
Slide 1: The OWASP CLASP Project

Pravir Chandra, OWASP CLASP Project Lead, Principal Consultant, Cigital, Inc. (chandra@cigital.com)
The OWASP Foundation, 6th OWASP AppSec Conference, Milan, May 2007, http://www.owasp.org/

Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/

Slide 2: Agenda

- What is CLASP anyway?
- The CLASP philosophy and contents
- Comparison to other security processes
- Details on the OWASP CLASP Project

Slide 3: CLASP 2007

- Comprehensive, Lightweight Application Security Playbook
- CLASP is a prescriptive guide for organizations to address software security iteratively
  - Covers the entire organization (not just development)
  - Adaptable to any type of organization or development process
- New material to reflect software security's inexorable tie to the specifics of a business

Slide 4: Origins of CLASP

- Original version was developed by Secure Software (acquired by Fortify Software)
  - Collection of 'stuff': vulns, roles, activities, etc.
- Heavily modified for CLASP 2007
  - This is the version we'll discuss today
  - To be released by June 2007

Slide 5: Top-level organization of CLASP 2007

- Think
  - How to think about software security
  - Setting long-term goals and strategy based on your business
- Plan
  - Setting near-term goals to execute against
  - Planning iterations and getting immediate value
- Do
  - The nitty-gritty details of performing activities that provide assurance
  - Executing and measuring success

Slide 6: Think (section divider)

Slide 7: Philosophical Stuff

- It's about balancing risk, not being 100% secure
- Even if you don't have a well-defined process, you can make an impact
- Monitor and measure to make sure you're on track for efficiency and efficacy
- Use the CLASP Best Practices as a 'north star'

Slide 8: The CLASP Best Practices

1. Institute awareness programs
2. Perform application assessments
3. Capture security requirements
4. Implement secure development practices
5. Build vulnerability remediation procedures
6. Define and monitor metrics
7. Publish operational security guidelines

Slide 9: Key decision points

- What kind of business are you in?
  - Regulatory requirements
  - Rough cut at 'risk appetite'
- How does your business rely upon software?
  - Do you sell boxed applications? ... platforms?
  - Do you build and operate your own software?
  - Do you outsource and consume?
- What top-management support is available?
- How much cost can you tolerate short-term? ... long-term?

Slide 10: Plan (section divider)

Slide 11: Creating an action plan

- CLASP 2007 introduces the concept of 'Competencies'
  - High-level areas of the SDLC
  - Each has pre-determined maturity levels (not quite CMM-style)
- Based on your drivers, pick the next Competency (or maturity level) you'll target
  - A Competency level has assigned Activities (more on this later)
  - Provides some ready-made milestones
  - Grow the organization's skill and efficiency over time
- A few example roadmaps for common types of businesses are provided to get started

Slide 12: The CLASP Competencies

1. Security Management & Governance
2. Hardened Requirements & Design
3. Secure Implementation
4. Software Assessment & Testing
5. Safe Deployment & Operations

Slide 13: Do (section divider)

Slide 14: Putting rubber on the road

- Based on the target Competency level, implement the assigned Activities
  - Plan appropriate resources for the activity
  - Ensure the correct Roles are filled
  - Instrument with the prescribed monitors for metrics
- In total, there are ~24 Activities
  - They're spread across the Competency levels for bite-size consumption
  - Some you may never need to implement

Slide 15: The CLASP Activities

1. Institute Security Awareness Program
2. Perform Security Analysis of System Requirements and Design (Threat Modeling)
3. Perform Source Level Security Review
4. Identify, Implement, and Perform Security Tests
5. Verify Security Attributes of Resources
6. Research and Assess Security Posture of Technology Solutions
7. Identify Global Security Policy
8. Identify Resources and Trust Boundaries
9. Identify User Roles and Resource Capabilities
10. Specify Operational Environment
11. Detail Misuse Cases
12. Identify Attack Surface
13. Document Security Relevant Requirements
14. Apply Security Principles to Design
15. Annotate Class Designs with Security Properties
16. Implement and Elaborate Resource Policies and Security Technologies
17. Implement Interface Contracts
18. Integrate Security Analysis into Source Management Process
19. Perform Code Signing
20. Manage Security Issue Disclosure Process
21. Address Reported Security Issues
22. Monitor Security Metrics
23. Specify Database Security Configuration
24. Build Operational Security Guide

Slide 16: Lots of details

- Each Activity is well-specified
  - Roles involved
  - Applicability and impacts
  - Frequency and approximate level of effort
  - How-to steps for executing the activity
  - Measurement criteria
- CLASP specifies Roles as well
  - High-level, so one person may hold more than one Role
  - Skills requirements for filling the Role

Slide 17: The CLASP Roles

1. Architect
2. Designer
3. Implementer
4. Project Manager
5. Requirements Specifier
6. Security Auditor
7. Test Analyst

Slide 18: Summary of CLASP 2007

- Think
  - Philosophy of software security
  - Best Practices to guide decisions
  - Key decision points that affect logistics
- Plan
  - Competencies and maturity levels
  - Sample, goal-based roadmaps
- Do
  - Activity definitions and details
  - Role definitions and supporting information

Slide 19: On SDLCs (section divider)

Slide 20: CLASP and other SDLC models

- There are two other secure SDLC models that you may have heard of
  - Microsoft's SDL (The Security Development Lifecycle, Howard and Lipner)
  - The Security Touchpoints (Software Security, McGraw)
- These both map to CLASP in a fairly straightforward way, with a few exceptions

Slide 21: The Stages of Microsoft's SDL

- 0: Education & Awareness
- 1: Project Inception
- 2: Define and Follow Design Best Practices
- 3: Product Risk Assessment
- 4: Risk Analysis
- 5: Creating Security Documents, Tools, and Best Practices for Customers
- 6: Secure Coding Policies
- 7: Secure Testing Policies
- 8: The Security Push
- 9: The Final Security Review
- 10: Security Response Planning
- 11: Product Release
- 12: Security Response Execution

Source: The Security Development Lifecycle, by Michael Howard and Steve Lipner

Slide 22: CLASP and SDL

- Direct mapping is tricky since SDL isn't specified the same way as CLASP
  - Some Stages of SDL are activities, some are artifacts, and some are processes
- SDL contains lots more tactical advice from the MS trenches
  - CLASP is specified more prescriptively, with fewer open-ended ideas
- Timelines or impacts for SDL stages aren't clearly defined
  - Makes it harder to plan for cost-effectiveness (SDL is expensive)
- Following the CLASP Competency roadmap for an ISV gives a roadmap that's darn close to SDL

Slide 23: The Security Touchpoints

(Figure: the Security Touchpoints diagram.) Source: Software Security, by Gary McGraw

Slide 24: CLASP and the Touchpoints

- The Touchpoints map almost exactly to CLASP
  - Several CLASP activities map to a single Touchpoint in some cases
- Touchpoints focus on the core of software development
  - CLASP aims to be a bit broader across an organization (including things like policy and awareness training)
- Touchpoints have a prescribed adoption order
  - CLASP varies this a bit in the Competency roadmaps according to the kind of business

Slide 25: The bottom line

- Whether it's SDL, the Touchpoints, or CLASP, it's all good
- There's really nothing that the three fundamentally disagree on
- The real question is what applies to your organization best and what you're most comfortable with
- CLASP 2007 will contain a more detailed analysis and mapping of each

Slide 26: Additional Info (section divider)

Slide 27: The OWASP CLASP Project

- Mission
  - Reinforce application security through prescriptive guidance that enables iterative improvement to any development model.
- Tactical Goals
  1. Getting a draft of CLASP 2007 out for review
  2. Updating the OWASP Wiki with the latest information and downloads
  3. Beefing up CLASP materials with more practical advice/suggestions

Slide 28: Get involved

- We need volunteers as reviewers and contributors
- Start by browsing the wiki pages for CLASP
  - The Roles and most of the Activities are the same
  - The Competency information will be up as soon as it's ready for review
- Mailing list for discussions
  - owasp-clasp@lists.owasp.org

Slide 29: Pravir Chandra, chandra@cigital.com

