OpenSAMM Software Assurance Maturity Model Seba Deleersnyder - - PowerPoint PPT Presentation




SLIDE 1

OpenSAMM: Software Assurance Maturity Model

Seba Deleersnyder, seba@owasp.org
OWASP Foundation Board Member, OWASP Belgium Chapter Leader, SAMM project co-leader

Libre Software Meeting, Brussels, 10-July-2013

The OWASP Foundation, http://www.owasp.org

SLIDE 2


OWASP World

OWASP is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security visible so that people and organizations can make informed decisions about application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

The OWASP Foundation is a not-for-profit charitable organization that ensures the ongoing availability and support for our work.

SLIDE 3

The web application security challenge

[Diagram: an application attack passes through the network layer (firewall, hardened OS, web server, app server, second firewall) and reaches the application layer: custom developed application code and the backend systems behind it (databases, legacy systems, web services, directories, human resources, billing).]

You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks

Your security “perimeter” has huge holes at the application layer

SLIDE 4

“Build in” software assurance


[Diagram: security activities placed along the lifecycle phases, from reactive (Production) to proactive (Design)]

Design: security requirements / threat modeling
Build: coding guidelines, code reviews, static test tools
Test: security testing, dynamic test tools
Production: vulnerability scanning, WAF

Secure Development Lifecycle (SAMM)

D B T P

SAMM

SLIDE 5

We need a Maturity Model

  • An organization’s behavior changes slowly over time
  • Changes must be iterative while working toward long-term goals
  • There is no single recipe that works for all organizations
  • A solution must enable risk-based choices tailored to the organization
  • Guidance related to security activities must be prescriptive
  • A solution must provide enough details for non-security people
  • Overall, must be simple, well-defined, and measurable

OWASP Software Assurance Maturity Model (SAMM)


https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model

SLIDE 6

SAMM Security Practices

  • For each of the Business Functions, 3 Security Practices are defined
  • The Security Practices cover all areas relevant to software security assurance
  • Each one is a ‘silo’ for improvement


SLIDE 7

Under each Security Practice

  • Three successive Objectives under each Practice define how it can be improved over time
  • This establishes a notion of a Level at which an organization fulfills a given Practice
  • The three Levels for a Practice generally correspond to:
    • (0: Implicit starting point with the Practice unfulfilled)
    • 1: Initial understanding and ad hoc provision of the Practice
    • 2: Increase efficiency and/or effectiveness of the Practice
    • 3: Comprehensive mastery of the Practice at scale


SLIDE 8

Per Level, SAMM defines...

  • Objective
  • Activities
  • Results
  • Success Metrics
  • Costs
  • Personnel
  • Related Levels


SLIDE 9

Strategy & Metrics


SLIDE 10

Policy & Compliance


SLIDE 11

Education & Guidance


SLIDE 12

Education & Guidance

Resources:

  • OWASP Top 10
  • OWASP Education
  • WebGoat

“Give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime.” (Chinese proverb)


https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
https://www.owasp.org/index.php/Category:OWASP_Education_Project
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

SLIDE 13

OWASP Cheat Sheets


https://www.owasp.org/index.php/Cheat_Sheets

SLIDE 14

Threat Assessment


SLIDE 15

Security Requirements


SLIDE 16

Secure Coding Practices Quick Reference Guide

  • Technology agnostic coding practices
  • What to do, not how to do it
  • Compact, but comprehensive checklist format
  • Focuses on secure coding requirements, rather than on vulnerabilities and exploits
  • Includes a cross-referenced glossary to get developers and security folks talking the same language


https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide

SLIDE 17

Secure Architecture


SLIDE 18

The OWASP Enterprise Security API

[Diagram: the custom enterprise web application calls the Enterprise Security API, which in turn sits on top of the existing enterprise security services/libraries.]

ESAPI components: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration


https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

SLIDE 19

Design Review


SLIDE 20

Code Review


SLIDE 21

Code Review

Resources:

  • OWASP Code Review Guide

SDL Integration:

  • Multiple reviews defined as deliverables in your SDLC
  • Structured, repeatable process with management support
  • Reviews are exit criteria for the development and test phases


https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project

SLIDE 22

Code review tooling

Code review tools:

  • OWASP LAPSE (security scanner for Java EE applications)
  • MS FxCop / CAT.NET (Code Analysis Tool for .NET)
  • Agnitio (open source manual source code review support tool)


https://www.owasp.org/index.php/OWASP_LAPSE_Project
http://www.microsoft.com/security/sdl/discover/implementation.aspx
http://agnitiotool.sourceforge.net/

SLIDE 23

Security Testing


SLIDE 24

Security Testing

Resources:

  • OWASP ASVS
  • OWASP Testing Guide

SDL Integration:

  • Integrate dynamic security testing as part of your test cycles
  • Derive test cases from the security requirements that apply
  • Check business logic soundness as well as common vulnerabilities
  • Review results with stakeholders prior to release


https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
https://www.owasp.org/index.php/OWASP_Testing_Project

SLIDE 25

Security Testing

  • Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications
  • Provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually

Features:

  • Intercepting proxy
  • Automated scanner
  • Passive scanner
  • Brute force scanner
  • Spider
  • Fuzzer
  • Port scanner
  • Dynamic SSL Certificates
  • API
  • Beanshell integration


https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

SLIDE 26

Vulnerability Management


SLIDE 27

Environment Hardening


SLIDE 28

Web Application Firewalls

[Diagram: the web client (browser) sends both legitimate and malicious web traffic over port 80; it passes the network firewall and reaches the Web Application Firewall placed in front of the web server.]

ModSecurity: world’s no. 1 open source Web Application Firewall, www.modsecurity.org

  • HTTP Traffic Logging
  • Real-Time Monitoring and Attack Detection
  • Attack Prevention and Just-in-time Patching
  • Flexible Rule Engine
  • Embedded Deployment (Apache, IIS7 and Nginx)
  • Network-Based Deployment (reverse proxy)

OWASP ModSecurity Core Rule Set Project, generic, plug-n-play set of WAF rules


https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

SLIDE 29

Operational Enablement


SLIDE 30

150+ OWASP Projects

PROTECT
  • Tools: AntiSamy Java/.NET, Enterprise Security API (ESAPI), ModSecurity Core Rule Set Project
  • Docs: Development Guide, .NET, Ruby on Rails Security Guide, Secure Coding Practices - Quick Reference Guide

DETECT
  • Tools: JBroFuzz, Live CD, WebScarab, Zed Attack Proxy
  • Docs: Application Security Verification Standard, Code Review Guide, Testing Guide, Top Ten Project

LIFE CYCLE
  • SAMM, WebGoat, Legal Project

SLIDE 31

Get started

Step 1: questionnaire as-is
Step 2: define your maturity goal
Step 3: define phased roadmap


SLIDE 32

Conducting assessments

SAMM includes assessment worksheets for each Security Practice


SLIDE 33

Assessment process

Supports both lightweight and detailed assessments


SLIDE 34

Creating Scorecards

  • Gap analysis: capturing scores from detailed assessments versus expected performance levels
  • Demonstrating improvement: capturing scores from before and after an iteration of assurance program build-out
  • Ongoing measurement: capturing scores over consistent time frames for an assurance program that is already in place
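A worked version of the three "Get started" steps and of the scorecard uses above, as an added example that is not part of this deck or the OpenSAMM project: it assumes the 12 Security Practices named in the deck and the Levels 0-3 of slide 7, uses constructed sample scores, and the pacing rule in phased_roadmap (at most one Level per phase) is this example's own, not SAMM's.

```python
# Added example, not code from the OpenSAMM project: scorecard helper for
# step 1 (as-is scores), step 2 (maturity goal) and step 3 (phased roadmap).
# Practices are the 12 in the deck; Levels 0-3 follow slide 7.

PRACTICES = [
    "Strategy & Metrics", "Policy & Compliance", "Education & Guidance",
    "Threat Assessment", "Security Requirements", "Secure Architecture",
    "Design Review", "Code Review", "Security Testing",
    "Vulnerability Management", "Environment Hardening", "Operational Enablement",
]
LEVELS = range(4)  # 0 = implicit starting point ... 3 = comprehensive mastery

# Constructed sample answers to the as-is questionnaire (step 1) and a
# chosen maturity goal (step 2), given in PRACTICES order.
SAMPLE_CURRENT = dict(zip(PRACTICES, [1, 0, 1, 0, 1, 1, 0, 1, 1, 1, 2, 0]))
SAMPLE_TARGET = dict(zip(PRACTICES, [2, 1, 2, 1, 2, 2, 1, 2, 2, 2, 2, 1]))

def validate(scores):
    """Reject a scorecard that misses a practice or uses a Level outside 0-3."""
    missing = set(PRACTICES) - set(scores)
    if missing:
        raise ValueError(f"unscored practices: {sorted(missing)}")
    bad = {p: lvl for p, lvl in scores.items() if lvl not in LEVELS}
    if bad:
        raise ValueError(f"levels outside 0-3: {bad}")
    return scores

def gap_analysis(current, target):
    """Gap analysis: Levels still to gain per practice (0 where already met)."""
    validate(current); validate(target)
    return {p: max(target[p] - current[p], 0) for p in PRACTICES}

def improvement(before, after):
    """Demonstrating improvement: Level change per practice between two
    assessments; a negative value flags a regression worth investigating."""
    validate(before); validate(after)
    return {p: after[p] - before[p] for p in PRACTICES}

def phased_roadmap(current, target, phases):
    """Step 3: spread the gaps over `phases` iterations, climbing at most one
    Level per phase (this example's rule), so the last phase meets the target."""
    gaps = gap_analysis(current, target)
    if phases < max(gaps.values()):
        raise ValueError(f"need at least {max(gaps.values())} phases")
    return [{p: current[p] + min(i, gaps[p]) for p in PRACTICES}
            for i in range(1, phases + 1)]
```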


SLIDE 35

Roadmap templates

  • To make the “building blocks” usable, SAMM defines Roadmap templates for typical kinds of organizations:
    • Independent Software Vendors
    • Online Service Providers
    • Financial Services Organizations
    • Government Organizations
  • Tune these to your own targets / speed


SLIDE 36

SAMM Resources

www.opensamm.org

  • Presentations
  • Tools
  • Assessment worksheets / templates
  • Roadmap templates
  • Scorecard chart generation
  • Translations (Spanish / Japanese)
  • SAMM mappings to ISO/IEC 27034 / BSIMM


SLIDE 37

Critical Success Factors

  • Get initiative buy-in from all stakeholders
  • Adopt a risk-based approach
  • Awareness / education is the foundation
  • Integrate security in your development / acquisition and deployment processes

  • Provide management visibility


SLIDE 38

Project Roadmap

Build the SAMM community:

  • List of SAMM adopters
  • Workshops at AppSecEU and AppSecUSA

V1.1:

  • Incorporate tools / guidance / OWASP projects
  • Revamp SAMM wiki

V2.0:

  • Revise scoring model
  • Model revision necessary? (12 practices, 3 levels, ...)
  • Application to agile
  • Roadmap planning: how to measure effort?
  • Presentations & teaching material


SLIDE 39

Get involved

  • Use and donate back!
  • Attend OWASP chapter meetings and conferences
  • Support OWASP: become a personal/company member

https://www.owasp.org/index.php/Membership

SLIDE 40

Q&A

SLIDE 41

Global AppSec EMEA 2013

  • Aug. 20, 2013 - Aug. 23, 2013
  • Hamburg, Germany

SLIDE 42

BeNeLux 2013

  • 28-29 November 2013
  • One day of trainings
  • One day conference
  • The Netherlands - Amsterdam


SLIDE 43

Thank you

  • @sebadele
  • seba@owasp.org
  • seba@deleersnyder.eu
  • www.linkedin.com/in/sebadele