Candidate Experience: Debunking the Myths, Measuring its Value, Aligning Your Practices
Measuring Security Best Practices with OpenSAMM
description
Transcript of Measuring Security Best Practices with OpenSAMM
Measuring Security Best Practices with OpenSAMM
Alan JexSnowFROC 2013
Alan Jex: Chief Security Architect at HPPPS [email protected]
Introductions
• Security Concerns and Goals• OpenSAMM Framework
– Business Functions– Security Practices– Assessments– Scorecards– Roadmaps
Outline
Security Concerns
• What is your biggest security risk?• What compliance requirements drive your
business?• How do you handle security incidents?• Does your development team produce secure
code?
Security Goals
• Avoiding the “big one” (data breach)• Protecting the company brand• Managing real security risks• Developing a secure software development
lifecycle (SDLC)• Enabling new business
• SAMM is:– A Software Assurance Maturity Model– An open framework for
• Measuring security practices • Finding vulnerabilities earlier
– Lightweight, Flexible, Simple-to-understand, and Complete
– An OWASP project
Enter OpenSAMM
4 Business Functions
12 Security Practices
Policy and Compliance
Security Requirements
Security Testing
Vulnerability Management
SAMM Assessments
• SAMM assessment is lightweight or detailed according to your security process
SAMM Assessments
• SAMM provides assessment worksheets for every Security Practice
SAMM Scorecard
Levels are from 0 to 3:
0 Starting point
1 Ad hoc (manual)
2 Increased effectiveness (automated)
3 Comprehensive mastery (audited)
SAMM Roadmap
SAMM Roadmap• Build your Security Program in phases• Implement levels based on security risk
Roadmap Templates
Government Online Service Provider
Summary
• SAMM allows you to:– Measure and improve security best practices– Focus on security risk to make effective use of
security resources– Find vulnerabilities earlier in the development
process – Prevent rather than react to security incidents
References
Security Maturity Models