Measuring Security Best Practices with OpenSAMM Alan Jex SnowFROC 2013 Introductions Alan Jex: Chief Security Architect at HP PPS Organization [email protected].
Outline
• Security Concerns and Goals
• OpenSAMM Framework
  – Business Functions
  – Security Practices
  – Assessments
  – Scorecards
  – Roadmaps

Security Concerns
• What is your biggest security risk?
• What compliance requirements drive your business?
• How do you handle security incidents?
• Does your development team produce secure code?

Security Goals
• Avoiding the "big one" (a data breach)
• Protecting the company brand
• Managing real security risks
• Developing a secure software development lifecycle (SDLC)
• Enabling new business

Enter OpenSAMM
• SAMM is:
  – A Software Assurance Maturity Model
  – An open framework for
    • Measuring security practices
    • Finding vulnerabilities earlier
  – Lightweight, flexible, simple to understand, and complete
  – An OWASP project

4 Business Functions, 12 Security Practices
(Slide figure. Only four practice labels survived extraction: Policy and Compliance, Security Requirements, Security Testing, Vulnerability Management. These are one practice from each of the four business functions of the SAMM 1.0 model published at opensamm.org, which groups the twelve practices as follows.)
Governance:    Strategy and Metrics, Policy and Compliance, Education and Guidance
Construction:  Threat Assessment, Security Requirements, Secure Architecture
Verification:  Design Review, Code Review, Security Testing
Deployment:    Vulnerability Management, Environment Hardening, Operational Enablement

SAMM Assessments
• A SAMM assessment is lightweight or detailed, according to your security process: lightweight means answering the worksheet questions; detailed means backing each answer with evidence that is reviewed
• SAMM provides an assessment worksheet for every Security Practice

SAMM Scorecard
Each practice is scored on a level from 0 to 3:
0  Starting point
1  Ad hoc (manual)
2  Increased effectiveness (automated)
3  Comprehensive mastery (audited)

SAMM Roadmap
• Build your security program in phases
• Choose the target level for each practice based on security risk

Roadmap Templates
• Government
• Online Service Provider

Summary
• SAMM allows you to:
  – Measure and improve security best practices
  – Focus on security risk to make effective use of security resources
  – Find vulnerabilities earlier in the development process
  – Prevent rather than react to security incidents

References
Security Maturity Models
• OWASP SAMM project: https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model
• OpenSAMM: http://www.opensamm.org/
• BSIMM: http://bsimm.com/online/
• Microsoft SDL: http://www.microsoft.com/security/sdl/discover/default.aspx
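The scorecard and roadmap slides above describe a mechanical step that is easy to get wrong by hand: turning worksheet answers into a 0–3 level per practice, then turning the gap between current and target levels into phases. The example below is added here as an illustration and is not code from the talk or from the OpenSAMM project. It assumes a scoring rule (a practice reaches level N only when every question at level N and at every lower level is answered Yes, so a practice cannot skip a level), a phasing rule (each phase raises a practice by at most one level), and a constructed, abbreviated worksheet with hypothetical question ids; real SAMM worksheets have more questions per level.

```python
"""Compute a SAMM-style scorecard and phased roadmap from worksheet answers.

Illustrative code, not from the talk or the OpenSAMM project. Scoring rule
assumed: level N is reached only when all questions at level N and at every
lower level are Yes. Phasing rule assumed: one level per practice per phase.
"""
from typing import Dict, List, Tuple

# Maturity levels as named on the scorecard slide.
LEVEL_NAMES = {
    0: "Starting point",
    1: "Ad hoc (manual)",
    2: "Increased effectiveness (automated)",
    3: "Comprehensive mastery (audited)",
}

# Constructed, abbreviated worksheet: practice -> level -> [(question id, text)].
# Question ids and texts are hypothetical; real worksheets are longer.
WORKSHEET: Dict[str, Dict[int, List[Tuple[str, str]]]] = {
    "Policy and Compliance": {
        1: [("PC1a", "Compliance drivers identified?"),
            ("PC1b", "Security policy written and published?")],
        2: [("PC2a", "Policy mapped to compliance requirements?"),
            ("PC2b", "Projects checked against policy at release?")],
        3: [("PC3a", "Compliance audited and reported?"),
            ("PC3b", "Policy exceptions tracked to remediation?")],
    },
    "Security Testing": {
        1: [("ST1a", "Penetration test before major releases?"),
            ("ST1b", "Findings tracked to closure?")],
        2: [("ST2a", "Automated security tests run in the build?"),
            ("ST2b", "Results reviewed with stakeholders?")],
        3: [("ST3a", "Passing security tests is a release gate?"),
            ("ST3b", "Test coverage audited periodically?")],
    },
    "Vulnerability Management": {
        1: [("VM1a", "Single point of contact for vulnerability reports?"),
            ("VM1b", "Incident response process defined?")],
        2: [("VM2a", "Root-cause analysis after each incident?"),
            ("VM2b", "Time-to-fix metrics collected?")],
        3: [("VM3a", "Disclosure process published and audited?"),
            ("VM3b", "Root causes fed back into the SDLC?")],
    },
}

# Constructed sample answers; any question missing here counts as No.
ANSWERS: Dict[str, bool] = {
    "PC1a": True, "PC1b": False, "PC2a": True, "PC2b": True,  # level 2 done, level 1 not
    "ST1a": True, "ST1b": True, "ST2a": True, "ST2b": False,
    "VM1a": True, "VM1b": True, "VM2a": True, "VM2b": True,
}

# Target levels chosen by risk (hypothetical): testing and vuln. management matter most here.
TARGETS: Dict[str, int] = {
    "Policy and Compliance": 1,
    "Security Testing": 3,
    "Vulnerability Management": 3,
}


def practice_level(answers: Dict[str, bool],
                   questions_by_level: Dict[int, List[Tuple[str, str]]]) -> int:
    """Highest level whose questions, and all lower levels' questions, are all Yes."""
    level = 0
    for lvl in sorted(questions_by_level):
        if all(answers.get(qid, False) for qid, _ in questions_by_level[lvl]):
            level = lvl
        else:
            break  # an incomplete lower level blocks every level above it
    return level


def scorecard(worksheet: Dict[str, Dict[int, List[Tuple[str, str]]]],
              answers: Dict[str, bool]) -> Dict[str, int]:
    """Level per practice, in worksheet order."""
    return {practice: practice_level(answers, qs) for practice, qs in worksheet.items()}


def roadmap(current: Dict[str, int], target: Dict[str, int]) -> List[Dict[str, int]]:
    """Phases; each phase lists the practices raised and the level they reach."""
    state = dict(current)
    phases: List[Dict[str, int]] = []
    while any(state[p] < target.get(p, state[p]) for p in state):
        phase = {}
        for p in state:
            if state[p] < target.get(p, state[p]):
                state[p] += 1
                phase[p] = state[p]
        phases.append(phase)
    return phases


def report(worksheet, answers, target) -> List[str]:
    """Human-readable scorecard followed by the phased roadmap."""
    lines = []
    current = scorecard(worksheet, answers)
    for practice, lvl in current.items():
        lines.append(f"{practice}: {lvl} ({LEVEL_NAMES[lvl]}), target {target.get(practice, lvl)}")
    for i, phase in enumerate(roadmap(current, target), start=1):
        lines.append(f"Phase {i}: " + ", ".join(f"{p} -> {l}" for p, l in phase.items()))
    return lines


if __name__ == "__main__":
    print("\n".join(report(WORKSHEET, ANSWERS, TARGETS)))
```

Note the Policy and Compliance case: both level 2 questions are Yes but one level 1 question is No, so the practice scores 0, not 2. Scoring each level independently would overstate maturity, which is exactly the kind of error a scorecard is meant to prevent.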