OpenSAMM: Software Assurance Maturity Model
Seba Deleersnyder ([email protected]) and Pravir ([email protected]), SAMM project co-leaders
AppSec USA 2014 Project Talk
Agenda
• Integrating software assurance
• OpenSAMM
• Quick Start
• OWASP Projects / SAMM activities
• Resources & Self-Assessment
• Road Map
• Forum
SAMM users
• Dell Inc
• KBC
• ING Insurance
• Gotham Digital Science
• HP Fortify
• ISG
• ...
The web application security challenge
[Diagram: an application attack passes straight through the network layer (firewall, hardened OS, web server, app server, firewall) and reaches the custom developed application code at the application layer, which in turn talks to databases, legacy systems, web services, directories, human resources and billing.]
You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks.
Your security “perimeter” has huge holes at the application layer.
“Build in” software assurance
Security activities per lifecycle phase, from proactive (Design) to reactive (Production):
Design: security requirements / threat modeling
Build: coding guidelines, code reviews, static test tools
Test: security testing, dynamic test tools
Production: vulnerability scanning, WAF
Secure Development Lifecycle (SAMM)
We need a Maturity Model
• An organization’s behavior changes slowly over time
• Changes must be iterative while working toward long-term goals
• There is no single recipe that works for all organizations
• A solution must enable risk-based choices tailored to the organization
• Guidance related to security activities must be prescriptive
• A solution must provide enough details for non-security people
• Overall, must be simple, well-defined, and measurable
OWASP Software Assurance Maturity Model (SAMM)
SAMM Security Practices
• From each of the Business Functions, 3 Security Practices are defined
• The Security Practices cover all areas relevant to software security assurance
• Each one is a ‘silo’ for improvement
Under each Security Practice
• Three successive Objectives under each Practice define how it can be improved over time
• This establishes a notion of a Level at which an organization fulfills a given Practice
• The three Levels for a Practice generally correspond to:
  • (0: Implicit starting point with the Practice unfulfilled)
  • 1: Initial understanding and ad hoc provision of the Practice
  • 2: Increase efficiency and/or effectiveness of the Practice
  • 3: Comprehensive mastery of the Practice at scale
Per Level, SAMM defines...
• Objective
• Activities
• Results
• Success Metrics
• Costs
• Personnel
• Related Levels
Education & Guidance
• Resources:
  • OWASP Top 10
  • OWASP Education
  • WebGoat
Give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime.
Chinese proverb
OWASP Top 10:
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Failure to Restrict URL Access
A8: Insecure Cryptographic Storage
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
https://www.owasp.org/index.php/Category:OWASP_Education_Project
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
OWASP Cheat Sheets
Developer Cheat Sheets (Builder)
• Authentication Cheat Sheet
• Choosing and Using Security Questions Cheat Sheet
• Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
• Cryptographic Storage Cheat Sheet
• DOM based XSS Prevention Cheat Sheet
• Forgot Password Cheat Sheet
• HTML5 Security Cheat Sheet
• Input Validation Cheat Sheet
• JAAS Cheat Sheet
• Logging Cheat Sheet
• OWASP Top Ten Cheat Sheet
• Query Parameterization Cheat Sheet
• Session Management Cheat Sheet
• SQL Injection Prevention Cheat Sheet
• Transport Layer Protection Cheat Sheet
• Web Service Security Cheat Sheet
• XSS (Cross Site Scripting) Prevention Cheat Sheet
• User Privacy Protection Cheat Sheet
Assessment Cheat Sheets (Breaker)
• Attack Surface Analysis Cheat Sheet
• XSS Filter Evasion Cheat Sheet
Mobile Cheat Sheets
• iOS Developer Cheat Sheet
• Mobile Jailbreaking Cheat Sheet
Draft Cheat Sheets
• Access Control Cheat Sheet
• Application Security Architecture Cheat Sheet
• Clickjacking Cheat Sheet
• Password Storage Cheat Sheet
• PHP Security Cheat Sheet
• REST Security Cheat Sheet
• Secure Coding Cheat Sheet
• Secure SDLC Cheat Sheet
• Threat Modeling Cheat Sheet
• Virtual Patching Cheat Sheet
• Web Application Security Testing Cheat Sheet
https://www.owasp.org/index.php/Cheat_Sheets
SAMM Quick Start
ASSESS (questionnaire) → GOAL (gap analysis) → PLAN (roadmap) → IMPLEMENT (OWASP resources)
Assess
• SAMM includes assessment worksheets for each Security Practice
Goal
• Gap analysis
  • Capturing scores from detailed assessments versus expected performance levels
• Demonstrating improvement
  • Capturing scores from before and after an iteration of assurance program build-out
• Ongoing measurement
  • Capturing scores over consistent time frames for an assurance program that is already in place
Plan
• Roadmaps: to make the “building blocks” usable
• Roadmap templates for typical kinds of organizations
  • Independent Software Vendors
  • Online Service Providers
  • Financial Services Organizations
  • Government Organizations
• Tune these to your own targets / speed
150+ OWASP resources
PROTECT
Tools: AntiSamy Java/.NET, Enterprise Security API (ESAPI), ModSecurity Core Rule Set Project
Docs: Development Guide, .NET, Ruby on Rails Security Guide, Secure Coding Practices - Quick Reference Guide
DETECT
Tools: JBroFuzz, Live CD, WebScarab, Zed Attack Proxy
Docs: Application Security Verification Standard, Code Review Guide, Testing Guide, Top Ten Project
LIFE CYCLE
SAMM, WebGoat, Legal Project
Critical Success Factors
• Get initiative buy-in from all stakeholders
• Adopt a risk-based approach
• Awareness / education is the foundation
• Integrate security in your development / acquisition and deployment processes
• Measure: Provide management visibility
SAMM Resources: www.opensamm.org
• Presentations
• Quick Start (to be released)
• Assessment worksheets / templates
• Roadmap templates
• Translations (Spanish, Japanese, …)
• SAMM mappings to ISO/IEC 27034 – BSIMM – PCI (to be released)
NEW: Self-Assessment Online
https://ssa.asteriskinfosec.com.au
Mapping Projects / SAMM

| Project | Type | Level | SAMM Practice | Remarks |
|---|---|---|---|---|
| Broken Web Applications | Tools | Labs | EG1 | |
| CSRFTester | Tools | Labs | ST1 | |
| EnDe | Tools | Labs | ST1 | |
| Fiddler Addons for Security Testing | Tools | Labs | ST1 | |
| Forward Exploit Tool | Tools | Labs | ST1 | |
| Hackademic Challenges | Tools | Labs | EG1 | |
| Hatkit Datafiddler | Tools | Labs | ST1 | |
| Hatkit Proxy | Tools | Labs | ST1 | |
| HTTP POST | Tools | Labs | ST1 | |
| Java XML Templates | Tools | Labs | SA2 | |
| JavaScript Sandboxes | Tools | Labs | not applicable | |
| Joomla Vulnerability Scanner | Tools | Labs | ST1 | |
| LAPSE | Tools | Labs | CR2 | |
| Mantra Security Framework | Tools | Labs | ST1 | |
| Mutillidae | Tools | Labs | EG1 | |
| O2 | Tools | Labs | ST2 | |
| Orizon | Tools | Labs | CR2 | |
| Scrubbr | Tools | Labs | ST1 | |
| Security Assurance Testing of Virtual Worlds | Tools | Labs | ST1 | |
| Vicnum | Tools | Labs | EG1 | |
| Wapiti | Tools | Labs | ST1 | |
| Web Browser Testing System | Tools | Labs | ST1 | |
| WebScarab | Tools | Labs | ST1 | |
| Webslayer | Tools | Labs | ST1 | |
| WSFuzzer | Tools | Labs | ST1 | |
| Yasca | Tools | Labs | CR2 | |
| AppSec Tutorials | Documentation | Labs | EG1 | |
| AppSensor | Documentation | Labs | EH3 | |
| AppSensor | Documentation | Labs | SA2 | |
| Cloud 10 | Documentation | Labs | EG1 | |
| CTF | Documentation | Labs | EG1 | |
| Fuzzing Code | Documentation | Labs | ST1 | |
| Legal | Documentation | Labs | SR3 | |
| Podcast | Documentation | Labs | EG1 | |
| Virtual Patching Best Practices | Documentation | Labs | EH3 | |
| AntiSamy | Code | Flagship | SA2 | |
| Enterprise Security API | Code | Flagship | SA3 | |
| ModSecurity Core Rule Set | Code | Flagship | EH3 | |
| CSRFGuard | Code | Flagship | SA2 | |
| Web Testing Environment | Tools | Flagship | ST2 | |
| WebGoat | Tools | Flagship | EG2 | |
| Zed Attack Proxy | Tools | Flagship | ST2 | |
| Application Security Verification Standard | Documentation | Flagship | DR2 | ASVS-L4 |
| Application Security Verification Standard | Documentation | Flagship | CR3 | ASVS-L4 |
| Application Security Verification Standard | Documentation | Flagship | ST3 | ASVS-L4 |
| Code Review Guide | Documentation | Flagship | CR1 | |
| Codes of Conduct | Documentation | Flagship | not applicable | |
| Development Guide | Documentation | Flagship | EG1 | |
| Secure Coding Practices - Quick Reference Guide | Documentation | Flagship | SR1 | |
| Software Assurance Maturity Model | Documentation | Flagship | SM1 | Recursiveness :-) |
| Testing Guide | Documentation | Flagship | ST1 | |
| Top Ten | Documentation | Flagship | EG1 | |
Flagship Projects Coverage
Number of mapped projects per SAMM Security Practice and Level, grouped by Business Function:

| Business Function | Security Practice | Level 1 | Level 2 | Level 3 | Practice total |
|---|---|---|---|---|---|
| Governance | Strategy & Metrics (SM) | 1 | 0 | 0 | 1 |
| Governance | Policy & Compliance (PC) | 0 | 0 | 0 | 0 |
| Governance | Education & Guidance (EG) | 10 | 1 | 0 | 11 |
| Governance total | | | | | 12 |
| Construction | Threat Assessment (TA) | 0 | 0 | 0 | 0 |
| Construction | Security Requirements (SR) | 1 | 0 | 1 | 2 |
| Construction | Security Architecture (SA) | 0 | 4 | 1 | 5 |
| Construction total | | | | | 7 |
| Verification | Design Review (DR) | 0 | 1 | 0 | 1 |
| Verification | Code Review (CR) | 1 | 3 | 1 | 5 |
| Verification | Security Testing (ST) | 18 | 3 | 1 | 22 |
| Verification total | | | | | 28 |
| Deployment | Vulnerability Management (VM) | 0 | 0 | 0 | 0 |
| Deployment | Environment Hardening (EH) | 0 | 0 | 3 | 3 |
| Deployment | Operational Hardening (OE) | 0 | 0 | 0 | 0 |
| Deployment total | | | | | 3 |
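A worked rollup of the project mapping tables into the coverage grid, as an added example (not OpenSAMM project code): it parses project-to-practice rows, counts them per practice and level, and sums per business function. Run over the rows transcribed from the slides (project names shortened, "n/a" for the rows marked "not applicable") it reproduces the grid above, which shows that the coverage counts include the Labs projects as well as the Flagship ones.

```python
from collections import Counter

# SAMM business functions and the three practices under each, slide order.
FUNCTIONS = {
    "Governance":   ("SM", "PC", "EG"),
    "Construction": ("TA", "SR", "SA"),
    "Verification": ("DR", "CR", "ST"),
    "Deployment":   ("VM", "EH", "OE"),
}

# project:code entries transcribed from the slide's two mapping tables (Labs
# then Flagship; long names shortened). A project mapped to several practices
# (AppSensor, ASVS) appears once per mapping; n/a = "not applicable" rows.
MAPPING = """
Broken Web Applications:EG1; CSRFTester:ST1; EnDe:ST1; Fiddler Addons:ST1; Forward Exploit Tool:ST1
Hackademic Challenges:EG1; Hatkit Datafiddler:ST1; Hatkit Proxy:ST1; HTTP POST:ST1; Java XML Templates:SA2
JavaScript Sandboxes:n/a; Joomla Vulnerability Scanner:ST1; LAPSE:CR2; Mantra:ST1; Mutillidae:EG1; O2:ST2
Orizon:CR2; Scrubbr:ST1; SA Testing of Virtual Worlds:ST1; Vicnum:EG1; Wapiti:ST1; Web Browser Testing System:ST1
WebScarab:ST1; Webslayer:ST1; WSFuzzer:ST1; Yasca:CR2; AppSec Tutorials:EG1; AppSensor:EH3; AppSensor:SA2
Cloud 10:EG1; CTF:EG1; Fuzzing Code:ST1; Legal:SR3; Podcast:EG1; Virtual Patching Best Practices:EH3
AntiSamy:SA2; ESAPI:SA3; ModSecurity CRS:EH3; CSRFGuard:SA2; Web Testing Environment:ST2; WebGoat:EG2
Zed Attack Proxy:ST2; ASVS:DR2; ASVS:CR3; ASVS:ST3; Code Review Guide:CR1; Codes of Conduct:n/a
Development Guide:EG1; Secure Coding Practices:SR1; SAMM:SM1; Testing Guide:ST1; Top Ten:EG1
"""

def parse_mapping(text):
    """Yield (project, practice, level) for every applicable mapping row."""
    for entry in text.replace("\n", ";").split(";"):
        if not entry.strip():
            continue
        project, code = (part.strip() for part in entry.rsplit(":", 1))
        if code == "n/a":
            continue
        yield project, code[:2], int(code[2:])

def coverage(text):
    """Return {function: {practice: [level-1, level-2, level-3 counts]}}."""
    counts = Counter((prac, lvl) for _, prac, lvl in parse_mapping(text))
    return {fn: {p: [counts[(p, lvl)] for lvl in (1, 2, 3)] for p in pracs}
            for fn, pracs in FUNCTIONS.items()}

def function_totals(grid):
    """Sum every practice's counts into one number per business function."""
    return {fn: sum(sum(levels) for levels in pracs.values())
            for fn, pracs in grid.items()}
```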
SAMM Roadmap
Build the SAMM community:
• Grow list of SAMM adopters
• Workshops at conferences
• Dedicated SAMM summit
V1.1:
• Incorporate Quick Start / tools / guidance / OWASP projects
• Revamp SAMM wiki
V2.0:
• Revise scoring model
• Model revision necessary? (12 practices, 3 levels, ...)
• Application to agile
• Roadmap planning: how to measure effort?
• Presentations & teaching material
• …
SAMM Forum
Get involved
• SAMM “Work”-shop tomorrow 1PM-5PM 16th floor
• Project mailing list / work packages
• Use and donate (feed)back!
• Donate resources
• Sponsor SAMM
Measure & Improve!
OpenSAMM.org