:: History ::
LASCON 2011 - October 28, 2011 (Philip J Beyer and Scott Stevens) - http://lanyrd.com/shgmf
:: Summary ::
We will present the difficulties and successes involved with realigning the development lifecycle at TEA using OpenSAMM.
:: Abstract ::
In "Pitfall!", a player must maneuver Pitfall Harry through a maze-like jungle to stay alive. Along the way, he must negotiate numerous hazards, try to recover treasure, and do it all in a limited time. Implementing OWASP's OpenSAMM in a large organization is kinda like playing that classic game. It's a little dangerous, requires vision, planning, and precision, and promises rewards. Like many of its size and with its mandate, the Texas Education Agency already has an SDLC. Enter Pitfall Phil. In an effort to build a stronger program, Pitfall Phil shifted the focus of TEA's application security program to align with OpenSAMM. We will present the hazards he discovered and the treasure he found while playing the game.
OpenSAMM in the Real World: Pitfalls Discovered and Treasures Collected Along the Way
1. OpenSAMM in the Real World: Pitfalls Discovered and Treasure Collected Along the Way
Philip J. Beyer - Texas Education Agency
philip.beyer@tea.state.tx.us @pjbeyer
Scott Stevens - Denim Group
sstevens@denimgroup.com
Copyright 2011 by Texas Education Agency. All rights reserved. LASCON 2011 http://lanyrd.com/shgmf
2. Overview
• Background
• The Manual
• The Premise
• Treasures and Pitfalls
• Game Over
3. About
• Phil Beyer
– Information Security Officer
– Consulting background
• Scott Stevens
– Project Manager
– Application development background
• TEA
– ~700 employees
– ~1200 school districts
– ~5 million students
4. Where Did TEA Start?
• Application Security Program already established
– Some policies & procedures
– Initial training & exposure to concepts
– Historically siloed approach
• Outsourcing for subject matter expertise
5. Where Do You Start?
• Establish your Application Security Program
• Be the Champion (or find one)
• Make sure your Team Gets It
• Have a Roadmap to Maturity
6. The Manual
Business Functions (OpenSAMM diagram: Governance, Construction, Verification, Deployment)
7. The Manual
Security Practices (OpenSAMM diagram, three per business function)
• Governance: Strategy & Metrics, Policy & Compliance, Education & Guidance
• Construction: Threat Assessment, Security Requirements, Secure Architecture
• Verification: Design Review, Code Review, Security Testing
• Deployment: Vulnerability Management, Environment Hardening, Operational Enablement
8. The Manual
Phases
1. The Early Levels
2. Racking Up Some Points
3. Hitting Your Stride
4. Bigger Treasures, Deeper Pits
The End Game
9. The Premise
• It has already started
• Shortcuts don’t exist
– No cheat codes
– No invincibility
– No God mode
• There are Pitfalls
• There are Treasures
10. The Early Levels (Phase 1)
Treasures
• A Map
– Not necessarily THE Map, but something to get started
– An organizational roadmap is a powerful thing
• Some Running Room
– Awareness in the organization is increasing
11. The Early Levels (Phase 1)
Pitfalls
• The Log
– You can’t stand still
– Move through Phase 1 so you don’t get rolled over
• Inertia
– Getting started is just plain hard
– Determining who should play is also hard
12. Racking Up Some Points (Phase 2)
Treasures
• Silver Bars
– Development teams begin to appreciate the security problem
• The Ladder
– More of the team is involved in practicing security
– You’ve found a new way around the alligator-infested pond
13. Racking Up Some Points (Phase 2)
Pitfalls
• The Alligator
– There’s a dangerous thing there on the screen
– Threats are real, and now they see some of them too
• More Players
– Other people are going to play your game
– They may not play as { nice | carefully | safely } as you
14. Hitting Your Stride (Phase 3)
Treasures
• Gold Bars
– Better visibility instills confidence in Management
• The Compass
– The Program has direction
– From requirements to maintenance, a formal process starts to emerge
15. Hitting Your Stride (Phase 3)
Pitfalls
• The Scorpion
– Better informed Management may sting
• The Wall
– A different kind of obstacle will block your path
– Developers and Operators may not enjoy working together more closely
16. Bigger Treasures, Deeper Pits (Phase 4)
Treasures
• The Bridge
– Get rid of that Rope and jeer at the Alligators as you walk across
– The whole Program is working together to build securely and verify aggressively
17. Bigger Treasures, Deeper Pits (Phase 4)
Pitfalls
• The Hole
– Compliance is not Security
– Don’t let Management fall into the trap at this stage of the game… It can be a pretty deep pit
18. The End Game (Phases 5 & 6)
Treasures
• Shangri-La
– You’ve reached the mystical, harmonious valley; a permanently happy land isolated from the outside world
– I’d tell you how it feels, but we haven’t gotten there yet
19. It’s Time to Play
• Build a Mature Software Assurance Program
• Measure and Report Your Progress
• Have Fun!
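As an added example (not code from the talk, from TEA, or from the OpenSAMM project), the roadmap structure from the Manual slides (business functions, security practices, phases) and the "Measure and Report Your Progress" point above can be turned into a small Python tracker. It holds SAMM 1.0's twelve practices, a constructed four-phase roadmap and a constructed assessment, and reports which phase the program has completed, which practices are still below target, and a per-business-function scorecard. The roadmap and assessment values are assumptions for illustration only, not TEA's real program.

```python
"""OpenSAMM roadmap tracker (added example; not the talk's or TEA's code).

Assumes the SAMM 1.0 structure: four business functions, three security
practices each, every practice assessed at maturity level 0..3. A roadmap is
a list of phases; each phase names the practices it raises and the level each
must reach. ROADMAP and ASSESSMENT below are constructed sample data.
"""

BUSINESS_FUNCTIONS = {
    "Governance": ["Strategy & Metrics", "Policy & Compliance", "Education & Guidance"],
    "Construction": ["Threat Assessment", "Security Requirements", "Secure Architecture"],
    "Verification": ["Design Review", "Code Review", "Security Testing"],
    "Deployment": ["Vulnerability Management", "Environment Hardening", "Operational Enablement"],
}
PRACTICES = [p for ps in BUSINESS_FUNCTIONS.values() for p in ps]
MAX_LEVEL = 3

# Constructed roadmap (assumption): targets are cumulative, so a later phase
# can only raise the bar set by an earlier one.
ROADMAP = [
    {"Strategy & Metrics": 1, "Education & Guidance": 1, "Security Testing": 1},
    {"Policy & Compliance": 1, "Threat Assessment": 1, "Code Review": 1, "Vulnerability Management": 1},
    {"Strategy & Metrics": 2, "Security Requirements": 1, "Design Review": 1, "Environment Hardening": 1},
    {"Secure Architecture": 1, "Security Testing": 2, "Code Review": 2, "Operational Enablement": 1},
]

# Constructed assessment (assumption): current maturity level per practice.
ASSESSMENT = {
    "Strategy & Metrics": 1, "Policy & Compliance": 1, "Education & Guidance": 1,
    "Threat Assessment": 1, "Security Requirements": 0, "Secure Architecture": 0,
    "Design Review": 0, "Code Review": 1, "Security Testing": 1,
    "Vulnerability Management": 1, "Environment Hardening": 0, "Operational Enablement": 0,
}

def validate_levels(levels):
    """Reject unknown practice names and levels outside 0..MAX_LEVEL before scoring."""
    for practice, level in levels.items():
        if practice not in PRACTICES:
            raise ValueError(f"unknown practice: {practice!r}")
        if not isinstance(level, int) or not 0 <= level <= MAX_LEVEL:
            raise ValueError(f"{practice}: level must be an integer 0..{MAX_LEVEL}, got {level!r}")

def roadmap_targets(roadmap, through_phase):
    """Cumulative target level per practice once phases 1..through_phase are done."""
    for phase in roadmap:
        validate_levels(phase)
    targets = dict.fromkeys(PRACTICES, 0)
    for phase in roadmap[:through_phase]:
        for practice, level in phase.items():
            targets[practice] = max(targets[practice], level)
    return targets

def gap_report(assessment, roadmap, through_phase):
    """Practices still below their cumulative target, mapped to the levels missing."""
    validate_levels(assessment)
    targets = roadmap_targets(roadmap, through_phase)
    return {p: targets[p] - assessment.get(p, 0)
            for p in PRACTICES if assessment.get(p, 0) < targets[p]}

def phase_complete(assessment, roadmap, phase_number):
    """A phase is complete only when every cumulative target up to it is met."""
    return not gap_report(assessment, roadmap, phase_number)

def current_phase(assessment, roadmap):
    """Highest phase fully achieved (0 if phase 1 is still open).

    Phases are finished in order, so the first open phase stops the count:
    there is no skipping ahead, which is the 'no shortcuts' premise in code."""
    done = 0
    for n in range(1, len(roadmap) + 1):
        if not phase_complete(assessment, roadmap, n):
            break
        done = n
    return done

def scorecard(assessment):
    """Average maturity per business function, the view a SAMM scorecard gives management."""
    validate_levels(assessment)
    return {bf: sum(assessment.get(p, 0) for p in ps) / len(ps)
            for bf, ps in BUSINESS_FUNCTIONS.items()}

def report(assessment, roadmap):
    """Plain-text progress report: phases done, scorecard, open items for the next phase."""
    done = current_phase(assessment, roadmap)
    lines = [f"Phases complete: {done} of {len(roadmap)}"]
    for bf, avg in scorecard(assessment).items():
        lines.append(f"  {bf:<13} {avg:.2f} / {MAX_LEVEL}")
    if done < len(roadmap):
        lines.append(f"Open items for phase {done + 1}:")
        for p, missing in gap_report(assessment, roadmap, done + 1).items():
            lines.append(f"  {p}: +{missing} level(s)")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(ASSESSMENT, ROADMAP))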
20. Resources
• OWASP – Open Web Application Security Project
– http://www.owasp.org/
• OpenSAMM - Software Assurance Maturity Model
– http://www.opensamm.org/
• Attribution
– All OpenSAMM images are licensed under the Creative Commons
Attribution-Share Alike 3.0 License.
Copyright 2011 by Texas Education http://lanyrd.com/shgmf
LASCON 2011
Agency. All rights reserved. 20