The OWASP Foundation - http://www.owasp.org
OpenSAMM: Software Assurance Maturity Model
Seba Deleersnyder
OWASP Foundation Board Member, OWASP Belgium Chapter Leader
SAMM project co-leader
OWASP Europe Tour 2013
Geneva
The web application security challenge
[Diagram: an application attack passes through the network firewall, hardened OS, web server, app server and a second firewall straight into the custom developed application code and the back-end systems behind it (databases, legacy systems, web services, directories, human resources, billing).]
You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks
[Diagram axis: network layer vs. application layer]
Your security “perimeter” has huge holes at the application layer
“Build in” software assurance
Secure Development Lifecycle (SAMM: Design, Build, Test, Production), with controls placed from proactive (design) to reactive (production):
• Design: security requirements / threat modeling
• Build: coding guidelines, code reviews, static test tools
• Test: security testing, dynamic test tools
• Production: vulnerability scanning, WAF
CLASP
• Comprehensive, Lightweight Application Security Process
• Centered around 7 AppSec Best Practices
• Cover the entire software lifecycle (not just development)
• Adaptable to any development process
• Defines roles across the SDLC
• 24 role-based process components
• Start small and dial-in to your needs
Microsoft SDL
• Built internally for MS software
• Extended and made public for others
• MS-only versions since public release
BSIMM
• Gary McGraw’s and Cigital’s model
• Quantifies activities of software security initiatives of 51 firms
BSIMM - OpenSAMM Mapping
Derived from SAMM beta
BSIMM Code | SAMM Code | BSIMM Activity | OpenSAMM Activity
SM 3.2 | - | run external marketing program | 0
T 3.3 | - | host external software security events | 0
CR 1.1 | CR 1.A | create top N bugs list (real data preferred) (T: training) | Create review checklists from known security requirements
CR 1.2 | CR 1.B | have SSG perform ad hoc review | Perform point-review of high-risk code
CR 1.4 | CR 2.A | use automated tools along with manual review | Utilize automated code analysis tools
CR 3.1 | CR 3.A | use automated tools with tailored rules | Customize code analysis for application-specific concerns
CR 3.3 | CR 3.A | build capability for eradicating specific bugs from entire codebase | Customize code analysis for application-specific concerns
CR 2.3 | CR 3.B | make code review mandatory for all projects | Establish release gates for code review
AA 1.1 | DR 1.B | perform security feature review | Analyze design against known security requirements
AA 2.1 | DR 2.A | define/use AA process | Inspect for complete provision of security mechanisms
AA 1.2 | DR 2.B | perform design review for high-risk applications | Deploy design review service for project teams
AA 1.3 | DR 2.B | have SSG lead review efforts | Deploy design review service for project teams
AA 2.2 | DR 3.A | standardize architectural descriptions (include data flow) | Develop data-flow diagrams for sensitive resources
SM 1.3 | EG 1.A | educate executives | Conduct technical security awareness training
T 1.1 | EG 1.A | provide awareness training | Conduct technical security awareness training
T 2.5 | EG 1.A | hold satellite training/events | Conduct technical security awareness training
SR 1.1 | EG 1.B | create security standards (T: sec features/design) | Build and maintain technical guidelines
SR 1.2 | EG 1.B | create security portal | Build and maintain technical guidelines
CP 2.5 | EG 2.A | promote executive awareness of compliance/privacy obligations | Conduct role-specific application security training
T 2.1 | EG 2.A | offer role-specific advanced curriculum (tools, technology stacks, bug parade) | Conduct role-specific application security training
T 2.2 | EG 2.A | create/use material specific to company history | Conduct role-specific application security training
T 2.4 | EG 2.A | offer on-demand individual training | Conduct role-specific application security training
T 3.2 | EG 2.A | provide training for vendors or outsource workers | Conduct role-specific application security training
T 3.4 | EG 2.A | require annual refresher | Conduct role-specific application security training
AA 2.3 | EG 2.B | make SSG available as AA resource/mentor | Utilize security coaches to enhance project teams
AA 3.1 | EG 2.B | have software architects lead review efforts | Utilize security coaches to enhance project teams
AM 2.4 | EG 2.B | build internal forum to discuss attacks (T: standards/req) | Utilize security coaches to enhance project teams
CR 2.5 | EG 2.B | assign tool mentors | Utilize security coaches to enhance project teams
SM 2.3 | EG 2.B | create or grow social network/satellite system | Utilize security coaches to enhance project teams
T 1.3 | EG 2.B | establish SSG office hours | Utilize security coaches to enhance project teams
Lessons Learned
• Microsoft SDL
  • Heavyweight, good for large ISVs
• Touchpoints
  • High-level, not enough details to execute against
• BSIMM
  • Stats, but what to do with them?
• CLASP
  • Large collection of activities, but no priority ordering
• ALL: Good for experts to use as a guide, but hard for non-security folks to use off the shelf
We need a Maturity Model
• An organization’s behavior changes slowly over time
• Changes must be iterative while working toward long-term goals
• There is no single recipe that works for all organizations
• A solution must enable risk-based choices tailored to the organization
• Guidance related to security activities must be prescriptive
• A solution must provide enough details for non-security-people
• Overall, must be simple, well-defined, and measurable
OWASP Software Assurance Maturity Model (SAMM)
https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model
SAMM Security Practices
• From each of the Business Functions, 3 Security Practices are defined
• The Security Practices cover all areas relevant to software security assurance
• Each one is a ‘silo’ for improvement
Under each Security Practice
• Three successive Objectives under each Practice define how it can be improved over time
• This establishes a notion of a Level at which an organization fulfills a given Practice
• The three Levels for a Practice generally correspond to:
• (0: Implicit starting point with the Practice unfulfilled)
• 1: Initial understanding and ad hoc provision of the Practice
• 2: Increase efficiency and/or effectiveness of the Practice
• 3: Comprehensive mastery of the Practice at scale
Per Level, SAMM defines...
• Objective
• Activities
• Results
• Success Metrics
• Costs
• Personnel
• Related Levels
Education & Guidance
Resources:
• OWASP Top 10
• OWASP Education
• WebGoat
Give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime.
Chinese proverb
OWASP Top 10:
• A1: Injection
• A2: Cross-Site Scripting (XSS)
• A3: Broken Authentication and Session Management
• A4: Insecure Direct Object References
• A5: Cross Site Request Forgery (CSRF)
• A6: Security Misconfiguration
• A7: Failure to Restrict URL Access
• A8: Insecure Cryptographic Storage
• A9: Insufficient Transport Layer Protection
• A10: Unvalidated Redirects and Forwards
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
https://www.owasp.org/index.php/Category:OWASP_Education_Project
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
OWASP Cheat Sheets
Developer Cheat Sheets (Builder):
• Authentication Cheat Sheet
• Choosing and Using Security Questions Cheat Sheet
• Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
• Cryptographic Storage Cheat Sheet
• DOM based XSS Prevention Cheat Sheet
• Forgot Password Cheat Sheet
• HTML5 Security Cheat Sheet
• Input Validation Cheat Sheet
• JAAS Cheat Sheet
• Logging Cheat Sheet
• OWASP Top Ten Cheat Sheet
• Query Parameterization Cheat Sheet
• Session Management Cheat Sheet
• SQL Injection Prevention Cheat Sheet
• Transport Layer Protection Cheat Sheet
• Web Service Security Cheat Sheet
• XSS (Cross Site Scripting) Prevention Cheat Sheet
• User Privacy Protection Cheat Sheet
Assessment Cheat Sheets (Breaker):
• Attack Surface Analysis Cheat Sheet
• XSS Filter Evasion Cheat Sheet
Mobile Cheat Sheets:
• IOS Developer Cheat Sheet
• Mobile Jailbreaking Cheat Sheet
Draft Cheat Sheets:
• Access Control Cheat Sheet
• Application Security Architecture Cheat Sheet
• Clickjacking Cheat Sheet
• Password Storage Cheat Sheet
• PHP Security Cheat Sheet
• REST Security Cheat Sheet
• Secure Coding Cheat Sheet
• Secure SDLC Cheat Sheet
• Threat Modeling Cheat Sheet
• Virtual Patching Cheat Sheet
• Web Application Security Testing Cheat Sheet
https://www.owasp.org/index.php/Cheat_Sheets
Secure Coding Practices Quick Reference Guide
• Technology agnostic coding practices
• What to do, not how to do it
• Compact, but comprehensive checklist format
• Focuses on secure coding requirements, rather than on vulnerabilities and exploits
• Includes a cross referenced glossary to get developers and security folks talking the same language
https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
The OWASP Enterprise Security API
[Diagram: a Custom Enterprise Web Application calls the Enterprise Security API, whose components are Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector and SecurityConfiguration; the API in turn builds on Existing Enterprise Security Services/Libraries.]
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Code Review
Resources:
• OWASP Code Review Guide
SDL Integration:
• Multiple reviews defined as deliverables in your SDLC
• Structured, repeatable process with management support
• Reviews are exit criteria for the development and test phases
https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
Code review tooling
Code review tools:
• OWASP LAPSE (Security scanner for Java EE Applications)
• MS FxCop / CAT.NET (Code Analysis Tool for .NET)
• Agnitio (open source Manual source code review support tool)
https://www.owasp.org/index.php/OWASP_LAPSE_Project
http://www.microsoft.com/security/sdl/discover/implementation.aspx
http://agnitiotool.sourceforge.net/
Security Testing
Resources:
• OWASP ASVS
• OWASP Testing Guide
SDL Integration:
• Integrate dynamic security testing as part of your test cycles
• Derive test cases from the security requirements that apply
• Check business logic soundness as well as common vulnerabilities
• Review results with stakeholders prior to release
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
https://www.owasp.org/index.php/OWASP_Testing_Project
Security Testing
• Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications
• Provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually
Features:
• Intercepting proxy
• Automated scanner
• Passive scanner
• Brute force scanner
• Spider
• Fuzzer
• Port scanner
• Dynamic SSL Certificates
• API
• Beanshell integration
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Web Application Firewalls
[Diagram: a web client (browser) sends legitimate and malicious web traffic over port 80 through the network firewall and the web application firewall to the web server.]
ModSecurity: World’s No 1 open source Web Application Firewall
www.modsecurity.org
• HTTP Traffic Logging
• Real-Time Monitoring and Attack Detection
• Attack Prevention and Just-in-time Patching
• Flexible Rule Engine
• Embedded Deployment (Apache, IIS7 and Nginx)
• Network-Based Deployment (reverse proxy)
OWASP ModSecurity Core Rule Set Project, generic, plug-n-play set of WAF rules
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
150+ OWASP Projects
PROTECT
Tools: AntiSamy Java/.NET, Enterprise Security API (ESAPI), ModSecurity Core Rule Set Project
Docs: Development Guide, .NET, Ruby on Rails Security Guide, Secure Coding Practices - Quick Reference Guide
DETECT
Tools: JBroFuzz, Live CD, WebScarab, Zed Attack Proxy
Docs: Application Security Verification Standard, Code Review Guide, Testing Guide, Top Ten Project
LIFE CYCLE
SAMM, WebGoat, Legal Project
Mapping Projects / SAMM
Project | Type | Level | SAMM Practice | Remarks
Broken Web Applications | Tools | Labs | EG1 |
CSRFTester | Tools | Labs | ST1 |
EnDe | Tools | Labs | ST1 |
Fiddler Addons for Security Testing | Tools | Labs | ST1 |
Forward Exploit Tool | Tools | Labs | ST1 |
Hackademic Challenges | Tools | Labs | EG1 |
Hatkit Datafiddler | Tools | Labs | ST1 |
Hatkit Proxy | Tools | Labs | ST1 |
HTTP POST | Tools | Labs | ST1 |
Java XML Templates | Tools | Labs | SA2 |
JavaScript Sandboxes | Tools | Labs | not applicable |
Joomla Vulnerability Scanner | Tools | Labs | ST1 |
LAPSE | Tools | Labs | CR2 |
Mantra Security Framework | Tools | Labs | ST1 |
Mutillidae | Tools | Labs | EG1 |
O2 | Tools | Labs | ST2 |
Orizon | Tools | Labs | CR2 |
Scrubbr | Tools | Labs | ST1 |
Security Assurance Testing of Virtual Worlds | Tools | Labs | ST1 |
Vicnum | Tools | Labs | EG1 |
Wapiti | Tools | Labs | ST1 |
Web Browser Testing System | Tools | Labs | ST1 |
WebScarab | Tools | Labs | ST1 |
Webslayer | Tools | Labs | ST1 |
WSFuzzer | Tools | Labs | ST1 |
Yasca | Tools | Labs | CR2 |
AppSec Tutorials | Documentation | Labs | EG1 |
AppSensor | Documentation | Labs | EH3 |
AppSensor | Documentation | Labs | SA2 |
Cloud 10 | Documentation | Labs | EG1 |
CTF | Documentation | Labs | EG1 |
Fuzzing Code | Documentation | Labs | ST1 |
Legal | Documentation | Labs | SR3 |
Podcast | Documentation | Labs | EG1 |
Virtual Patching Best Practices | Documentation | Labs | EH3 |
AntiSamy | Code | Flagship | SA2 |
Enterprise Security API | Code | Flagship | SA3 |
ModSecurity Core Rule Set | Code | Flagship | EH3 |
CSRFGuard | Code | Flagship | SA2 |
Web Testing Environment | Tools | Flagship | ST2 |
WebGoat | Tools | Flagship | EG2 |
Zed Attack Proxy | Tools | Flagship | ST2 |
Application Security Verification Standard | Documentation | Flagship | DR2 | ASVS-L4
Application Security Verification Standard | Documentation | Flagship | CR3 | ASVS-L4
Application Security Verification Standard | Documentation | Flagship | ST3 | ASVS-L4
Code Review Guide | Documentation | Flagship | CR1 |
Codes of Conduct | Documentation | Flagship | not applicable |
Development Guide | Documentation | Flagship | EG1 |
Secure Coding Practices - Quick Reference Guide | Documentation | Flagship | SR1 |
Software Assurance Maturity Model | Documentation | Flagship | SM1 | Recursiveness :-)
Testing Guide | Documentation | Flagship | ST1 |
Top Ten | Documentation | Flagship | EG1 |
Coverage (number of OWASP projects mapped to each SAMM practice and level)
Business Function | Security Practice | Level 1 | Level 2 | Level 3 | Practice total | Function total
Governance | Strategy & Metrics (SM) | 1 | 0 | 0 | 1 | 12
Governance | Policy & Compliance (PC) | 0 | 0 | 0 | 0 | 12
Governance | Education & Guidance (EG) | 10 | 1 | 0 | 11 | 12
Construction | Threat Assessment (TA) | 0 | 0 | 0 | 0 | 7
Construction | Security Requirements (SR) | 1 | 0 | 1 | 2 | 7
Construction | Security Architecture (SA) | 0 | 4 | 1 | 5 | 7
Verification | Design Review (DR) | 0 | 1 | 0 | 1 | 28
Verification | Code Review (CR) | 1 | 3 | 1 | 5 | 28
Verification | Security Testing (ST) | 18 | 3 | 1 | 22 | 28
Deployment | Vulnerability Management (VM) | 0 | 0 | 0 | 0 | 3
Deployment | Environment Hardening (EH) | 0 | 0 | 3 | 3 | 3
Deployment | Operational Hardening (OE) | 0 | 0 | 0 | 0 | 3
Get started
Step 1: questionnaire (as-is)
Step 2: define your maturity goal
Step 3: define phased roadmap
Creating Scorecards
• Gap analysis
• Capturing scores from detailed assessments versus expected performance levels
• Demonstrating improvement
• Capturing scores from before and after an iteration of assurance program build-out
• Ongoing measurement
• Capturing scores over consistent time frames for an assurance program that is already in place
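The three "Get started" steps and the scorecard uses above, worked through as an added Python example (not tooling from the OpenSAMM project): questionnaire answers become a 12-practice scorecard, the gap against the maturity goal is computed, and the goal is spread over roadmap phases. The practice codes are the twelve SAMM practices from the coverage table; the one-level-per-phase rule and the sample levels are this example's assumptions.

```python
# SAMM scorecard helpers (added example, not OpenSAMM tooling): gap analysis,
# improvement tracking and a phased roadmap over the twelve SAMM practices.
BUSINESS_FUNCTIONS = {
    "Governance":   ["SM", "PC", "EG"],  # Strategy & Metrics, Policy & Compliance, Education & Guidance
    "Construction": ["TA", "SR", "SA"],  # Threat Assessment, Security Requirements, Security Architecture
    "Verification": ["DR", "CR", "ST"],  # Design Review, Code Review, Security Testing
    "Deployment":   ["VM", "EH", "OE"],  # Vulnerability Management, Environment Hardening, Operational Hardening
}
PRACTICES = [p for codes in BUSINESS_FUNCTIONS.values() for p in codes]
LEVELS = (0, 1, 2, 3)  # 0 = practice unfulfilled ... 3 = comprehensive mastery at scale


def scorecard(answers):
    """Turn questionnaire answers {practice: level} into a full 12-practice scorecard."""
    card = {}
    for p in PRACTICES:
        level = answers.get(p, 0)  # a practice not assessed counts as the implicit level 0
        if level not in LEVELS:
            raise ValueError(f"{p}: level must be one of {LEVELS}, got {level!r}")
        card[p] = level
    return card


def gap_analysis(as_is, target):
    """Levels still missing per practice (0 = target already met); never negative."""
    return {p: max(target[p] - as_is[p], 0) for p in PRACTICES}


def improvement(before, after):
    """Level change per practice across one iteration of assurance program build-out."""
    return {p: after[p] - before[p] for p in PRACTICES}


def phased_roadmap(as_is, target):
    """Phase plan (assumed rule): each phase raises every lagging practice by one level,
    so the successive SAMM levels are never skipped. Both inputs come from scorecard()."""
    current, phases = dict(as_is), []
    while any(current[p] < target[p] for p in PRACTICES):
        step = {p: current[p] + 1 for p in PRACTICES if current[p] < target[p]}
        current.update(step)
        phases.append(step)
    return phases


# Constructed sample: as-is levels from the questionnaire and the chosen maturity goal.
AS_IS = scorecard({"EG": 1, "SR": 1, "CR": 1, "ST": 1, "EH": 1})
GOAL = scorecard({"SM": 2, "PC": 1, "EG": 3, "TA": 2, "SR": 2, "SA": 2,
                  "DR": 2, "CR": 3, "ST": 3, "VM": 2, "EH": 2, "OE": 1})

if __name__ == "__main__":
    for i, step in enumerate(phased_roadmap(AS_IS, GOAL), 1):
        print(f"phase {i}: {step}")
```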
Roadmap templates
• To make the “building blocks” usable, SAMM defines Roadmaps templates for typical kinds of organizations
• Independent Software Vendors
• Online Service Providers
• Financial Services Organizations
• Government Organizations
• Tune these to your own targets / speed
SAMM Resources
www.opensamm.org
• Presentations
• Tools
• Assessment worksheets / templates
• Roadmap templates
• Scorecard chart generation
• Translations (Spanish / Japanese)
• SAMM mappings to ISO/IEC 27034 / BSIMM
Critical Success Factors
• Get initiative buy-in from all stakeholders
• Adopt a risk-based approach
• Awareness / education is the foundation
• Integrate security in your development / acquisition and deployment processes
• Provide management visibility
Project Roadmap
Build the SAMM community:
• List of SAMM adopters
• Workshops at AppSecEU and AppSecUSA
V1.1:
• Incorporate tools / guidance / OWASP projects
• Revamp SAMM wiki
V2.0:
• Revise scoring model
• Model revision necessary? (12 practices, 3 levels, ...)
• Application to agile
• Roadmap planning: how to measure effort?
• Presentations & teaching material
• …
Get involved
• Use and donate back!
• Attend OWASP chapter meetings and conferences
• Support OWASP: become a personal/company member
https://www.owasp.org/index.php/Membership