OpenSAMM: Software Assurance Maturity Model
AppSec USA 2014 Project Talk

SAMM project co-leaders: Seba Deleersnyder (seba@owasp.org), Pravir Chandra

Agenda
- Integrating software assurance
- OpenSAMM Quick Start
- OWASP Projects / SAMM activities
- Resources & Self-Assessment
- Road Map
- Forum

SAMM users: Dell Inc, KBC, ING Insurance, Gotham Digital Science, HP Fortify,

ISG, ...

The web application security challenge
[Diagram: network layer (firewall, hardened OS, web server, app server, firewall) in front of the application layer (custom developed application code) and the back-end systems it reaches: databases, legacy systems, web services, directories, human resources, billing. An application attack passes straight through the network layer.]
- Your security perimeter has huge holes at the application layer.
- You cannot use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks.

Build in software assurance: Secure Development Lifecycle (SAMM)
Proactive (left) to reactive (right):
- Design: security requirements / threat modeling
- Build: coding guidelines, code reviews, static test tools
- Test: security testing, dynamic test tools
- Production: vulnerability scanning, WAF

We need a Maturity Model
- An organization's behavior changes slowly over time; changes must be iterative while working toward long-term goals.
- There is no single recipe that works for all organizations; a solution must enable risk-based choices tailored to the organization.
- Guidance related to security activities must be prescriptive; a solution must provide enough detail for non-security people.
- Overall, it must be simple, well-defined, and measurable.

OWASP Software Assurance Maturity Model (SAMM)

SAMM Security Practices
- From each of the Business Functions, 3 Security Practices are defined.
- The Security Practices cover all areas relevant to software security assurance.
- Each one is a silo for improvement.

Under each Security Practice
- Three successive Objectives under each Practice define how it can be improved over time.

- This establishes a notion of a Level at which an organization fulfills a given Practice.
- The three Levels for a Practice generally correspond to:
  (0: Implicit starting point with the Practice unfulfilled)
  1: Initial understanding and ad hoc provision of the Practice
  2: Increased efficiency and/or effectiveness of the Practice
  3: Comprehensive mastery of the Practice at scale

Per Level, SAMM defines: Objective, Activities, Results, Success Metrics, Costs, Personnel, Related Levels.

Education & Guidance
"Give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime." (Chinese proverb)

OWASP Top 10 (2010)
- A1: Injection
- A2: Cross-Site Scripting (XSS)
- A3: Broken Authentication and Session Management
- A4: Insecure Direct Object References
- A5: Cross-Site Request Forgery (CSRF)
- A6: Security Misconfiguration
- A7: Insecure Cryptographic Storage
- A8: Failure to Restrict URL Access
- A9: Insufficient Transport Layer Protection
- A10: Unvalidated Redirects and Forwards

Resources:
- OWASP Top 10: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
- OWASP Education: https://www.owasp.org/index.php/Category:OWASP_Education_Project
- WebGoat: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

OWASP Cheat Sheets (https://www.owasp.org/index.php/Cheat_She)
Developer Cheat Sheets (Builder): Authentication, Choosing and Using Security Questions, Cross-Site Request Forgery (CSRF) Prevention, Cryptographic Storage, DOM based XSS Prevention, Forgot Password, HTML5 Security, Input Validation, JAAS, Logging, OWASP Top Ten, Query Parameterization, Session Management, SQL Injection Prevention, Transport Layer Protection, Web Service Security, XSS (Cross Site Scripting) Prevention, User Privacy Protection
Assessment Cheat Sheets (Breaker): Attack Surface Analysis, XSS Filter Evasion
Mobile Cheat Sheets: iOS Developer, Mobile Jailbreaking
Draft Cheat Sheets: Access Control, Application Security Architecture, Clickjacking, Password Storage, PHP Security, REST Security, Secure Coding, Secure SDLC, Threat Modeling, Virtual Patching, Web Application Security Testing

SAMM Quick Start
A four-step cycle: ASSESS (questionnaire) -> GOAL (gap analysis) -> PLAN (roadmap) -> IMPLEMENT (OWASP resources)

Assess
- SAMM includes assessment worksheets for each Security Practice.

Goal
- Gap analysis: capturing scores from detailed assessments versus expected performance levels.
- Demonstrating improvement: capturing scores from before and after an iteration of assurance program build-out.
- Ongoing measurement: capturing scores over consistent time frames for an assurance program that is already in place.

Plan
- Roadmaps: to make the building blocks usable.
- Roadmap templates for typical kinds of organizations: Independent Software Vendors, Online Service Providers, Financial Services Organizations, Government Organizations.
- Tune these to your own targets / speed.

Implement
- 150+ OWASP resources
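As an added worked example (not code from the OpenSAMM project or this deck), the script below turns filled-in assessment worksheets into a scorecard, runs the gap analysis against a phase target, and reports improvement between two assessments. It assumes the SAMM 1.0 structure (12 practices in four business functions, three levels per practice, two activities per level); the sample answers and the phase-1 target are constructed for illustration and do not come from any real organization or from the roadmap templates.

```python
"""SAMM 1.0 scorecard, gap analysis and before/after comparison.

Added example, not code from the OpenSAMM project. Structure assumed from
SAMM 1.0: 12 practices in four business functions, three levels per practice,
two activities (A and B) per level. A level counts as achieved only when both
of its activities are in place and every lower level is achieved; a '+' marks
a partially completed next level, as on the SAMM scorecards.
"""

# Business functions and practices as defined in SAMM 1.0.
BUSINESS_FUNCTIONS = {
    "Governance":   ["SM", "PC", "EG"],
    "Construction": ["TA", "SR", "SA"],
    "Verification": ["DR", "CR", "ST"],
    "Deployment":   ["VM", "EH", "OE"],
}
ALL_PRACTICES = [p for ps in BUSINESS_FUNCTIONS.values() for p in ps]
ACTIVITIES_PER_LEVEL = 2


def worksheet(*levels):
    """Build worksheet answers from one 'Y'/'N' string per level, e.g. ("YY", "YN", "NN")."""
    return [[c == "Y" for c in level] for level in levels]


def practice_score(answers):
    """Return (achieved_level, partial) for one practice's worksheet answers."""
    if len(answers) != 3 or any(len(a) != ACTIVITIES_PER_LEVEL for a in answers):
        raise ValueError("expected 3 levels with %d activities each" % ACTIVITIES_PER_LEVEL)
    level = 0
    for level_answers in answers:
        if not all(level_answers):
            # Higher levels do not count while a lower level is incomplete.
            return level, any(level_answers)
        level += 1
    return level, False


def format_score(level, partial):
    return "%d%s" % (level, "+" if partial else "")


def scorecard(assessment):
    """Map each practice to its scorecard string ('0', '1+', '3', ...)."""
    return {p: format_score(*practice_score(assessment[p])) for p in ALL_PRACTICES}


def gap_analysis(assessment, target):
    """Practices below their target level, with the number of activities still
    missing among levels 1..target (the work needed to close the gap)."""
    gaps = {}
    for p in ALL_PRACTICES:
        current, _ = practice_score(assessment[p])
        if current < target[p]:
            missing = sum(not done for lvl in assessment[p][:target[p]] for done in lvl)
            gaps[p] = {"current": current, "target": target[p], "missing_activities": missing}
    return gaps


def improvement(before, after):
    """Practices whose score changed between two assessments (before/after an iteration)."""
    return {p: (format_score(*practice_score(before[p])), format_score(*practice_score(after[p])))
            for p in ALL_PRACTICES if practice_score(before[p]) != practice_score(after[p])}


# Constructed sample data (not from a real assessment): a small vendor
# after a first iteration of its assurance program.
SAMPLE_ASSESSMENT = {p: worksheet("NN", "NN", "NN") for p in ALL_PRACTICES}
SAMPLE_ASSESSMENT.update({
    "EG": worksheet("YY", "YN", "NN"),  # training done, guidelines partial -> "1+"
    "SR": worksheet("YY", "YY", "NN"),  # -> "2"
    "ST": worksheet("YY", "YY", "YN"),  # -> "2+"
    "CR": worksheet("YN", "YY", "NN"),  # level 1 incomplete, level 2 ignored -> "0+"
    "EH": worksheet("YY", "NN", "NN"),  # -> "1"
})

# Constructed phase-1 target (an assumption for illustration only): reach level 1
# in the practices a small ISV would typically start with.
PHASE1_TARGET = {p: 0 for p in ALL_PRACTICES}
PHASE1_TARGET.update({"SM": 1, "EG": 1, "SR": 1, "SA": 1, "CR": 1, "ST": 1, "EH": 1})


if __name__ == "__main__":
    print("scorecard:", scorecard(SAMPLE_ASSESSMENT))
    print("phase-1 gaps:", gap_analysis(SAMPLE_ASSESSMENT, PHASE1_TARGET))
    after = dict(SAMPLE_ASSESSMENT, CR=worksheet("YY", "YY", "NN"))
    print("improvement:", improvement(SAMPLE_ASSESSMENT, after))
```

The CR row is the case assessors most often get wrong: both level-2 activities are done, but level 1 is not, so the practice scores "0+" rather than "2" and the gap analysis reports a single missing activity to reach the phase-1 target.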

PROTECT
- Tools: AntiSamy (Java/.NET), Enterprise Security API (ESAPI), ModSecurity Core Rule Set Project
- Docs: Development Guide, .NET, Ruby on Rails Security Guide, Secure Coding Practices - Quick Reference Guide
DETECT
- Tools: JBroFuzz, Live CD, WebScarab, Zed Attack Proxy
- Docs: Application Security Verification Standard, Code Review Guide, Testing Guide, Top Ten Project
LIFE CYCLE
- SAMM, WebGoat, Legal Project

Critical Success Factors
- Get initiative buy-in from all stakeholders.
- Adopt a risk-based approach.
- Awareness / education is the foundation.
- Integrate security in your development / acquisition and deployment processes.
- Measure: provide management visibility.

SAMM Resources (www.opensamm.org)
- Presentations
- Quick Start (to be released)
- Assessment worksheets / templates
- Roadmap templates
- Translations (Spanish, Japanese, ...)

- SAMM mappings to ISO/IEC 27034, BSIMM, PCI (to be released)

NEW: Self-Assessment Online: https://ssa.asteriskinfosec.com.au

Mapping Projects / SAMM
(Each OWASP project is mapped to the SAMM practice level it supports; "not applicable" marks projects that map to no practice.)

Project                                      Type           Level     SAMM Practice   Remarks
AntiSamy                                     Code           Flagship  SA2
Enterprise Security API                      Code           Flagship  SA3
ModSecurity Core Rule Set                    Code           Flagship  EH3
CSRFGuard                                    Code           Flagship  SA2
Web Testing Environment                      Tools          Flagship  ST2
WebGoat                                      Tools          Flagship  EG2
Zed Attack Proxy                             Tools          Flagship  ST2
Application Security Verification Standard   Documentation  Flagship  DR2             ASVS-L4
Application Security Verification Standard   Documentation  Flagship  CR3             ASVS-L4
Application Security Verification Standard   Documentation  Flagship  ST3             ASVS-L4
Code Review Guide                            Documentation  Flagship  CR1
Codes of Conduct                             Documentation  Flagship  not applicable
Development Guide                            Documentation  Flagship  EG1
Secure Coding Practices - Quick Ref. Guide   Documentation  Flagship  SR1
Software Assurance Maturity Model            Documentation  Flagship  SM1             Recursiveness :-)
Testing Guide                                Documentation  Flagship  ST1
Top Ten                                      Documentation  Flagship  EG1
Broken Web Applications                      Tools          Labs      EG1
CSRFTester                                   Tools          Labs      ST1
EnDe                                         Tools          Labs      ST1
Fiddler Addons for Security Testing          Tools          Labs      ST1
Forward Exploit Tool                         Tools          Labs      ST1
Hackademic Challenges                        Tools          Labs      EG1
Hatkit Datafiddler                           Tools          Labs      ST1
Hatkit Proxy                                 Tools          Labs      ST1
HTTP POST                                    Tools          Labs      ST1
Java XML Templates                           Tools          Labs      SA2
JavaScript Sandboxes                         Tools          Labs      not applicable
Joomla Vulnerability Scanner                 Tools          Labs      ST1
LAPSE                                        Tools          Labs      CR2
Mantra Security Framework                    Tools          Labs      ST1
Mutillidae                                   Tools          Labs      EG1
O2                                           Tools          Labs      ST2
Orizon                                       Tools          Labs      CR2
Scrubbr                                      Tools          Labs      ST1
Security Assurance Testing of Virtual Worlds Tools          Labs      ST1
Vicnum                                       Tools          Labs      EG1
Wapiti                                       Tools          Labs      ST1
Web Browser Testing System                   Tools          Labs      ST1
WebScarab                                    Tools          Labs      ST1
Webslayer                                    Tools          Labs      ST1
WSFuzzer                                     Tools          Labs      ST1
Yasca                                        Tools          Labs      CR2
AppSec Tutorials                             Documentation  Labs      EG1
AppSensor                                    Documentation  Labs      EH3
AppSensor                                    Documentation  Labs      SA2
Cloud 10                                     Documentation  Labs      EG1
CTF                                          Documentation  Labs      EG1
Fuzzing Code Database                        Documentation  Labs      ST1
Legal                                        Documentation  Labs      SR3
Podcast                                      Documentation  Labs      EG1
Virtual Patching Best Practices              Documentation  Labs      EH3

Flagship / Labs Projects Coverage
(number of mapped projects per practice level; practice totals in parentheses, business function totals at the right)

Governance (12)
- Strategy & Metrics:        SM1 1   SM2 0   SM3 0   (1)
- Policy & Compliance:       PC1 0   PC2 0   PC3 0   (0)
- Education & Guidance:      EG1 10  EG2 1   EG3 0   (11)
Construction (7)
- Threat Assessment:         TA1 0   TA2 0   TA3 0   (0)
- Security Requirements:     SR1 1   SR2 0   SR3 1   (2)
- Secure Architecture:       SA1 0   SA2 4   SA3 1   (5)
Verification (28)
- Design Review:             DR1 0   DR2 1   DR3 0   (1)
- Code Review:               CR1 1   CR2 3   CR3 1   (5)
- Security Testing:          ST1 18  ST2 3   ST3 1   (22)
Deployment (3)
- Vulnerability Management:  VM1 0   VM2 0   VM3 0   (0)
- Environment Hardening:     EH1 0   EH2 0   EH3 3   (3)
- Operational Enablement:    OE1 0   OE2 0   OE3 0   (0)

SAMM Roadmap
- Build the SAMM community: grow the list of SAMM adopters, workshops at conferences, a dedicated SAMM summit.
- V1.1: incorporate Quick Start / tools / guidance / OWASP projects; revamp the SAMM wiki.
- V2.0: revise the scoring model; is a model revision necessary (12 practices, 3 levels, ...)?; application to agile; roadmap planning: how to measure effort?; presentations & teaching material.

SAMM Forum

Get involved
- SAMM workshop tomorrow, 1PM-5PM, 16th floor
- Project mailing list / work packages
- Use and donate (feed)back!
- Donate resources
- Sponsor SAMM
- Measure & Improve!

OpenSAMM.org
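The coverage grid above is derived from the project-to-practice mapping table. As an added example (not code from the OpenSAMM project or this deck), the script below recomputes that grid from the mapping rows transcribed from the deck, totals them per business function, and lists the practices no OWASP project supports at any level; those are the resource gaps a Quick Start adopter has to fill with material from elsewhere.

```python
"""Recompute the projects-coverage grid from the project-to-practice mapping.

Added example, not code from the OpenSAMM project. MAPPING is transcribed from
the mapping table in this deck; "n/a" marks the projects the deck maps to no
SAMM practice.
"""
from collections import Counter

# Business functions and practices as defined in SAMM 1.0.
BUSINESS_FUNCTIONS = {
    "Governance":   ["SM", "PC", "EG"],
    "Construction": ["TA", "SR", "SA"],
    "Verification": ["DR", "CR", "ST"],
    "Deployment":   ["VM", "EH", "OE"],
}

# (project, type, project level, SAMM practice level) rows from the deck's table.
MAPPING = [
    ("AntiSamy", "Code", "Flagship", "SA2"),
    ("Enterprise Security API", "Code", "Flagship", "SA3"),
    ("ModSecurity Core Rule Set", "Code", "Flagship", "EH3"),
    ("CSRFGuard", "Code", "Flagship", "SA2"),
    ("Web Testing Environment", "Tools", "Flagship", "ST2"),
    ("WebGoat", "Tools", "Flagship", "EG2"),
    ("Zed Attack Proxy", "Tools", "Flagship", "ST2"),
    ("Application Security Verification Standard", "Documentation", "Flagship", "DR2"),
    ("Application Security Verification Standard", "Documentation", "Flagship", "CR3"),
    ("Application Security Verification Standard", "Documentation", "Flagship", "ST3"),
    ("Code Review Guide", "Documentation", "Flagship", "CR1"),
    ("Codes of Conduct", "Documentation", "Flagship", "n/a"),
    ("Development Guide", "Documentation", "Flagship", "EG1"),
    ("Secure Coding Practices - Quick Reference Guide", "Documentation", "Flagship", "SR1"),
    ("Software Assurance Maturity Model", "Documentation", "Flagship", "SM1"),
    ("Testing Guide", "Documentation", "Flagship", "ST1"),
    ("Top Ten", "Documentation", "Flagship", "EG1"),
    ("Broken Web Applications", "Tools", "Labs", "EG1"),
    ("CSRFTester", "Tools", "Labs", "ST1"),
    ("EnDe", "Tools", "Labs", "ST1"),
    ("Fiddler Addons for Security Testing", "Tools", "Labs", "ST1"),
    ("Forward Exploit Tool", "Tools", "Labs", "ST1"),
    ("Hackademic Challenges", "Tools", "Labs", "EG1"),
    ("Hatkit Datafiddler", "Tools", "Labs", "ST1"),
    ("Hatkit Proxy", "Tools", "Labs", "ST1"),
    ("HTTP POST", "Tools", "Labs", "ST1"),
    ("Java XML Templates", "Tools", "Labs", "SA2"),
    ("JavaScript Sandboxes", "Tools", "Labs", "n/a"),
    ("Joomla Vulnerability Scanner", "Tools", "Labs", "ST1"),
    ("LAPSE", "Tools", "Labs", "CR2"),
    ("Mantra Security Framework", "Tools", "Labs", "ST1"),
    ("Mutillidae", "Tools", "Labs", "EG1"),
    ("O2", "Tools", "Labs", "ST2"),
    ("Orizon", "Tools", "Labs", "CR2"),
    ("Scrubbr", "Tools", "Labs", "ST1"),
    ("Security Assurance Testing of Virtual Worlds", "Tools", "Labs", "ST1"),
    ("Vicnum", "Tools", "Labs", "EG1"),
    ("Wapiti", "Tools", "Labs", "ST1"),
    ("Web Browser Testing System", "Tools", "Labs", "ST1"),
    ("WebScarab", "Tools", "Labs", "ST1"),
    ("Webslayer", "Tools", "Labs", "ST1"),
    ("WSFuzzer", "Tools", "Labs", "ST1"),
    ("Yasca", "Tools", "Labs", "CR2"),
    ("AppSec Tutorials", "Documentation", "Labs", "EG1"),
    ("AppSensor", "Documentation", "Labs", "EH3"),
    ("AppSensor", "Documentation", "Labs", "SA2"),
    ("Cloud 10", "Documentation", "Labs", "EG1"),
    ("CTF", "Documentation", "Labs", "EG1"),
    ("Fuzzing Code Database", "Documentation", "Labs", "ST1"),
    ("Legal", "Documentation", "Labs", "SR3"),
    ("Podcast", "Documentation", "Labs", "EG1"),
    ("Virtual Patching Best Practices", "Documentation", "Labs", "EH3"),
]


def coverage(mapping):
    """Projects per practice level (e.g. {'ST1': 18}) and per business function."""
    per_level = Counter(row[3] for row in mapping if row[3] != "n/a")
    per_function = {
        fn: sum(per_level[p + str(lvl)] for p in ps for lvl in (1, 2, 3))
        for fn, ps in BUSINESS_FUNCTIONS.items()
    }
    return per_level, per_function


def coverage_grid(mapping):
    """Per practice: [level 1, level 2, level 3] project counts, as on the coverage slide."""
    per_level, _ = coverage(mapping)
    return {p: [per_level[p + str(lvl)] for lvl in (1, 2, 3)]
            for ps in BUSINESS_FUNCTIONS.values() for p in ps}


def uncovered_practices(mapping):
    """Practices with no OWASP project mapped at any level: the resource gaps."""
    return [p for p, counts in coverage_grid(mapping).items() if sum(counts) == 0]


if __name__ == "__main__":
    per_level, per_function = coverage(MAPPING)
    for practice, counts in coverage_grid(MAPPING).items():
        print(practice, counts)
    print("per business function:", per_function)
    print("no project support:", uncovered_practices(MAPPING))
```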
