Owasp SAMM v1.5
Uploaded by brian-glas (Category: Software)

Transcript of Owasp SAMM v1.5

OWASP SAMM v1.5

What is SAMM?
• The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.
• The resources provided by SAMM will aid in:
– Evaluating an organization's existing software security practices.
– Building a balanced software security assurance program in well-defined iterations.
– Demonstrating concrete improvements to a security assurance program.
– Defining and measuring security-related activities throughout an organization.

Using a Maturity Model
• Changes must be iterative while working toward long-term goals
An organization's behavior changes slowly over time
• A solution must enable risk-based choices tailored to the organization
There is no single recipe that works for all organizations
• A solution must provide enough details for non-security people
Guidance related to security activities must be prescriptive
• OWASP Software Assurance Maturity Model (SAMM)
Overall, must be simple, well-defined, and measurable

Why SAMM?
"The most that can be expected from any model is that it can supply a useful approximation to reality: All models are wrong; some models are useful." – George E. P. Box

Project History
OpenSAMM 1.0 (March 2009)
OWASP SAMM 1.1 (March 2016)
OWASP SAMM 1.5 (February 2017)
OWASP SAMM 2.0 (2018-2019)

SAMM Framework
• For each of the four Business Functions, three Security Practices are defined
• The security practices cover areas relevant to software security assurance

Example: Education & Guidance

Level definitions...
• Objective
• Activities
• Assessment
• Results
• Success Metrics
• Costs
• Personnel
• Related Levels

Maturity Levels & Assessment Scores
Maturity levels (highest to lowest):
– Comprehensive mastery at scale
– Increased efficiency/effectiveness
– Ad-hoc provision
– Practice unfulfilled
• Transparent view over different levels
• Fine-grained improvements are visible
Assessment answer scale: No / Few/Some / At Least Half / Many/Most

SAMM Quick Start
• Continuous Improvement
• Iterative
• Small Steps
ASSESS: questionnaire
GOAL: gap analysis
PLAN: roadmap
IMPLEMENT: OWASP resources

Assess via Worksheet

Assess via Toolbox

Goal
• Gap analysis
• Demonstrating improvement
• Ongoing measurement

Plan
• Roadmaps: use the "building blocks"
• Templates for typical kinds of organizations
• Tune these to your own targets/speed

Implement: 150+ OWASP resources
Development Guide, Cheat Sheets, Quick Reference Guide, WebGoat, iGoat, GoatDroid, AppSec Tutorials, Top Ten, Education, Testing Guide, Hackademic Challenges, Red Book

SAMM Toolbox – Interview

SAMM Toolbox – Scorecard

SAMM Toolbox – Roadmap

SAMM Toolbox – Roadmap Chart

SAMM Project Roadmap v2.0 (In Progress):
• Model revision
• More Metrics!
• Application to agile
• Roadmap effort planning
• Benchmarking
Build the community:
• Grow list of SAMM adopters
• Workshops at conferences
• Dedicated SAMM Summit
• Contribute Anon Results

Get involved
• Project mailing list / work packages
• Use and donate (feed)back!
• Donate resources
• Sponsor SAMM

Follow OWASP SAMM
twitter.com/OwaspSAMM