx
 

3830100.ppt

  • 1. The OWASP Foundation http://www.owasp.org OpenSAMM Software Assurance Maturity Model Seba Deleersnyder seba@owasp.org OWASP Foundation Board Member OWASP Belgium Chapter Leader SAMM project co-leader OWASP Europe Tour 2013 Geneva
  • 2. The web application security challenge [architecture diagram: Firewall, Hardened OS, Web Server, App Server, Firewall, Databases, Legacy Systems, Web Services, Directories, Human Resrcs, Billing, Custom Developed Application Code; an APPLICATION ATTACK passes through the Network Layer into the Application Layer] You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks. Your security “perimeter” has huge holes at the application layer.
  • 3. “Build in” software assurance [SDLC diagram, ordered from reactive to proactive: Production: vulnerability scanning - WAF; Test: security testing, dynamic test tools; Build: coding guidelines, code reviews, static test tools; Design: security requirements / threat modeling] Secure Development Lifecycle (SAMM) D B T P SAMM
  • 4. CLASP • Comprehensive, Lightweight Application Security Process • Centered around 7 AppSec Best Practices • Cover the entire software lifecycle (not just development) • Adaptable to any development process • Defines roles across the SDLC • 24 role-based process components • Start small and dial-in to your needs
  • 5. Microsoft SDL • Built internally for MS software • Extended and made public for others • MS-only versions since public release
  • 6. Touchpoints • Gary McGraw’s and Cigital’s model
  • 7. BSIMM • Gary McGraw’s and Cigital’s model • Quantifies activities of software security initiatives of 51 firms
    BSIMM – Open SAMM Mapping (derived from SAMM beta)
    BSIMM Code | SAMM Code | BSIMM Activity | OpenSAMM Activity
    SM 3.2 |        | run external marketing program | 0
    T 3.3  |        | host external software security events | 0
    CR 1.1 | CR 1.A | create top N bugs list (real data preferred) (T: training) | Create review checklists from known security requirements
    CR 1.2 | CR 1.B | have SSG perform ad hoc review | Perform point-review of high-risk code
    CR 1.4 | CR 2.A | use automated tools along with manual review | Utilize automated code analysis tools
    CR 3.1 | CR 3.A | use automated tools with tailored rules | Customize code analysis for application-specific concerns
    CR 3.3 | CR 3.A | build capability for eradicating specific bugs from entire codebase | Customize code analysis for application-specific concerns
    CR 2.3 | CR 3.B | make code review mandatory for all projects | Establish release gates for code review
    AA 1.1 | DR 1.B | perform security feature review | Analyze design against known security requirements
    AA 2.1 | DR 2.A | define/use AA process | Inspect for complete provision of security mechanisms
    AA 1.2 | DR 2.B | perform design review for high-risk applications | Deploy design review service for project teams
    AA 1.3 | DR 2.B | have SSG lead review efforts | Deploy design review service for project teams
    AA 2.2 | DR 3.A | standardize architectural descriptions (include data flow) | Develop data-flow diagrams for sensitive resources
    SM 1.3 | EG 1.A | educate executives | Conduct technical security awareness training
    T 1.1  | EG 1.A | provide awareness training | Conduct technical security awareness training
    T 2.5  | EG 1.A | hold satellite training/events | Conduct technical security awareness training
    SR 1.1 | EG 1.B | create security standards (T: sec features/design) | Build and maintain technical guidelines
    SR 1.2 | EG 1.B | create security portal | Build and maintain technical guidelines
    CP 2.5 | EG 2.A | promote executive awareness of compliance/privacy obligations | Conduct role-specific application security training
    T 2.1  | EG 2.A | offer role-specific advanced curriculum (tools, technology stacks, bug parade) | Conduct role-specific application security training
    T 2.2  | EG 2.A | create/use material specific to company history | Conduct role-specific application security training
    T 2.4  | EG 2.A | offer on-demand individual training | Conduct role-specific application security training
    T 3.2  | EG 2.A | provide training for vendors or outsource workers | Conduct role-specific application security training
    T 3.4  | EG 2.A | require annual refresher | Conduct role-specific application security training
    AA 2.3 | EG 2.B | make SSG available as AA resource/mentor | Utilize security coaches to enhance project teams
    AA 3.1 | EG 2.B | have software architects lead review efforts | Utilize security coaches to enhance project teams
    AM 2.4 | EG 2.B | build internal forum to discuss attacks (T: standards/req) | Utilize security coaches to enhance project teams
    CR 2.5 | EG 2.B | assign tool mentors | Utilize security coaches to enhance project teams
    SM 2.3 | EG 2.B | create or grow social network/satellite system | Utilize security coaches to enhance project teams
    T 1.3  | EG 2.B | establish SSG office hours | Utilize security coaches to enhance project teams
  • 8. Lessons Learned • Microsoft SDL • Heavyweight, good for large ISVs • Touchpoints • High-level, not enough details to execute against • BSIMM • Stats, but what to do with them? • CLASP • Large collection of activities, but no priority ordering • ALL: Good for experts to use as a guide, but hard for non-security folks to use off the shelf
  • 9. We need a Maturity Model
    • An organization’s behavior changes slowly over time → Changes must be iterative while working toward long-term goals
    • There is no single recipe that works for all organizations → A solution must enable risk-based choices tailored to the organization
    • Guidance related to security activities must be prescriptive → A solution must provide enough details for non-security people
    • Overall, must be simple, well-defined, and measurable
    OWASP Software Assurance Maturity Model (SAMM) https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model
  • 10. SAMM Security Practices • From each of the Business Functions, 3 Security Practices are defined • The Security Practices cover all areas relevant to software security assurance • Each one is a ‘silo’ for improvement
  • 11. Under each Security Practice • Three successive Objectives under each Practice define how it can be improved over time • This establishes a notion of a Level at which an organization fulfills a given Practice • The three Levels for a Practice generally correspond to: • (0: Implicit starting point with the Practice unfulfilled) • 1: Initial understanding and ad hoc provision of the Practice • 2: Increase efficiency and/or effectiveness of the Practice • 3: Comprehensive mastery of the Practice at scale
  • 12. Per Level, SAMM defines... • Objective • Activities • Results • Success Metrics • Costs • Personnel • Related Levels
  • 16. Education & Guidance Resources: • OWASP Top 10 • OWASP Education • WebGoat “Give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime.” Chinese proverb https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project https://www.owasp.org/index.php/Category:OWASP_Education_Project https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
  • 17. OWASP Cheat Sheets https://www.owasp.org/index.php/Cheat_Sheets
  • 20. Secure Coding Practices Quick Reference Guide • Technology agnostic coding practices • What to do, not how to do it • Compact, but comprehensive checklist format • Focuses on secure coding requirements, rather than on vulnerabilities and exploits • Includes a cross-referenced glossary to get developers and security folks talking the same language https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
  • 22. The OWASP Enterprise Security API [diagram: Custom Enterprise Web Application → Enterprise Security API → Existing Enterprise Security Services/Libraries; ESAPI components: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration] https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
  • 24. Code Review
  • 25. Code Review Resources: • OWASP Code Review Guide SDL Integration: • Multiple reviews defined as deliverables in your SDLC • Structured, repeatable process with management support • Reviews are exit criteria for the development and test phases https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
  • 26. Code review tooling Code review tools: • OWASP LAPSE (Security scanner for Java EE Applications) • MS FxCop / CAT.NET (Code Analysis Tool for .NET) • Agnitio (open source manual source code review support tool) https://www.owasp.org/index.php/OWASP_LAPSE_Project http://www.microsoft.com/security/sdl/discover/implementation.aspx http://agnitiotool.sourceforge.net/
  • 28. Security Testing Resources: • OWASP ASVS • OWASP Testing Guide SDL Integration: • Integrate dynamic security testing as part of your test cycles • Derive test cases from the security requirements that apply • Check business logic soundness as well as common vulnerabilities • Review results with stakeholders prior to release https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project https://www.owasp.org/index.php/OWASP_Testing_Project
  • 29. Security Testing • Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications • Provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually Features: • Intercepting proxy • Automated scanner • Passive scanner • Brute force scanner • Spider • Fuzzer • Port scanner • Dynamic SSL Certificates • API • Beanshell integration https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
  • 32. Web Application Firewalls [diagram: Web client (browser) → Network Firewall → Web Application Firewall → Web Server on port 80; malicious web traffic is filtered, legitimate web traffic passes] ModSecurity: World’s No 1 open source Web Application Firewall www.modsecurity.org • HTTP Traffic Logging • Real-Time Monitoring and Attack Detection • Attack Prevention and Just-in-time Patching • Flexible Rule Engine • Embedded Deployment (Apache, IIS7 and Nginx) • Network-Based Deployment (reverse proxy) OWASP ModSecurity Core Rule Set Project: a generic, plug-n-play set of WAF rules https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
  • 34. 150+ OWASP Projects PROTECT Tools: AntiSamy Java/.NET, Enterprise Security API (ESAPI), ModSecurity Core Rule Set Project Docs: Development Guide, .NET, Ruby on Rails Security Guide, Secure Coding Practices - Quick Reference Guide DETECT Tools: JBroFuzz, Live CD, WebScarab, Zed Attack Proxy Docs: Application Security Verification Standard, Code Review Guide, Testing Guide, Top Ten Project LIFE CYCLE SAMM, WebGoat, Legal Project
  • 35. Mapping Projects / SAMM
    Project | Type | Level | SAMM Practice | Remarks
    Broken Web Applications | Tools | Labs | EG1 |
    CSRFTester | Tools | Labs | ST1 |
    EnDe | Tools | Labs | ST1 |
    Fiddler Addons for Security Testing | Tools | Labs | ST1 |
    Forward Exploit Tool | Tools | Labs | ST1 |
    Hackademic Challenges | Tools | Labs | EG1 |
    Hatkit Datafiddler | Tools | Labs | ST1 |
    Hatkit Proxy | Tools | Labs | ST1 |
    HTTP POST | Tools | Labs | ST1 |
    Java XML Templates | Tools | Labs | SA2 |
    JavaScript Sandboxes | Tools | Labs | not applicable |
    Joomla Vulnerability Scanner | Tools | Labs | ST1 |
    LAPSE | Tools | Labs | CR2 |
    Mantra Security Framework | Tools | Labs | ST1 |
    Multilidea | Tools | Labs | EG1 |
    O2 | Tools | Labs | ST2 |
    Orizon | Tools | Labs | CR2 |
    Srubbr | Tools | Labs | ST1 |
    Security Assurance Testing of Virtual Worlds | Tools | Labs | ST1 |
    Vicnum | Tools | Labs | EG1 |
    Wapiti | Tools | Labs | ST1 |
    Web Browser Testing System | Tools | Labs | ST1 |
    WebScarab | Tools | Labs | ST1 |
    Webslayer | Tools | Labs | ST1 |
    WSFuzzer | Tools | Labs | ST1 |
    Yasca | Tools | Labs | CR2 |
    AppSec Tutorials | Documentation | Labs | EG1 |
    AppSensor | Documentation | Labs | EH3 |
    AppSensor | Documentation | Labs | SA2 |
    Cloud 10 | Documentation | Labs | EG1 |
    CTF | Documentation | Labs | EG1 |
    Fuzzing Code | Documentation | Labs | ST1 |
    Legal | Documentation | Labs | SR3 |
    Podcast | Documentation | Labs | EG1 |
    Virtual Patching Best Practices | Documentation | Labs | EH3 |
    AntiSamy | Code | Flagship | SA2 |
    Enterprise Security API | Code | Flagship | SA3 |
    ModSecurity Core Rule Set | Code | Flagship | EH3 |
    CSRFGuard | Code | Flagship | SA2 |
    Web Testing Environment | Tools | Flagship | ST2 |
    WebGoat | Tools | Flagship | EG2 |
    Zed Attack Proxy | Tools | Flagship | ST2 |
    Application Security Verification Standard | Documentation | Flagship | DR2 | ASVS-L4
    Application Security Verification Standard | Documentation | Flagship | CR3 | ASVS-L4
    Application Security Verification Standard | Documentation | Flagship | ST3 | ASVS-L4
    Code Review Guide | Documentation | Flagship | CR1 |
    Codes of Conduct | Documentation | Flagship | not applicable |
    Development Guide | Documentation | Flagship | EG1 |
    Secure Coding Practices - Quick Reference Guide | Documentation | Flagship | SR1 |
    Software Assurance Maturity Model | Documentation | Flagship | SM1 | Recursiveness :-)
    Testing Guide | Documentation | Flagship | ST1 |
    Top Ten | Documentation | Flagship | EG1 |
  • 36. Coverage (number of mapped OWASP projects per SAMM Practice, by Level)
    Business Function | Security Practice | Level 1 | Level 2 | Level 3 | Total
    Governance | Strategy & Metrics (SM) | 1 | 0 | 0 | 1
    Governance | Policy & Compliance (PC) | 0 | 0 | 0 | 0
    Governance | Education & Guidance (EG) | 10 | 1 | 0 | 11
    Governance total | | 11 | 1 | 0 | 12
    Construction | Threat Assessment (TA) | 0 | 0 | 0 | 0
    Construction | Security Requirements (SR) | 1 | 0 | 1 | 2
    Construction | Security Architecture (SA) | 0 | 4 | 1 | 5
    Construction total | | 1 | 4 | 2 | 7
    Verification | Design Review (DR) | 0 | 1 | 0 | 1
    Verification | Code Review (CR) | 1 | 3 | 1 | 5
    Verification | Security Testing (ST) | 18 | 3 | 1 | 22
    Verification total | | 19 | 7 | 2 | 28
    Deployment | Vulnerability Management (VM) | 0 | 0 | 0 | 0
    Deployment | Environment Hardening (EH) | 0 | 0 | 3 | 3
    Deployment | Operational Hardening (OE) | 0 | 0 | 0 | 0
    Deployment total | | 0 | 0 | 3 | 3
  • 37. Get started • Step 1: questionnaire as-is • Step 2: define your maturity goal • Step 3: define phased roadmap
  • 38. Conducting assessments SAMM includes assessment worksheets for each Security Practice
  • 39. Assessment process Supports both lightweight and detailed assessments
  • 40. Creating Scorecards • Gap analysis: capturing scores from detailed assessments versus expected performance levels • Demonstrating improvement: capturing scores from before and after an iteration of assurance program build-out • Ongoing measurement: capturing scores over consistent time frames for an assurance program that is already in place
  • 41. Roadmap templates • To make the “building blocks” usable, SAMM defines Roadmap templates for typical kinds of organizations • Independent Software Vendors • Online Service Providers • Financial Services Organizations • Government Organizations • Tune these to your own targets / speed
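A worked example of the three-step process on slides 37 to 41 (as-is questionnaire, maturity goal, phased roadmap) together with the scorecard views of slide 40, written for this page; it is not code from the OpenSAMM project or from the presenter. The model structure (4 Business Functions, 3 Security Practices each, levels 0 to 3) and the practice names follow the deck's coverage slide. The sample as-is and target scores, the per-phase effort budget, and all function names are constructed assumptions; SAMM's own partial ("+") scoring is not modelled.

```python
"""SAMM scorecard helper: as-is vs target gap analysis and a phased roadmap.

Added example for this deck, not code from the OpenSAMM project. It models the
structure the slides describe: 4 Business Functions x 3 Security Practices,
each rated at a maturity level 0..3. Abbreviations and practice names follow
the deck's coverage slide. Assumption: a practice is scored as a whole level;
SAMM's partial ("+") scoring is not modelled.
"""
from typing import Dict, List, Tuple

# Business Function -> {practice abbreviation: practice name}, as on the coverage slide.
SAMM_MODEL: Dict[str, Dict[str, str]] = {
    "Governance": {"SM": "Strategy & Metrics", "PC": "Policy & Compliance",
                   "EG": "Education & Guidance"},
    "Construction": {"TA": "Threat Assessment", "SR": "Security Requirements",
                     "SA": "Security Architecture"},
    "Verification": {"DR": "Design Review", "CR": "Code Review",
                     "ST": "Security Testing"},
    "Deployment": {"VM": "Vulnerability Management", "EH": "Environment Hardening",
                   "OE": "Operational Hardening"},
}
PRACTICES: List[str] = [p for bf in SAMM_MODEL.values() for p in bf]
LEVELS = (0, 1, 2, 3)  # 0 = practice unfulfilled, 3 = comprehensive mastery at scale

Scores = Dict[str, int]  # practice abbreviation -> level


def validate(scores: Scores) -> Scores:
    """Reject an assessment that misses a practice or uses an unknown level."""
    unknown = set(scores) - set(PRACTICES)
    missing = set(PRACTICES) - set(scores)
    if unknown or missing:
        raise ValueError(f"unknown practices {sorted(unknown)}, missing {sorted(missing)}")
    bad = {p: lvl for p, lvl in scores.items() if lvl not in LEVELS}
    if bad:
        raise ValueError(f"levels must be one of {LEVELS}: {bad}")
    return scores


def gap_analysis(as_is: Scores, target: Scores) -> Dict[str, Tuple[int, int, int]]:
    """Step 1 vs step 2: (current, target, gap) for every practice below its goal."""
    validate(as_is)
    validate(target)
    return {p: (as_is[p], target[p], target[p] - as_is[p])
            for p in PRACTICES if target[p] > as_is[p]}


def phased_roadmap(as_is: Scores, target: Scores, budget: int = 4) -> List[Scores]:
    """Step 3: split the climb to the target into phases.

    Each phase raises a lagging practice by at most one level and holds at most
    `budget` level increments (the effort an organisation can absorb per
    iteration; an assumed knob, not a SAMM rule). Practices with the largest
    remaining gap go first; ties keep the model's order.
    """
    validate(as_is)
    validate(target)
    state = dict(as_is)
    phases: List[Scores] = []
    while True:
        lagging = [p for p in PRACTICES if state[p] < target[p]]
        if not lagging:
            return phases
        # sort() is stable, so equal gaps keep the model's practice order
        lagging.sort(key=lambda p: -(target[p] - state[p]))
        phase: Scores = {}
        for p in lagging[:budget]:
            state[p] += 1
            phase[p] = state[p]
        phases.append(phase)


def improvement(before: Scores, after: Scores) -> Scores:
    """Before/after delta per practice ('demonstrating improvement' scorecard)."""
    validate(before)
    validate(after)
    return {p: after[p] - before[p] for p in PRACTICES if after[p] != before[p]}


def scorecard(as_is: Scores, target: Scores) -> List[str]:
    """Plain-text scorecard: '#' = level reached, '+' = level still to gain."""
    lines: List[str] = []
    for bf, practices in SAMM_MODEL.items():
        lines.append(f"== {bf} ==")
        for abbr, name in practices.items():
            cur, tgt = as_is[abbr], target[abbr]
            bar = ("#" * cur + "+" * max(0, tgt - cur)).ljust(3, ".")
            lines.append(f"  {abbr} {name:<26} [{bar}] {cur} -> {tgt}")
    return lines


# Constructed sample (not data from the deck): step 1 as-is assessment and
# step 2 maturity goal for a hypothetical online service provider.
AS_IS: Scores = {"SM": 1, "PC": 0, "EG": 1, "TA": 0, "SR": 1, "SA": 1,
                 "DR": 0, "CR": 1, "ST": 1, "VM": 1, "EH": 1, "OE": 0}
TARGET: Scores = {"SM": 2, "PC": 1, "EG": 2, "TA": 1, "SR": 2, "SA": 2,
                  "DR": 1, "CR": 3, "ST": 3, "VM": 2, "EH": 2, "OE": 1}

if __name__ == "__main__":
    print("\n".join(scorecard(AS_IS, TARGET)))
    for i, phase in enumerate(phased_roadmap(AS_IS, TARGET), 1):
        print(f"Phase {i}: " + ", ".join(f"{p}->{lvl}" for p, lvl in phase.items()))
```

Running the script prints the as-is versus target scorecard and four phases: the two-level gaps in Code Review and Security Testing are tackled first, the remaining one-level gaps follow in model order. Replace the sample dicts with the levels from your own assessment worksheets, and re-run `improvement()` on the scores from successive assessments to get the before/after view of slide 40.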
  • 42. SAMM Resources www.opensamm.org • Presentations • Tools • Assessment worksheets / templates • Roadmap templates • Scorecard chart generation • Translations (Spanish / Japanese) • SAMM mappings to ISO/IEC 27034 / BSIMM
  • 43. Critical Success Factors • Get initiative buy-in from all stakeholders • Adopt a risk-based approach • Awareness / education is the foundation • Integrate security in your development / acquisition and deployment processes • Provide management visibility
  • 44. Project Roadmap Build the SAMM community: • List of SAMM adopters • Workshops at AppSecEU and AppSecUSA V1.1: • Incorporate tools / guidance / OWASP projects • Revamp SAMM wiki V2.0: • Revise scoring model • Model revision necessary? (12 practices, 3 levels, ...) • Application to agile • Roadmap planning: how to measure effort? • Presentations & teaching material • …
  • 45. Get involved • Use and donate back! • Attend OWASP chapter meetings and conferences • Support OWASP: become a personal/company member https://www.owasp.org/index.php/Membership
  • 46. Q&A
  • 47. Thank you • @sebadele • seba@owasp.org • seba@deleersnyder.eu • www.linkedin.com/in/sebadele