©2009 Gotham Digital Science, LLC Software Assurance with SAMM 21 Sept 2009, SOURCE Barcelona Matt Bartoldus

Presentation transcript:


2 Introduction
o Me
o Who Are You?
 – Assessment (Penetration Tester; Security Auditors)
 – QA Tester
 – Architect
 – Developer
 – Management
 – Business Owner
 – Consultant (two or more of the above)
 – Other

3 Agenda
o Overview of Software Security Issues (it is all so very young!)
o Introducing SAMM
o Uses of SAMM
o SAMM Core Functions / Activities
o Use Case – SAMM to Measure
o Use Case – SAMM to Implement
o Future of SAMM

4 Overview of Software Security Issues

5 Software Security Issues
o Largely the same drivers across industries
 – Compliance: PCI-DSS, SOX, DPA, etc.
 – Protection: brand/reputation; from criminals (cyber-crime)
 – Governance: a function of good corporate governance

6 Software Security Issues
» What does ‘it’ look like?
» How can we understand and manage ‘this’?
» Do we have enough resources / skills to do ‘this’?
» How does ‘this’ fit in with the Security function; shouldn’t they do ‘it’?
» We are used to security projects that implement tools or systems, but now we need to change our processes?
» Isn’t there an established method or model for all ‘this’?

7 Young Discipline in a Young Industry
o BS7799 came out in the mid-90s
o Shifting focus within the industry
 – PBX to Infrastructure to Database/Application
o PCI-DSS
 – CISP – 2001 – mention of change control as a best-practice item
 – PCI-DSS v1.2 – late 2008 – Requirement 6

8 So what is ‘this’ discipline called?
» Software Assurance
» SSA – Software Security Assurance
» SDL – Security Development Lifecycle
» SDLC – to confuse everyone
» sSDLC – secure Software Development Lifecycle
» SPLC – Secure Project Lifecycle
» CLASP – Comprehensive, Lightweight Application Security Process
» 7 Touchpoints
» SSF – System Security Framework

9 Other approaches to Security in the SDLC

10 Motivation for a maturity model approach
o Changing an organisation is hard
 – Simple, well-defined, measurable is preferred over complex, nuanced, ethereal
o Software security is a result of many activities
 – A combination of people, process, and automation
o There is no single formula for all organisations
 – Business risk from software depends on the nature of the business
o An assurance program must be built over time
 – Organisations can’t change overnight; use a phased approach

11 The Software Assurance Maturity Model (SAMM)

12 The Software Assurance Maturity Model
o Collaboratively written by experts within this field, with review and feedback
o Funded by Fortify Software
o Beta released in Aug 2008
o Creative Commons Attribution-Share Alike License (i.e. open)

13 Goals and Purpose
o To define building blocks for an assurance program
 – Delineate all functions within an organisation that could be improved over time
o To allow organisations to create customised roadmaps
 – Each organisation can choose the order and extent to which it improves each function
o To provide sample roadmaps for common types of organisations
 – Each roadmap is a baseline that can be tweaked based on the specific concerns of a given organisation

14 Uses for SAMM
o Guidance
 – What needs to be done; a general idea of skills and resource needs
o Measurement – assurance program scorecard
 – Scores / metrics for activities, measured against defined objectives
 – Gaps against best practice
 – Demonstrate quantifiable improvement
o Context / Framework for the Business
 – Communicate outside of the security office
 – Substantiate business requirements / risks
 – Set out a common understanding (get everyone on the same page)
o Build an Implementation Roadmap
 – Use the guidance
 – Measure
 – Put it into business context (for funding and management support)

15 What SAMM is NOT
o A prescriptive ‘how-to’ document
o A ‘one size fits all’ methodology
o An audit checklist for secure development

16 SAMM Core Functions?

17 Business Functions and Security Practices
o Almost any organisation involved with software development must fulfil each of the Business Functions to some degree.
o Security Practices are the independent silos for improvement that map underneath the Business Functions of software development.

18 Security Practice: Objectives and Activities. For example, Education & Guidance (diagram not reproduced in the transcript)

19 Policy and Compliance – PC
o Understand the standards and compliance drivers of the organisation in order to meet their needs.
o Set out compliance gates

20 Security Requirements – SR
o In order to plan for information security to be built into software, it has to be detailed as requirements so that it can be developed and tested in the same way as functional requirements.
o Security requirements need to be tailored based on several risk factors, such as the type of software being developed, the data that will be processed, or who will have access.

21 Threat Assessment – TA
o Threat Assessment is an activity performed in order to focus on what the threats to an application are and the likely attacks it may face once developed and deployed.
o Information security requirements are then matched against the identified threats in order to determine whether the security requirements have addressed all identified threats appropriately.

22 Design Review – DR
o The review of software designs and architecture models for potential security-related deficiencies.
o The security requirements developed for the project, as well as either the organisation’s security architecture or best practices, are used as the basis for the review.

23 Code Review – CR
o Source code analysis for information-security-related issues within code.
o Use checklists and sampling
o Automated tools for deeper inspection

24 Security Testing – ST
o This activity is the one most recognisable in the industry, as it has been performed for many years.
o Includes traditional penetration testing such as black-box and white-box testing.
o SAMM also suggests performing more tailored testing based on test cases derived from the security requirements.

25 Using SAMM to Measure

26 BSIMM
o Research conducted by Cigital and Fortify Software
o Based on activities undertaken by Adobe, EMC, Google, Microsoft, QUALCOMM, Wells Fargo, and the DTCC (and two unnamed organisations)
o Released March 2009
o Creative Commons Attribution-Share Alike License (i.e. open)
o EU-based study in progress

27 Measuring for Implementation – EU Financial Organisation
o Discussed software development and related security processes within the organisation
o Measured against SAMM activities
o Used CMMI-type scores for each activity (think COBIT controls measurement)
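A scorecard of the kind the "Uses for SAMM" slide and this measurement slide describe, as an added example (not code from the presentation or from the OpenSAMM project): it applies SAMM's cumulative per-practice maturity scoring, rolls up a mean level per Business Function, and lists gaps against a roadmap target. The assessment results and roadmap targets are constructed for illustration.

```python
"""SAMM assurance-program scorecard (added example; not code from the slides or
the OpenSAMM project). Models OpenSAMM 1.0: 4 Business Functions x 3 Security
Practices x 3 maturity levels, two activities per level. A practice reaches
level L only when every activity at levels 1..L is in place; a trailing '+'
marks work started at the next level. All assessment data is constructed."""

FUNCTIONS = {  # OpenSAMM 1.0 Business Functions and their Security Practices
    "Governance": ["Strategy & Metrics", "Policy & Compliance", "Education & Guidance"],
    "Construction": ["Threat Assessment", "Security Requirements", "Secure Architecture"],
    "Verification": ["Design Review", "Code Review", "Security Testing"],
    "Deployment": ["Vulnerability Management", "Environment Hardening",
                   "Operational Enablement"],
}

def practice_level(activities):
    """activities: three [A_done, B_done] pairs, one per level. Returns (level,
    partial); the level is cumulative, so level-2 work without level 1 scores 0+."""
    level = 0
    for done in activities:
        if not all(done):
            break
        level += 1
    return level, level < 3 and any(activities[level])

def scorecard(assessment):
    """Per-practice (level, partial) and the mean level per Business Function."""
    practices = {p: practice_level(a) for p, a in assessment.items()}
    functions = {f: sum(practices[p][0] for p in ps) / len(ps)
                 for f, ps in FUNCTIONS.items()}
    return practices, functions

def gaps(assessment, roadmap):
    """Practices whose measured level is below the roadmap target: (current, target)."""
    cur = {p: practice_level(a)[0] for p, a in assessment.items()}
    return {p: (cur[p], t) for p, t in roadmap.items() if cur[p] < t}

def empty_assessment():
    return {p: [[False, False] for _ in range(3)] for ps in FUNCTIONS.values() for p in ps}

# Constructed measurement of a hypothetical organisation, scored per activity.
ASSESSED = empty_assessment()
ASSESSED["Policy & Compliance"] = [[True, True], [True, False], [False, False]]   # 1+
ASSESSED["Security Requirements"] = [[True, True], [True, True], [False, False]]  # 2
ASSESSED["Threat Assessment"] = [[False, True], [True, True], [False, False]]     # 0+
ASSESSED["Code Review"] = [[True, False], [False, False], [False, False]]         # 0+
ASSESSED["Security Testing"] = [[True, True], [False, False], [False, False]]     # 1
# Constructed first-phase roadmap targets (practice -> maturity level).
ROADMAP = {"Policy & Compliance": 2, "Security Requirements": 2,
           "Threat Assessment": 1, "Code Review": 1, "Security Testing": 2}
```

Running `scorecard(ASSESSED)` and `gaps(ASSESSED, ROADMAP)` on a second assessment taken later gives the quantifiable improvement the slides mention: the per-practice level deltas and the shrinking gap set.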

28 Using SAMM to Implement

29 Implementing SAMM – Large EU Organisation
o Used measurement results to perform planning
o Determined goals based on measurement results and chose the initial activities needed to implement them
o Put it all into context to talk with management for support
o Enabled us to see dependencies on other areas of the business


31 About Gotham Digital Science
o Gotham Digital Science (GDS) is an international security services company specializing in Application and Network Infrastructure security, and Information Security Risk Management. GDS clients number among the largest financial services institutions and software development companies in the world.
o Offices in London and New York City