OWASP SAMM v1.5 (presentation at OWASP GoSec)
What is SAMM?
• The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.
• The resources provided by SAMM will aid in:
  – Evaluating an organization's existing software security practices.
  – Building a balanced software security assurance program in well-defined iterations.
  – Demonstrating concrete improvements to a security assurance program.
  – Defining and measuring security-related activities throughout an organization.
Why SAMM?
"The most that can be expected from any model is that it can supply a useful approximation to reality: All models are wrong; some models are useful." – George E. P. Box
Core Principles of SAMM
• Changes must be iterative while working toward long-term goals
  An organization's behavior changes slowly over time
• A solution must enable risk-based choices tailored to the organization
  There is no single recipe that works for all organizations
• A solution must provide enough details for non-security people
  Guidance related to security activities must be prescriptive
• OWASP Software Assurance Maturity Model (SAMM)
  Overall, must be simple, well-defined, and measurable
Project History
• OpenSAMM 1.0 (March 2009)
• OWASP SAMM 1.1 (March 2016)
• OWASP SAMM 1.5 (February 2017)
• OWASP SAMM 2.0 (2018-2019)
SAMM Framework
• For each of the four Business Functions, three Security Practices are defined
• The security practices cover areas relevant to software security assurance
Maturity Levels & Assessment Scores
Maturity levels (highest to lowest):
• Comprehensive mastery at scale
• Increased efficiency/effectiveness
• Ad-hoc provision
• Practice unfulfilled
Assessment scores:
• Transparent view over different levels
• Fine-grained improvements are visible
• Answer options: No / Few/Some / At Least Half / Many/Most
Example: Education & Guidance
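Worked scoring example, added here and not taken from the original deck or from the SAMM toolbox itself. It shows how the four answer options yield a fine-grained practice score next to the fully achieved level, so that moving one Education & Guidance answer from Few/Some to At Least Half is visible even though no new level is completed. The answer weights (No=0, Few/Some=0.25, At Least Half=0.5, Many/Most=1) are my assumption based on the SAMM 1.5 toolbox convention, and the questions and answers are constructed.

```python
"""Fine-grained SAMM 1.5-style scoring for one practice (constructed example)."""
from typing import Dict, List, Tuple

# Assumed answer weights (my recollection of the SAMM 1.5 toolbox convention).
ANSWER_WEIGHTS: Dict[str, float] = {
    "No": 0.0,
    "Few/Some": 0.25,
    "At Least Half": 0.5,
    "Many/Most": 1.0,
}

# Constructed questionnaire for Education & Guidance: maturity level -> questions.
QUESTIONS: Dict[int, List[str]] = {
    1: ["Have developers been given high-level security awareness training?",
        "Does each project team have access to secure development guidance?"],
    2: ["Are most roles given role-specific security training?",
        "Can most project teams pull in security coaches when needed?"],
    3: ["Are training and guidance materials reviewed and updated regularly?",
        "Is secure-development certification required for relevant staff?"],
}

def level_score(answers: Dict[str, str]) -> float:
    """Mean answer weight over one level's questions (0.0 .. 1.0)."""
    if not answers:
        return 0.0
    return sum(ANSWER_WEIGHTS[a] for a in answers.values()) / len(answers)

def practice_score(by_level: Dict[int, Dict[str, str]]) -> Tuple[float, int]:
    """Return (fine-grained score in 0..3, highest fully achieved level)."""
    # A level is achieved only when every answer is Many/Most and the level below
    # is achieved; the score still credits partial progress, so small steps show.
    score, achieved = 0.0, 0
    for level in sorted(by_level):
        ls = level_score(by_level[level])
        score += ls
        if ls == 1.0 and achieved == level - 1:
            achieved = level
    return score, achieved

def answers(per_level: Dict[int, List[str]]) -> Dict[int, Dict[str, str]]:
    """Pair each level's constructed questions with a list of answers."""
    return {lvl: dict(zip(QUESTIONS[lvl], ans)) for lvl, ans in per_level.items()}

# Constructed assessment results before and after one small improvement.
BEFORE = answers({1: ["Many/Most", "Many/Most"], 2: ["Few/Some", "No"], 3: ["No", "No"]})
AFTER = answers({1: ["Many/Most", "Many/Most"], 2: ["At Least Half", "No"], 3: ["No", "No"]})

if __name__ == "__main__":
    print(practice_score(BEFORE), practice_score(AFTER))  # (1.125, 1) (1.25, 1)
```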
Level definitions...
• Objective
• Activities
• Assessment
• Results
• Success Metrics
• Costs
• Personnel
• Related Levels
Continuous Improvement
• Iterative
• Small Steps
The improvement cycle:
• ASSESS: questionnaire
• GOAL: gap analysis
• PLAN: roadmap
• IMPLEMENT: resources
SAMM Quick Start
• Assess via Worksheet
• Assess via Toolbox
Assess – Best Practices
• Build more targeted "conversational prompts" for different roles:
  • Management, Architects, Developers, Analysts, Ops, etc.
• Try different formats (interviews, workshops, etc.)
• Validate results:
  • Repeat questions to several people
  • Aggregate gathered information
Goal
• Gap analysis
• Demonstrating improvement
• Ongoing measurement
Goal – Best Practices
• Get consensus and management support
• Be prepared with budget/LOE estimates
• Think carefully about the target SAMM level
  – So you want to achieve all 3's. (I like your budget, can I have some?)
  – Respect practice dependencies
  – It can make sense not to include particular low-level activities
Plan
• Roadmaps: use the "building blocks"
• Templates for typical kinds of organizations
• Tune these to your own targets/speed
Plan – Best Practices
• Identify quick wins (need short, mid and long term targets)
• Start with awareness/training/expectations
• Adapt to upcoming release cycles/key projects
• Spread effort & "gaps to close" over realistic iterations
• Spread work, roles, & responsibilities
  – AppSec resources, development, security, operations
  – For instance service portfolio and guidelines: when and who?
• Take into account dependencies
Implement: 150+ OWASP resources
• Development Guide, Cheat Sheets, Quick Reference Guide
• WebGoat, iGoat, GoatDroid, AppSec Tutorials, Top Ten, Education, Testing Guide
• Hackademic Challenges, Red Book
Implement – Best Practices
• Categorize applications: High, Medium, Low based on risk (e.g. Internet facing, transactions, ...)
• Recheck progress & derive lessons learned at each iteration
• Create & improve reporting dashboard
  – Application & process metrics
• Treat new & legacy code bases differently
• Balance planning on people, process, knowledge, and tools
Critical Success Factors
• Get buy-in from stakeholders
• Adopt a risk-based approach
• Awareness & Education is the foundation
• Integrate & automate security in your development, acquisition, and deployment processes
• Measure: Provide Management Visibility
SAMM can map to BSIMM
[mapping table: SAMM | BSIMM]
SAMM Project Roadmap v2.0 (In Progress):
• Model revision
• More Metrics!
• Application to agile/devops
• Roadmap effort planning
• Benchmarking
Build the community:
• Grow list of SAMM adopters
• Workshops at conferences
• Dedicated SAMM Summit
• Contribute Anon Results
OWASP Summit 2017
• Restructure SAMM activities with an increasing maturity of implementation
• Apply this restructure exercise to all SAMM practices and activities (high level).
• Create one or more detailed descriptions with implementation guidance.
• Modernize the more traditional language and terminology.
*** Under Consideration for V2.0 *** SAMM Overview
Software Assurance Lifecycle: Business Functions and their Security Practices
• Governance: Strategy & Metrics, Policy & Compliance, Education & Guidance
• Design: Threat Assessment, Security Requirements, Secure Architecture
• Build & Deploy: Secure Build, Secure Deployment, Defect Management
• Verification: Design Analysis, Implementation Review, Security Testing
• Operations: Incident Management, Environment Hardening, Operational Enablement
Get involved
• Project mailing list / work packages
• Use and donate (feed)back!
• Donate resources
• Sponsor SAMM
Thank you!
SAMM Toolbox