Presentation is loading. Please wait.

Presentation is loading. Please wait.

Software Assurance Maturity Model

Published byΠρόκρις Δεσποτόπουλος Modified over 5 years ago

Similar presentations

Presentation on theme: "Software Assurance Maturity Model"— Presentation transcript:

1 Software Assurance Maturity Model
Tampa OWASP, May 20, 2009.

2 Introduction Who am I? What are we doing here?
What am I talking about ?

3 Open SAMM – Executive Brief
The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. The resources provided by SAMM will aid in: Evaluating an organization’s existing software security practices Building a balanced software security assurance program in well-defined iterations Demonstrating concrete improvements to a security assurance program Defining and measuring security-related activities throughout an organization

4 SAMM Overview

5 Governance The Strategy & Metrics (SM) Practice is focused on establishing the framework within an organization for a software security assurance program.

6 Governance The Policy & Compliance (PC) Practice is focused on understanding and meeting external legal and regulatory requirements while also driving internal security standards to ensure compliance in a way that’s aligned with the business purpose of the organization.

7 Governance The Education & Guidance (EG) Practice is focused on arming personnel involved in the software life-cycle with knowledge and resources to design, develop, and deploy secure software.

8 Construction The Threat Assessment (TA) Practice is centered on identification and understanding the project-level risks based on the functionality of the software being developed and characteristics of the runtime environment.

9 Construction The Security Requirements (SR) Practice is focused on proactively specifying the expected behavior of software with respect to security.

10 Construction The Secure Architecture (SA) Practice is focused on proactive steps for an organization to design and build secure software by default.

11 Verification The Design Review (DR) Practice is focused on assessment of software design and architecture for security-related problems.

12 Verification The Code Review (CR) Practice is focused on inspection of software at the source code level in order to find security vulnerabilities.

13 Verification The Security Testing (ST) Practice is focused on inspection of software in the runtime environment in order to find security problems.

14 Deployment The Vulnerability Management (VM) Practice is focused on the processes within an organization with respect to handling vulnerability reports and operational incidents.

15 Deployment The Environment Hardening (EH) Practice is focused on building assurance for the runtime environment that hosts the organization’s software.

16 Deployment The Operational Enablement (OE) Practice is focused on gathering security critical information from the project teams building software and communicating it to the users and operators of the software.

17 So how do we use this ? Conduct Assessments Create Score Cards
Lightweight Detailed Conduct Assessments Gap Analysis Show Improvement Current Progress Create Score Cards Set Metrics Roadmap Building Your Program

18 Assessment Worksheets
Example shows just Governance Similar to other self audits for things such as PCI Very basic, doesn’t involve testing

19 Lightweight Assessment
The assessment worksheets for each Practice are evaluated and scores are assigned based on answers. This type of assessment is usually sufficient for an organization that is trying to map their existing assurance program into SAMM and just wants to get a quick picture of where they stand. Complete Worksheet, assign score per practice.

20 Detailed Assessment After completion of the assessment worksheets, additional audit work is performed to check the organization to ensure the Activities prescribed by each Practice are in place. Additionally since each Practice also specifies Success Metrics, that data should be collected to ensure that the organization is performing as expected.

21 Score Cards Used to show gaps in the current program
Show current vs. proposed progress Interim scorecards can be used to show current status.

22 Example Score Card Example to the right shows the level of each Program at the start of the phase, and the current level of the program. A lot of information about change in Software Assurance in a simple graphic.

23 Build your Program Roadmap
A roadmap is a phased plan for achieving Objectives for each security Function Use Scorecard to see what Practices need improvement Create Phased roadmap to improve the practices that YOU feel need the most improvement Take small steps, apply the activities and success metrics to make small improvements Redo scorecards often to check progress

24 Roadmap Example In the sample on the right in Phase 1, several Functions are moved from 0 to 1 In Phase 2, some are further advanced from 1 to 2, some remain at 1, and others are moved from 0 to 1 SAMM includes case studies with specific details on implementation

25 Summary Model to measure maturity of your software assurance program.
Based on 4 Business Functions Governance Construction Verification Deployment Looks kind of like a SDLC doesn’t it ? Can be light weight or in depth, simple or complex. Provides estimates of man hours, who should be involved, success metrics, activities.

26 More Info http://www.owasp.org/index.php/SAMM http://www.opensamm.org/

27 Questions ? OMG! BOMB

Download ppt "Software Assurance Maturity Model"

Similar presentations

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Software Assurance Maturity Model

Software Assurance Maturity Model
Course: e-Governance Project Lifecycle Day 1

Course: e-Governance Project Lifecycle Day 1
Quality Management System SEETHARAM- Quality Assurance

Quality Management System SEETHARAM- Quality Assurance
Practical Uses of Software Measurement for Process Improvement January 10, 2007 - V1.0 Larry Dribin, Ph.D. 847-807-7390.

Practical Uses of Software Measurement for Process Improvement January 10, V1.0 Larry Dribin, Ph.D
Security Controls – What Works

Security Controls – What Works
Stepan Potiyenko ISS Sr.SW Developer.

Stepan Potiyenko ISS Sr.SW Developer.
By Collin Smith http://techinitiatives.blogspot.com COBIT Introduction By Collin Smith http://techinitiatives.blogspot.com.

By Collin Smith COBIT Introduction By Collin Smith
©2009 Gotham Digital Science, LLC Software Assurance with SAMM 21 Sept 2009, SOURCE Barcelona Matt Bartoldus

©2009 Gotham Digital Science, LLC Software Assurance with SAMM 21 Sept 2009, SOURCE Barcelona Matt Bartoldus
The Information Systems Audit Process

The Information Systems Audit Process
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
The Software Product Life Cycle. Views of the Software Product Life Cycle  Management  Software engineering  Engineering design  Architectural design.

The Software Product Life Cycle. Views of the Software Product Life Cycle  Management  Software engineering  Engineering design  Architectural design.
project management office(PMO)

project management office(PMO)
Handouts Software Testing and Quality Assurance Theory and Practice Chapter 11 System Test Design ------------------------------------------------------------------

Handouts Software Testing and Quality Assurance Theory and Practice Chapter 11 System Test Design
19 March 2008Corruption Risk Mapping1 Corruption risk mapping Towards an Integrity risk map for the Hungarian public sector.

19 March 2008Corruption Risk Mapping1 Corruption risk mapping Towards an Integrity risk map for the Hungarian public sector.
ISO 9001 Auditing Practices Group

ISO 9001 Auditing Practices Group
Consultancy.

Consultancy.
Lean and (Prepared for) Mean: Application Security Program Essentials Philip J. Beyer - Texas Education Agency John B. Dickson.

Lean and (Prepared for) Mean: Application Security Program Essentials Philip J. Beyer - Texas Education Agency John B. Dickson.
The Evergreen, Background, Methodology and IT Service Management Model

The Evergreen, Background, Methodology and IT Service Management Model
Measuring Security Best Practices with OpenSAMM Alan Jex SnowFROC 2013.

Measuring Security Best Practices with OpenSAMM Alan Jex SnowFROC 2013.

Similar presentations

Ads by Google