
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition



  1. Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition. Chapter 10: Software Assurance Maturity Model

  2. Objectives
  • Appreciate the importance of using an open framework for implementing a security strategy
  • Use the Software Assurance Maturity Model as a basis for software assurance
  • Use a scorecard approach to measure the maturity of an organization’s software assurance program

  3. Overview of the Software Assurance Maturity Model
  • Software assurance is the level of confidence that software functions in the intended manner and is free from vulnerabilities
  • Once an organization decides to meet software assurance goals, the next step is to assess its current development and procurement activities and practices
  • This requires two things:
    • A repeatable and objective assessment process
    • A clear benchmark or target that represents a suitable level of risk management

  4. Understanding the SAMM Framework
  • SAMM was originally developed, designed, and written by Pravir Chandra
  • The first draft was created in August 2008
  • The first official release was in March 2009
  • The document is currently maintained and updated through the OpenSAMM Project
  • The project has become part of the Open Web Application Security Project (OWASP)
  • SAMM is an open model intended to help organizations formulate and implement a software security strategy

  5. Understanding the SAMM Framework
  • Resources provided by SAMM help an organization do the following:
    • Evaluate its existing software security practices
    • Build a balanced software security assurance program in well-defined iterations
    • Demonstrate concrete improvements to a security assurance program
    • Define and measure security activities

  6. Understanding the SAMM Framework
  • SAMM can be used by any organization, regardless of size or software development methods
  • The model can be used to support an entire business or just the needs of an individual project
  • The SAMM framework maps all activities under four business functions
  • Three security practices are mapped to each business function
  • Thus, 12 security practices serve as the basis for assurance improvement

  7. Understanding the SAMM Framework
  • The four business functions:
    • Governance - includes concerns for all groups in development as well as business processes
    • Construction - encompasses the processes and activities related to how an organization defines goals and creates software within development projects
    • Verification - contains the processes and activities related to how an organization checks and tests for errors produced during the development phase
    • Deployment - contains the processes and activities related to how an organization manages software releases


  9. Understanding the SAMM Framework
  • SAMM resembles CoBIT (Control Objectives for Information and Related Technology)
  • In the CoBIT model, security operation maturity levels take a value from 0 to 3:
    • Level 0 - the operation is not applied
    • Level 1 - the organization does not have a systematic approach to security but has a basic-level application
    • Level 2 - the operation is applied at the appropriate maturity level
    • Level 3 - the operation is applied perfectly

  10. Governance Business Function
  • Governance - the process that enables people to make decisions through chains of responsibility, authority, and communications
  • Governance also provides the ability to perform roles using mechanisms such as policy, control, and measurement
  • Governance is not the same as management, although managers do make governance decisions

  11. Governance Business Function
  • Governance increases the likelihood of delivering a successful product by asking:
    • What is the scope being governed?
    • Who has the governing authority, and what format is followed?
    • What are the governance goals?
    • What decision-making rights and communication structure are needed?
    • What policies, procedures, guidelines, controls, and measurements should be used to attain those goals?

  12. Governance Business Function
  • The outcome of the governance business function provides the basis for:
    • Mandating an organization’s software assurance strategy
    • Establishing metrics to measure the success of that strategy
  • Policies are developed to complement the strategy
  • Audits are performed to ensure compliance with the policies
  • Education is provided to teach employees about relevant security topics


  14. Strategy & Metrics Practice
  • Strategy and metrics practice - defines an underlying framework for an organization’s software security assurance program
  • Establishing this practice should be an organization’s first step in defining security goals
  • Protection strategies include:
    • Principles enacted by policies and procedures that state the requirements and risk tolerances for the database
    • Clear assignment of roles and responsibilities, periodic training, and financial incentives for staff

  15. Strategy & Metrics Practice
  • Protection strategies include (cont’d):
    • An infrastructure architecture that fulfills security requirements, meets risk tolerances, and implements effective controls
    • Periodic review of all new and upgraded technologies
    • Regular review and monitoring of relevant processes, performance indicators, and performance measures
    • Regular review of new and emerging threats
    • Regular audits of relevant controls

  16. Strategy & Metrics Practice
  • Effectively achieving and sustaining security is a continuous process
  • Processes to plan, monitor, review, document, and update an organization’s security state must be ongoing
  • SAMM suggests that organizations begin by implementing “lightweight” risk profiles
  • More advanced security measures may later be applied that gradually lead to road maps toward greater efficiency in the security program

  17. Policy & Compliance Practice
  • The policy and compliance process has two purposes:
    • To understand and meet external legal and regulatory requirements
    • To develop and implement internal security policies to ensure alignment with the organization’s overall mission and vision
  • Requirements of this practice include audits to gather information about project-level activities and ensure policy compliance

  18. Education & Guidance Practice
  • This practice ensures that the appropriate staff receive the knowledge and resources needed to design, develop, and deploy secure software
  • Participants on project teams are better prepared to identify and reduce or eliminate security risks
  • This practice defines activities for preparing a formal set of security guidelines as a reference for project teams

  19. Construction Business Function
  • Construction: a business function that encompasses more than just the activities of software coding and testing
  • Construction also includes project management, requirements gathering, high-level architecture specification, detailed design, and implementation

  20. Construction Business Function
  • Security practices applied at this level include:
    • Threat assessment - identifies potential attacks against the organization’s software, to help identify risks and improve the ability to manage them
    • Security requirements - enforces the practice of including security requirements during the software development process
    • Secure architecture - improves the software design process by promoting secure-by-default designs and greater control over the technologies and processes from which software is built


  22. Threat Assessment Practice
  • This practice contains activities that help an organization identify and understand project-level risks
  • Risks are based on the functionality of the software being designed and developed, and on the characteristics of the software’s operating environment
  • An organization should start with simple threat models and gradually develop more detailed methods of threat analysis and measurement

  23. Security Requirements Practice
  • This practice focuses on identifying and documenting software security requirements
  • Security requirements are initially gathered based on the high-level business purpose of the software
  • As the organization progresses, it can use more advanced techniques, such as access control specifications, to discover new security requirements
  • An organization should map its security requirements into its relationships with suppliers

  24. Secure Architecture Practice
  • This practice defines the roles of an organization that strives to design and build secure software as part of its standard development process
  • Some security risks can be reduced by integrating reusable components and services into the software design process
  • By beginning with simple implementations of software frameworks and secure design principles, an organization naturally evolves toward consistent use of design patterns for its security functions

  25. Verification Business Function
  • The purpose of verification is to determine whether the products of a software activity fulfill the requirements or conditions imposed on them in a previous activity of the lifecycle model
  • Security practices defined at this level are:
    • Design review
    • Code review
    • Security testing


  27. Design Review Practice
  • Design review defines activities that aim to identify and assess software design and architecture for security problems
  • Activities for this practice allow an organization to detect architecture-level issues early in software development
  • This avoids potentially large costs from revisiting earlier lifecycle processes as a result of security concerns

  28. Code Review Practice
  • Code review focuses on activities that are normally performed by the programmers of a project team
  • This practice emphasizes software inspection at the source-code level to find security vulnerabilities, typically found through unit testing
  • An organization uses checklists that correspond to previously developed and documented test cases

  29. Security Testing Practice
  • Security testing focuses on inspecting software in the runtime environment to find security problems
  • It is performed through penetration testing and high-level test cases
  • These activities strengthen the assurance case for software by checking it under real-world conditions
  • Doing so draws attention to mistakes in business logic that are difficult to find otherwise

  30. Deployment Business Function
  • Software deployment is a large and complex task
  • It creates new challenges in the areas of release, installation, activation, deactivation, updates, and removal of components
  • Security practices defined by SAMM’s deployment business function:
    • Vulnerability management
    • Environment hardening
    • Operational enablement


  32. Vulnerability Management Practice
  • This practice focuses on the activities of an organization with respect to handling vulnerability reports and security incidents
  • With this framework in place, organizations can run projects more consistently and handle security events with increased efficiency
  • A key to successful vulnerability management is to understand the role each person plays in a security incident, and to effectively identify and handle vulnerabilities through reporting procedures

  33. Environment Hardening Practice
  • This practice helps an organization build assurance for its software’s operating environment
  • There is a new obstacle in building assurance into “as-a-service” architectures, which have become popular with the emergence of cloud computing solutions
  • The best starting point for hardening the environment is to track and distribute information to keep development teams informed
  • Use scalable methods for deploying security patches and early-warning detectors

  34. Operational Enablement Practice
  • The focus of this practice is to keep software users and operators informed
  • It is suggested to avoid overwritten documentation with a lot of technical jargon
  • Start with simple documentation that captures the most important details for users and operators

  35. Applying SAMM: Getting the Job Done
  • IT managers must be able to implement and manage the success of each business function and security practice
  • Using scorecards, an organization can demonstrate its improvement through a process of integrating software assurance into existing company policies and procedures
  • An organization can use SAMM as a road map to assist in building or improving a security assurance initiative

  36. Understanding the Maturity Levels
  • Each level within the 12 security practices has an assigned objective
  • The objective is a general statement of goals for achieving that level
  • The objectives at each level are attained by successful completion of activities defined by SAMM
  • SAMM characterizes capabilities and deliverables as “results” obtained by achieving the given level
  • SAMM provides specific example benchmarks that it calls success metrics

  37. Understanding the Maturity Levels
  • Choices for data collection and management are left to the organization
  • The model does recommend data sources and thresholds
  • The model provides information on expenses an organization may incur by attaining a given level
  • These costs are not exhaustive; additional expenses are possible depending on how the security practice is performed within the organization

  38. Understanding the Maturity Levels
  • SAMM identifies seven IT job functions that can affect the success of software assurance:
    • Developers
    • Architects
    • Managers
    • QA testers
    • Security auditors
    • Business owners
    • Support operations

  39. SAMM Approach to Assessment
  • To perform an assessment, an organization must establish a set of well-defined benchmarks (or metrics), and then adopt and perform a measurement process against those benchmarks
  • SAMM uses a set of predefined worksheets that serve as a starting point for determining the efficiency of each security practice being performed


  41. SAMM Approach to Assessment
  • Each worksheet is evaluated based on one of two recommended approaches:
    • Lightweight - the worksheets are evaluated for each practice and scores are assigned based on the answers
    • Detailed - the worksheets are evaluated for each practice, followed by additional audits to ensure the activities defined for that practice are in place

  42. SAMM Approach to Assessment
  • An organization might fall within level 2 of a particular practice but perform other activities that are not substantial enough to achieve level 3
  • In those cases, the score should be annotated with a + symbol to indicate that additional assurances are in place beyond the level obtained
  • Organizations could end up with a maturity level score of 1, 1+, 2, 2+, 3, or 3+

  43. Using Scorecards to Measure Success
  • Using interval scorecards is encouraged in several situations, according to the 2009 version of SAMM:
    • Gap analysis - capturing scores from detailed assessments versus expected performance levels
    • Demonstrating improvement - capturing scores from before and after an iteration of the assurance program’s roll-out
    • Ongoing measurement - capturing scores over consistent time frames for an assurance program that is already in place
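The worksheet scoring and scorecard uses described on slides 41 to 43 (a per-practice level with a "+" annotation, gap analysis against expected levels, and demonstrating improvement between two assessment rounds), modelled as an added Python example that is not part of the textbook or of OpenSAMM. It assumes the scoring rule stated in its docstring, two activities per level, constructed worksheet answers and target levels of its own, and it also allows a score of 0 or 0+, which the slides do not list.

```python
"""Illustrative SAMM-style scorecard (added example, not OpenSAMM's tooling).
Assumed rule (slides 41-43): a practice reaches level N when every activity of
levels 1..N is performed; '+' is added when only some level-N+1 activities are."""
from dataclasses import dataclass

# The four business functions and their three practices, as named on the slides.
BUSINESS_FUNCTIONS = {
    "Governance": ["Strategy & Metrics", "Policy & Compliance", "Education & Guidance"],
    "Construction": ["Threat Assessment", "Security Requirements", "Secure Architecture"],
    "Verification": ["Design Review", "Code Review", "Security Testing"],
    "Deployment": ["Vulnerability Management", "Environment Hardening", "Operational Enablement"],
}

@dataclass
class Worksheet:
    """Constructed worksheet: per maturity level, one yes/no answer per activity."""
    practice: str
    answers: dict  # {level: [bool, ...]}; two activities per level is a sample assumption

def score_practice(ws: Worksheet) -> str:
    """Return a score such as '2+' from one practice's worksheet answers."""
    level = 0
    for lvl in (1, 2, 3):
        done = ws.answers.get(lvl, [])
        if done and all(done):
            level = lvl  # every activity at this level is in place
        else:
            break  # levels must be attained in order
    nxt = ws.answers.get(level + 1, [])
    plus = any(nxt) and not all(nxt)  # partial progress toward the next level
    return f"{level}{'+' if plus else ''}"

def numeric(score: str) -> float:
    """Map '2+' to 2.5 so partial progress is visible in comparisons."""
    return int(score.rstrip("+")) + (0.5 if score.endswith("+") else 0.0)

def build_scorecard(worksheets) -> dict:
    """Group practice scores by business function; unassessed practices score '0'."""
    scores = {ws.practice: score_practice(ws) for ws in worksheets}
    return {bf: {p: scores.get(p, "0") for p in practices}
            for bf, practices in BUSINESS_FUNCTIONS.items()}

def flatten(scorecard: dict) -> dict:
    """Reduce {function: {practice: score}} to {practice: numeric score}."""
    return {p: numeric(s) for bf in scorecard.values() for p, s in bf.items()}

def gap_analysis(scorecard: dict, targets: dict) -> dict:
    """Gap analysis: how far each practice falls short of its expected level."""
    return {p: targets[p] - v for p, v in flatten(scorecard).items()
            if p in targets and v < targets[p]}

def improvement(before: dict, after: dict) -> dict:
    """Demonstrating improvement: score change per practice between two iterations."""
    b, a = flatten(before), flatten(after)
    return {p: a[p] - b[p] for p in b if a[p] != b[p]}

# Constructed sample worksheets for two assessment rounds (all other practices unassessed).
ROUND_1 = [
    Worksheet("Code Review", {1: [True, True], 2: [True, True], 3: [True, False]}),
    Worksheet("Security Testing", {1: [True, True], 2: [True, True], 3: [True, True]}),
    Worksheet("Threat Assessment", {1: [True, False]}),
]
ROUND_2 = ROUND_1[:2] + [Worksheet("Threat Assessment", {1: [True, True], 2: [False, False]})]
TARGETS = {"Code Review": 3, "Security Testing": 3, "Threat Assessment": 2}
```

Calling build_scorecard(ROUND_2) gives Code Review "2+", Security Testing "3" and Threat Assessment "1"; gap_analysis against TARGETS reports the shortfalls for Code Review and Threat Assessment, and improvement between the rounds shows only Threat Assessment moving, from "0+" to "1".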

  44. Summary
  • The Software Assurance Maturity Model (SAMM) is an open framework for formulating and implementing a software security strategy that is specifically tailored to an organization’s risks
  • The resources provided by SAMM help an organization evaluate its existing software security practices, build a balanced software security assurance program in well-defined iterations, demonstrate concrete improvements to a security assurance program, and define and measure security activities throughout the organization

  45. Summary
  • SAMM was defined with flexibility in mind so it can be used by any organization, regardless of its size or style of software development
  • A software security framework must be flexible and allow organizations to tailor their choices based on risk tolerance and the way they build and use software
  • Guidance related to security activities must be prescriptive
  • SAMM’s foundation is built on the core business functions of software development and the security practices associated with each
