OWASP Europe Tour 2013 Geneva
The OWASP Foundation
http://www.owasp.org

OpenSAMM
Software Assurance Maturity Model

Seba Deleersnyder
seba@owasp.org
OWASP Foundation Board Member
OWASP Belgium Chapter Leader
SAMM project co-leader

The web application security challenge
• Your security “perimeter” has huge holes at the application layer
• You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks
[Diagram labels: Application Attack; Network Layer: Firewall, Firewall, Hardened OS, Web Server, App Server; Application Layer: Custom Developed Application Code, Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing]

“Build in” software assurance
• Phases: Design, Build, Test, Production
• From proactive to reactive: security requirements / threat modeling, coding guidelines, code reviews, static test tools, security testing, dynamic test tools, vulnerability scanning, WAF
• Secure Development Lifecycle (SAMM)

CLASP
• Comprehensive, Lightweight Application Security Process
• Centered around 7 AppSec Best Practices
• Covers the entire software lifecycle (not just development)
• Adaptable to any development process
• Defines roles across the SDLC
• 24 role-based process components
• Start small and dial-in to your needs

Microsoft SDL
• Built internally for MS software
• Extended and made public for others
• MS-only versions since public release

Touchpoints
• Gary McGraw’s and Cigital’s model

BSIMM
• Gary McGraw’s and Cigital’s model
• Quantifies activities of software security initiatives of 51 firms
• Derived from SAMM beta

BSIMM – Open SAMM Mapping

BSIMM Code | BSIMM Activity | SAMM Code | OpenSAMM Activity
SM 3.2 | run external marketing program | | 0
T 3.3 | host external software security events | | 0
CR 1.1 | create top N bugs list (real data preferred) (T: training) | CR 1.A | Create review checklists from known security requirements
CR 1.2 | have SSG perform ad hoc review | CR 1.B | Perform point-review of high-risk code
CR 1.4 | use automated tools along with manual review | CR 2.A | Utilize automated code analysis tools
CR 3.1 | use automated tools with tailored rules | CR 3.A | Customize code analysis for application-specific concerns
CR 3.3 | build capability for eradicating specific bugs from entire codebase | CR 3.A | Customize code analysis for application-specific concerns
CR 2.3 | make code review mandatory for all projects | CR 3.B | Establish release gates for code review
AA 1.1 | perform security feature review | DR 1.B | Analyze design against known security requirements
AA 2.1 | define/use AA process | DR 2.A | Inspect for complete provision of security mechanisms
AA 1.2 | perform design review for high-risk applications | DR 2.B | Deploy design review service for project teams
AA 1.3 | have SSG lead review efforts | DR 2.B | Deploy design review service for project teams
AA 2.2 | standardize architectural descriptions (include data flow) | DR 3.A | Develop data-flow diagrams for sensitive resources
SM 1.3 | educate executives | EG 1.A | Conduct technical security awareness training
T 1.1 | provide awareness training | EG 1.A | Conduct technical security awareness training
T 2.5 | hold satellite training/events | EG 1.A | Conduct technical security awareness training
SR 1.1 | create security standards (T: sec features/design) | EG 1.B | Build and maintain technical guidelines
SR 1.2 | create security portal | EG 1.B | Build and maintain technical guidelines
CP 2.5 | promote executive awareness of compliance/privacy obligations | EG 2.A | Conduct role-specific application security training
T 2.1 | offer role-specific advanced curriculum (tools, technology stacks, bug parade) | EG 2.A | Conduct role-specific application security training
T 2.2 | create/use material specific to company history | EG 2.A | Conduct role-specific application security training
T 2.4 | offer on-demand individual training | EG 2.A | Conduct role-specific application security training
T 3.2 | provide training for vendors or outsource workers | EG 2.A | Conduct role-specific application security training
T 3.4 | require annual refresher | EG 2.A | Conduct role-specific application security training
AA 2.3 | make SSG available as AA resource/mentor | EG 2.B | Utilize security coaches to enhance project teams
AA 3.1 | have software architects lead review efforts | EG 2.B | Utilize security coaches to enhance project teams
AM 2.4 | build internal forum to discuss attacks (T: standards/req) | EG 2.B | Utilize security coaches to enhance project teams
CR 2.5 | assign tool mentors | EG 2.B | Utilize security coaches to enhance project teams
SM 2.3 | create or grow social network/satellite system | EG 2.B | Utilize security coaches to enhance project teams
T 1.3 | establish SSG office hours | EG 2.B | Utilize security coaches to enhance project teams

Lessons Learned
• Microsoft SDL
  • Heavyweight, good for large ISVs
• Touchpoints
  • High-level, not enough details to execute against
• BSIMM
  • Stats, but what to do with them?
• CLASP
  • Large collection of activities, but no priority ordering
• ALL: Good for experts to use as a guide, but hard for non-security folks to use off the shelf

We need a Maturity Model
• An organization’s behavior changes slowly over time: changes must be iterative while working toward long-term goals
• There is no single recipe that works for all organizations: a solution must enable risk-based choices tailored to the organization
• Guidance related to security activities must be prescriptive: a solution must provide enough details for non-security people
• Overall, must be simple, well-defined, and measurable: OWASP Software Assurance Maturity Model (SAMM)
https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model

SAMM Security Practices
• From each of the Business Functions, 3 Security Practices are defined
• The Security Practices cover all areas relevant to software security assurance
• Each one is a ‘silo’ for improvement

Under each Security Practice
• Three successive Objectives under each Practice define how it can be improved over time
• This establishes a notion of a Level at which an organization fulfills a given Practice
• The three Levels for a Practice generally correspond to:
  • (0: Implicit starting point with the Practice unfulfilled)
  • 1: Initial understanding and ad hoc provision of the Practice
  • 2: Increase efficiency and/or effectiveness of the Practice
  • 3: Comprehensive mastery of the Practice at scale

Per Level, SAMM defines...
• Objective
• Activities
• Results
• Success Metrics
• Costs
• Personnel
• Related Levels

Strategy & Metrics

Policy & Compliance

Education & Guidance
Give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime. (Chinese proverb)
Resources:
• OWASP Top 10: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• OWASP Education: https://www.owasp.org/index.php/Category:OWASP_Education_Project
• WebGoat: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

OWASP Cheat Sheets
https://www.owasp.org/index.php/Cheat_Sheets

Threat Assessment

Security Requirements

Secure Coding Practices Quick Reference Guide
• Technology agnostic coding practices
• What to do, not how to do it
• Compact, but comprehensive checklist format
• Focuses on secure coding requirements, rather than on vulnerabilities and exploits
• Includes a cross-referenced glossary to get developers and security folks talking the same language
https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide

Secure Architecture

The OWASP Enterprise Security API
[Diagram labels: Custom Enterprise Web Application; Enterprise Security API: SecurityConfiguration, IntrusionDetector, Logger, Exception Handling, Randomizer, EncryptedProperties, Encryptor, HTTPUtilities, Encoder, Validator, AccessReferenceMap, AccessController, User, Authenticator; Existing Enterprise Security Services/Libraries]
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

Design Review

Code Review
SDL Integration:
• Multiple reviews defined as deliverables in your SDLC
• Structured, repeatable process with management support
• Reviews are exit criteria for the development and test phases
Resources:
• OWASP Code Review Guide: https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project

Code review tooling
Code review tools:
• OWASP LAPSE (security scanner for Java EE applications): https://www.owasp.org/index.php/OWASP_LAPSE_Project
• MS FxCop / CAT.NET (Code Analysis Tool for .NET): http://www.microsoft.com/security/sdl/discover/implementation.aspx
• Agnitio (open source manual source code review support tool): http://agnitiotool.sourceforge.net/

Security Testing
SDL Integration:
• Integrate dynamic security testing as part of your test cycles
• Derive test cases from the security requirements that apply
• Check business logic soundness as well as common vulnerabilities
• Review results with stakeholders prior to release
Resources:
• OWASP ASVS: https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
• OWASP Testing Guide: https://www.owasp.org/index.php/OWASP_Testing_Project

Security Testing
• Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications
• Provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually
Features:
• Intercepting proxy
• Automated scanner
• Passive scanner
• Brute force scanner
• Spider
• Fuzzer
• Port scanner
• Dynamic SSL Certificates
• API
• Beanshell integration
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Vulnerability Management

Environment Hardening

Web Application Firewalls
[Diagram labels: Malicious web traffic, Legitimate web traffic, Port 80, Web client (browser), Network Firewall, Web Application Firewall, Web Server]
ModSecurity: World's No. 1 open source Web Application Firewall
www.modsecurity.org
• HTTP Traffic Logging
• Real-Time Monitoring and Attack Detection
• Attack Prevention and Just-in-time Patching
• Flexible Rule Engine
• Embedded Deployment (Apache, IIS7 and Nginx)
• Network-Based Deployment (reverse proxy)
OWASP ModSecurity Core Rule Set Project: generic, plug-n-play set of WAF rules
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

Operational Enablement

150+ OWASP Projects
PROTECT
• Tools: AntiSamy Java/.NET, Enterprise Security API (ESAPI), ModSecurity Core Rule Set Project
• Docs: Development Guide, .NET, Ruby on Rails Security Guide, Secure Coding Practices - Quick Reference Guide
DETECT
• Tools: JBroFuzz, Live CD, WebScarab, Zed Attack Proxy
• Docs: Application Security Verification Standard, Code Review Guide, Testing Guide, Top Ten Project
LIFE CYCLE
• SAMM, WebGoat, Legal Project

Mapping Projects / SAMM

Project | Type | Level | SAMM Practice | Remarks
AntiSamy | Code | Flagship | SA2 |
Enterprise Security API | Code | Flagship | SA3 |
ModSecurity Core Rule Set | Code | Flagship | EH3 |
CSRFGuard | Code | Flagship | SA2 |
Web Testing Environment | Tools | Flagship | ST2 |
WebGoat | Tools | Flagship | EG2 |
Zed Attack Proxy | Tools | Flagship | ST2 |
Application Security Verification Standard | Documentation | Flagship | DR2 | ASVS-L4
Application Security Verification Standard | Documentation | Flagship | CR3 | ASVS-L4
Application Security Verification Standard | Documentation | Flagship | ST3 | ASVS-L4
Code Review Guide | Documentation | Flagship | CR1 |
Codes of Conduct | Documentation | Flagship | not applicable |
Development Guide | Documentation | Flagship | EG1 |
Secure Coding Practices - Quick Reference Guide | Documentation | Flagship | SR1 |
Software Assurance Maturity Model | Documentation | Flagship | SM1 | Recursiveness :-)
Testing Guide | Documentation | Flagship | ST1 |
Top Ten | Documentation | Flagship | EG1 |

Project | Type | Level | SAMM Practice | Remarks
Broken Web Applications | Tools | Labs | EG1 |
CSRFTester | Tools | Labs | ST1 |
EnDe | Tools | Labs | ST1 |
Fiddler Addons for Security Testing | Tools | Labs | ST1 |
Forward Exploit Tool | Tools | Labs | ST1 |
Hackademic Challenges | Tools | Labs | EG1 |
Hatkit Datafiddler | Tools | Labs | ST1 |
Hatkit Proxy | Tools | Labs | ST1 |
HTTP POST | Tools | Labs | ST1 |
Java XML Templates | Tools | Labs | SA2 |
JavaScript Sandboxes | Tools | Labs | not applicable |
Joomla Vulnerability Scanner | Tools | Labs | ST1 |
LAPSE | Tools | Labs | CR2 |
Mantra Security Framework | Tools | Labs | ST1 |
Mutillidae | Tools | Labs | EG1 |
O2 | Tools | Labs | ST2 |
Orizon | Tools | Labs | CR2 |
Scrubbr | Tools | Labs | ST1 |
Security Assurance Testing of Virtual Worlds | Tools | Labs | ST1 |
Vicnum | Tools | Labs | EG1 |
Wapiti | Tools | Labs | ST1 |
Web Browser Testing System | Tools | Labs | ST1 |
WebScarab | Tools | Labs | ST1 |
Webslayer | Tools | Labs | ST1 |
WSFuzzer | Tools | Labs | ST1 |
Yasca | Tools | Labs | CR2 |
AppSec Tutorials | Documentation | Labs | EG1 |
AppSensor | Documentation | Labs | EH3 |
AppSensor | Documentation | Labs | SA2 |
Cloud 10 | Documentation | Labs | EG1 |
CTF | Documentation | Labs | EG1 |
Fuzzing Code | Documentation | Labs | ST1 |
Legal | Documentation | Labs | SR3 |
Podcast | Documentation | Labs | EG1 |
Virtual Patching Best Practices | Documentation | Labs | EH3 |

Coverage

Function (total) | Practice | Level 1 | Level 2 | Level 3 | Total
Governance (12) | Strategy & Metrics | SM1: 1 | SM2: 0 | SM3: 0 | 1
Governance (12) | Policy & Compliance | PC1: 0 | PC2: 0 | PC3: 0 | 0
Governance (12) | Education & Guidance | EG1: 10 | EG2: 1 | EG3: 0 | 11
Construction (7) | Threat Assessment | TA1: 0 | TA2: 0 | TA3: 0 | 0
Construction (7) | Security Requirements | SR1: 1 | SR2: 0 | SR3: 1 | 2
Construction (7) | Security Architecture | SA1: 0 | SA2: 4 | SA3: 1 | 5
Verification (28) | Design Review | DR1: 0 | DR2: 1 | DR3: 0 | 1
Verification (28) | Code Review | CR1: 1 | CR2: 3 | CR3: 1 | 5
Verification (28) | Security Testing | ST1: 18 | ST2: 3 | ST3: 1 | 22
Deployment (3) | Vulnerability Management | VM1: 0 | VM2: 0 | VM3: 0 | 0
Deployment (3) | Environment Hardening | EH1: 0 | EH2: 0 | EH3: 3 | 3
Deployment (3) | Operational Hardening | OE1: 0 | OE2: 0 | OE3: 0 | 0

Get started
• Step 1: questionnaire as-is
• Step 2: define your maturity goal
• Step 3: define phased roadmap

Conducting assessments
• SAMM includes assessment worksheets for each Security Practice

Assessment process
• Supports both lightweight and detailed assessments

Creating Scorecards
• Gap analysis
  • Capturing scores from detailed assessments versus expected performance levels
• Demonstrating improvement
  • Capturing scores from before and after an iteration of assurance program build-out
• Ongoing measurement
  • Capturing scores over consistent time frames for an assurance program that is already in place

Roadmap templates
• To make the “building blocks” usable, SAMM defines Roadmap templates for typical kinds of organizations
  • Independent Software Vendors
  • Online Service Providers
  • Financial Services Organizations
  • Government Organizations
• Tune these to your own targets / speed

SAMM Resources
www.opensamm.org
• Presentations
• Tools
  • Assessment worksheets / templates
  • Roadmap templates
  • Scorecard chart generation
• Translations (Spanish / Japanese)
• SAMM mappings to ISO/IEC 27034 / BSIMM

Critical Success Factors
• Get initiative buy-in from all stakeholders
• Adopt a risk-based approach
• Awareness / education is the foundation
• Integrate security in your development / acquisition and deployment processes
• Provide management visibility

Project Roadmap
Build the SAMM community:
• List of SAMM adopters
• Workshops at AppSecEU and AppSecUSA
V1.1:
• Incorporate tools / guidance / OWASP projects
• Revamp SAMM wiki
V2.0:
• Revise scoring model
• Model revision necessary? (12 practices, 3 levels, ...)
• Application to agile
• Roadmap planning: how to measure effort?
• Presentations & teaching material
• …

Get involved
• Use and donate back!
• Attend OWASP chapter meetings and conferences
• Support OWASP: become a personal/company member
https://www.owasp.org/index.php/Membership

Q&A

Thank you
• @sebadele
• seba@owasp.org
• seba@deleersnyder.eu
• www.linkedin.com/in/sebadele