Pavel Radchuk - SAMM: Understanding Agile in Security

OWASP Kyiv
December 03, 2017

Video: https://youtu.be/nOrlK4p7QA8
OWASP Kyiv Winter 2017 Meetup, Dec 2, 2017
https://www.owasp.org/index.php/Kyiv

Transcript

  1. OWASP SAMM: Understanding Agile in Security

  2. Software development is…

  3. Agile

  4. Security methodologies for Agile

  5. MS SDL for Agile

    The Microsoft Security Development Lifecycle (SDL) is a software development process that helps developers build more secure software and address security compliance requirements while reducing development cost.
  6. MS SDL for Agile

  7. MS SDL for Agile

  8. MS SDL for Agile

  9. MS SDL: is it THAT Agile?

    • Needs to be fully implemented
    • All functions are necessary
    • Doesn't deal with business restrictions
  10. OWASP SAMM

    The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.
  11. OWASP SAMM Framework

  12. SAMM. Business function

  13. SAMM. Business function

    • Objective
    • Activities
    • Assessment
    • Results
    • Success Metrics
    • Costs
    • Personnel
    • Related Levels
  14. SAMM. Business function assessment

  15. SAMM. Assessment via toolbox

  16. SAMM. Defining goals

  17. SAMM. Defining goals

  18. SAMM. Reaching global goals

  19. OWASP SAMM: What is next?

  20. None
  21. Agile to DevOps toolbox

  22. SAMM 2.0. Adjusting to DevOps

    SAMM Overview (2.0 draft): Software Assurance Lifecycle → Business Function → Security Practices

    • Governance: Strategy & Metrics, Policy & Compliance, Education & Guidance
    • Construction: Threat Assessment, Security Requirements, Secure Architecture
    • Build & Deploy: Secure Build, Secure Deployment, Defect Management
    • Verification: Design Analysis, Implementation Review, Security Testing
    • Operations: Issue Management, Environment Hardening, Operational Enablement
  23. SAMM 2.0

    SAMM 2.0 is planned to be presented at the OWASP 2018 Summer Summit.
    OWASP SAMM repository: https://github.com/OWASP/samm/tree/master/v2.0
  24. SAMM. Get involved

    Special thanks to Yan Kravchenko, one of the SAMM developers. If you want to contribute to the project, or you just have some interesting opinions, contact the OWASP members.
  25. Q&A