OpenSAMM: Software Assurance Maturity Model
Seba Deleersnyder, [email protected]
OWASP Foundation Board Member, OWASP Belgium Chapter Leader, SAMM project co-leader
OWASP Europe Tour 2013, Geneva
The OWASP Foundation, http://www.owasp.org
The web application security challenge
[Figure: an application attack passing through the network layer (firewall, hardened OS, web server, app server) into the application layer: custom developed application code, web services, legacy systems, databases, directories, billing and human resources systems]
Your security “perimeter” has huge holes at the application layer.
You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks.
“Build in” software assurance: Secure Development Lifecycle (SAMM)
[Figure: security activities placed along the lifecycle, from proactive (left) to reactive (right)]
Design: security requirements / threat modeling
Build: coding guidelines, code reviews, static test tools
Test: security testing, dynamic test tools
Production: vulnerability scanning, WAF
CLASP
• Comprehensive, Lightweight Application Security Process
• Centered around 7 AppSec Best Practices
• Covers the entire software lifecycle (not just development)
• Adaptable to any development process
• Defines roles across the SDLC
• 24 role-based process components
• Start small and dial-in to your needs
Microsoft SDL
• Built internally for MS software
• Extended and made public for others
• MS-only versions since public release
Touchpoints
• Gary McGraw’s and Cigital’s model
BSIMM
• Gary McGraw’s and Cigital’s model
• Quantifies activities of software security initiatives of 51 firms
• Derived from SAMM beta
BSIMM – Open SAMM Mapping
(0 = no corresponding OpenSAMM activity)

BSIMM Code | BSIMM Activity | SAMM Code | OpenSAMM Activity
SM 3.2 | run external marketing program | 0 | 0
T 3.3 | host external software security events | 0 | 0
CR 1.1 | create top N bugs list (real data preferred) (T: training) | CR 1.A | Create review checklists from known security requirements
CR 1.2 | have SSG perform ad hoc review | CR 1.B | Perform point-review of high-risk code
CR 1.4 | use automated tools along with manual review | CR 2.A | Utilize automated code analysis tools
CR 3.1 | use automated tools with tailored rules | CR 3.A | Customize code analysis for application-specific concerns
CR 3.3 | build capability for eradicating specific bugs from entire codebase | CR 3.A | Customize code analysis for application-specific concerns
CR 2.3 | make code review mandatory for all projects | CR 3.B | Establish release gates for code review
AA 1.1 | perform security feature review | DR 1.B | Analyze design against known security requirements
AA 2.1 | define/use AA process | DR 2.A | Inspect for complete provision of security mechanisms
AA 1.2 | perform design review for high-risk applications | DR 2.B | Deploy design review service for project teams
AA 1.3 | have SSG lead review efforts | DR 2.B | Deploy design review service for project teams
AA 2.2 | standardize architectural descriptions (include data flow) | DR 3.A | Develop data-flow diagrams for sensitive resources
SM 1.3 | educate executives | EG 1.A | Conduct technical security awareness training
T 1.1 | provide awareness training | EG 1.A | Conduct technical security awareness training
T 2.5 | hold satellite training/events | EG 1.A | Conduct technical security awareness training
SR 1.1 | create security standards (T: sec features/design) | EG 1.B | Build and maintain technical guidelines
SR 1.2 | create security portal | EG 1.B | Build and maintain technical guidelines
CP 2.5 | promote executive awareness of compliance/privacy obligations | EG 2.A | Conduct role-specific application security training
T 2.1 | offer role-specific advanced curriculum (tools, technology stacks, bug parade) | EG 2.A | Conduct role-specific application security training
T 2.2 | create/use material specific to company history | EG 2.A | Conduct role-specific application security training
T 2.4 | offer on-demand individual training | EG 2.A | Conduct role-specific application security training
T 3.2 | provide training for vendors or outsource workers | EG 2.A | Conduct role-specific application security training
T 3.4 | require annual refresher | EG 2.A | Conduct role-specific application security training
AA 2.3 | make SSG available as AA resource/mentor | EG 2.B | Utilize security coaches to enhance project teams
AA 3.1 | have software architects lead review efforts | EG 2.B | Utilize security coaches to enhance project teams
AM 2.4 | build internal forum to discuss attacks (T: standards/req) | EG 2.B | Utilize security coaches to enhance project teams
CR 2.5 | assign tool mentors | EG 2.B | Utilize security coaches to enhance project teams
SM 2.3 | create or grow social network/satellite system | EG 2.B | Utilize security coaches to enhance project teams
T 1.3 | establish SSG office hours | EG 2.B | Utilize security coaches to enhance project teams
Lessons Learned
• Microsoft SDL
  • Heavyweight, good for large ISVs
• Touchpoints
  • High-level, not enough details to execute against
• BSIMM
  • Stats, but what to do with them?
• CLASP
  • Large collection of activities, but no priority ordering
• ALL: Good for experts to use as a guide, but hard for non-security folks to use off the shelf
We need a Maturity Model
• An organization’s behavior changes slowly over time: changes must be iterative while working toward long-term goals
• There is no single recipe that works for all organizations: a solution must enable risk-based choices tailored to the organization
• Guidance related to security activities must be prescriptive: a solution must provide enough details for non-security people
• Overall, must be simple, well-defined, and measurable
OWASP Software Assurance Maturity Model (SAMM)
https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model
SAMM Security Practices
• From each of the Business Functions, 3 Security Practices are defined
• The Security Practices cover all areas relevant to software security assurance
• Each one is a ‘silo’ for improvement
Under each Security Practice
• Three successive Objectives under each Practice define how it can be improved over time
• This establishes a notion of a Level at which an organization fulfills a given Practice
• The three Levels for a Practice generally correspond to:
  • (0: Implicit starting point with the Practice unfulfilled)
  • 1: Initial understanding and ad hoc provision of the Practice
  • 2: Increase efficiency and/or effectiveness of the Practice
  • 3: Comprehensive mastery of the Practice at scale
Per Level, SAMM defines...
• Objective
• Activities
• Results
• Success Metrics
• Costs
• Personnel
• Related Levels
Strategy & Metrics
1
Policy & Compliance
1
Education & Guidance
1
Education & Guidance
Give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime. (Chinese proverb)
Resources:
• OWASP Top 10: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• OWASP Education: https://www.owasp.org/index.php/Category:OWASP_Education_Project
• WebGoat: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
OWASP Cheat Sheets
https://www.owasp.org/index.php/Cheat_Sheets
Threat Assessment
1
Security Requirements
1
Secure Coding Practices Quick Reference Guide
• Technology agnostic coding practices
• What to do, not how to do it
• Compact, but comprehensive checklist format
• Focuses on secure coding requirements, rather than on vulnerabilities and exploits
• Includes a cross-referenced glossary to get developers and security folks talking the same language
https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
Secure Architecture
2
The OWASP Enterprise Security API
[Figure: a custom enterprise web application calls the Enterprise Security API, which in turn wraps existing enterprise security services/libraries. ESAPI components: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration]
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Design Review
2
Code Review
2
Code Review
SDL Integration:
• Multiple reviews defined as deliverables in your SDLC
• Structured, repeatable process with management support
• Reviews are exit criteria for the development and test phases
Resources:
• OWASP Code Review Guide: https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
Code review tooling
Code review tools:
• OWASP LAPSE (Security scanner for Java EE Applications): https://www.owasp.org/index.php/OWASP_LAPSE_Project
• MS FxCop / CAT.NET (Code Analysis Tool for .NET): http://www.microsoft.com/security/sdl/discover/implementation.aspx
• Agnitio (open source manual source code review support tool): http://agnitiotool.sourceforge.net/
Security Testing
2
Security Testing
SDL Integration:
• Integrate dynamic security testing as part of your test cycles
• Derive test cases from the security requirements that apply
• Check business logic soundness as well as common vulnerabilities
• Review results with stakeholders prior to release
Resources:
• OWASP ASVS: https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
• OWASP Testing Guide: https://www.owasp.org/index.php/OWASP_Testing_Project
Security Testing
• Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications
• Provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually
Features:
• Intercepting proxy
• Automated scanner
• Passive scanner
• Brute force scanner
• Spider
• Fuzzer
• Port scanner
• Dynamic SSL Certificates
• API
• Beanshell integration
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Vulnerability Management
3
Environment Hardening
3
Web Application Firewalls
[Figure: malicious and legitimate web traffic from the web client (browser) passes the network firewall on port 80; the web application firewall in front of the web server filters out the malicious traffic]
ModSecurity: world's No. 1 open source Web Application Firewall
www.modsecurity.org
• HTTP Traffic Logging
• Real-Time Monitoring and Attack Detection
• Attack Prevention and Just-in-time Patching
• Flexible Rule Engine
• Embedded Deployment (Apache, IIS7 and Nginx)
• Network-Based Deployment (reverse proxy)
OWASP ModSecurity Core Rule Set Project: a generic, plug-and-play set of WAF rules
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
Operational Enablement
3
150+ OWASP Projects
PROTECT
Tools: AntiSamy Java/.NET, Enterprise Security API (ESAPI), ModSecurity Core Rule Set Project
Docs: Development Guide, .NET, Ruby on Rails Security Guide, Secure Coding Practices - Quick Reference Guide
DETECT
Tools: JBroFuzz, Live CD, WebScarab, Zed Attack Proxy
Docs: Application Security Verification Standard, Code Review Guide, Testing Guide, Top Ten Project
LIFE CYCLE
SAMM, WebGoat, Legal Project
Mapping Projects / SAMM

Flagship projects:
Project | Type | Level | SAMM Practice | Remarks
AntiSamy | Code | Flagship | SA2 |
Enterprise Security API | Code | Flagship | SA3 |
ModSecurity Core Rule Set | Code | Flagship | EH3 |
CSRFGuard | Code | Flagship | SA2 |
Web Testing Environment | Tools | Flagship | ST2 |
WebGoat | Tools | Flagship | EG2 |
Zed Attack Proxy | Tools | Flagship | ST2 |
Application Security Verification Standard | Documentation | Flagship | DR2 | ASVS-L4
Application Security Verification Standard | Documentation | Flagship | CR3 | ASVS-L4
Application Security Verification Standard | Documentation | Flagship | ST3 | ASVS-L4
Code Review Guide | Documentation | Flagship | CR1 |
Codes of Conduct | Documentation | Flagship | not applicable |
Development Guide | Documentation | Flagship | EG1 |
Secure Coding Practices - Quick Reference Guide | Documentation | Flagship | SR1 |
Software Assurance Maturity Model | Documentation | Flagship | SM1 | Recursiveness :-)
Testing Guide | Documentation | Flagship | ST1 |
Top Ten | Documentation | Flagship | EG1 |

Labs projects:
Project | Type | Level | SAMM Practice
Broken Web Applications | Tools | Labs | EG1
CSRFTester | Tools | Labs | ST1
EnDe | Tools | Labs | ST1
Fiddler Addons for Security Testing | Tools | Labs | ST1
Forward Exploit Tool | Tools | Labs | ST1
Hackademic Challenges | Tools | Labs | EG1
Hatkit Datafiddler | Tools | Labs | ST1
Hatkit Proxy | Tools | Labs | ST1
HTTP POST | Tools | Labs | ST1
Java XML Templates | Tools | Labs | SA2
JavaScript Sandboxes | Tools | Labs | not applicable
Joomla Vulnerability Scanner | Tools | Labs | ST1
LAPSE | Tools | Labs | CR2
Mantra Security Framework | Tools | Labs | ST1
Mutillidae | Tools | Labs | EG1
O2 | Tools | Labs | ST2
Orizon | Tools | Labs | CR2
Scrubbr | Tools | Labs | ST1
Security Assurance Testing of Virtual Worlds | Tools | Labs | ST1
Vicnum | Tools | Labs | EG1
Wapiti | Tools | Labs | ST1
Web Browser Testing System | Tools | Labs | ST1
WebScarab | Tools | Labs | ST1
Webslayer | Tools | Labs | ST1
WSFuzzer | Tools | Labs | ST1
Yasca | Tools | Labs | CR2
AppSec Tutorials | Documentation | Labs | EG1
AppSensor | Documentation | Labs | EH3
AppSensor | Documentation | Labs | SA2
Cloud 10 | Documentation | Labs | EG1
CTF | Documentation | Labs | EG1
Fuzzing Code | Documentation | Labs | ST1
Legal | Documentation | Labs | SR3
Podcast | Documentation | Labs | EG1
Virtual Patching Best Practices | Documentation | Labs | EH3
Coverage (number of mapped OWASP projects per SAMM Practice level)

Governance
  Strategy & Metrics: SM1 1, SM2 0, SM3 0 (total 1)
  Policy & Compliance: PC1 0, PC2 0, PC3 0 (total 0)
  Education & Guidance: EG1 10, EG2 1, EG3 0 (total 11)
  Governance total: 12
Construction
  Threat Assessment: TA1 0, TA2 0, TA3 0 (total 0)
  Security Requirements: SR1 1, SR2 0, SR3 1 (total 2)
  Security Architecture: SA1 0, SA2 4, SA3 1 (total 5)
  Construction total: 7
Verification
  Design Review: DR1 0, DR2 1, DR3 0 (total 1)
  Code Review: CR1 1, CR2 3, CR3 1 (total 5)
  Security Testing: ST1 18, ST2 3, ST3 1 (total 22)
  Verification total: 28
Deployment
  Vulnerability Management: VM1 0, VM2 0, VM3 0 (total 0)
  Environment Hardening: EH1 0, EH2 0, EH3 3 (total 3)
  Operational Enablement: OE1 0, OE2 0, OE3 0 (total 0)
  Deployment total: 3
Get started
Step 1: questionnaire as-is
Step 2: define your maturity goal
Step 3: define phased roadmap
Conducting assessments
SAMM includes assessment worksheets for each Security Practice
Assessment process
Supports both lightweight and detailed assessments
Creating Scorecards
• Gap analysis: capturing scores from detailed assessments versus expected performance levels
• Demonstrating improvement: capturing scores from before and after an iteration of assurance program build-out
• Ongoing measurement: capturing scores over consistent time frames for an assurance program that is already in place
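Added example, not code from the deck or the SAMM project: a small Python scorecard that implements the gap analysis and improvement tracking named above and turns an as-is assessment plus a maturity goal (the three "Get started" steps) into a phased roadmap. Practice codes are those of the deck's coverage table; the as-is and target scores are constructed.

```python
"""Added example, not from the OpenSAMM deck: a minimal SAMM scorecard doing
what the 'Creating Scorecards' slide lists (gap analysis, demonstrating
improvement) plus a phased roadmap for the three 'Get started' steps.
Practice codes follow the deck's coverage table; all scores are constructed."""

BUSINESS_FUNCTIONS = {
    "Governance":   ("SM", "PC", "EG"),
    "Construction": ("TA", "SR", "SA"),
    "Verification": ("DR", "CR", "ST"),
    "Deployment":   ("VM", "EH", "OE"),
}
PRACTICES = {p for ps in BUSINESS_FUNCTIONS.values() for p in ps}
LEVELS = (0, 1, 2, 3)  # 0 = implicit starting point, 3 = mastery at scale


def validate(scores):
    """Reject a scorecard that misses a practice or uses a level outside 0..3."""
    if set(scores) != PRACTICES:
        raise ValueError(f"scorecard must cover exactly {sorted(PRACTICES)}")
    bad = {p: lvl for p, lvl in scores.items() if lvl not in LEVELS}
    if bad:
        raise ValueError(f"levels must be 0..3, got {bad}")


def gap_analysis(as_is, target):
    """Steps 1 and 2: how many levels each practice is short of the goal."""
    validate(as_is)
    validate(target)
    return {p: max(target[p] - as_is[p], 0) for p in sorted(PRACTICES)}


def improvement(before, after):
    """Levels gained per practice over one iteration (negative = regression)."""
    validate(before)
    validate(after)
    return {p: after[p] - before[p] for p in sorted(PRACTICES)}


def phased_roadmap(as_is, target):
    """Step 3: raise each practice at most one level per phase, so the plan
    stays iterative and the number of phases equals the largest gap."""
    gap_analysis(as_is, target)  # validates both scorecards
    current, phases = dict(as_is), []
    while any(current[p] < target[p] for p in PRACTICES):
        raised = {p: current[p] + 1 for p in sorted(PRACTICES) if current[p] < target[p]}
        current.update(raised)
        phases.append(raised)
    return phases


# Constructed sample input: an as-is assessment and the chosen maturity goal.
AS_IS = {"SM": 1, "PC": 0, "EG": 1, "TA": 0, "SR": 1, "SA": 1,
         "DR": 0, "CR": 1, "ST": 1, "VM": 1, "EH": 2, "OE": 0}
TARGET = {"SM": 2, "PC": 1, "EG": 2, "TA": 2, "SR": 2, "SA": 2,
          "DR": 1, "CR": 2, "ST": 3, "VM": 2, "EH": 2, "OE": 1}
```

Calling `phased_roadmap(AS_IS, TARGET)` on the sample returns two phases: the first raises the eleven practices that are below goal by one level, the second brings only TA and ST to their final levels.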
Roadmap templates
• To make the “building blocks” usable, SAMM defines Roadmap templates for typical kinds of organizations:
  • Independent Software Vendors
  • Online Service Providers
  • Financial Services Organizations
  • Government Organizations
• Tune these to your own targets / speed
SAMM Resources
www.opensamm.org
• Presentations
• Tools
• Assessment worksheets / templates
• Roadmap templates
• Scorecard chart generation
• Translations (Spanish / Japanese)
• SAMM mappings to ISO/IEC 27034 / BSIMM
Critical Success Factors
• Get initiative buy-in from all stakeholders
• Adopt a risk-based approach
• Awareness / education is the foundation
• Integrate security in your development / acquisition and deployment processes
• Provide management visibility
Project Roadmap
Build the SAMM community:
• List of SAMM adopters
• Workshops at AppSecEU and AppSecUSA
V1.1:
• Incorporate tools / guidance / OWASP projects
• Revamp SAMM wiki
V2.0:
• Revise scoring model
• Model revision necessary? (12 practices, 3 levels, ...)
• Application to agile
• Roadmap planning: how to measure effort?
• Presentations & teaching material
• …
Get involved
• Use and donate back!
• Attend OWASP chapter meetings and conferences
• Support OWASP: become a personal/company member
https://www.owasp.org/index.php/Membership
Q&A
Thank you
• @sebadele
• [email protected]
• www.linkedin.com/in/sebadele