OpenSAMM: Software Assurance Maturity Model
AppSec USA 2014 Project Talk
Seba Deleersnyder (seba@owasp.org) and Pravir Chandra (chandra@list.org), SAMM project co-leaders
Agenda
• Integrating software assurance
• OpenSAMM Quick Start
• OWASP Projects / SAMM activities
• Resources & Self-Assessment
• Road Map
• Forum
SAMM users
• Dell Inc
• KBC
• ING Insurance
• Gotham Digital Science
• HP Fortify
• ISG
• ...
The web application security challenge
[Diagram: an APPLICATION ATTACK arrow crosses the network layer (firewall, hardened OS, web server, app server) and lands in the application layer: custom developed application code, web services, legacy systems, databases, and the billing, human resources and directory systems behind them]
• Your security "perimeter" has huge holes at the application layer
• You can't use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks
"Build in" software assurance: Secure Development Lifecycle (SAMM)
Lifecycle phases: Design, Build, Test, Production
Activities, ordered from proactive to reactive:
• security requirements / threat modeling
• coding guidelines
• code reviews
• static test tools
• security testing
• dynamic test tools
• vulnerability scanning
• WAF
We need a Maturity Model
• An organization's behavior changes slowly over time
• Changes must be iterative while working toward long-term goals
• There is no single recipe that works for all organizations
• A solution must enable risk-based choices tailored to the organization
• Guidance related to security activities must be prescriptive
• A solution must provide enough details for non-security people
• Overall, it must be simple, well-defined, and measurable
The answer: OWASP Software Assurance Maturity Model (SAMM)
SAMM Security Practices
• From each of the Business Functions, 3 Security Practices are defined
• The Security Practices cover all areas relevant to software security assurance
• Each one is a 'silo' for improvement
Under each Security Practice
• Three successive Objectives under each Practice define how it can be improved over time
• This establishes a notion of a Level at which an organization fulfills a given Practice
• The three Levels for a Practice generally correspond to:
  • (0: Implicit starting point with the Practice unfulfilled)
  • 1: Initial understanding and ad hoc provision of the Practice
  • 2: Increase efficiency and/or effectiveness of the Practice
  • 3: Comprehensive mastery of the Practice at scale
Per Level, SAMM defines...
• Objective
• Activities
• Results
• Success Metrics
• Costs
• Personnel
• Related Levels
Education & Guidance
Education & Guidance
"Give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime." (Chinese proverb)
OWASP Top 10:
• A1: Injection
• A2: Cross-Site Scripting (XSS)
• A3: Broken Authentication and Session Management
• A4: Insecure Direct Object References
• A5: Cross Site Request Forgery (CSRF)
• A6: Security Misconfiguration
• A7: Failure to Restrict URL Access
• A8: Insecure Cryptographic Storage
• A9: Insufficient Transport Layer Protection
• A10: Unvalidated Redirects and Forwards
Resources:
• OWASP Top 10: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• OWASP Education: https://www.owasp.org/index.php/Category:OWASP_Education_Project
• WebGoat: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
OWASP Cheat Sheets
Developer Cheat Sheets (Builder):
• Authentication Cheat Sheet
• Choosing and Using Security Questions Cheat Sheet
• Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
• Cryptographic Storage Cheat Sheet
• DOM based XSS Prevention Cheat Sheet
• Forgot Password Cheat Sheet
• HTML 5 Security Cheat Sheet
• Input Validation Cheat Sheet
• JAAS Cheat Sheet
• Logging Cheat Sheet
• OWASP Top Ten Cheat Sheet
• Query Parameterization Cheat Sheet
• Session Management Cheat Sheet
• SQL Injection Prevention Cheat Sheet
• Transport Layer Protection Cheat Sheet
• Web Service Security Cheat Sheet
• XSS (Cross Site Scripting) Prevention Cheat Sheet
Assessment Cheat Sheets (Breaker):
• Attack Surface Analysis Cheat Sheet
• XSS Filter Evasion Cheat Sheet
Mobile Cheat Sheets:
• IOS Developer Cheat Sheet
• Mobile Jailbreaking Cheat Sheet
Draft Cheat Sheets:
• Access Control Cheat Sheet
• Application Security Architecture Cheat Sheet
• Clickjacking Cheat Sheet
• Password Storage Cheat Sheet
• PHP Security Cheat Sheet
• REST Security Cheat Sheet
• Secure Coding Cheat Sheet
• User Privacy Protection Cheat Sheet
• Secure SDLC Cheat Sheet
• Threat Modeling Cheat Sheet
• Virtual Patching Cheat Sheet
• Web Application Security Testing Cheat Sheet
https://www.owasp.org/index.php/Cheat_She
SAMM Quick Start
ASSESS (questionnaire) → GOAL (gap analysis) → PLAN (roadmap) → IMPLEMENT (OWASP resources)
Assess
• SAMM includes assessment worksheets for each Security Practice
Goal
• Gap analysis
  • Capturing scores from detailed assessments versus expected performance levels
• Demonstrating improvement
  • Capturing scores from before and after an iteration of assurance program build-out
• Ongoing measurement
  • Capturing scores over consistent time frames for an assurance program that is already in place
Plan
• Roadmaps: to make the "building blocks" usable
• Roadmap templates for typical kinds of organizations:
  • Independent Software Vendors
  • Online Service Providers
  • Financial Services Organizations
  • Government Organizations
• Tune these to your own targets / speed
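A worked Assess → Goal → Plan pass over the two slides above, added here as an example rather than OpenSAMM's own worksheets or tooling: it scores each practice from worksheet Yes/No answers and lists the practices that fall short of a roadmap phase target. Assumptions: the scoring rule is a simplified form of SAMM 1.0 level scoring (a level counts only when every question at and below it is Yes; partial progress toward the next level is marked "+"), the practice names are SAMM 1.0's twelve, and the answers and targets are constructed sample data.

```python
# Added example: simplified SAMM 1.0 scoring and roadmap gap analysis.
# Not OpenSAMM tooling; the scoring rule is an assumption and the data is constructed.

# The 12 SAMM 1.0 Security Practices, three per Business Function.
PRACTICES = {
    "Governance":   ["Strategy & Metrics", "Policy & Compliance", "Education & Guidance"],
    "Construction": ["Threat Assessment", "Security Requirements", "Secure Architecture"],
    "Verification": ["Design Review", "Code Review", "Security Testing"],
    "Deployment":   ["Vulnerability Management", "Environment Hardening", "Operational Enablement"],
}

def practice_level(answers):
    """answers: {level: [Yes/No answers to that level's worksheet questions]}.
    Assumed scoring: a level is reached only when every question at it (and
    below) is Yes; partial progress toward the next level is marked '+'."""
    level = 0
    for lvl in (1, 2, 3):
        qs = answers.get(lvl, [])
        if qs and all(qs):
            level = lvl
            continue
        return f"{level}{'+' if any(qs) else ''}"
    return str(level)

def score_all(sheets):
    """Assess step: score every assessed practice (unassessed ones count as level 0)."""
    return {p: practice_level(a) for p, a in sheets.items()}

def gap_analysis(scores, targets):
    """Goal step: practices scoring below the roadmap target, with the number of
    levels still to gain. Returns {practice: gap} in Business Function order."""
    gaps = {}
    for practices in PRACTICES.values():
        for p in practices:
            current = int(scores.get(p, "0").rstrip("+"))  # '1+' counts as level 1
            if current < targets.get(p, 0):
                gaps[p] = targets[p] - current
    return gaps

# Constructed sample worksheet answers (two questions per level, for brevity).
SAMPLE_ANSWERS = {
    "Education & Guidance": {1: [True, True], 2: [True, False], 3: [False, False]},
    "Code Review":          {1: [True, True], 2: [True, True],  3: [False, False]},
    "Security Testing":     {1: [False, True], 2: [False, False], 3: [False, False]},
}
# Constructed phase-1 roadmap targets (practice -> level); omitted practices target 0.
PHASE1_TARGETS = {"Education & Guidance": 2, "Code Review": 2,
                 "Security Testing": 1, "Threat Assessment": 1}

if __name__ == "__main__":
    scores = score_all(SAMPLE_ANSWERS)
    print("scores:", scores)
    print("phase 1 gaps:", gap_analysis(scores, PHASE1_TARGETS))
```

Re-running the same script on a later worksheet gives the "before and after" comparison the Goal slide calls demonstrating improvement.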
150+ OWASP resources
PROTECT
• Tools: AntiSamy Java/.NET, Enterprise Security API (ESAPI), ModSecurity Core Rule Set Project
• Docs: Development Guide, .NET, Ruby on Rails Security Guide, Secure Coding Practices - Quick Reference Guide
DETECT
• Tools: JBroFuzz, Live CD, WebScarab, Zed Attack Proxy
• Docs: Application Security Verification Standard, Code Review Guide, Testing Guide, Top Ten Project
LIFE CYCLE
• SAMM, WebGoat, Legal Project
Critical Success Factors
• Get initiative buy-in from all stakeholders
• Adopt a risk-based approach
• Awareness / education is the foundation
• Integrate security in your development / acquisition and deployment processes
• Measure: provide management visibility
SAMM Resources: www.opensamm.org
• Presentations
• Quick Start (to be released)
• Assessment worksheets / templates
• Roadmap templates
• Translations (Spanish, Japanese, ...)
• SAMM mappings to ISO/IEC 27034, BSIMM and PCI (to be released)
NEW: Self-Assessment Online: https://ssa.asteriskinfosec.com.au
Mapping Projects / SAMM
Flagship Projects Coverage
SAMM Roadmap
Build the SAMM community:
• Grow list of SAMM adopters
• Workshops at conferences
• Dedicated SAMM summit
V1.1:
• Incorporate Quick Start / tools / guidance / OWASP projects
• Revamp SAMM wiki
V2.0:
• Revise scoring model
• Model revision necessary? (12 practices, 3 levels, ...)
• Application to agile
• Roadmap planning: how to measure effort?
• Presentations & teaching material
• ...
SAMM Forum
Get involved
• SAMM "Work"-shop tomorrow, 1 PM-5 PM, 16th floor
• Project mailing list / work packages
• Use and donate (feed)back!
• Donate resources
• Sponsor SAMM
Measure & Improve! OpenSAMM.org
- Slides: 26