Pavel Radchuk - SAMM: Understanding Agile in Security

OWASP Kyiv
December 03, 2017

Video: https://youtu.be/nOrlK4p7QA8
OWASP Kyiv Winter 2017 Meetup, Dec 2, 2017
https://www.owasp.org/index.php/Kyiv

Transcript

  1. OWASP SAMM:
    Understanding Agile in Security

  2. Software development is…

  3. Agile

  4. Security methodologies for Agile

  5. MS SDL for Agile
    MS Security Development Lifecycle (SDL) is a software
    development process that helps developers build more
    secure software and address security compliance
    requirements while reducing development cost.

  6. MS SDL for Agile

  7. MS SDL for Agile

  8. MS SDL for Agile

  9. MS SDL: is it THAT Agile?
    • Needs to be fully implemented
    • All functions are necessary
    • Doesn’t deal with business restrictions

  10. OWASP SAMM
    The Software Assurance
    Maturity Model (SAMM) is
    an open framework to help
    organizations formulate and
    implement a strategy for
    software security that is
    tailored to the specific risks
    facing the organization

  11. OWASP SAMM Framework

  12. SAMM. Business function

  13. SAMM. Business function
    • Objective
    • Activities
    • Assessment
    • Results
    • Success Metrics
    • Costs
    • Personnel
    • Related Levels

  14. SAMM. Business function assessment

  15. SAMM. Assessment via toolbox

  16. SAMM. Defining goals

  17. SAMM. Defining goals

  18. SAMM. Reaching global goals

  19. OWASP SAMM:
    What is next?

  20. (image slide, no text)

  21. Agile to DevOps toolbox

  22. SAMM 2.0: Adjusting to DevOps
    SAMM overview: business functions and their security practices across the software assurance lifecycle
    • Governance: Strategy & Metrics; Policy & Compliance; Education & Guidance
    • Construction: Threat Assessment; Security Requirements; Secure Architecture
    • Build & Deploy: Secure Build; Secure Deployment; Defect Management
    • Verification: Design Analysis; Implementation Review; Security Testing
    • Operations: Issue Management; Environment Hardening; Operational Enablement

  23. SAMM 2.0
    SAMM 2.0 is planned to be presented at the OWASP 2018
    Summer Summit.
    OWASP SAMM repository:
    https://github.com/OWASP/samm/tree/master/v2.0

  24. SAMM. Get involved
    Special thanks to Yan Kravchenko, one of the SAMM
    developers.
    If you want to contribute to the project, or you just have
    some interesting opinions, contact OWASP members.

  25. Q&A