Presentation is loading. Please wait.

Presentation is loading. Please wait.

Measuring Security Best Practices with OpenSAMM Alan Jex SnowFROC 2013.

Published byScot Mills Modified over 8 years ago

Similar presentations

Presentation on theme: "Measuring Security Best Practices with OpenSAMM Alan Jex SnowFROC 2013."— Presentation transcript:

1 Measuring Security Best Practices with OpenSAMM Alan Jex SnowFROC 2013

2 Alan Jex: Chief Security Architect at HP PPS Organization alan.jex@hp.com Introductions

3 Security Concerns and Goals OpenSAMM Framework – Business Functions – Security Practices – Assessments – Scorecards – Roadmaps Outline

4 Security Concerns What is your biggest security risk? What compliance requirements drive your business? How do you handle security incidents? Does your development team produce secure code?

5 Security Goals Avoiding the “big one” (data breach) Protecting the company brand Managing real security risks Developing a secure software development lifecycle (SDLC) Enabling new business

6

7 SAMM is: – A Software Assurance Maturity Model – An open framework for Measuring security practices Finding vulnerabilities earlier – Lightweight, Flexible, Simple-to-understand, and Complete – An OWASP project Enter OpenSAMM

8 4 Business Functions

9 12 Security Practices

10 Policy and Compliance

11 Security Requirements

12 Security Testing

13 Vulnerability Management

14 SAMM Assessments SAMM assessment is lightweight or detailed according to your security process

15 SAMM Assessments SAMM provides assessment worksheets for every Security Practice

16 SAMM Scorecard Levels are from 0 to 3: 0 Starting point 1 Ad hoc (manual) 2 Increased effectiveness (automated) 3 Comprehensive mastery (audited)

17 SAMM Roadmap

18 Build your Security Program in phases Implement levels based on security risk

19 Roadmap Templates Government Online Service Provider

20 Summary SAMM allows you to: – Measure and improve security best practices – Focus on security risk to make effective use of security resources – Find vulnerabilities earlier in the development process – Prevent rather than react to security incidents

21 References https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Modelhttp://www.opensamm.org/http://bsimm.com/online/http://www.microsoft.com/security/sdl/discover/default.aspx Security Maturity Models

22

Download ppt "Measuring Security Best Practices with OpenSAMM Alan Jex SnowFROC 2013."

Similar presentations

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Software Assurance Maturity Model

Software Assurance Maturity Model
ISACA January 8, 2013. IT Auditor at Cintas Corporation Internal Audit Department Internal Security Assessor (ISA) Certification September 2010 Annual.

ISACA January 8, IT Auditor at Cintas Corporation Internal Audit Department Internal Security Assessor (ISA) Certification September 2010 Annual.
OpenSAMM Software Assurance Maturity Model Seba Deleersnyder SAMM project co-leaders Pravir Chandra AppSec USA 2014 Project.

OpenSAMM Software Assurance Maturity Model Seba Deleersnyder SAMM project co-leaders Pravir Chandra AppSec USA 2014 Project.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Global Marketing Overview of Supply Chain Security Assurance Certification/membership in supply chain security programs –Different programs focus on particular.

Global Marketing Overview of Supply Chain Security Assurance Certification/membership in supply chain security programs –Different programs focus on particular.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Security Controls – What Works

Security Controls – What Works
©2009 Gotham Digital Science, LLC Software Assurance with SAMM 21 Sept 2009, SOURCE Barcelona Matt Bartoldus

©2009 Gotham Digital Science, LLC Software Assurance with SAMM 21 Sept 2009, SOURCE Barcelona Matt Bartoldus
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Creation of Policies, Part.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Creation of Policies, Part.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Creation of Policies, Part.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Creation of Policies, Part.
Software Process CS 414 – Software Engineering I Donald J. Bagert Rose-Hulman Institute of Technology December 17, 2002.

Software Process CS 414 – Software Engineering I Donald J. Bagert Rose-Hulman Institute of Technology December 17, 2002.
Fraud Prevention and Risk Management

Fraud Prevention and Risk Management
Security Scanning OWASP Education Nishi Kumar Computer based training

Security Scanning OWASP Education Nishi Kumar Computer based training
Project Management Methodology More about Quality Control.

Project Management Methodology More about Quality Control.
Lean and (Prepared for) Mean: Application Security Program Essentials Philip J. Beyer - Texas Education Agency John B. Dickson.

Lean and (Prepared for) Mean: Application Security Program Essentials Philip J. Beyer - Texas Education Agency John B. Dickson.
The Evergreen, Background, Methodology and IT Service Management Model

The Evergreen, Background, Methodology and IT Service Management Model
Security and Privacy Services Cloud computing point of view October 2012.

Security and Privacy Services Cloud computing point of view October 2012.
What Keeps You Awake at Night Compliance Corporate Governance Critical Infrastructure Are there regulatory risks? Do employees respect and adhere to internal.

What Keeps You Awake at Night Compliance Corporate Governance Critical Infrastructure Are there regulatory risks? Do employees respect and adhere to internal.
(ISC)2 SecureLondon 2009, London, United Kingdom This information is not intended, and should not be construed, as an offer to sell, or as a solicitation.

(ISC)2 SecureLondon 2009, London, United Kingdom This information is not intended, and should not be construed, as an offer to sell, or as a solicitation.

Similar presentations

Ads by Google