
Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit
The OWASP Foundation
6th OWASP AppSec Conference, Milan, May
The OWASP CLASP Project
Pravir Chandra, OWASP CLASP Project Lead, Principal Consultant -- Cigital, Inc.

Agenda
- What is CLASP anyway?
- The CLASP philosophy and contents
- Comparison to other security processes
- Details on the OWASP CLASP Project

CLASP 2007
- Comprehensive, Lightweight Application Security Playbook
- CLASP is a prescriptive guide for organizations to address software security iteratively
- Cover the entire organization (not just development)
- Adaptable to any type of organization or development process
- New material to reflect software security’s inexorable tie to the specifics of a business

Origins of CLASP
- Original version was developed by Secure Software (acquired by Fortify Software)
  - Collection of ‘stuff’: vulns, roles, activities, etc.
- Heavily modified for CLASP 2007
  - This is the version we’ll discuss today
  - To be released by June 2007

Top-level organization of CLASP 2007
- Think
  - How to think about software security
  - Setting long-term goals and strategy based on your business
- Plan
  - Setting near-term goals to execute against
  - Planning iterations and getting immediate value
- Do
  - The nitty-gritty details of performing activities that provide assurance
  - Executing and measuring success

Think

Philosophical Stuff
- It’s about balancing risk, not 100% secure
- Even if you don’t have a well-defined process, you can make an impact
- Monitor and measure to make sure you’re on track for efficiency and efficacy
- Use the CLASP Best Practices as a ‘north star’

The CLASP Best Practices
1. Institute awareness programs
2. Perform application assessments
3. Capture security requirements
4. Implement secure development practices
5. Build vulnerability remediation procedures
6. Define and monitor metrics
7. Publish operational security guidelines

Key decision points
- What kind of business are you in?
  - Regulatory requirements
  - Rough cut at ‘risk appetite’
- How does your business rely upon software?
  - Do you sell boxed applications? … platforms?
  - Do you build and operate your own software?
  - Do you outsource and consume?
- What top-management support is available?
- How much cost can you tolerate short-term? … long-term?

Plan

Creating an action plan
- CLASP 2007 introduces the concept of ‘Competencies’
  - High-level areas of the SDLC
  - Each has pre-determined maturity levels (not quite CMM-style)
- Based on your drivers, pick the next Competency (or maturity level) you’ll target
  - A Competency level has assigned Activities (more on this later)
  - Provides some ready-made milestones
  - Grow the organization’s skill and efficiency over time
- A few example roadmaps for common types of businesses are provided to get started

The CLASP Competencies
1. Security Management & Governance
2. Hardened Requirements & Design
3. Secure Implementation
4. Software Assessment & Testing
5. Safe Deployment & Operations

Do

Putting rubber on the road
- Based on target Competency level, implement assigned Activities
  - Plan appropriate resources for the activity
  - Ensure correct Roles are filled
  - Instrument with prescribed monitors for metrics
- In total, there are ~24 Activities
  - They’re spread across the Competency levels for bite-size consumption
  - Some you may never need to implement

The CLASP Activities
1. Institute Security Awareness Program
2. Perform Security Analysis of System Requirements and Design (Threat Modeling)
3. Perform Source Level Security Review
4. Identify, Implement, and Perform Security Tests
5. Verify Security Attributes of Resources
6. Research and Assess Security Posture of Technology Solutions
7. Identify Global Security Policy
8. Identify Resources and Trust Boundaries
9. Identify User Roles and Resource Capabilities
10. Specify Operational Environment
11. Detail Misuse Cases
12. Identify Attack Surface
13. Document Security Relevant Requirements
14. Apply Security Principles to Design
15. Annotate Class Designs with Security Properties
16. Implement and Elaborate Resource Policies and Security Technologies
17. Implement Interface Contracts
18. Integrate Security Analysis into Source Management Process
19. Perform Code Signing
20. Manage Security Issue Disclosure Process
21. Address Reported Security Issues
22. Monitor Security Metrics
23. Specify Database Security Configuration
24. Build Operational Security Guide

Lots of details
- Each Activity is well-specified
  - Roles involved
  - Applicability and Impacts
  - Frequency and approx. level of effort
  - How-to steps for executing the activity
  - Measurement criteria
- CLASP specifies Roles as well
  - High-level, so one person may hold >1 Role
  - Skills requirements for filling the Role

The CLASP Roles
1. Architect
2. Designer
3. Implementer
4. Project Manager
5. Requirements Specifier
6. Security Auditor
7. Test Analyst

Summary of CLASP 2007
- Think
  - Philosophy of software security
  - Best Practices to guide decisions
  - Key decision points that affect logistics
- Plan
  - Competencies and maturity levels
  - Sample, goal-based roadmaps
- Do
  - Activity definitions and details
  - Role definitions and supporting information

On SDLCs

CLASP and other SDLC models
- There are two other secure SDLC models that you may have heard of
  - Microsoft’s SDL (The Security Development Lifecycle, Howard and Lipner)
  - The Security Touchpoints (Software Security, McGraw)
- These both map to CLASP in a fairly straightforward way, with a few exceptions

The Stages of Microsoft’s SDL
- 0: Education & Awareness
- 1: Project Inception
- 2: Define and Follow Design Best Practices
- 3: Product Risk Assessment
- 4: Risk Analysis
- 5: Creating Security Documents, Tools, and Best Practices for Customers
- 6: Secure Coding Policies
- 7: Secure Testing Policies
- 8: The Security Push
- 9: The Final Security Review
- 10: Security Response Planning
- 11: Product Release
- 12: Security Response Execution
Source: The Security Development Lifecycle, by Michael Howard and Steve Lipner

CLASP and SDL
- Direct mapping is tricky since SDL isn’t specified the same way as CLASP
  - Some Stages of SDL are activities, some are artifacts, and some are processes
- SDL contains lots more tactical advice from the MS trenches
  - CLASP is specified more prescriptively, with fewer open-ended ideas
- Timelines or impacts for SDL stages aren’t clearly defined
  - Makes it harder to plan for cost-effectiveness (SDL is expensive)
- Following the CLASP Competency roadmap for an ISV gives a roadmap that’s darn close to SDL

The Security Touchpoints
Source: Software Security, by Gary McGraw

CLASP and the Touchpoints
- The Touchpoints map almost exactly to CLASP
  - Several CLASP activities map to a single Touchpoint in some cases
- Touchpoints focus on the core of software development
  - CLASP aims to be a bit broader across an organization (including things like policy and awareness training)
- Touchpoints have a prescribed adoption order
  - CLASP varies this a bit in the Competency roadmaps according to the kind of business

The bottom line
- Whether it’s SDL, the Touchpoints, or CLASP, it’s all good
  - There’s really nothing that the three fundamentally disagree on
- The real question is what applies to your organization best and what you’re most comfortable with
- CLASP 2007 will contain a more detailed analysis and mapping of each

Add’l Info

The OWASP CLASP Project
- Mission
  - Reinforce application security through prescriptive guidance that enables iterative improvement to any development model.
- Tactical Goals
  1. Getting draft of CLASP 2007 out for review
  2. Updating OWASP Wiki with latest information and downloads
  3. Beefing up CLASP materials with more practical advice/suggestions

Get involved
- We need volunteers for reviewers and contributors
- Start by browsing the wiki pages for CLASP
  - The Roles and most of the Activities are the same
  - The Competency information will be up as soon as it’s ready for review
- Mailing list for discussions

Pravir Chandra