
OpenSAMM Software Assurance Maturity Model Seba Deleersnyder - PowerPoint PPT Presentation



  1. The OWASP Foundation, http://www.owasp.org. Libre Software Meeting, Brussels, 10-July-2013. OpenSAMM Software Assurance Maturity Model. Seba Deleersnyder, seba@owasp.org, OWASP Foundation Board Member, OWASP Belgium Chapter Leader, SAMM project co-leader.

  2. OWASP World (The OWASP Foundation, http://www.owasp.org)
  OWASP is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security visible so that people and organizations can make informed decisions about application security risks.
  Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. The OWASP Foundation is a not-for-profit charitable organization that ensures the ongoing availability and support for our work.

  3. The web application security challenge
  Your security “perimeter” has huge holes at the application layer.
  [Diagram: an application attack passes straight through the network layer (firewall, hardened OS, web server, app server) into the application layer: custom developed application code, legacy systems, human resources, web services, directories, databases, billing.]
  You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks.

  4. “Build in” software assurance: the Secure Development Lifecycle as SAMM sees it (D B T P = Design, Build, Test, Production; proactive on the left, reactive on the right)
  • Design: security requirements, threat modeling
  • Build: coding guidelines, code reviews, static test tools
  • Test: security testing, dynamic test tools
  • Production: vulnerability scanning, WAF

  5. We need a Maturity Model
  • An organization’s behavior changes slowly over time
  • Changes must be iterative while working toward long-term goals
  • There is no single recipe that works for all organizations
  • A solution must enable risk-based choices tailored to the organization
  • Guidance related to security activities must be prescriptive
  • A solution must provide enough details for non-security people
  • Overall, it must be simple, well-defined, and measurable
  OWASP Software Assurance Maturity Model (SAMM): https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model

  6. SAMM Security Practices
  • For each of the Business Functions (Governance, Construction, Verification, Deployment), 3 Security Practices are defined, 12 in total
  • The Security Practices cover all areas relevant to software security assurance
  • Each one is a ‘silo’ for improvement

  7. Under each Security Practice
  • Three successive Objectives under each Practice define how it can be improved over time
  • This establishes a notion of a Level at which an organization fulfills a given Practice
  • The three Levels for a Practice generally correspond to:
    • (0: Implicit starting point with the Practice unfulfilled)
    • 1: Initial understanding and ad hoc provision of the Practice
    • 2: Increased efficiency and/or effectiveness of the Practice
    • 3: Comprehensive mastery of the Practice at scale

  8. Per Level, SAMM defines...
  • Objective
  • Activities
  • Results
  • Success Metrics
  • Costs
  • Personnel
  • Related Levels

  9. Strategy & Metrics

  10. Policy & Compliance

  11. Education & Guidance

  12. Education & Guidance
  “Give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime.” (Chinese proverb)
  Resources:
  • OWASP Top 10: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  • OWASP Education: https://www.owasp.org/index.php/Category:OWASP_Education_Project
  • WebGoat: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

  13. OWASP Cheat Sheets: https://www.owasp.org/index.php/Cheat_Sheets

  14. Threat Assessment

  15. Security Requirements

  16. Secure Coding Practices Quick Reference Guide
  • Technology-agnostic coding practices
  • What to do, not how to do it
  • Compact, but comprehensive checklist format
  • Focuses on secure coding requirements, rather than on vulnerabilities and exploits
  • Includes a cross-referenced glossary to get developers and security folks talking the same language
  https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide

  17. Secure Architecture

  18. The OWASP Enterprise Security API (ESAPI)
  [Diagram: a custom enterprise web application calls the Enterprise Security API, which in turn fronts the existing enterprise security services/libraries.]
  ESAPI components: SecurityConfiguration, AccessReferenceMap, EncryptedProperties, Exception Handling, IntrusionDetector, AccessController, Authenticator, HTTPUtilities, Randomizer, Encryptor, Validator, Encoder, Logger, User
  https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
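  The AccessReferenceMap component listed above is the one ESAPI building block whose security effect is easiest to miss from a name alone, so here is the pattern as an added example in plain Python. This is not ESAPI's own (Java) code and the names AccessReferenceMap, build_session_map and fetch_account, as well as the accounts table, are constructed for the illustration: a per-session map hands the client random tokens instead of direct references (database ids, file names), so a user can neither enumerate nor forge references to objects that were never mapped for them.

```python
"""Indirect object references, after the AccessReferenceMap idea in ESAPI.

Added example, not ESAPI's own code. Class and function names are
assumptions for this illustration, not the ESAPI API.
"""
import secrets


class AccessReferenceMap:
    """Bidirectional map: direct reference <-> random indirect token."""

    def __init__(self, token_bytes: int = 8):
        self._direct_to_indirect: dict = {}
        self._indirect_to_direct: dict = {}
        self._token_bytes = token_bytes

    def add_direct_reference(self, direct):
        """Register a direct reference; returns its token (idempotent)."""
        if direct in self._direct_to_indirect:
            return self._direct_to_indirect[direct]
        token = secrets.token_urlsafe(self._token_bytes)
        while token in self._indirect_to_direct:  # collision is astronomically rare
            token = secrets.token_urlsafe(self._token_bytes)
        self._direct_to_indirect[direct] = token
        self._indirect_to_direct[token] = direct
        return token

    def get_direct_reference(self, indirect):
        """Resolve a token; anything this map did not issue is rejected."""
        try:
            return self._indirect_to_direct[indirect]
        except KeyError:
            raise PermissionError("unknown or unauthorized reference") from None

    def get_indirect_reference(self, direct):
        return self._direct_to_indirect.get(direct)

    def remove_direct_reference(self, direct):
        token = self._direct_to_indirect.pop(direct, None)
        if token is not None:
            del self._indirect_to_direct[token]


# Constructed sample data: the whole accounts table, and which user owns what.
ACCOUNTS_DB = {
    1001: {"owner": "alice", "balance": 250},
    1002: {"owner": "bob", "balance": 9000},
    1003: {"owner": "alice", "balance": 40},
}
OWNED_BY = {"alice": [1001, 1003], "bob": [1002]}


def build_session_map(user):
    """At login, map only the accounts this user is allowed to see."""
    arm = AccessReferenceMap()
    tokens = {acct: arm.add_direct_reference(acct) for acct in OWNED_BY[user]}
    return arm, tokens


def fetch_account(arm, token):
    """Request handler: the client supplies a token, never a raw id."""
    return ACCOUNTS_DB[arm.get_direct_reference(token)]


if __name__ == "__main__":
    arm, tokens = build_session_map("alice")
    print("alice sees", tokens)
    print(fetch_account(arm, tokens[1001]))
    try:
        fetch_account(arm, "1002")  # tampering with a guessed direct id
    except PermissionError as exc:
        print("blocked:", exc)
```

  Because the map is built from the user's own authorization data at login, the resolve step is also an access-control check: a token that was never issued for this session, or a raw id pasted into the URL, raises before any database lookup happens.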

  19. Design Review

  20. Code Review

  21. Code Review
  SDL Integration:
  • Multiple reviews defined as deliverables in your SDLC
  • Structured, repeatable process with management support
  • Reviews are exit criteria for the development and test phases
  Resources:
  • OWASP Code Review Guide: https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project

  22. Code review tooling
  Code review tools:
  • OWASP LAPSE (security scanner for Java EE applications): https://www.owasp.org/index.php/OWASP_LAPSE_Project
  • MS FxCop / CAT.NET (Code Analysis Tool for .NET): http://www.microsoft.com/security/sdl/discover/implementation.aspx
  • Agnitio (open source manual source code review support tool): http://agnitiotool.sourceforge.net/

  23. Security Testing

  24. Security Testing
  SDL Integration:
  • Integrate dynamic security testing as part of your test cycles
  • Derive test cases from the security requirements that apply
  • Check business logic soundness as well as common vulnerabilities
  • Review results with stakeholders prior to release
  Resources:
  • OWASP ASVS: https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
  • OWASP Testing Guide: https://www.owasp.org/index.php/OWASP_Testing_Project

  25. Security Testing
  • Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications
  • Provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually
  Features:
  • Intercepting proxy
  • Automated scanner
  • Passive scanner
  • Brute force scanner
  • Spider
  • Fuzzer
  • Port scanner
  • Dynamic SSL certificates
  • API
  • BeanShell integration
  https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

  26. Vulnerability Management

  27. Environment Hardening

  28. Web Application Firewalls
  [Diagram: a web client (browser) sends malicious and legitimate web traffic over port 80; the network firewall passes both, the web application firewall in front of the web server lets only the legitimate traffic through.]
  ModSecurity: the world’s No. 1 open source Web Application Firewall, www.modsecurity.org
  • HTTP traffic logging
  • Real-time monitoring and attack detection
  • Attack prevention and just-in-time patching
  • Flexible rule engine
  • Embedded deployment (Apache, IIS7 and Nginx)
  • Network-based deployment (reverse proxy)
  OWASP ModSecurity Core Rule Set Project: a generic, plug-n-play set of WAF rules, https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
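  “Just-in-time patching” on the slide above means a WAF rule written for one specific weakness while the application fix is still in the pipeline. The following added example, which is not ModSecurity or Core Rule Set code but a small Python rule engine over constructed request lines, shows why such a positive-security patch (only a numeric id is accepted on one endpoint) catches what a generic negative-security signature misses. The rule ids, the paths, the parameter constraint and the sample traffic are all invented for the illustration.

```python
"""Request inspection in the style of a WAF virtual patch.

Added example, not ModSecurity or the Core Rule Set. Rule ids, paths,
parameters and the sample requests are constructed for the illustration.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Negative security: a deliberately simple SQL-injection signature.
SQLI_SIGNATURE = re.compile(r"(?i)\b(union\s+select|or\s+'?\d+'?\s*=\s*'?\d+)")

# Positive security: until the application itself is fixed, /account/view
# accepts only a numeric id. Every occurrence of the parameter must comply,
# so HTTP parameter pollution (id=1&id=evil) cannot sneak a second value past.
VIRTUAL_PATCHES = {
    "/account/view": {"id": re.compile(r"^\d{1,10}$")},
}


def parse_request_line(line):
    """'GET /path?a=1&b=2 HTTP/1.1' -> (method, path, [(name, value), ...])."""
    method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    return method, parts.path, parse_qsl(parts.query, keep_blank_values=True)


def rule_sqli_signature(path, args):
    """Fires when any argument value looks like the signature."""
    return any(SQLI_SIGNATURE.search(value) for _name, value in args)


def rule_virtual_patch(path, args):
    """Fires when a patched endpoint is called without a compliant parameter."""
    constraints = VIRTUAL_PATCHES.get(path)
    if not constraints:
        return False
    for name, pattern in constraints.items():
        values = [v for n, v in args if n == name]
        if not values or not all(pattern.match(v) for v in values):
            return True
    return False


RULES = [
    ("900001", "generic SQLi signature (negative security)", rule_sqli_signature),
    ("900100", "virtual patch: /account/view id must be numeric", rule_virtual_patch),
]


def inspect_request(line):
    """Return ('allow' | 'deny', [matching rule ids]); any hit denies."""
    _method, path, args = parse_request_line(line)
    hits = [rule_id for rule_id, _desc, check in RULES if check(path, args)]
    return ("deny" if hits else "allow", hits)


def audit_line(line):
    """One real-time monitoring record per request."""
    decision, hits = inspect_request(line)
    return f"{decision.upper():5} {line.split(' ')[1]} rules={','.join(hits) or '-'}"


# Constructed sample traffic (request lines only).
SAMPLE_REQUESTS = [
    "GET /account/view?id=1042 HTTP/1.1",
    "GET /account/view?id=1042'+OR+'1'='1 HTTP/1.1",
    "GET /account/view?id=1042/**/UNION/**/SELECT/**/1,2 HTTP/1.1",
    "GET /account/view?id=1042&id=1042'+OR+'1'='1 HTTP/1.1",
    "GET /account/view HTTP/1.1",
    "GET /search?q=union%20select HTTP/1.1",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(audit_line(req))
```

  The third request, with comment sequences in place of whitespace, slips past the signature but not the virtual patch, which is the whole argument for writing a tight positive rule per endpoint rather than relying on generic signatures alone. The fourth request shows the parameter-pollution edge case: the first id is clean, and a rule that only inspected the last or first occurrence would get it wrong.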

  29. Operational Enablement

  30. 150+ OWASP Projects
  PROTECT
  • Tools: AntiSamy Java/.NET, Enterprise Security API (ESAPI), ModSecurity Core Rule Set Project
  • Docs: Development Guide, .NET, Ruby on Rails Security Guide, Secure Coding Practices - Quick Reference Guide
  DETECT
  • Tools: JBroFuzz, Live CD, WebScarab, Zed Attack Proxy
  • Docs: Application Security Verification Standard, Code Review Guide, Testing Guide, Top Ten Project
  LIFE CYCLE
  • SAMM, WebGoat, Legal Project

  31. Get started
  • Step 1: questionnaire, as-is
  • Step 2: define your maturity goal
  • Step 3: define a phased roadmap

  32. Conducting assessments: SAMM includes assessment worksheets for each Security Practice

  33. Assessment process: supports both lightweight and detailed assessments

  34. Creating Scorecards
  • Gap analysis: capturing scores from detailed assessments versus expected performance levels
  • Demonstrating improvement: capturing scores from before and after an iteration of assurance program build-out
  • Ongoing measurement: capturing scores over consistent time frames for an assurance program that is already in place
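  Slides 31 to 34 describe one procedure: answer the questionnaire to get the as-is level per practice, set a target, derive a phased roadmap, and read the gap and the before/after scores off a scorecard. The block below is an added example that models that procedure in Python; it is not SAMM's own worksheets or scorecard tooling. The questionnaire is constructed with two yes/no questions per level instead of SAMM's real question sets, the target levels are a made-up organization's choice, and the roadmap rule “raise each lagging practice by one level per phase” is a simplifying assumption rather than a SAMM roadmap template.

```python
"""SAMM-style scoring, gap analysis and phased roadmap.

Added example, not SAMM's own worksheets or tooling. Questionnaire,
target levels and the one-level-per-phase roadmap rule are constructed
assumptions for the illustration.
"""

# The 12 Security Practices, three under each of the four Business Functions.
BUSINESS_FUNCTIONS = {
    "Governance": ["Strategy & Metrics", "Policy & Compliance", "Education & Guidance"],
    "Construction": ["Threat Assessment", "Security Requirements", "Secure Architecture"],
    "Verification": ["Design Review", "Code Review", "Security Testing"],
    "Deployment": ["Vulnerability Management", "Environment Hardening", "Operational Enablement"],
}
PRACTICES = [p for group in BUSINESS_FUNCTIONS.values() for p in group]

Y, N = True, False
# Constructed lightweight-assessment answers: per practice, one list of
# yes/no answers for Level 1, Level 2 and Level 3 (two questions each here).
AS_IS_QUESTIONNAIRE = {
    "Strategy & Metrics": [[Y, Y], [N, Y], [N, N]],
    "Policy & Compliance": [[Y, Y], [Y, Y], [N, N]],
    "Education & Guidance": [[Y, N], [N, N], [N, N]],
    "Threat Assessment": [[N, N], [N, N], [N, N]],
    "Security Requirements": [[Y, Y], [N, N], [N, N]],
    "Secure Architecture": [[Y, Y], [Y, N], [N, N]],
    "Design Review": [[N, N], [N, N], [N, N]],
    "Code Review": [[Y, Y], [Y, Y], [Y, N]],
    "Security Testing": [[Y, Y], [Y, Y], [Y, Y]],
    "Vulnerability Management": [[Y, Y], [N, N], [N, N]],
    "Environment Hardening": [[Y, Y], [Y, Y], [N, N]],
    "Operational Enablement": [[Y, N], [N, N], [N, N]],
}

# Constructed target (Step 2): Level 2 everywhere, Level 3 for two practices.
TARGET_LEVELS = {p: 2 for p in PRACTICES}
TARGET_LEVELS["Code Review"] = 3
TARGET_LEVELS["Security Testing"] = 3


def practice_level(answers_by_level):
    """Level n is reached only if every question at levels 1..n is 'yes';
    partial progress at a level does not raise the score (Level 0 = unfulfilled)."""
    level = 0
    for answers in answers_by_level:
        if answers and all(answers):
            level += 1
        else:
            break
    return level


def score(questionnaire):
    """Step 1: as-is level for each practice."""
    return {p: practice_level(questionnaire[p]) for p in PRACTICES}


def gap_analysis(current, target):
    """Levels still missing per practice (never negative)."""
    return {p: max(target[p] - current[p], 0) for p in PRACTICES}


def phased_roadmap(current, target):
    """Step 3: phases of {practice: new level}; each phase raises every
    lagging practice by one level (simplifying assumption)."""
    phases, state = [], dict(current)
    while any(state[p] < target[p] for p in PRACTICES):
        step = {p: state[p] + 1 for p in PRACTICES if state[p] < target[p]}
        phases.append(step)
        state.update(step)
    return phases


def scorecard(before, after):
    """Before/after rows to demonstrate improvement over one iteration."""
    return [(p, before[p], after[p], after[p] - before[p]) for p in PRACTICES]


def function_average(levels):
    """Average level per Business Function, the usual scorecard roll-up."""
    return {f: sum(levels[p] for p in ps) / len(ps) for f, ps in BUSINESS_FUNCTIONS.items()}


if __name__ == "__main__":
    current = score(AS_IS_QUESTIONNAIRE)
    roadmap = phased_roadmap(current, TARGET_LEVELS)
    after_phase_1 = {**current, **roadmap[0]}
    for row in scorecard(current, after_phase_1):
        print("%-26s %d -> %d (+%d)" % row)
    print("phases needed:", len(roadmap), "gaps:", gap_analysis(current, TARGET_LEVELS))
```

  Two details carry the security meaning. A practice with a “yes” on one of its Level 1 questions still scores 0, because a level is only claimed once all of its activities are in place; and the roadmap length is set by the largest gap, so the practices at 0 (Threat Assessment, Design Review) decide how many phases the program needs, whatever the average looks like.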

  35. Roadmap templates
  • To make the “building blocks” usable, SAMM defines roadmap templates for typical kinds of organizations:
    • Independent Software Vendors
    • Online Service Providers
    • Financial Services Organizations
    • Government Organizations
  • Tune these to your own targets / speed

  36. SAMM Resources, www.opensamm.org
  • Presentations
  • Tools
  • Assessment worksheets / templates
  • Roadmap templates
  • Scorecard chart generation
  • Translations (Spanish / Japanese)
  • SAMM mappings to ISO/IEC 27034 / BSIMM
