Presentation is loading. Please wait.

Presentation is loading. Please wait.

The OWASP Foundation OpenSAMM Software Assurance Maturity Model Seba Deleersnyder OWASP Foundation Board Member OWASP.

Published byHalle Bowne Modified over 9 years ago

Similar presentations

Presentation on theme: "The OWASP Foundation OpenSAMM Software Assurance Maturity Model Seba Deleersnyder OWASP Foundation Board Member OWASP."— Presentation transcript:

1 The OWASP Foundation http://www.owasp.org OpenSAMM Software Assurance Maturity Model Seba Deleersnyder seba@owasp.org OWASP Foundation Board Member OWASP Belgium Chapter Leader SAMM project co-leader OWASP Europe Tour 2013 Geneva

2 The web application security challenge Firewall Hardened OS Web Server App Server Firewall Databases Legacy Systems Web Services Directories Human Resrcs Billing Custom Developed Application Code APPLICATION ATTACK You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks Network Layer Application Layer Your security “perimeter” has huge holes at the application layer

3 “Build in” software assurance 3 DesignBuildTestProduction vulnerability scanning - WAF security testing dynamic test tools coding guidelines code reviews static test tools security requirements / threat modeling reactiveproactive Secure Development Lifecycle (SAMM) D D B B T T P P SAMM

4 CLASP Comprehensive, Lightweight Application Security Process Centered around 7 AppSec Best Practices Cover the entire software lifecycle (not just development) Adaptable to any development process Defines roles across the SDLC 24 role-based process components Start small and dial-in to your needs

5 Microsoft SDL Built internally for MS software Extended and made public for others MS-only versions since public release

6 Touchpoints Gary McGraw’s and Cigital’s model

7 BSIMM Gary McGraw’s and Cigital’s model Quantifies activities of software security initiatives of 51 firms BSIMM – Open SAMM Mapping Derived from SAMM beta

8 Lessons Learned Microsoft SDL Heavyweight, good for large ISVs Touchpoints High-level, not enough details to execute against BSIMM Stats, but what to do with them? CLASP Large collection of activities, but no priority ordering ALL: Good for experts to use as a guide, but hard for non-security folks to use off the shelf

9 We need a Maturity Model An organization’s behavior changes slowly over time Changes must be iterative while working toward long-term goals There is no single recipe that works for all organizations A solution must enable risk- based choices tailored to the organization Guidance related to security activities must be prescriptive A solution must provide enough details for non- security-people Overall, must be simple, well- defined, and measurable OWASP Software Assurance Maturity Model (SAMM) D D B B T T P P SAMM https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model

10 SAMM Security Practices From each of the Business Functions, 3 Security Practices are defined The Security Practices cover all areas relevant to software security assurance Each one is a ‘silo’ for improvement D D B B T T P P SAMM

11 Under each Security Practice Three successive Objectives under each Practice define how it can be improved over time This establishes a notion of a Level at which an organization fulfills a given Practice The three Levels for a Practice generally correspond to: (0: Implicit starting point with the Practice unfulfilled) 1: Initial understanding and ad hoc provision of the Practice 2: Increase efficiency and/or effectiveness of the Practice 3: Comprehensive mastery of the Practice at scale D D B B T T P P SAMM

12 Per Level, SAMM defines... Objective Activities Results Success Metrics Costs Personnel Related Levels D D B B T T P P SAMM

13 Strategy & Metrics 13 D D B B T T P P SAMM

14 Policy & Compliance 14 D D B B T T P P SAMM

15 Education & Guidance 15 D D B B T T P P SAMM

16 Education & Guidance Resources: OWASP Top 10 OWASP Education WebGoat Give a man a fish and you feed him for a day; Teach a man to fish and you feed him for a lifetime. Chinese proverb D D B B T T P P SAMM https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project https://www.owasp.org/index.php/Category:OWASP_Education_Project https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

17 OWASP Cheat Sheets D D B B T T P P SAMM https://www.owasp.org/index.php/Cheat_Sheets

18 Threat Assessment 18 D D B B T T P P SAMM

19 Security Requirements 19 D D B B T T P P SAMM

20 Secure Coding Practices Quick Reference Guide Technology agnostic coding practices What to do, not how to do it Compact, but comprehensive checklist format Focuses on secure coding requirements, rather then on vulnerabilities and exploits Includes a cross referenced glossary to get developers and security folks talking the same language D D B B T T P P SAMM https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide

21 Secure Architecture 21 D D B B T T P P SAMM

22 The OWASP Enterprise Security API Custom Enterprise Web Application Enterprise Security API Authenticator User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Exception Handling Logger IntrusionDetector SecurityConfiguration Existing Enterprise Security Services/Libraries D D B B T T P P SAMM https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

23 Validation, Encoding, and Injection Controller User Interface Business Functions Web Service Database Mainframe File System User Data Layer Etc… Set Character Set Encode For HTML Any Encoding Global Validate Any Interpreter Canonicalize Specific Validate Sanitize Canonicalize Validate Example and working code snippets to perform input validation and output encoding D D B B T T P P SAMM

24 Design Review 24 D D B B T T P P SAMM

25 Code Review 25 D D B B T T P P SAMM

26 Code Review Resources: OWASP Code Review Guide SDL Integration: Multiple reviews defined as deliverables in your SDLC Structured, repeatable process with management support Reviews are exit criteria for the development and test phases D D B B T T P P SAMM https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project

27 Code review tooling Code review tools: OWASP LAPSE (Security scanner for Java EE Applications) MS FxCop / CAT.NET (Code Analysis Tool for.NET) Agnitio (open source Manual source code review support tool) D D B B T T P P SAMM https://www.owasp.org/index.php/OWASP_LAPSE_Project http://www.microsoft.com/security/sdl/discover/implementation.aspx http://agnitiotool.sourceforge.net/

28 Security Testing 28 D D B B T T P P SAMM

29 Security Testing Resources: OWASP ASVS OWASP Testing Guide SDL Integration: Integrate dynamic security testing as part of you test cycles Derive test cases from the security requirements that apply Check business logic soundness as well as common vulnerabilities Review results with stakeholders prior to release D D B B T T P P SAMM https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project https://www.owasp.org/index.php/OWASP_Testing_Project

30 Security Testing Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications Provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually Features: Intercepting proxy Automated scanner Passive scanner Brute force scanner Spider Fuzzer Port scanner Dynamic SSL Certificates API Beanshell integration D D B B T T P P SAMM https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

31 Vulnerability Management 31 D D B B T T P P SAMM

32 Environment Hardening 32 D D B B T T P P SAMM

33 Web Application Firewalls ModSecurity: Worlds No 1 open source Web Application Firewall www.modsecurity.org HTTP Traffic Logging Real-Time Monitoring and Attack Detection Attack Prevention and Just-in-time Patching Flexible Rule Engine Embedded Deployment (Apache, IIS7 and Nginx) Network-Based Deployment (reverse proxy) OWASP ModSecurity Core Rule Set Project, generic, plug-n-play set of WAF rules D D B B T T P P SAMM https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

34 Operational Enablement 34 D D B B T T P P SAMM

35 150+ OWASP Projects PROTECT Tools: AntiSamy Java/:NET, Enterprise Security API (ESAPI), ModSecurity Core Rule Set Project Docs: Development Guide,.NET, Ruby on Rails Security Guide, Secure Coding Practices - Quick Reference Guide DETECTTools: JBroFuzz, Lice CD, WebScarab, Zed Attack Proxy Docs: Application Security Verification Standard, Code Review Guide, Testing Guide, Top Ten Project LIFE CYCLESAMM, WebGoat, Legal Project

36 Mapping Projects / SAMM 36

37 Coverage 37

38 Get started Step 1: questionnaire as-is Step 2: define your maturity goal Step 3: define phased roadmap D D B B T T P P SAMM

39 Conducting assessments SAMM includes assessment worksheets for each Security Practice D D B B T T P P SAMM

40 Assessment process Supports both lightweight and detailed assessments D D B B T T P P SAMM

41 Creating Scorecards Gap analysis Capturing scores from detailed assessments versus expected performance levels Demonstrating improvement Capturing scores from before and after an iteration of assurance program build-out Ongoing measurement Capturing scores over consistent time frames for an assurance program that is already in place D D B B T T P P SAMM

42 Roadmap templates To make the “building blocks” usable, SAMM defines Roadmaps templates for typical kinds of organizations Independent Software Vendors Online Service Providers Financial Services Organizations Government Organizations Tune these to your own targets / speed D D B B T T P P SAMM

43 SAMM Resources www.opensamm.org Presentations Tools Assessment worksheets / templates Roadmap templates Scorecard chart generation Translations (Spanish / Japanese) SAMM mappings to ISO/EIC 27034 / BSIMM 43

44 Critical Success Factors Get initiative buy-in from all stakeholders Adopt a risk-based approach Awareness / education is the foundation Integrate security in your development / acquisition and deployment processes Provide management visibility 44

45 Project Roadmap Build the SAMM community: List of SAMM adopters Workshops at AppSecEU and AppSecUSA V1.1: Incorporate tools / guidance / OWASP projects Revamp SAMM wiki V2.0: Revise scoring model Model revision necessary ? (12 practices, 3 levels,...) Application to agile Roadmap planning: how to measure effort ? Presentations & teaching material … 45

46 Get involved Use and donate back! Attend OWASP chapter meetings and conferences Support OWASP become personal/company member https://www.owasp.org/index.php/Membership

47 Q&A

48 Thank you @sebadele seba@owasp.org seba@deleersnyder.eu www.linkedin.com/in/sebadele

Download ppt "The OWASP Foundation OpenSAMM Software Assurance Maturity Model Seba Deleersnyder OWASP Foundation Board Member OWASP."

Similar presentations

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Software Assurance Maturity Model

Software Assurance Maturity Model
OWASP Secure Coding Practices Quick Reference Guide

OWASP Secure Coding Practices Quick Reference Guide
OpenSAMM Software Assurance Maturity Model Seba Deleersnyder SAMM project co-leaders Pravir Chandra AppSec USA 2014 Project.

OpenSAMM Software Assurance Maturity Model Seba Deleersnyder SAMM project co-leaders Pravir Chandra AppSec USA 2014 Project.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © 2009 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
OWASP. To ensure that strong simple security controls are available to every developer in every environment ESAPI Mission.

OWASP. To ensure that strong simple security controls are available to every developer in every environment ESAPI Mission.
©2009 Gotham Digital Science, LLC Software Assurance with SAMM 21 Sept 2009, SOURCE Barcelona Matt Bartoldus

©2009 Gotham Digital Science, LLC Software Assurance with SAMM 21 Sept 2009, SOURCE Barcelona Matt Bartoldus
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
CASE Tools CIS 376 Bruce R. Maxim UM-Dearborn. Prerequisites to Software Tool Use Collection of useful tools that help in every step of building a product.

CASE Tools CIS 376 Bruce R. Maxim UM-Dearborn. Prerequisites to Software Tool Use Collection of useful tools that help in every step of building a product.
The OWASP Foundation Setting up a Secure Development Life Cycle with OWASP Seba Deleersnyder OWASP Foundation Board.

The OWASP Foundation Setting up a Secure Development Life Cycle with OWASP Seba Deleersnyder OWASP Foundation Board.
Copyright © 2010 - The OWASP Foundation This work is available under the Creative Commons SA 2.5 license The OWASP Foundation OWASP BeNeLux 2010

Copyright © The OWASP Foundation This work is available under the Creative Commons SA 2.5 license The OWASP Foundation OWASP BeNeLux 2010
10 Steps To Agile Development Without Compromising Enterprise Security

10 Steps To Agile Development Without Compromising Enterprise Security
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
.NET, and Service Gateways Group members: Andre Tran, Priyanka Gangishetty, Irena Mao, Wileen Chiu.

.NET, and Service Gateways Group members: Andre Tran, Priyanka Gangishetty, Irena Mao, Wileen Chiu.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Similar presentations

Ads by Google