• No results found

OpenSAMM Software Assurance Maturity Model

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "OpenSAMM Software Assurance Maturity Model"

Copied!
43
0
0

Loading.... (view fulltext now)

Download now ( 43 Page )

Full text

(1)

The OWASP Foundation

http://www.owasp.org

OpenSAMM

Software Assurance Maturity Model

Seba Deleersnyder

[email protected]

OWASP Foundation Board Member OWASP Belgium Chapter Leader

SAMM project co-leader

Libre Software Meeting Brussels 10-July-2013

(2)

The OWASP Foundation

http://www.owasp.org

OWASP World

OWASP is a worldwide free and

open community focused on improving the security of application software.

Our mission is to make

application security visible so that people and organizations can make informed decisions about application security risks.

Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

The OWASP Foundation is a not-for-profit charitable organization that ensures the ongoing

availability and support for our work.

(3)

The web application security challenge

Fire w all Hardened OS Web Server App Server Fire w all Da ta bases Le ga cy Sy st ems W eb Serv ices Direct ories Human Re srcs Bill ing Custom Developed Application Code APPLICATION ATTACK

You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks

Ne tw ork Lay er Application Lay er

Your security “perimeter” has huge holes at the application layer

(4)

“Build in” software assurance

4

Design Build Test Production

vulnerability scanning -WAF security testing dynamic test tools coding guidelines code reviews static test tools security

requirements / threat modeling

reactive proactive

Secure Development Lifecycle (SAMM)

D B T P

(5)

We need a Maturity Model

An organization’s behavior changes slowly over time Changes must be iterative while working toward long-term goals There is no single recipe that

works for all organizations A solution must enable risk-based choices tailored to the organization Guidance related to security activities must be prescriptive A solution must provide enough details for non-security-people Overall, must be simple, well-defined, and measurable OWASP Software Assurance Maturity Model (SAMM) D B T P SAMM https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model

(6)

SAMM Security Practices

• From each of the Business Functions, 3 Security Practices are defined

• The Security Practices cover all areas relevant to software security assurance

• Each one is a ‘silo’ for improvement

D B T P

(7)

Under each Security

Practice

• Three successive Objectives under each Practice define how it

can be improved over time

• This establishes a notion of a Level at which an organization

fulfills a given Practice

• The three Levels for a Practice generally correspond to:

• (0: Implicit starting point with the Practice unfulfilled)

• 1: Initial understanding and ad hoc provision of the Practice

• 2: Increase efficiency and/or effectiveness of the Practice

• 3: Comprehensive mastery of the Practice at scale

D B T P

(8)

Per Level, SAMM defines...

• Objective

• Activities

• Results

• Success Metrics

• Costs

• Personnel

• Related Levels

D B T P SAMM
(9)

Strategy & Metrics

9

D B T P

(10)

Policy & Compliance

1 0

D B T P

(11)

Education & Guidance

1 1

D B T P

(12)

Education & Guidance

Resources:

OWASP Top 10

OWASP Education

WebGoat

Give a man a fish and you feed him for a day;

Teach a man to fish and you feed him for a lifetime. Chinese proverb D B T P SAMM https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project https://www.owasp.org/index.php/Category:OWASP_Education_Project https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

(13)

OWASP Cheat Sheets

D B T P

SAMM

(14)

Threat Assessment

1 4

D B T P

(15)

Security Requirements

1 5

D B T P

(16)

Secure Coding Practices Quick

Reference Guide

• Technology agnostic coding practices • What to do, not how to do it

• Compact, but comprehensive checklist format

• Focuses on secure coding requirements, rather then on vulnerabilities and exploits • Includes a cross referenced glossary to get

developers and security folks talking the same language

D B T P

SAMM

(17)

Secure Architecture

1 7

D B T P

(18)

The OWASP Enterprise Security API

Custom Enterprise Web Application

Enterprise Security API

Authe ntic ator User Acce ssCo ntrolle r Acce ssRe feren ceMap V alid ator Enco der HTTPUtilit ies Encry ptor Encry pted Propertie s Rando miz er Exce ptio n Han dlin g Logger Intrus ionDe tec tor Secu rity Config uratio n

Existing Enterprise Security Services/Libraries

D B T P

SAMM

(19)

Design Review

1 9

D B T P

(20)

Code Review

2 0

D B T P

(21)

Code Review

Resources:

• OWASP Code Review Guide

SDL Integration:

• Multiple reviews defined as deliverables in your SDLC

• Structured, repeatable process with management support • Reviews are exit criteria for the development and test phases

D B T P

SAMM

(22)

Code review tooling

Code review tools:

OWASP LAPSE (Security scanner for Java EE Applications)

MS FxCop / CAT.NET (Code Analysis Tool for .NET)

Agnitio (open source Manual source code review support tool) D B T P SAMM https://www.owasp.org/index.php/OWASP_LAPSE_Project http://www.microsoft.com/security/sdl/discover/implementation.aspx http://agnitiotool.sourceforge.net/

(23)

Security Testing

2 3

D B T P

(24)

Security Testing

Resources:

OWASP ASVS

OWASP Testing Guide

SDL Integration:

• Integrate dynamic security testing as part of you test cycles • Derive test cases from the security requirements that apply • Check business logic soundness as well as common

vulnerabilities

• Review results with stakeholders prior to release

D B T P

SAMM

https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project https://www.owasp.org/index.php/OWASP_Testing_Project

(25)

Security Testing

• Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications

• Provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually

Features:

• Intercepting proxy • Automated scanner • Passive scanner • Brute force scanner • Spider • Fuzzer • Port scanner • Dynamic SSL Certificates • API • Beanshell integration D B T P SAMM https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

(26)

Vulnerability Management

2 6

D B T P

(27)

Environment Hardening

2 7

D B T P

(28)

Web Application Firewalls

Network Firewall Web Application Firewall Web Server Web client (browser)

Malicious web traffic Legitimate web traffic

Port 80

ModSecurity: Worlds No 1 open source Web Application Firewall www.modsecurity.org

• HTTP Traffic Logging

• Real-Time Monitoring and Attack Detection • Attack Prevention and Just-in-time Patching • Flexible Rule Engine

• Embedded Deployment (Apache, IIS7 and Nginx) • Network-Based Deployment (reverse proxy)

OWASP ModSecurity Core Rule Set Project, generic, plug-n-play set of WAF rules

D B T P

SAMM

(29)

Operational Enablement

2 9

D B T P

(30)

150+ OWASP Projects

PROTECT

Tools: AntiSamy Java/:NET, Enterprise Security API (ESAPI), ModSecurity Core Rule Set Project

Docs: Development Guide, .NET, Ruby on Rails Security Guide, Secure Coding Practices - Quick Reference Guide

DETECT

Tools: JBroFuzz, Lice CD, WebScarab, Zed Attack Proxy

Docs: Application Security Verification Standard, Code Review Guide, Testing Guide, Top Ten Project

LIFE CYCLE

(31)

Get started

Step 1:

questionnaire

as-is

Step 2: define

your maturity

goal

Step 3: define

phased

roadmap

D B T P SAMM
(32)

Conducting assessments

SAMM includes assessment worksheets

for each Security Practice

D B T P

(33)

Assessment process

Supports both lightweight and detailed

assessments

D B T P

(34)

Creating Scorecards

• Gap analysis

• Capturing scores from detailed assessments versus expected performance levels

• Demonstrating improvement

• Capturing scores from before and after an iteration of assurance

program build-out • Ongoing measurement

• Capturing scores over consistent time frames for an assurance program that is already in place

D B T P

(35)

Roadmap templates

• To make the “building blocks” usable, SAMM

defines Roadmaps templates for typical kinds of organizations

• Independent Software Vendors • Online Service Providers

• Financial Services Organizations • Government Organizations

• Tune these to your own targets / speed

D B T P

(36)

SAMM Resources

www.opensamm.org

• Presentations

• Tools

• Assessment worksheets / templates

• Roadmap templates

• Scorecard chart generation

• Translations (Spanish / Japanese)

• SAMM mappings to ISO/EIC 27034 / BSIMM

3 6

(37)

Critical Success Factors

• Get initiative buy-in from all stakeholders

• Adopt a risk-based approach

• Awareness / education is the foundation

• Integrate security in your development /

acquisition and deployment processes

• Provide management visibility

3 7

(38)

Project Roadmap

Build the SAMM community:

List of SAMM adopters

Workshops at AppSecEU and AppSecUSA

V1.1:

Incorporate tools / guidance / OWASP projects

Revamp SAMM wiki

V2.0:

• Revise scoring model

• Model revision necessary ? (12 practices, 3 levels, ...)

• Application to agile

• Roadmap planning: how to measure effort ?

• Presentations & teaching material

• …

3 8

(39)

Get involved

• Use and donate back!

• Attend OWASP chapter meetings and

conferences

• Support OWASP become

personal/company member

(40)
(41)

Global AppSec EMEA 2013

Aug. 20, 2013 - Aug. 23, 2013

(42)

BeNeLux 2013

28-29 november 2013

One day of trainings

One day conference

The Netherlands - Amsterdam

(43)

Thank you

• @sebadele

[email protected]

[email protected]

References

Download now ( PDF - 43 Page - 4.20 MB )

Related documents

Drilling Fluids Technology

The circulation rate can be increased to minimize the increase in density and viscosity due to the influx of solids, but this will also cause an increase in equivalent

‘Sharing’ the Catholic Faith: How Priests Establish/Maintain Religious Authority on Facebook

In this case, a Catholic priest is able to establish religious authority with new contacts in a new media environment and maintain religious authority by using Facebook to

Negative hyperselection of patients with RAS and BRAF wild-type metastatic colorectal cancer who received panitumumab-based maintenance therapy

anti – epidermal growth factor receptor (EGFR) primary resistance (primary resistance in RAS and BRAF wild- type metastatic colorectal cancer patients treated with anti-EGFR

Saving Our Sisters: Effects of a Computer-Based Version of SISTA on the HIV-Related Behaviors of African American Women

This research study examined the effectiveness of the Sistas Accessing HIV/AIDS Resources At a click (SAHARA) computer-based, behavioral prevention intervention with a population

Understanding supply chain analytics capabilities and agility for data-rich environments

Findings (mandatory): The findings of the study identify supply chain management (i.e., planning, investment, coordination & control), supply chain technology

US Regulatory Stress Testing Implications for Large Banks

• CCAR 2011, has been followed with CCAR 2012 and CCAR 2013 – in alignment with the Dodd Frank Act’s requirements for annual capital adequacy assessment and stress

MicroFIT Connection Application Guidelines

IMPORTANT NOTE - Following the OTC submission to the OPA A Connection Cost Estimate (CCE) document will be sent by email from the Generation Planning Section, once a positive offer

VIRTUAL AVIATION SIMPLE TOOL Privacy Policy [ E N G L I S H ]

Para saber mais sobre seus dados pessoais coletados, os propósitos e assuntos com o qual os dados são compartilhados, entre em contato com o Proprietário.. Proprietário de