Presentation is loading. Please wait.

Presentation is loading. Please wait.

OpenSAMM Software Assurance Maturity Model Seba Deleersnyder SAMM project co-leaders Pravir Chandra AppSec USA 2014 Project.

Published byBrooke Rix Modified over 9 years ago

Similar presentations

Presentation on theme: "OpenSAMM Software Assurance Maturity Model Seba Deleersnyder SAMM project co-leaders Pravir Chandra AppSec USA 2014 Project."— Presentation transcript:

1 OpenSAMM Software Assurance Maturity Model Seba Deleersnyder seba@owasp.org SAMM project co-leaders Pravir Chandra chandra@list.org AppSec USA 2014 Project Talk

2 Agenda Integrating software assurance OpenSAMM Quick Start OWASP Projects / SAMM activities Resources & Self-Assessment Road Map Forum

3 SAMM users 3 Dell Inc KBC ING Insurance Gotham Digital Science HP Fortify ISG...

4 The web application security challenge Firewall Hardened OS Web Server App Server Firewall DatabasesLegacy SystemsWeb ServicesDirectoriesHuman ResrcsBilling Custom Developed Application Code APPLICATION ATTACK You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks Network Layer Application Layer Your security “perimeter” has huge holes at the application layer

5 “Build in” software assurance 5 Design Build Test Production vulnerability scanning - WAF vulnerability scanning - WAF security testing dynamic test tools security testing dynamic test tools coding guidelines code reviews static test tools security requirements / threat modeling security requirements / threat modeling reactiveproactive Secure Development Lifecycle (SAMM)

6 We need a Maturity Model An organization’s behavior changes slowly over time Changes must be iterative while working toward long-term goals There is no single recipe that works for all organizations A solution must enable risk-based choices tailored to the organization Guidance related to security activities must be prescriptive A solution must provide enough details for non- security-people Overall, must be simple, well- defined, and measurable OWASP Software Assurance Maturity Model (SAMM)

7 SAMM Security Practices From each of the Business Functions, 3 Security Practices are defined The Security Practices cover all areas relevant to software security assurance Each one is a ‘silo’ for improvement

8 Under each Security Practice Three successive Objectives under each Practice define how it can be improved over time This establishes a notion of a Level at which an organization fulfills a given Practice The three Levels for a Practice generally correspond to: (0: Implicit starting point with the Practice unfulfilled) 1: Initial understanding and ad hoc provision of the Practice 2: Increase efficiency and/or effectiveness of the Practice 3: Comprehensive mastery of the Practice at scale

9 Per Level, SAMM defines... Objective Activities Results Success Metrics Costs Personnel Related Levels

10 Education & Guidance 10

11 Resources: OWASP Top 10 OWASP Education WebGoat Give a man a fish and you feed him for a day; Teach a man to fish and you feed him for a lifetime. Chinese proverb https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project https://www.owasp.org/index.php/Category:OWASP_Education_Project https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

12 OWASP Cheat Sheets https://www.owasp.org/index.php/Cheat_Sheets

13 SAMM Quick Start ASSES questionnaire GOAL gap analysis PLAN roadmap IMPLEMENT OWASP resources

14 Asses SAMM includes assessment worksheets for each Security Practice

15 Goal Gap analysis Capturing scores from detailed assessments versus expected performance levels Demonstrating improvement Capturing scores from before and after an iteration of assurance program build-out Ongoing measurement Capturing scores over consistent time frames for an assurance program that is already in place

16 Plan Roadmaps: to make the “ building blocks ” usable. Roadmaps templates for typical kinds of organizations Independent Software Vendors Online Service Providers Financial Services Organizations Government Organizations Tune these to your own targets / speed

17 150+ OWASP resources PROTECT Tools: AntiSamy Java/:NET, Enterprise Security API (ESAPI), ModSecurity Core Rule Set Project Docs: Development Guide,.NET, Ruby on Rails Security Guide, Secure Coding Practices - Quick Reference Guide DETECTTools: JBroFuzz, Lice CD, WebScarab, Zed Attack Proxy Docs: Application Security Verification Standard, Code Review Guide, Testing Guide, Top Ten Project LIFE CYCLESAMM, WebGoat, Legal Project

18 Critical Success Factors Get initiative buy-in from all stakeholders Adopt a risk-based approach Awareness / education is the foundation Integrate security in your development / acquisition and deployment processes Measure: Provide management visibility 18

19 SAMM Resources www.opensamm.org Presentations Quick Start (to be released) Assessment worksheets / templates Roadmap templates Translations (Spanish, Japanese, …) SAMM mappings to ISO/EIC 27034 – BSIMM – PCI (to be released) 19

20 NEW: Self-Assessment Online https://ssa.asteriskinfosec.com.au 20

21 Mapping Projects / SAMM 21

22 Flagship Projects Coverage 22

23 SAMM Roadmap Build the SAMM community: Grow list of SAMM adopters Workshops at conferences Dedicated SAMM summit V1.1: Incorporate Quick Start / tools / guidance / OWASP projects Revamp SAMM wiki V2.0: Revise scoring model Model revision necessary ? (12 practices, 3 levels,...) Application to agile Roadmap planning: how to measure effort ? Presentations & teaching material … 23

24 SAMM Forum 24

25 Get involved SAMM “Work”-shop tomorrow 1PM-5PM 16th floor Project mailing list / work packages Use and donate (feed)back! Donate resources Sponsor SAMM

26 Measure & Improve! OpenSAMM.org

Download ppt "OpenSAMM Software Assurance Maturity Model Seba Deleersnyder SAMM project co-leaders Pravir Chandra AppSec USA 2014 Project."

Similar presentations

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.
Software Assurance Maturity Model

Software Assurance Maturity Model
Summit 2011 Outcomes PRESENTED BY __________. About the Summit Over 180 application security experts from over 120 companies, 30 different countries,

Summit 2011 Outcomes PRESENTED BY __________. About the Summit Over 180 application security experts from over 120 companies, 30 different countries,
Hands on Demonstration for Testing Security in Web Applications

Hands on Demonstration for Testing Security in Web Applications
The OWASP Foundation OpenSAMM Software Assurance Maturity Model Seba Deleersnyder OWASP Foundation Board Member OWASP.

The OWASP Foundation OpenSAMM Software Assurance Maturity Model Seba Deleersnyder OWASP Foundation Board Member OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
OWASP. To ensure that strong simple security controls are available to every developer in every environment ESAPI Mission.

OWASP. To ensure that strong simple security controls are available to every developer in every environment ESAPI Mission.
©2009 Gotham Digital Science, LLC Software Assurance with SAMM 21 Sept 2009, SOURCE Barcelona Matt Bartoldus

©2009 Gotham Digital Science, LLC Software Assurance with SAMM 21 Sept 2009, SOURCE Barcelona Matt Bartoldus
Copyright © 2009 - The OWASP Foundation This work is available under the Creative Commons SA 3.0 license The OWASP Foundation OWASP

Copyright © The OWASP Foundation This work is available under the Creative Commons SA 3.0 license The OWASP Foundation OWASP
Presentation Overview

Presentation Overview
What is OWASP OWASP Live CD Live Demo Omar Sherin-OWASP Egypt.

What is OWASP OWASP Live CD Live Demo Omar Sherin-OWASP Egypt.
This is a work of the U.S. Government and is not subject to copyright protection in the United States. The OWASP Foundation OWASP AppSec DC October 2005.

This is a work of the U.S. Government and is not subject to copyright protection in the United States. The OWASP Foundation OWASP AppSec DC October 2005.
The OWASP Foundation Setting up a Secure Development Life Cycle with OWASP Seba Deleersnyder OWASP Foundation Board.

The OWASP Foundation Setting up a Secure Development Life Cycle with OWASP Seba Deleersnyder OWASP Foundation Board.
Copyright © 2010 - The OWASP Foundation This work is available under the Creative Commons SA 2.5 license The OWASP Foundation OWASP BeNeLux 2010

Copyright © The OWASP Foundation This work is available under the Creative Commons SA 2.5 license The OWASP Foundation OWASP BeNeLux 2010
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view.

Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Lean and (Prepared for) Mean: Application Security Program Essentials Philip J. Beyer - Texas Education Agency John B. Dickson.

Lean and (Prepared for) Mean: Application Security Program Essentials Philip J. Beyer - Texas Education Agency John B. Dickson.
Measuring Security Best Practices with OpenSAMM Alan Jex SnowFROC 2013.

Measuring Security Best Practices with OpenSAMM Alan Jex SnowFROC 2013.

Similar presentations

Ads by Google