OpenSAMM Best Practices, Lessons from the Trenches

Presentation transcript:

1 OpenSAMM Best Practices, Lessons from the Trenches
Seba Deleersnyder, Bart De Win (OpenSAMM project co-leaders)
Managing all application security activities as part of development and deployment of applications can be an overwhelming challenge. OWASP OpenSAMM gives you a structural and measurable blueprint to integrate OWASP best practices in your software life cycle. This OWASP framework allows you to formulate and implement a strategy for software security that is tailored to the risk profile of your organisation. During this talk Bart and Sebastien will get you up to speed on the OpenSAMM framework and share the important challenges they faced in implementing the framework within various organisations. Important topics that will be covered during this presentation are:
  What is the optimal OpenSAMM maturity level for your organisation?
  At which level to implement OpenSAMM in the organisation: at company, business unit or development team level?
  How to integrate OpenSAMM activities in agile development?
  How to apply OpenSAMM to suppliers or outsourced development?
  What metrics does OpenSAMM provide to manage your secure development life cycle?
  Practical lessons learned and use cases from the trenches that make OWASP OpenSAMM a valuable methodology which you should apply to your secure development life cycle!
Prior to the conference we organise a full-day training on OpenSAMM; make sure to reserve your seat at this free OWASP training. After the conference the OpenSAMM project team comes together for their first OpenSAMM summit in Cambridge. If you want to contribute to this flagship project, stay and join us at the summit. More details on the AppSec Europe 2014 project talk.

2 Bart / Seba ? fixme: introduction slides (keep it short)

3 Agenda
  Integrating software assurance?
  OpenSAMM Quick Start
  Lessons Learned
  Resources & Self-Assessment
  OpenSAMM Road Map
fixme: how much time do we have? 50 total. How much time to spend per topic? Who does which slides?

4 The web application security challenge
Your security “perimeter” has huge holes at the application layer.
Diagram: the Network Layer (Firewall, Hardened OS, Web Server, App Server, Firewall) sits below the Application Layer (Custom Developed Application Code; Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing); an APPLICATION ATTACK passes straight through the network layer into the application layer.
You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks.
MAIN THEME: applications are different than networks; software is full of holes, hence the need for software assurance.

5 “Build in” software assurance
Diagram: the life cycle phases Design, Build, Test and Production, from proactive (left) to reactive (right):
  Design: security requirements / threat modeling
  Build: coding guidelines, code reviews, static test tools
  Test: security testing, dynamic test tools
  Production: vulnerability scanning, WAF
Go to the “left”: Secure Development Lifecycle (SAMM)

6 We need a Maturity Model
  An organization’s behavior changes slowly over time
  Changes must be iterative while working toward long-term goals
  There is no single recipe that works for all organizations
  A solution must enable risk-based choices tailored to the organization
  Guidance related to security activities must be prescriptive
  A solution must provide enough details for non-security people
  Overall, it must be simple, well-defined, and measurable
OWASP Software Assurance Maturity Model (SAMM)

7 SAMM users
  Dell Inc
  KBC
  ING Insurance
  Gotham Digital Science
  HP Fortify
  ISG
  ...
Show of hands in the audience?

8 SAMM Security Practices
  From each of the Business Functions, 3 Security Practices are defined
  The Security Practices cover all areas relevant to software security assurance
  Each one is a ‘silo’ for improvement
Define building blocks for an assurance program: delineate all functions within an organization that could be improved over time
Define how building blocks should be combined: make creating change in iterations a no-brainer
Define details for each building block clearly: clarify the security-relevant parts in a widely applicable way (for any org doing software development)

9 Under each Security Practice
Three successive Objectives under each Practice define how it can be improved over time. This establishes a notion of a Level at which an organization fulfills a given Practice. The three Levels for a Practice generally correspond to:
  (0: Implicit starting point with the Practice unfulfilled)
  1: Initial understanding and ad hoc provision of the Practice
  2: Increase efficiency and/or effectiveness of the Practice
  3: Comprehensive mastery of the Practice at scale
fixme: combine with previous slide?

10 Example: Education & Guidance

11 Per Level, SAMM defines...
  Objective
  Activities
  Results
  Success Metrics
  Costs
  Personnel
  Related Levels
Do we need this level of detail?

12 Education & Guidance
Resources: OWASP Top 10, OWASP Education, WebGoat
OWASP Top 10:
  A1: Injection
  A2: Cross-Site Scripting (XSS)
  A3: Broken Authentication and Session Management
  A4: Insecure Direct Object References
  A5: Cross Site Request Forgery (CSRF)
  A6: Security Misconfiguration
  A7: Failure to Restrict URL Access
  A8: Insecure Cryptographic Storage
  A9: Insufficient Transport Layer Protection
  A10: Unvalidated Redirects and Forwards
“Give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime.” Chinese proverb

13 OWASP Cheat Sheets
Developer Cheat Sheets (Builder):
  Authentication Cheat Sheet
  Choosing and Using Security Questions Cheat Sheet
  Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
  Cryptographic Storage Cheat Sheet
  DOM based XSS Prevention Cheat Sheet
  Forgot Password Cheat Sheet
  HTML5 Security Cheat Sheet
  Input Validation Cheat Sheet
  JAAS Cheat Sheet
  Logging Cheat Sheet
  OWASP Top Ten Cheat Sheet
  Query Parameterization Cheat Sheet
  Session Management Cheat Sheet
  SQL Injection Prevention Cheat Sheet
  Transport Layer Protection Cheat Sheet
  Web Service Security Cheat Sheet
  XSS (Cross Site Scripting) Prevention Cheat Sheet
  User Privacy Protection Cheat Sheet
Assessment Cheat Sheets (Breaker):
  Attack Surface Analysis Cheat Sheet
  XSS Filter Evasion Cheat Sheet
Mobile Cheat Sheets:
  IOS Developer Cheat Sheet
  Mobile Jailbreaking Cheat Sheet
Draft Cheat Sheets:
  Access Control Cheat Sheet
  Application Security Architecture Cheat Sheet
  Clickjacking Cheat Sheet
  Password Storage Cheat Sheet
  PHP Security Cheat Sheet
  REST Security Cheat Sheet
  Secure Coding Cheat Sheet
  Secure SDLC Cheat Sheet
  Threat Modeling Cheat Sheet
  Virtual Patching Cheat Sheet
  Web Application Security Testing Cheat Sheet

14 SAMM Quick Start
Diagram: ASSESS (questionnaire) -> GOAL (gap analysis) -> PLAN (roadmap) -> IMPLEMENT (OWASP resources), then back to ASSESS.
Use 4-step improvement iterations:
  1) Measure levels => assessment QA
  2) Set goals => gap analysis
  3) Plan => roadmap
  4) Implement => with other OWASP material
  And go back to 1)

15 Assess
SAMM includes assessment worksheets for each Security Practice

16 Goal
Gap analysis: capturing scores from detailed assessments versus expected performance levels
Demonstrating improvement: capturing scores from before and after an iteration of assurance program build-out
Ongoing measurement: capturing scores over consistent time frames for an assurance program that is already in place
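The assess / goal / plan loop of slides 14 to 16 (score the worksheets, compare against target levels, plan iterations) is easy to make concrete. The script below is an added example written for this page, not code from the OpenSAMM project or the presenters. It assumes the twelve SAMM v1.0 practice names, uses constructed worksheet answers and target levels as sample data, and applies a simplified scoring rule: a practice reaches a level only when every worksheet question for that level and for all lower levels is answered yes.

```python
"""Toy SAMM assessment, gap analysis and roadmap planner (added example)."""

# SAMM v1.0: four Business Functions, three Security Practices each.
PRACTICES = {
    "Governance": ["Strategy & Metrics", "Policy & Compliance", "Education & Guidance"],
    "Construction": ["Threat Assessment", "Security Requirements", "Secure Architecture"],
    "Verification": ["Design Review", "Code Review", "Security Testing"],
    "Deployment": ["Vulnerability Management", "Environment Hardening", "Operational Enablement"],
}
ALL_PRACTICES = [p for group in PRACTICES.values() for p in group]


def score_practice(answers):
    """answers: {level: [yes/no per worksheet question]} for levels 1..3.

    Simplified SAMM scoring (assumption): a level counts only when all of its
    questions and all lower levels are answered yes. Returns 0..3, where 0 is
    the implicit starting point with the practice unfulfilled.
    """
    level = 0
    for lvl in (1, 2, 3):
        questions = answers.get(lvl, [])
        if questions and all(questions):
            level = lvl
        else:
            break  # a missed level blocks the higher ones
    return level


def assess(worksheet):
    """worksheet: {practice: answers} -> {practice: level}; unlisted practices score 0."""
    return {p: score_practice(worksheet.get(p, {})) for p in ALL_PRACTICES}


def gap_analysis(current, target):
    """Gap analysis: levels still missing per practice, for practices below target."""
    return {p: lvl - current.get(p, 0) for p, lvl in target.items() if lvl > current.get(p, 0)}


def roadmap(current, target, max_step=1):
    """Plan iterations: each phase raises every lagging practice by at most max_step.

    Returns a list of phases, each {practice: level reached in that phase}.
    """
    if max_step < 1:
        raise ValueError("max_step must be at least 1")
    phases, state = [], dict(current)
    gaps = gap_analysis(state, target)
    while gaps:
        phase = {}
        for practice, gap in gaps.items():
            state[practice] = state.get(practice, 0) + min(gap, max_step)
            phase[practice] = state[practice]
        phases.append(phase)
        gaps = gap_analysis(state, target)
    return phases


def improvement(before, after):
    """Demonstrating improvement: per-practice level change between two assessments."""
    return {p: after[p] - before[p] for p in ALL_PRACTICES if after[p] != before[p]}


# Constructed sample data: worksheet answers and a target profile (not a real roadmap template).
SAMPLE_WORKSHEET = {
    "Strategy & Metrics": {1: [True, True], 2: [True, True], 3: [False, True]},
    "Education & Guidance": {1: [True, True, True], 2: [True, False], 3: [False]},
    "Code Review": {1: [False, True], 2: [False], 3: [False]},
    "Security Testing": {1: [True, True], 2: [True], 3: [True, True]},
}
SAMPLE_TARGET = {
    "Strategy & Metrics": 2,
    "Education & Guidance": 3,
    "Code Review": 2,
    "Security Testing": 3,
    "Threat Assessment": 1,
}

if __name__ == "__main__":
    current = assess(SAMPLE_WORKSHEET)
    print("current levels:", {p: l for p, l in current.items() if l})
    print("gaps:", gap_analysis(current, SAMPLE_TARGET))
    for i, phase in enumerate(roadmap(current, SAMPLE_TARGET), start=1):
        print(f"phase {i}:", phase)
```

Running the script on the sample data yields two phases: the first lifts Education & Guidance to level 2 and Code Review and Threat Assessment to level 1, the second completes the remaining gaps. Feeding a later worksheet through assess() and improvement() gives the before/after view the slide calls demonstrating improvement.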

17 Plan
Roadmaps: to make the “building blocks” usable.
Roadmap templates for typical kinds of organizations:
  Independent Software Vendors
  Online Service Providers
  Financial Services Organizations
  Government Organizations
Tune these to your own targets / speed

18 Implement: 150+ OWASP resources
PROTECT
  Tools: AntiSamy Java/.NET, Enterprise Security API (ESAPI), ModSecurity Core Rule Set Project
  Docs: Development Guide, .NET, Ruby on Rails Security Guide, Secure Coding Practices - Quick Reference Guide
DETECT
  Tools: JBroFuzz, Live CD, WebScarab, Zed Attack Proxy
  Docs: Application Security Verification Standard, Code Review Guide, Testing Guide, Top Ten Project
LIFE CYCLE
  SAMM, WebGoat, Legal Project
fixme: update to reflect latest projects; add/highlight Education & Guidance projects

19 Mapping Projects / SAMM
49 Flagship and Labs projects mapped on SAMM practices (copy ?)
  Mostly on one practice
  Sometimes covers several practices (e.g. ASVS)
  Sometimes no mapping possible

20 Lessons Learned
  What is the optimal OpenSAMM maturity level for your organisation?
  At which level to implement OpenSAMM in the organisation: at company, business unit or development team level?
  How to integrate OpenSAMM activities in agile development?
  How to apply OpenSAMM to suppliers or outsourced development?
  What metrics does OpenSAMM provide to manage your secure development life cycle?
fixme: expand these slides further. One slide per topic? Practical lessons / use cases?

21 Critical Success Factors
  Get initiative buy-in from all stakeholders
  Adopt a risk-based approach
  Awareness / education is the foundation
  Integrate security in your development / acquisition and deployment processes
  Measure: provide management visibility

22 SAMM Resources: www.opensamm.org
  Presentations
  Quick Start (to be released)
  Assessment worksheets / templates
  Roadmap templates
  Translations (Spanish, Japanese, …)
  SAMM mappings to ISO/IEC – BSIMM – PCI (to be released)

23 NEW: Self-Assessment Online

24 SAMM Roadmap
Build the SAMM community:
  Grow list of SAMM adopters
  Workshops at conferences
  Dedicated SAMM summit
V1.1:
  Incorporate Quick Start / tools / guidance / OWASP projects
  Revamp SAMM wiki
V2.0:
  Revise scoring model
  Model revision necessary? (12 practices, 3 levels, ...)
  Application to agile
  Roadmap planning: how to measure effort?
  Presentations & teaching material

25 SAMM Forum

26 Get involved
  Project mailing list / work packages
  Use and donate (feed)back!
  Donate resources
  Sponsor SAMM

27 Measure & Improve!
OpenSAMM.org

28 Flagship Projects Coverage
Some areas need more love / projects!
