
OpenSAMM Software Assurance Maturity Model

OpenSAMM Software Assurance Maturity Model. Seba Deleersnyder seba@owasp.org OWASP Foundation Board Member OWASP Belgium Chapter Leader SAMM project co-leader. OWASP Czech Republic Chapter Meeting. The web application security challenge.


Presentation Transcript


  1. OpenSAMM Software Assurance Maturity Model
     Seba Deleersnyder, seba@owasp.org
     OWASP Foundation Board Member, OWASP Belgium Chapter Leader, SAMM project co-leader
     OWASP Czech Republic Chapter Meeting

  2. The web application security challenge
     Your security “perimeter” has huge holes at the application layer.
     [Diagram: application layer (custom developed application code, databases, legacy systems, web services, directories, human resources, billing) on top of app server, web server and hardened OS; an application attack passes straight through the network-layer firewalls]
     You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks.

  3. Secure Development Lifecycle (SAMM): “Build in” software assurance
     [Diagram: measures ordered from proactive to reactive across the lifecycle phases]
     • Design: security requirements / threat modeling
     • Build: coding guidelines, code reviews, static test tools
     • Test: security testing, dynamic test tools
     • Production: vulnerability scanning, WAF

  4. CLASP
     • Comprehensive, Lightweight Application Security Process
     • Centered around 7 AppSec Best Practices
     • Covers the entire software lifecycle (not just development)
     • Adaptable to any development process
     • Defines roles across the SDLC
     • 24 role-based process components
     • Start small and dial in to your needs

  5. Microsoft SDL
     • Built internally for MS software
     • Extended and made public for others
     • MS-only versions since public release

  6. Touchpoints
     • Gary McGraw’s and Cigital’s model

  7. BSIMM
     • Gary McGraw’s and Cigital’s model
     • Quantifies activities of software security initiatives of 51 firms
     • Derived from SAMM beta
     [Figure: BSIMM – OpenSAMM mapping]

  8. Lessons Learned
     • Microsoft SDL: heavyweight, good for large ISVs
     • Touchpoints: high-level, not enough details to execute against
     • BSIMM: stats, but what to do with them?
     • CLASP: large collection of activities, but no priority ordering
     • ALL: good for experts to use as a guide, but hard for non-security folks to use off the shelf

  9. We need a Maturity Model
     https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model

  10. SAMM Security Practices
     • From each of the Business Functions, 3 Security Practices are defined
     • The Security Practices cover all areas relevant to software security assurance
     • Each one is a ‘silo’ for improvement

  11. Under each Security Practice
     • Three successive Objectives under each Practice define how it can be improved over time
     • This establishes a notion of a Level at which an organization fulfills a given Practice
     • The three Levels for a Practice generally correspond to:
       • (0: Implicit starting point with the Practice unfulfilled)
       • 1: Initial understanding and ad hoc provision of the Practice
       • 2: Increase efficiency and/or effectiveness of the Practice
       • 3: Comprehensive mastery of the Practice at scale

  12. Per Level, SAMM defines...
     • Objective
     • Activities
     • Results
     • Success Metrics
     • Costs
     • Personnel
     • Related Levels

  13. Strategy & Metrics

  14. Policy & Compliance

  15. Education & Guidance

  16. Education & Guidance
     “Give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime.” (Chinese proverb)
     • Resources:
       • OWASP Top 10: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
       • OWASP Education: https://www.owasp.org/index.php/Category:OWASP_Education_Project
       • WebGoat: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

  17. OWASP Cheat Sheets
     Developer Cheat Sheets (Builder):
     • Authentication Cheat Sheet
     • Choosing and Using Security Questions Cheat Sheet
     • Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
     • Cryptographic Storage Cheat Sheet
     • DOM based XSS Prevention Cheat Sheet
     • Forgot Password Cheat Sheet
     • HTML5 Security Cheat Sheet
     • Input Validation Cheat Sheet
     • JAAS Cheat Sheet
     • Logging Cheat Sheet
     • OWASP Top Ten Cheat Sheet
     • Query Parameterization Cheat Sheet
     • Session Management Cheat Sheet
     • SQL Injection Prevention Cheat Sheet
     • Transport Layer Protection Cheat Sheet
     • Web Service Security Cheat Sheet
     • XSS (Cross Site Scripting) Prevention Cheat Sheet
     • User Privacy Protection Cheat Sheet
     Assessment Cheat Sheets (Breaker):
     • Attack Surface Analysis Cheat Sheet
     • XSS Filter Evasion Cheat Sheet
     Mobile Cheat Sheets:
     • iOS Developer Cheat Sheet
     • Mobile Jailbreaking Cheat Sheet
     Draft Cheat Sheets:
     • Access Control Cheat Sheet
     • Application Security Architecture Cheat Sheet
     • Clickjacking Cheat Sheet
     • Password Storage Cheat Sheet
     • PHP Security Cheat Sheet
     • REST Security Cheat Sheet
     • Secure Coding Cheat Sheet
     • Secure SDLC Cheat Sheet
     • Threat Modeling Cheat Sheet
     • Virtual Patching Cheat Sheet
     • Web Application Security Testing Cheat Sheet
     https://www.owasp.org/index.php/Cheat_Sheets

  18. Threat Assessment

  19. Security Requirements

  20. Secure Coding Practices Quick Reference Guide
     • Technology agnostic coding practices
     • What to do, not how to do it
     • Compact, but comprehensive checklist format
     • Focuses on secure coding requirements, rather than on vulnerabilities and exploits
     • Includes a cross referenced glossary to get developers and security folks talking the same language
     https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide

  21. Secure Architecture

  22. Existing Enterprise Security Services/Libraries
     The OWASP Enterprise Security API
     https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

  23. Design Review

  24. Code Review

  25. Code Review
     • Resources:
       • OWASP Code Review Guide: https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
     • SDL Integration:
       • Multiple reviews defined as deliverables in your SDLC
       • Structured, repeatable process with management support
       • Reviews are exit criteria for the development and test phases

  26. Code review tooling
     • Code review tools:
       • OWASP LAPSE (Security scanner for Java EE Applications): https://www.owasp.org/index.php/OWASP_LAPSE_Project
       • MS FxCop / CAT.NET (Code Analysis Tool for .NET): http://www.microsoft.com/security/sdl/discover/implementation.aspx
       • Agnitio (open source manual source code review support tool): http://agnitiotool.sourceforge.net/

  27. Security Testing

  28. Security Testing
     • SDL Integration:
       • Integrate dynamic security testing as part of your test cycles
       • Derive test cases from the security requirements that apply
       • Check business logic soundness as well as common vulnerabilities
       • Review results with stakeholders prior to release
     • Resources:
       • OWASP ASVS: https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
       • OWASP Testing Guide: https://www.owasp.org/index.php/OWASP_Testing_Project

  29. Security Testing
     • Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications
     • Provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually
     • Features:
       • Intercepting proxy
       • Automated scanner
       • Passive scanner
       • Brute force scanner
       • Spider
       • Fuzzer
       • Port scanner
       • Dynamic SSL Certificates
       • API
       • Beanshell integration
     https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

  30. Vulnerability Management

  31. Environment Hardening

  32. Web Application Firewalls
     ModSecurity: World’s No. 1 open source Web Application Firewall (www.modsecurity.org)
     • HTTP Traffic Logging
     • Real-Time Monitoring and Attack Detection
     • Attack Prevention and Just-in-time Patching
     • Flexible Rule Engine
     • Embedded Deployment (Apache, IIS7 and Nginx)
     • Network-Based Deployment (reverse proxy)
     OWASP ModSecurity Core Rule Set Project: generic, plug-n-play set of WAF rules
     https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

  33. Operational Enablement

  34. 150+ OWASP Projects

  35. Mapping Projects / SAMM

  36. Coverage

  37. Get started

  38. Conducting assessments
     • SAMM includes assessment worksheets for each Security Practice

  39. Assessment process
     • Supports both lightweight and detailed assessments

  40. Creating Scorecards
     • Gap analysis: capturing scores from detailed assessments versus expected performance levels
     • Demonstrating improvement: capturing scores from before and after an iteration of assurance program build-out
     • Ongoing measurement: capturing scores over consistent time frames for an assurance program that is already in place
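The following Python is an added example, not code from the slides or from the SAMM project. It models the structure described in slides 10 to 12 (twelve Security Practices, each scored at level 0 to 3) and produces the three kinds of scorecard listed on slide 40: a gap analysis against roadmap targets, an improvement delta between two assessment iterations, and a level series for ongoing measurement. The grouping of the practices into the four business functions Governance, Construction, Verification and Deployment follows SAMM 1.0. The scoring rule (a level counts only when every worksheet question for it and for all lower levels is answered yes), the worksheet answers and the roadmap targets are assumptions constructed for this example.

```python
"""SAMM-style scorecard helpers (added example; scoring rule is an assumption)."""
from typing import Dict, List

# SAMM 1.0 business functions, three practices each. Practice names are the
# ones on the slides; the grouping into business functions follows SAMM 1.0.
BUSINESS_FUNCTIONS: Dict[str, List[str]] = {
    "Governance": ["Strategy & Metrics", "Policy & Compliance", "Education & Guidance"],
    "Construction": ["Threat Assessment", "Security Requirements", "Secure Architecture"],
    "Verification": ["Design Review", "Code Review", "Security Testing"],
    "Deployment": ["Vulnerability Management", "Environment Hardening", "Operational Enablement"],
}
ALL_PRACTICES: List[str] = [p for ps in BUSINESS_FUNCTIONS.values() for p in ps]

# Assessment worksheet answers: practice -> {level: [yes/no per activity question]}
Worksheet = Dict[str, Dict[int, List[bool]]]


def practice_level(answers: Dict[int, List[bool]]) -> int:
    """Assumed scoring rule: a practice sits at the highest level L for which
    every question of levels 1..L was answered yes. Levels are earned in order,
    so a complete level 2 with a missed level-1 question still scores 0."""
    level = 0
    for lvl in (1, 2, 3):
        if answers.get(lvl) and all(answers[lvl]):
            level = lvl
        else:
            break
    return level


def scorecard(sheet: Worksheet) -> Dict[str, int]:
    """Level reached per practice; practices absent from the worksheet score 0."""
    return {p: practice_level(sheet.get(p, {})) for p in ALL_PRACTICES}


def gap_analysis(scores: Dict[str, int], targets: Dict[str, int]) -> Dict[str, int]:
    """Practices below their roadmap target, with the number of levels missing."""
    return {p: targets[p] - scores[p] for p in ALL_PRACTICES if scores[p] < targets.get(p, 0)}


def improvement(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Level delta per practice between two iterations (negative means regression)."""
    return {p: after[p] - before[p] for p in ALL_PRACTICES if after[p] != before[p]}


def function_average(scores: Dict[str, int]) -> Dict[str, float]:
    """Mean practice level per business function, as used for a summary chart."""
    return {f: round(sum(scores[p] for p in ps) / len(ps), 2)
            for f, ps in BUSINESS_FUNCTIONS.items()}


def trend(history: List[Dict[str, int]]) -> Dict[str, List[int]]:
    """Ongoing measurement: one level series per practice across periodic assessments."""
    return {p: [s[p] for s in history] for p in ALL_PRACTICES}


# Constructed worksheet answers for two assessment iterations (not real data).
Q1_SHEET: Worksheet = {
    "Strategy & Metrics": {1: [True, True], 2: [False, True]},   # level 1
    "Education & Guidance": {1: [True, True], 2: [True, True], 3: [False]},  # level 2
    "Code Review": {1: [True]},                                    # level 1
    "Security Testing": {1: [True, True], 2: [True]},              # level 2
    "Secure Architecture": {1: [True, False], 2: [True, True]},   # level 0: level 1 incomplete
}
Q2_SHEET: Worksheet = {
    "Strategy & Metrics": {1: [True, True], 2: [True, True]},     # level 2
    "Education & Guidance": {1: [True, True], 2: [True, True], 3: [False]},  # level 2
    "Code Review": {1: [True], 2: [True, True]},                   # level 2
    "Security Testing": {1: [True, True], 2: [True]},              # level 2
    "Secure Architecture": {1: [True, True], 2: [True, True]},    # level 2
}
# Constructed roadmap phase target: level 1 everywhere, level 2 for three practices.
ROADMAP_TARGET: Dict[str, int] = {p: 1 for p in ALL_PRACTICES}
ROADMAP_TARGET.update({"Education & Guidance": 2, "Code Review": 2, "Security Testing": 2})


if __name__ == "__main__":
    q1, q2 = scorecard(Q1_SHEET), scorecard(Q2_SHEET)
    print("Gap analysis (Q1 vs roadmap):", gap_analysis(q1, ROADMAP_TARGET))
    print("Improvement (Q1 -> Q2):", improvement(q1, q2))
    print("Function averages (Q2):", function_average(q2))
    print("Trend:", trend([q1, q2]))
```

The worksheet for "Secure Architecture" in Q1 is the case worth noticing: its level 2 questions are all answered yes, but one level 1 question is not, so under the assumed rule it scores 0 rather than 2. That matches the idea on slide 11 that the levels are successive objectives, not independent checklists.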

  41. Roadmap templates
     • To make the “building blocks” usable, SAMM defines Roadmap templates for typical kinds of organizations:
       • Independent Software Vendors
       • Online Service Providers
       • Financial Services Organizations
       • Government Organizations
     • Tune these to your own targets / speed

  42. SAMM Resources (www.opensamm.org)
     • Presentations
     • Tools
     • Assessment worksheets / templates
     • Roadmap templates
     • Scorecard chart generation
     • Translations (Spanish / Japanese)
     • SAMM mappings to ISO/IEC 27034 / BSIMM

  43. Critical Success Factors
     • Get initiative buy-in from all stakeholders
     • Adopt a risk-based approach
     • Awareness / education is the foundation
     • Integrate security in your development / acquisition and deployment processes
     • Provide management visibility

  44. Project Roadmap
     • Build the SAMM community:
       • List of SAMM adopters
       • Workshops at AppSecEU and AppSecUSA
     • V1.1:
       • Incorporate tools / guidance / OWASP projects
       • Revamp SAMM wiki
     • V2.0:
       • Revise scoring model
       • Model revision necessary? (12 practices, 3 levels, ...)
       • Application to agile
       • Roadmap planning: how to measure effort?
       • Presentations & teaching material
       • …

  45. Get involved
     • Use and donate back!
     • Attend OWASP chapter meetings and conferences
     • Support OWASP: become a personal/company member, https://www.owasp.org/index.php/Membership

  46. Q&A

  47. Thank you
     • @sebadele
     • seba@owasp.org
     • seba@deleersnyder.eu
     • www.linkedin.com/in/sebadele
