OpenSAMM_-_OWASP_USA_2014_-_Seba


OpenSAMM Software Assurance Maturity Model

Seba Deleersnyder

Pravir Chandra

SAMM project co-leaders, AppSec USA 2014 Project Talk

Agenda

• Integrating software assurance
• OpenSAMM
• Quick Start
• OWASP Projects / SAMM activities
• Resources & Self-Assessment
• Road Map
• Forum

SAMM users

• Dell Inc
• KBC
• ING Insurance
• Gotham Digital Science
• HP Fortify
• ISG
• ...

The web application security challenge

Your security “perimeter” has huge holes at the application layer.

An application attack passes straight through the stack: Custom Developed Application Code, App Server, Web Server, Hardened OS.

You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks.

“Build in” software assurance

Secure Development Lifecycle (SAMM), from proactive to reactive activities:

• Design: security requirements / threat modeling
• Build: coding guidelines, code reviews, static test tools
• Test: security testing, dynamic test tools
• Production: vulnerability scanning, WAF

We need a Maturity Model

• An organization’s behavior changes slowly over time
• Changes must be iterative while working toward long-term goals
• There is no single recipe that works for all organizations
• Guidance related to security activities must be prescriptive
• Overall, must be simple, well defined, and measurable
• A solution must enable risk-based choices tailored to the organization
• A solution must provide enough details for non-security people

OWASP Software Assurance Maturity Model (SAMM)

SAMM Security Practices

• From each of the Business Functions, 3 Security Practices are defined
• The Security Practices cover all areas relevant to software security assurance
• Each one is a ‘silo’ for improvement

Under each Security Practice

• Three successive Objectives under each Practice define how it can be improved over time
• This establishes a notion of a Level at which an organization fulfills a given Practice
• The three Levels for a Practice generally correspond to:
  • (0: Implicit starting point with the Practice unfulfilled)
  • 1: Initial understanding and ad hoc provision of the Practice
  • 2: Increase efficiency and/or effectiveness of the Practice
  • 3: Comprehensive mastery of the Practice at scale

Per Level, SAMM defines...

• Objective
• Activities
• Results
• Success Metrics
• Costs
• Personnel
• Related Levels

Education & Guidance


Education & Guidance

Give a man a fish and you feed him for a day; Teach a man to fish and you feed him for a lifetime.

Chinese proverb

Resources:
• OWASP Top 10: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• OWASP Education: https://www.owasp.org/index.php/Category:OWASP_Education_Project
• WebGoat: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

OWASP Cheat Sheets

https://www.owasp.org/index.php/Cheat_Sheets

SAMM Quick Start

ASSESS (questionnaire) → GOAL (gap analysis) → PLAN (roadmap) → IMPLEMENT (OWASP resources)

Assess

• SAMM includes assessment worksheets for each Security Practice

Goal

• Gap analysis
  • Capturing scores from detailed assessments versus expected performance levels
• Demonstrating improvement
  • Capturing scores from before and after an iteration of assurance program build-out
• Ongoing measurement
  • Capturing scores over consistent time frames for an assurance program that is already in place

Plan

• Roadmaps: to make the “building blocks” usable.
• Roadmap templates for typical kinds of organizations
  • Independent Software Vendors
  • Online Service Providers
  • Financial Services Organizations
  • Government Organizations
• Tune these to your own targets / speed

150+ OWASP resources

PROTECT

Tools: AntiSamy Java/.NET, Enterprise Security API (ESAPI), ModSecurity Core Rule Set Project
Docs: Development Guide, .NET, Ruby on Rails Security Guide, Secure Coding Practices - Quick Reference Guide

DETECT

Tools: JBroFuzz, Live CD, WebScarab, Zed Attack Proxy
Docs: Application Security Verification Standard, Code Review Guide, Testing Guide, Top Ten Project

LIFE CYCLE

SAMM, WebGoat, Legal Project

Critical Success Factors

• Get initiative buy-in from all stakeholders
• Adopt a risk-based approach
• Awareness / education is the foundation
• Integrate security in your development / acquisition and deployment processes
• Measure: provide management visibility

SAMM Resources www.opensamm.org

• Presentations
• Quick Start (to be released)
• Assessment worksheets / templates
• Roadmap templates
• Translations (Spanish, Japanese, …)
• SAMM mappings to ISO/IEC 27034 – BSIMM – PCI (to be released)

NEW: Self-Assessment Online

https://ssa.asteriskinfosec.com.au


Mapping Projects / SAMM

Flagship projects:

Project                                          Type           Level     SAMM Practice
AntiSamy                                         Code           Flagship  SA2
Enterprise Security API                          Code           Flagship  SA3
ModSecurity Core Rule Set                        Code           Flagship  EH3
CSRFGuard                                        Code           Flagship  SA2
Web Testing Environment                          Tools          Flagship  ST2
WebGoat                                          Tools          Flagship  EG2
Zed Attack Proxy                                 Tools          Flagship  ST2
Application Security Verification Standard       Documentation  Flagship  DR2
Application Security Verification Standard       Documentation  Flagship  CR3
Application Security Verification Standard       Documentation  Flagship  ST3
Code Review Guide                                Documentation  Flagship  CR1
Codes of Conduct                                 Documentation  Flagship  (none)
Development Guide                                Documentation  Flagship  EG1
Secure Coding Practices - Quick Reference Guide  Documentation  Flagship  SR1
Software Assurance Maturity Model                Documentation  Flagship  SM1
Testing Guide                                    Documentation  Flagship  ST1
Top Ten                                          Documentation  Flagship  EG1

Labs projects (Tools, Labs and Documentation types; mapped to practices including CR2, EG1, EH3, SA2, SR3, ST1 and ST2; LAPSE marked not applicable; HTTP POST and Java XML Templates remarked ASVS-L4): Broken Web Applications, CSRFTester, EnDe, Fiddler Addons for Security Testing, Forward Exploit Tool, Hackademic Challenges, Hatkit Datafiddler, HTTP POST, Java XML Templates, JavaScript Sandboxes, Joomla Vulnerability Scanner, LAPSE, Mantra Security Framework, Multilidea, O2, Orizon, Recursiveness :-), Srubbr, Security Assurance Testing of Virtual Worlds, Vicnum, Wapiti, Web Browser Testing System, WebScarab, Webslayer, WSFuzzer, Yasca, AppSec Tutorials, AppSensor, Cloud 10, CTF, Fuzzing Code, Legal, Podcast, Virtual Patching Best Practices.
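The Quick Start cycle (assess, gap analysis, roadmap, OWASP resources) and the Flagship mapping above can be exercised in code. The script below is an added example, not code from the OpenSAMM project or this talk; the assessment scores and the phase-1 roadmap targets are constructed sample data, and the project mapping is the Flagship part of the table above.

```python
"""SAMM Quick Start in code: ASSESS -> GOAL (gap analysis) -> PLAN -> IMPLEMENT.
Added example, not OpenSAMM project code. Scores and targets are constructed;
the mapping is the Flagship part of the Mapping Projects / SAMM table."""
from collections import defaultdict

PRACTICES = ["SM", "PC", "EG", "TA", "SR", "SA", "DR", "CR", "ST", "VM", "EH", "OE"]

# (OWASP Flagship project, SAMM practice level it supports), from the slide.
FLAGSHIP = [
    ("AntiSamy", "SA2"), ("Enterprise Security API", "SA3"),
    ("ModSecurity Core Rule Set", "EH3"), ("CSRFGuard", "SA2"),
    ("Web Testing Environment", "ST2"), ("WebGoat", "EG2"),
    ("Zed Attack Proxy", "ST2"), ("ASVS", "DR2"), ("ASVS", "CR3"),
    ("ASVS", "ST3"), ("Code Review Guide", "CR1"),
    ("Development Guide", "EG1"), ("Secure Coding Practices", "SR1"),
    ("Software Assurance Maturity Model", "SM1"), ("Testing Guide", "ST1"),
    ("Top Ten", "EG1"),
]

def coverage(mapping=FLAGSHIP):
    """Projects per practice level, as in the coverage heat map slide."""
    counts = defaultdict(int)
    for _, level in mapping:
        counts[level] += 1
    return dict(counts)

def gap_analysis(scores, targets):
    """GOAL: {practice: (current, target)} for every practice below target."""
    gaps = {}
    for practice in PRACTICES:
        current, target = scores[practice], targets[practice]
        if not 0 <= current <= 3 or not 0 <= target <= 3:
            raise ValueError(f"{practice}: SAMM levels run from 0 to 3")
        if current < target:
            gaps[practice] = (current, target)
    return gaps

def resources_for_gaps(gaps, mapping=FLAGSHIP):
    """IMPLEMENT: projects mapped to the levels still to be reached."""
    plan = {}
    for practice, (current, target) in gaps.items():
        wanted = {f"{practice}{lvl}" for lvl in range(current + 1, target + 1)}
        plan[practice] = sorted({p for p, lvl in mapping if lvl in wanted})
    return plan

# Constructed sample: assessment worksheet scores and phase-1 roadmap targets.
SCORES = dict(SM=1, PC=0, EG=1, TA=0, SR=1, SA=1, DR=0, CR=1, ST=1, VM=0, EH=1, OE=0)
TARGETS = dict(SM=1, PC=1, EG=2, TA=1, SR=1, SA=2, DR=1, CR=1, ST=2, VM=1, EH=2, OE=1)

if __name__ == "__main__":
    print(resources_for_gaps(gap_analysis(SCORES, TARGETS)))
```

An empty list for a practice (DR, EH in the sample) is the useful signal: the roadmap step has no Flagship project behind it, so the Labs list or non-OWASP resources have to fill it.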

Flagship Projects Coverage

Number of OWASP projects mapped to each Security Practice level:

Business function  Security Practice              Level 1  Level 2  Level 3  Total
Governance         Strategy & Metrics (SM)              1        0        0      1
                   Policy & Compliance (PC)             0        0        0      0
                   Education & Guidance (EG)           10        1        0     11
                   Governance total                                             12
Construction       Threat Assessment (TA)               0        0        0      0
                   Security Requirements (SR)           1        0        1      2
                   Security Architecture (SA)           0        4        1      5
                   Construction total                                            7
Verification       Design Review (DR)                   0        1        0      1
                   Code Review (CR)                     1        3        1      5
                   Security Testing (ST)               18        3        1     22
                   Verification total                                           28
Deployment         Vulnerability Management (VM)        0        0        0      0
                   Environment Hardening (EH)           0        0        3      3
                   Operational Hardening (OE)           0        0        0      0
                   Deployment total                                              3

SAMM Roadmap

Build the SAMM community:
• Grow list of SAMM adopters
• Workshops at conferences
• Dedicated SAMM summit

V1.1:
• Incorporate Quick Start / tools / guidance / OWASP projects
• Revamp SAMM wiki

V2.0:
• Revise scoring model
• Model revision necessary? (12 practices, 3 levels, ...)
• Application to agile
• Roadmap planning: how to measure effort?
• Presentations & teaching material
• …

SAMM Forum


Get involved

• SAMM “Work”-shop tomorrow 1PM-5PM, 16th floor
• Project mailing list / work packages
• Use and donate (feed)back!
• Donate resources
• Sponsor SAMM

Measure & Improve!

OpenSAMM.org