Measuring Security Best Practices with OpenSAMM

Posted on 02-Feb-2016


Alan Jex, SnowFROC 2013

Introductions

Alan Jex: Chief Security Architect at HP, PPS Organization, alan.jex@hp.com

Outline

• Security Concerns and Goals
• OpenSAMM Framework
  – Business Functions
  – Security Practices
  – Assessments
  – Scorecards
  – Roadmaps

Security Concerns

• What is your biggest security risk?
• What compliance requirements drive your business?
• How do you handle security incidents?
• Does your development team produce secure code?

Security Goals

• Avoiding the “big one” (data breach)
• Protecting the company brand
• Managing real security risks
• Developing a secure software development lifecycle (SDLC)
• Enabling new business

Enter OpenSAMM

• SAMM is:
  – A Software Assurance Maturity Model
  – An open framework for
    • Measuring security practices
    • Finding vulnerabilities earlier
  – Lightweight, Flexible, Simple-to-understand, and Complete
  – An OWASP project

4 Business Functions, 12 Security Practices

[Slide diagram; practice labels recovered from it: Policy and Compliance, Security Requirements, Security Testing, Vulnerability Management]

SAMM Assessments

• SAMM assessment is lightweight or detailed according to your security process
• SAMM provides assessment worksheets for every Security Practice

SAMM Scorecard

Levels are from 0 to 3:

0 Starting point

1 Ad hoc (manual)

2 Increased effectiveness (automated)

3 Comprehensive mastery (audited)

SAMM Roadmap

• Build your Security Program in phases
• Implement levels based on security risk

Roadmap Templates

• Government
• Online Service Provider
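The assessment, scorecard and roadmap slides describe one flow: answer the worksheet for each Security Practice, read off a level from 0 to 3 per practice, then plan phased targets ordered by security risk. The Python below is an added worked example of that flow, not code from the talk or from the OWASP project. It assumes a worksheet-to-level rule that the slides do not state (a practice is at level N when every question through level N is answered yes, with a "+" when more than half of the next level's questions are also yes), and its worksheet answers, roadmap phases and risk weights are constructed sample data. The twelve practice names are those of OpenSAMM 1.0; the slides themselves name only four of them.

```python
"""Added example: SAMM worksheet answers -> scorecard -> phased, risk-ordered gap list.
Scoring rule and all sample data are assumptions/constructed, not from the slides."""
from __future__ import annotations

from collections.abc import Mapping, Sequence

# Level meanings exactly as listed on the SAMM Scorecard slide.
LEVEL_LABELS = {
    0: "Starting point",
    1: "Ad hoc (manual)",
    2: "Increased effectiveness (automated)",
    3: "Comprehensive mastery (audited)",
}

# The 4 Business Functions and 12 Security Practices of OpenSAMM 1.0.
BUSINESS_FUNCTIONS = {
    "Governance": ["Strategy and Metrics", "Policy and Compliance", "Education and Guidance"],
    "Construction": ["Security Requirements", "Threat Assessment", "Secure Architecture"],
    "Verification": ["Design Review", "Code Review", "Security Testing"],
    "Deployment": ["Vulnerability Management", "Environment Hardening", "Operational Enablement"],
}
ALL_PRACTICES = {p: f for f, ps in BUSINESS_FUNCTIONS.items() for p in ps}


def practice_level(worksheet: Mapping[int, Sequence[bool]]) -> tuple[int, bool]:
    """Derive one practice's level from its worksheet answers.

    worksheet maps level 1..3 to the yes/no answers for that level's questions.
    Assumed rule: the practice is at level N when every question for levels
    1..N is yes; a '+' is reported when more than half of level N+1 is also yes.
    """
    level = 0
    for lvl in (1, 2, 3):
        answers = list(worksheet.get(lvl, []))
        if answers and all(answers):
            level = lvl
        else:
            break
    nxt = list(worksheet.get(level + 1, []))
    plus = bool(nxt) and not all(nxt) and sum(nxt) * 2 > len(nxt)
    return level, plus


def scorecard(assessment: Mapping[str, Mapping[int, Sequence[bool]]]) -> dict[str, tuple[int, bool]]:
    """Score every assessed practice; reject names that are not SAMM practices."""
    unknown = sorted(set(assessment) - set(ALL_PRACTICES))
    if unknown:
        raise ValueError(f"not SAMM practices: {unknown}")
    return {practice: practice_level(ws) for practice, ws in assessment.items()}


def render_scorecard(card: Mapping[str, tuple[int, bool]]) -> list[str]:
    """One line per assessed practice, grouped by Business Function."""
    lines = []
    for function, practices in BUSINESS_FUNCTIONS.items():
        for practice in practices:
            if practice in card:
                level, plus = card[practice]
                lines.append(f"{function} / {practice}: {level}{'+' if plus else ''} ({LEVEL_LABELS[level]})")
    return lines


def roadmap_gaps(card: Mapping[str, tuple[int, bool]], roadmap: Sequence[Mapping[str, int]]) -> list[tuple[int, str, int, int]]:
    """Compare the scorecard with a phased roadmap (per phase: practice -> target level).
    Returns (phase, practice, current, target) for every practice below its target."""
    gaps = []
    for phase_no, phase in enumerate(roadmap, start=1):
        for practice, target in phase.items():
            if target not in LEVEL_LABELS:
                raise ValueError(f"phase {phase_no}: level {target} for {practice} is outside 0..3")
            current = card.get(practice, (0, False))[0]  # an unassessed practice counts as level 0
            if current < target:
                gaps.append((phase_no, practice, current, target))
    return gaps


def prioritize(gaps: Sequence[tuple[int, str, int, int]], risk_weights: Mapping[str, int]) -> list[tuple[int, str, int, int]]:
    """Keep the phase order, and within a phase put the highest-risk practice first
    (the 'implement levels based on security risk' point of the roadmap slide)."""
    return sorted(gaps, key=lambda g: (g[0], -risk_weights.get(g[1], 0), g[1]))


# Constructed worksheet answers for the four practices named on the slides.
SAMPLE_ASSESSMENT = {
    "Policy and Compliance": {1: [True, True], 2: [True, False, False], 3: [False, False]},
    "Security Requirements": {1: [True, True], 2: [True, True], 3: [True, True, False]},
    "Security Testing": {1: [True, True, False], 2: [False, False], 3: [False]},
    "Vulnerability Management": {1: [True, True], 2: [True, True, True], 3: [True, True]},
}
# Constructed two-phase roadmap and risk weights (higher = larger risk to the business).
SAMPLE_ROADMAP = [
    {"Policy and Compliance": 1, "Security Testing": 1, "Vulnerability Management": 2},
    {"Policy and Compliance": 2, "Security Requirements": 3, "Security Testing": 2},
]
SAMPLE_RISK = {"Security Testing": 3, "Security Requirements": 2, "Policy and Compliance": 1}

if __name__ == "__main__":
    card = scorecard(SAMPLE_ASSESSMENT)
    print("\n".join(render_scorecard(card)))
    for phase, practice, cur, tgt in prioritize(roadmap_gaps(card, SAMPLE_ROADMAP), SAMPLE_RISK):
        print(f"phase {phase}: raise {practice} from {cur} to {tgt}")
```

Running it prints the four-line scorecard and then the gap list, phase by phase with the riskiest practice first. Unknown practice names and targets outside 0..3 raise `ValueError`, so a typo in a roadmap cannot silently drop a practice from the plan.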

Summary

• SAMM allows you to:
  – Measure and improve security best practices
  – Focus on security risk to make effective use of security resources
  – Find vulnerabilities earlier in the development process
  – Prevent rather than react to security incidents

References

Security Maturity Models