Owasp hyd 28_dec2013_opensamm

Good Morning

http://digitalcatharsis.files.wordpress.com/2008/10/sleeping-man_ml.jpg

{openSAMM

Why & How?

http://api.ning.com/files/OMGuiScfW0WEzLqgZ-vEG1Gocfg9TzXJ*3p8tfJVh6piUZb380lsGCXDJa0aFePIDX7q-FwM16dSET5kxHSYqOcFNjdBtZiK/elephant.jpg

People

ProcessTechnology

http://30dom.com/wp-content/uploads/2013/11/olympic-weight-lifting-wallpaperli-xueying-weightlifting-olympic--china-photos-and-wallpapers-nusxdel.jpg

http://www.veracode.com/blog/wp-content/uploads/2013/06/bug-bounty-programs.jpg

https://www.owasp.org/images/thumb/f/ff/Security_in_the_SDLC_Process.png/600px-Security_in_the_SDLC_Process.png

http://devpolicy.org/wp-content/uploads/2013/08/Value-for-money.jpg

http://www.rms.net/roi_investreturn.gif

http://www.shipulski.com/wp-content/uploads/2012/06/Impossible.jpeg

https://s3.amazonaws.com/pbblogassets/uploads/2013/04/donkey-pulling-cart.jpg

http://www.you-stylish-barcelona-apartments.com/blog/wp-content/uploads/2010/09/what-to-do.JPG.jpeg

Classification system for a set of processes / function

Shows characteristics of processes over different levels

Examples CMMI (DEV, SVC, ACQ) SSE-CMM BSIMM, openSAMM, etc

Maturity Models

Open Software Assurance Maturity Model

OWASP Project Open framework to help organizations

Formulate Implement Strategy for software security Tailored to the specific risks facing the

organization

openSAMM

Recognizes 4 type of business functions

Any organization performing software development would have these (names could be different)

3 business practices for each function 3 objectives (for levels) under each practice

0 (implied starting point, not included) 1 (initial understanding and ad hoc provision of practice) 2 (increase efficiency / effectiveness of practice) 3 (comprehensive mastery of the practice)

openSAMM - Security Practices

openSAMM - Example

For every level, SAMM defines Objective Activities Results Success Metrics Costs Personnel Related Levels

openSAMM

http://creativeconstruction.files.wordpress.com/2013/02/how_to_do_one_thing_at_a_time.jpg

http://www.jasonshen.com/wp-content/uploads/2012/04/buy-in-image-560x355.jpg

Step 2 - Perform Gap Assessment

Step 3 - Create Roadmap / Assurance Program

Perform practices / activities for level 1 Keep assessing it till you are satisfied

and the scorecard tells you to Inform management with the updated

roadmap in a periodic manner Move to next level after you are done

with the previous one

Step 4 - Execute with periodic reviews

www.sripati.info http://in.linkedin.com/in/sripati

Who Am I

http://www.opensamm.org/downloads/resources/OpenSAMM-1.0.ppt

http://www.opensamm.org/downloads/resources/20090602-Software%20Assurance%20Maturity%20Model.ppt

Credits

Owasp hyd 28_dec2013_opensamm

Technology

Transcript of Owasp hyd 28_dec2013_opensamm

OWASP Education OWASP Global Summit Portugal 2011

OWASP 2013 APPSEC USA Talk - OWASP ZAP

OWASP Testing Guide - OWASP Summit 2011

OWASP OTG-configuration (OWASP Thailand chapter november 2015)

OWASP The OWASP Foundation

HYD HYD Collection

What is OWASP OWASP Live CD Live Demo

Hyd Turbines

OWASP (Membership) and new OWASP Projects · OWASP 7 OWASP

The OWASP Foundation OWASP Chennai 2007 Phishing.

Hyd Projection

Application Security Awareness - OWASP Foundation · 2020-01-17 · Short Description Promote OWASP projects, events, education material and OWASP mission. Related Projects OWASP

Owasp Mosc2010 - Tour of Owasp Projects

OWASP Day - OWASP Day - Lets secure!

Parker Hyd

Preparation hyd

What is OWASP OWASP Live CD Live Demo Omar Sherin-OWASP Egypt.

ng-owasp: OWASP Top 10 for AngularJS Applications

The OWASP Foundation OWASP AppSec Aguascalientes 2010 ¿Qué es OWASP? Miguel Pérez-Milicua Softtek Miembro de OWASP capítulo Aguacalientes.

Proactive Web Application Defenses. Jim Manico @manicode – OWASP Volunteer Global OWASP Board Member Global OWASP Board Member OWASP Cheat-Sheet Series.