
"Evolution of Application Security Programs through OWASP SAMM 2.0", Yan Kravchenko


OWASP Moscow

June 11, 2021

Transcript

  1. Evolution of Application Security Programs through OWASP SAMM 2.0
     OWASP Moscow Virtual Meetup 2021.1, June 11, 2021
     Yan Kravchenko, CSSLP, CISSP, CISA, CISM
  2. What is SAMM?
     The mission of OWASP SAMM is to be the prime maturity model for software assurance that provides an effective and measurable way for all types of organizations to analyze and improve their software security posture. OWASP SAMM supports the complete software lifecycle, including development and acquisition, and is technology and process agnostic. It is intentionally built to be evolutive and risk-driven in nature.
  3. The SAMM core team
     Nessim Kisserli, Brett Crawley, Chris Cooper, John DiLeo, Patricia Duarte, Sebastián Arriada, Daniel Kefer, John Kennedy, Brian Glas, Yan Kravchenko, Hardik Parekh, John Ellingsworth
  4. Why OWASP SAMM?
     • Application development experience is rare among Information Security Professionals
     • Improving security should be aligned with improving efficiency and productivity
     • Facilitates roadmaps for implementation of new technologies and eliminating “technology debt”
     • Global community-supported guidance
  5. A Little OWASP SAMM History…
     • 2009 – OpenSAMM 1.0: Funded by Fortify Security
     • 2016 – OWASP SAMM 1.1: Added implementation guides
     • 2017 – OWASP SAMM 1.5: Changed scoring model
     • 2018 – OWASP SAMM 2.0: The "DevOps Release"
     • 2020 – OWASP SAMM 2.1: Translations/Mapping
  6. Interpreted vs. Compiled Languages
     Compiled: Hard to learn, Requires training, Faster, Stand-alone, Commercial dependencies
     Interpreted: Easy to learn, Amateur friendly, Slower, Dependencies, Open-source dependencies
  7. Infrastructure as Code
     • Infrastructure is re-deployed with each build
     • System hardening through build configurations
     • Software Defined Networking by design
     • Automated large-scale configuration management
  8. [Lifecycle diagram: Waterfall phases (Requirements, Analysis / Design, Implementation, Testing / Verification, Deployment / Maintenance) contrasted with repeated iterations of Idea, Design, Code, Test, Deploy and a continuous Build / Deploy to Cloud loop; labelled "Constantly Changing"]
  9. How Different Are They?
     [Diagram comparing Waterfall, Agile and DevOps by how the Design, Code, Test and Deploy phases are arranged]
  10. SAMM 2.0 - Governance
      • Strategy & Metrics: Create and Promote; Measure and Improve
      • Policy & Compliance: Policy and Standards; Compliance Management
      • Education & Guidance: Training and Awareness; Organization and Culture
  11. SAMM 2.0 - Design
      • Threat Assessment: Application Risk Profile; Threat Modeling
      • Security Requirements: Software Requirements; Supplier Security
      • Security Architecture: Architecture Design; Technology Management
  12. SAMM 2.0 - Implementation
      • Secure Build: Build Process; Software Dependencies
      • Secure Deployment: Deployment Process; Secret Management
      • Defect Management: Defect Tracking; Metrics and Feedback
  13. SAMM 2.0 - Verification
      • Architecture Assessment: Architecture Assessment; Architecture Mitigation
      • Requirements Driven Testing: Control Verification; Misuse / Abuse Testing
      • Security Testing: Scalable Baseline; Deep Understanding
  14. SAMM 2.0 - Operations
      • Incident Management: Incident Detection; Incident Response
      • Environment Management: Configuration Hardening; Patching and Updating
      • Operational Management: Data Management; System Decommissioning / Legacy Management
  15. Community involvement
      [Diagram of the SAMM model layers, positioned between "Community driven" and "Project driven"]
      • Core structure: Business functions, practices, streams
      • Evaluation model: Questions, quality criteria, measurement model
      • Activity model: Objective, activities, dependencies, metrics
      • Supporting information & tools: Guidance, references, supporting tools
      • Community feedback
  16. Translations
      Localization management: crowdin.com/project/owasp-samm
      • Spanish: Juan Calderón
      • Portuguese: Hugo Fumero
      • Brazilian Portuguese: Raphael Hagi
      • German: Tanja Noll
      • French: Romuald Szkudlarek
      • Turkish: Ender Akbas
      • Chinese: Wang Ji
      • Indonesian: Ade Yoseman
      • Japanese: Riotaro Okada
  17. SAMM benchmarking
      • How do I compare?
      • What works for similar organizations?
      • Updating the data model for 1.5-2.x
      • Trending and population visualizations
      • Integration with online assessment
      • Work scheduled during this summer
      • Please donate SAMM data sets!
      • Have cycles? Join this track!
      owaspsamm.org/benchmarking, [email protected]
  18. Our roadmap
      • Continuous: minor fixes
      • Wrap-up: PDF
      • v2.1 (ongoing): Translations, mappings
      • v2.2 (Fall 2021): Activity-specific guidance (references, agile, ...)
      • v2.3 (2022): online toolbox, open API
      • v3.0: tbd
  19. News / Become involved
      • Monthly community calls on the 2nd Wednesday of each month
      • Website: https://owaspsamm.org/
      • GitHub (new!): https://github.com/OWASPsamm
      • Slack: #project-samm (OWASP invitation: https://owasp-slack.herokuapp.com)
      • Newsletter (Mailchimp): http://eepurl.com/gl9fb9
      • Twitter: https://twitter.com/OwaspSAMM
      • LinkedIn: https://www.linkedin.com/company/owasp-samm