OpenSAMM
Software Assurance Maturity Model

AppSec USA 2014 Project Talk

SAMM project co-leaders:
Seba Deleersnyder, seba@owasp.org
Pravir Chandra, chandra@list.org
Agenda
• Integrating software assurance
• OpenSAMM
• Quick Start
• OWASP Projects / SAMM activities
• Resources & Self-Assessment
• Road Map
• Forum
SAMM users
• Dell Inc
• KBC
• ING Insurance
• Gotham Digital Science
• HP Fortify
• ISG ...
The web application security challenge

[Diagram: the Network Layer (Firewall, Hardened OS, Web Server, App Server, Firewall) sits in front of the Application Layer (Custom Developed Application Code, Web Services, Legacy Systems, Databases, Directories, Billing, Human Resources); an APPLICATION ATTACK passes straight through the network-layer controls.]

Your security “perimeter” has huge holes at the application layer.

You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks.
“Build in” software assurance

Secure Development Lifecycle (SAMM)

Phase        Activities                                            Focus
Design       security requirements / threat modeling               proactive
Build        coding guidelines, code reviews, static test tools    proactive
Test         security testing, dynamic test tools                  reactive
Production   vulnerability scanning, WAF                           reactive
We need a Maturity Model

An organization’s behavior changes slowly over time
  -> Changes must be iterative while working toward long-term goals

There is no single recipe that works for all organizations
  -> A solution must enable risk-based choices tailored to the organization

Guidance related to security activities must be prescriptive
  -> A solution must provide enough details for non-security people

Overall, it must be simple, well-defined, and measurable
  -> OWASP Software Assurance Maturity Model (SAMM)
SAMM Security Practices
• For each of the four Business Functions (Governance, Construction, Verification, Deployment), three Security Practices are defined, twelve in total
• The Security Practices cover all areas relevant to software security assurance
• Each one is a ‘silo’ for improvement
Under each Security Practice
• Three successive Objectives under each Practice define how it can be improved over time
• This establishes a notion of a Level at which an organization fulfills a given Practice
• The three Levels for a Practice generally correspond to:
  • (0: Implicit starting point with the Practice unfulfilled)
  • 1: Initial understanding and ad hoc provision of the Practice
  • 2: Increase efficiency and/or effectiveness of the Practice
  • 3: Comprehensive mastery of the Practice at scale
Per Level, SAMM defines...
• Objective
• Activities
• Results
• Success Metrics
• Costs
• Personnel
• Related Levels
Education & Guidance
Give a man a fish and you feed him for a day;
Teach a man to fish and you feed him for a lifetime.
Chinese proverb
• Resources:
  • OWASP Top 10        https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  • OWASP Education     https://www.owasp.org/index.php/Category:OWASP_Education_Project
  • WebGoat             https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
  • OWASP Cheat Sheets  https://www.owasp.org/index.php/Cheat_She
SAMM Quick Start

ASSESS     questionnaire
GOAL       gap analysis
PLAN       roadmap
IMPLEMENT  OWASP resources
Assess
• SAMM includes assessment worksheets for each Security Practice
Goal
• Gap analysis: capturing scores from detailed assessments versus expected performance levels
• Demonstrating improvement: capturing scores from before and after an iteration of assurance program build-out
• Ongoing measurement: capturing scores over consistent time frames for an assurance program that is already in place
Plan
• Roadmaps: to make the “building blocks” usable.
• Roadmap templates for typical kinds of organizations:
  • Independent Software Vendors
  • Online Service Providers
  • Financial Services Organizations
  • Government Organizations
• Tune these to your own targets / speed
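The Assess, Goal and Plan steps of the Quick Start, as an added worked example that is not part of OpenSAMM or of these slides. It models the SAMM 1.0 structure described on this page (four Business Functions, three Security Practices each, Levels 0 to 3 per Practice, using the practice codes from the mapping tables) and runs a gap analysis and a phased roadmap over it. The current and target scores are constructed sample data for a hypothetical ISV; the integer-only Levels (the SAMM worksheets also record partial “+” scores, which this example leaves out) and the one-Level-per-phase roadmap rule are assumptions of the example, not SAMM rules.

```python
"""SAMM scorecard, gap analysis and phased roadmap.

Added example, not part of OpenSAMM or the slides. It models the SAMM 1.0
structure described on this page: four Business Functions, three Security
Practices each, and a Level 0-3 per Practice. All scores below are constructed
sample data for one hypothetical organization, not a real assessment.
"""

# Business Function -> [(practice code, practice name)]; codes as in SAMM 1.0.
PRACTICES = {
    "Governance": [("SM", "Strategy & Metrics"), ("PC", "Policy & Compliance"),
                   ("EG", "Education & Guidance")],
    "Construction": [("TA", "Threat Assessment"), ("SR", "Security Requirements"),
                     ("SA", "Secure Architecture")],
    "Verification": [("DR", "Design Review"), ("CR", "Code Review"),
                     ("ST", "Security Testing")],
    "Deployment": [("VM", "Vulnerability Management"), ("EH", "Environment Hardening"),
                   ("OE", "Operational Enablement")],
}
ALL_CODES = {code for prs in PRACTICES.values() for code, _ in prs}
MAX_LEVEL = 3  # 0 unfulfilled, 1 ad hoc, 2 efficient/effective, 3 mastery at scale


def validate(scores):
    """Reject a scorecard unless all 12 Practices are present with an integer
    Level in 0..3 (partial '+' scores from the SAMM worksheets are not modelled)."""
    missing, unknown = ALL_CODES - scores.keys(), scores.keys() - ALL_CODES
    if missing or unknown:
        raise ValueError(f"missing {sorted(missing)}, unknown {sorted(unknown)}")
    for code, level in scores.items():
        if type(level) is not int or not 0 <= level <= MAX_LEVEL:
            raise ValueError(f"{code}: Level {level!r} is not an int in 0..{MAX_LEVEL}")
    return scores


def gap_analysis(current, target):
    """Goal step: {code: (current, target, gap)} for every Practice below its
    target Level. Practices already at or above target are omitted."""
    validate(current)
    validate(target)
    return {code: (current[code], target[code], target[code] - current[code])
            for code in ALL_CODES if current[code] < target[code]}


def function_scores(scores):
    """Average Level per Business Function, i.e. the four bars of a SAMM scorecard."""
    validate(scores)
    return {bf: round(sum(scores[code] for code, _ in prs) / len(prs), 2)
            for bf, prs in PRACTICES.items()}


def roadmap(current, target, phases):
    """Plan step: spread the gap over `phases` iterations, raising each lagging
    Practice by at most one Level per phase (changes must be iterative).
    Returns the expected scorecard at the end of each phase."""
    validate(current)
    validate(target)
    plan, state = [], dict(current)
    for _ in range(phases):
        state = {code: level + 1 if level < target[code] else level
                 for code, level in state.items()}
        plan.append(state)
    return plan


def improvement(before, after):
    """Demonstrating improvement: per-Practice Level change between two assessments."""
    validate(before)
    validate(after)
    return {code: after[code] - before[code]
            for code in ALL_CODES if after[code] != before[code]}


# Constructed sample: self-assessment of a hypothetical ISV and its 12-month target.
CURRENT = {"SM": 1, "PC": 0, "EG": 1, "TA": 0, "SR": 1, "SA": 1,
           "DR": 0, "CR": 1, "ST": 2, "VM": 1, "EH": 1, "OE": 0}
TARGET = {"SM": 2, "PC": 2, "EG": 2, "TA": 2, "SR": 2, "SA": 2,
          "DR": 1, "CR": 2, "ST": 2, "VM": 2, "EH": 2, "OE": 1}

if __name__ == "__main__":
    for code, (cur, tgt, gap) in sorted(gap_analysis(CURRENT, TARGET).items()):
        print(f"{code}: {cur} -> {tgt}  (gap {gap})")
    print("per function:", function_scores(CURRENT))
    for i, phase in enumerate(roadmap(CURRENT, TARGET, 2), 1):
        print(f"after phase {i}:", phase)
    print("phase 1 delta:", improvement(CURRENT, roadmap(CURRENT, TARGET, 1)[0]))
```

Feeding the same functions the scores from two real assessment worksheets gives the “before and after” comparison the Goal slide describes; the phase count passed to roadmap() is where an organization tunes the template to its own speed.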
150+ OWASP resources

PROTECT
Tools: AntiSamy Java/.NET, Enterprise Security API (ESAPI), ModSecurity Core Rule Set Project
Docs: Development Guide, .NET, Ruby on Rails Security Guide, Secure Coding Practices - Quick Reference Guide

DETECT
Tools: JBroFuzz, Live CD, WebScarab, Zed Attack Proxy
Docs: Application Security Verification Standard, Code Review Guide, Testing Guide, Top Ten Project

LIFE CYCLE
SAMM, WebGoat, Legal Project
Critical Success Factors
• Get initiative buy-in from all stakeholders
• Adopt a risk-based approach
• Awareness / education is the foundation
• Integrate security in your development / acquisition and deployment processes
• Measure: provide management visibility
SAMM Resources
www.opensamm.org
• Presentations
• Quick Start (to be released)
• Assessment worksheets / templates
• Roadmap templates
• Translations (Spanish, Japanese, …)
• SAMM mappings to ISO/IEC 27034 – BSIMM – PCI (to be released)
NEW: Self-Assessment Online
https://ssa.asteriskinfosec.com.au
Mapping Projects / SAMM

Flagship projects

Project                                          Type           SAMM Practice   Remarks
AntiSamy                                         Code           SA2
Enterprise Security API                          Code           SA3
ModSecurity Core Rule Set                        Code           EH3
CSRFGuard                                        Code           SA2
Web Testing Environment                          Tools          ST2
WebGoat                                          Tools          EG2
Zed Attack Proxy                                 Tools          ST2
Application Security Verification Standard       Documentation  DR2             ASVS-L4
Application Security Verification Standard       Documentation  CR3             ASVS-L4
Application Security Verification Standard       Documentation  ST3             ASVS-L4
Code Review Guide                                Documentation  CR1
Codes of Conduct                                 Documentation  not applicable
Development Guide                                Documentation  EG1
Secure Coding Practices - Quick Reference Guide  Documentation  SR1
Software Assurance Maturity Model                Documentation  SM1             Recursiveness :-)
Testing Guide                                    Documentation  ST1
Top Ten                                          Documentation  EG1

Labs projects

Project                                          Type           SAMM Practice   Remarks
Broken Web Applications                          Tools          EG1
CSRFTester                                       Tools          ST1
EnDe                                             Tools          ST1
Fiddler Addons for Security Testing              Tools          ST1
Forward Exploit Tool                             Tools          ST1
Hackademic Challenges                            Tools          EG1
Hatkit Datafiddler                               Tools          ST1
Hatkit Proxy                                     Tools          ST1
HTTP POST                                        Tools          ST1
Java XML Templates                               Tools          SA2
JavaScript Sandboxes                             Tools          not applicable
Joomla Vulnerability Scanner                     Tools          ST1
LAPSE                                            Tools          CR2
Mantra Security Framework                        Tools          ST1
Mutillidae                                       Tools          EG1
O2                                               Tools          ST2
Orizon                                           Tools          CR2
Scrubbr                                          Tools          ST1
Security Assurance Testing of Virtual Worlds     Tools          ST1
Vicnum                                           Tools          EG1
Wapiti                                           Tools          ST1
Web Browser Testing System                       Tools          ST1
WebScarab                                        Tools          ST1
Webslayer                                        Tools          ST1
WSFuzzer                                         Tools          ST1
Yasca                                            Tools          CR2
AppSec Tutorials                                 Documentation  EG1
AppSensor                                        Documentation  EH3
AppSensor                                        Documentation  SA2
Cloud 10                                         Documentation  EG1
CTF                                              Documentation  EG1
Fuzzing Code                                     Documentation  ST1
Legal                                            Documentation  SR3
Podcast                                          Documentation  EG1
Virtual Patching Best Practices                  Documentation  EH3
Flagship Projects Coverage

Number of mapped OWASP projects per Practice Level (the totals include the Labs projects listed above; e.g. EG1 = 2 Flagship + 8 Labs). Last column: total per Practice; in parentheses: total per Business Function.

Governance (12)
  Policy & Compliance       PC1   0   PC2   0   PC3   0   total   0
  Strategy & Metrics        SM1   1   SM2   0   SM3   0   total   1
  Education & Guidance      EG1  10   EG2   1   EG3   0   total  11

Construction (7)
  Security Requirements     SR1   1   SR2   0   SR3   1   total   2
  Threat Assessment         TA1   0   TA2   0   TA3   0   total   0
  Secure Architecture       SA1   0   SA2   4   SA3   1   total   5

Verification (28)
  Design Review             DR1   0   DR2   1   DR3   0   total   1
  Code Review               CR1   1   CR2   3   CR3   1   total   5
  Security Testing          ST1  18   ST2   3   ST3   1   total  22

Deployment (3)
  Vulnerability Management  VM1   0   VM2   0   VM3   0   total   0
  Environment Hardening     EH1   0   EH2   0   EH3   3   total   3
  Operational Enablement    OE1   0   OE2   0   OE3   0   total   0
SAMM Roadmap

Build the SAMM community:
• Grow list of SAMM adopters
• Workshops at conferences
• Dedicated SAMM summit

V1.1:
• Incorporate Quick Start / tools / guidance / OWASP projects
• Revamp SAMM wiki

V2.0:
• Revise scoring model
• Model revision necessary? (12 practices, 3 levels, ...)
• Application to agile
• Roadmap planning: how to measure effort?
• Presentations & teaching material
• …
SAMM Forum
Get involved
• SAMM “Work”-shop tomorrow 1PM-5PM 16th floor
• Project mailing list / work packages
• Use and donate (feed)back!
• Donate resources
• Sponsor SAMM

Measure & Improve!
Download at OpenSAMM.org