Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Published byGwenda Jefferson Modified over 8 years ago

Similar presentations

Presentation on theme: "Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation."— Presentation transcript:

1 Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The OWASP Foundation OWASP AppSec Europe May 2006 http://www.owasp.org/ OWASP CLASP Project Pravir Chandra OWASP CLASP Project Lead Chief Security Architect Secure Software chandra@owasp.org

2 OWASP AppSec Europe 2006 2 Agenda  What is CLASP anyway?  The CLASP Best practices  Resources that CLASP provides  Details on the OWASP CLASP Project

3 OWASP AppSec Europe 2006 3 CLASP  Comprehensive, Lightweight Application Security Process  Prescriptive and Proactive  Centered around 7 AppSec Best Practices  Cover the entire software lifecycle (not just development)  Adaptable to any development process  CLASP defines roles across the SDLC  24 role-based process components  Start small and dial-in to your needs

4 OWASP AppSec Europe 2006 4 Origins of CLASP  Developed by Secure Software  Always publicly available and free to use  Released under the Creative Commons-SA-Attr 2.5  Based on several years of field experience  Basis of the OWASP Process project

5 OWASP AppSec Europe 2006 5 Resources that CLASP provides  We already know of some  Role definitions  7 Best practices  24 Activities to bolt-on to dev process  Summaries for the core security services  Authz, Authn, Confidentiality, Integrity, etc.  Design principles for building secure software  Defense in depth, least privilege, etc.  A large lexicon of vulnerabilities found in code  Some use-cases for CLASP, process engineering & roadmap information

6 OWASP AppSec Europe 2006 6 Roles in the SDLC  High-level and abstract  Can map one real person to more than one role  Architect  Designer  Implementer  Project Manager  Requirements Specifier  Security Auditor  Test Analyst

7 OWASP AppSec Europe 2006 7 The CLASP Best Practices 1.Institute awareness programs 2.Perform application assessments 3.Capture security requirements 4.Implement secure development practices 5.Build vulnerability remediation procedures 6.Define and monitor metrics 7.Publish operational security guidelines

8 OWASP AppSec Europe 2006 8 1. Institute awareness programs  Need organizational buy-in for success  Don’t just educate the developers!  PMs must understand high-level security goals  Testers should be prepared to test for security  Only one activity, but it’s broad  Activities:  Institute Security Awareness Program

9 OWASP AppSec Europe 2006 9 2. Perform application assessments  Probably the most well-known best practice  Clearly important, but not the only thing  Covers both ‘high-level’ and ‘low-level’ views  Activities:  Perform Security Analysis of System Requirements and Design (Threat Modeling)  Perform Source Level Security Review  Identify, Implement, and Perform Security Tests  Verify Security Attributes of Resources  Research and Assess Security Posture of Technology Solutions

10 OWASP AppSec Europe 2006 10 3. Capture security requirements  Product conception to downstream releases  Get setup for success (or vector toward it)  Activities:  Identify Global Security Policy  Identify Resources and Trust Boundaries  Identify User Roles and Resource Capabilities  Specify Operational Environment  Detail Misuse Cases  Identify Attack Surface  Document Security Relevant Requirements

11 OWASP AppSec Europe 2006 11 4. Implement secure development practices  Preaching to the choir  Activities:  Apply Security Principles to Design  Annotate Class Designs with Security Properties  Implement and Elaborate Resource Policies and Security Technologies  Implement Interface Contracts  Integrate Security Analysis into Source Management Process  Perform Code Signing

12 OWASP AppSec Europe 2006 12 5. Build vulnerability remediation procedures  Fed by software assessments  Also by 3 rd party vuln reports  Otherwise, important items may get dropped  Or, lots of chaos when they occur (wasted resources)  Control information when disclosure must occur  Activities:  Manage Security Issue Disclosure Process  Address Reported Security Issues

13 OWASP AppSec Europe 2006 13 6. Define and monitor metrics  Crucial despite only one associated activity  Any good process must have metrics  Measuring security directly can be hard  Measure adherence to process as an indirect indicator  Metrics are easy, interpretation is trickier  Activities:  Monitor Security Metrics

14 OWASP AppSec Europe 2006 14 7. Publish operational security guidelines  Crucial that operators know how to operate securely  Lots of information gets lost from dev to ops  Environment assumptions made by dev  Ways to debug and interpret logs  Definition of what is ‘normal’  Activities:  Specify Database Security Configuration  Build Operational Security Guide

15 OWASP AppSec Europe 2006 15 Lexicon of Vulnerabilities  ‘Top-down’ approach to creating a catalog of coding flaws  Perhaps vulnerability is a misnomer  Arranged into 5 high-level categories  Range and Type Errors  Environmental Problems  Synchronization and Timing Errors  Protocol Errors  General Logic Errors

16 OWASP AppSec Europe 2006 16 On vulnerability taxonomies  Work in progress by NIST/DHS in the US  PLOVER  Seven Kingdoms  CLASP too  The word taxonomy implies a single top-level ordering  I personally don’t think that is possible and the rigidity makes it less applicable  The folksonomy approach is more useful

17 OWASP AppSec Europe 2006 17 The OWASP CLASP Project  Mission  Reinforce application security through a set of prescriptive and proactive process components that are adaptable to any development model.  Tactical Goals 1.Porting all of the CLASP v1.2 materials to the OWASP wiki 2.Generating more introductory materials to help users get started with CLASP 3.Enhancing the vulnerability catalog with more information (descriptions, examples, etc.)

18 OWASP AppSec Europe 2006 18 Get involved  We need volunteers and ideas  Start by browsing the wiki pages for CLASP  Project Roadmap page on the wiki  Has the up-to-date goals  Open and assigned tasks are listed  Mailing list for discussions  owasp-clasp@lists.sourceforge.net owasp-clasp@lists.sourceforge.net

19 OWASP AppSec Europe 2006 19 Pravir Chandra chandra@owasp.org

Download ppt "Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation."

Similar presentations

OWASP CLASP Overview.

OWASP CLASP Overview.
Software Assurance Maturity Model

Software Assurance Maturity Model
OWASP Secure Coding Practices Quick Reference Guide

OWASP Secure Coding Practices Quick Reference Guide
Copyright © 2005 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Achieving (and Maintaining) Compliance With Secure Software Development Compliance Requirements (ISC)² SecureSDLC May 17, 2012.

Achieving (and Maintaining) Compliance With Secure Software Development Compliance Requirements (ISC)² SecureSDLC May 17, 2012.
Copyright © 2008 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Improving Process for Better Software. Who We Are An experiential learning program that provides technology solutions for our partners, and real- world.

Improving Process for Better Software. Who We Are An experiential learning program that provides technology solutions for our partners, and real- world.
Copyright © 2006 Software Quality Research Laboratory DANSE Software Quality Assurance Tom Swain Software Quality Research Laboratory University of Tennessee.

Copyright © 2006 Software Quality Research Laboratory DANSE Software Quality Assurance Tom Swain Software Quality Research Laboratory University of Tennessee.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.

1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
The Software Product Life Cycle. Views of the Software Product Life Cycle  Management  Software engineering  Engineering design  Architectural design.

The Software Product Life Cycle. Views of the Software Product Life Cycle  Management  Software engineering  Engineering design  Architectural design.
Vulnerability Assessments

Vulnerability Assessments
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Maintaining and Updating Windows Server 2008

Maintaining and Updating Windows Server 2008
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 August 15th, 2012 BP & IA Team.

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 August 15th, 2012 BP & IA Team.
Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view.

Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.

Similar presentations

Ads by Google