Upgrade to Pro — share decks privately, control downloads, hide ads and more …

"Evolution of Application Security Programs through OWASP SAMM 2.0", Yan Kravchenko

"Evolution of Application Security Programs through OWASP SAMM 2.0", Yan Kravchenko

47a3212bc9721c62f1135ead56569f17?s=128

OWASP Moscow

June 11, 2021
Tweet

Transcript

  1. Evolution of Application Security Programs through OWASP SAMM 2.0 OWASP

    Moscow Virtual Meetup 2021.1 June 11, 2021 Yan Kravchenko, CSSLP, CISSP, CISA, CISM
  2. What is SAMM? The mission of OWASP SAMM is to

    be the prime maturity model for software assurance that provides an effective and measurable way for all types of organizations to analyze and improve their software security posture. OWASP SAMM supports the complete software lifecycle, including development and acquisition, and is technology and process agnostic. It is intentionally built to be evolutive and risk-driven in nature.
  3. SAMM project leaders Bart De Win Sebastien (Seba) Deleersnyder

  4. The SAMM core team Nessim Kisserli Brett Crawley Chris Cooper

    John DiLeo Patricia Duarte Sebastián Arriada Daniel Kefer John Kennedy Brian Glas Yan Kravchenko Hardik Parekh John Ellingsworth
  5. SAMM Sponsors owaspsamm.org/sponsors

  6. Why OWASP SAMM? ü Application development experience is rare among

    Information Security Professionals ü Improving security should be aligned with improving efficiency and productivity ü Facilitates roadmaps for implementation of new technologies and eliminating “technology debt” ü Global community-supported guidance
  7. A Little OWASP SAMM History… 2009 OpenSAMM 1.0 Funded by

    Fortify Security 2016 OWASP SAMM 1.1 Added implementation guides 2017 OWASP SAMM 1.5 Changed scoring model 2018 OWASP SAMM 2.0 The "DevOps Release" 2020 OWASP SAMM 2.1 Translations/Mapping
  8. OWASP SAMM 1.5

  9. Evolution of programming Languages Why do we need so many

    programming languages?
  10. Interpreted vs. Compiled Languages Compiled Hard to learn Requires Training

    Faster Stand-alone Commercial dependencies Interpreted Easy to learn Amateur Friendly Slower Dependencies Open-Source dependencies
  11. Evolution of Computing Architecture

  12. Infrastructure as Code Infrastructure is re-deployed with each build System

    hardening through build configurations Software Defined Networking by design Automated large-scale configuration management
  13. Evolution of Methodologies

  14. Requirements Analysis / Design Implementation Testing / Verification Deployment /

    Maintenance Constantly Changing Idea Design Code Test Deploy Idea Design Code Test Idea Design Code Test Idea Design Code Test Idea Design Code Test Build Deploy Cloud
  15. How Different Are They? Design Design Design Code Code Test

    Test Code Test Code Test Deploy Deploy Waterfall Agile DevOps
  16. SAMM 2.0 Structure Governance Design Implementation (New) Verification Operations

  17. Core structure

  18. SAMM 2.0 - Governance Governance Strategy & Metrics • Create

    and Promote • Measure and Improve Policy & Compliance • Policy and Standards • Compliance Management Education & Guidance • Training and Awareness • Organization and Culture
  19. SAMM 2.0 - Design Design Threat Assessment • Application Risk

    Profile • Threat Modeling Security Requirements • Software Requirements • Supplier Security Security Architecture • Architecture Design • Technology Management
  20. SAMM 2.0 - Implementation Implementation Secure Build • Build Process

    • Software Dependencies Secure Deployment • Deployment Process • Secret Management Defect Management • Defect Tracking • Metrics and Feedback
  21. SAMM 2.0 - Verification Verification Architecture Assessment • Architecture Assessment

    • Architecture Mitigation Requirements Driven Testing • Control Verification • Misuse / Abuse Testing Security Testing • Scalable Baseline • Deep Understanding
  22. SAMM 2.0 - Operations Operations Incident Management • Incident Detection

    • Incident Response Environment Management • Configuration Hardening • Patching and Updating Operational Management • Data Management • System Decommissioning / Legacy Management
  23. Visit our website owaspsamm.org github.com/OWASP/samm

  24. Community involvement Community driven Project driven Core structure Business functions,

    practices, streams Evaluation model Questions, quality criteria, measurement model Activity model Objective, activities, dependencies, metrics Supporting information & tools Guidance, references, supporting tools Community feedback
  25. SAMM “Suite” • New GitHub organization • Loosely coupled subprojects

  26. Translations Localization management crowdin.com/project/owasp-samm Spanish Juan Calderón Portuguese Hugo Fumero

    Brazilian Portuguese Raphael Hagi German Tanja Noll French Romuald Szkudlarek Turkish Ender Akbas Chinese Wang Ji Indonesian Ade Yoseman Japanese Riotaro Okada
  27. SAMM benchmarking • How do I compare? • What works

    for similar organizations? • Updating the data model for 1.5-2.x • Trending and population visualizations • Integration with online assessment • Work scheduled during this summer • Please donate SAMM data sets! • Have cycles? Join this track! owaspsamm.org/benchmarking brian.glas@owasp.org
  28. Our roadmap • Continuous: minor fixes • Wrap-up: PDF •

    v2.1 (ongoing): Translations, mappings • v2.2 (Fall 2021): Activity-specific guidance (references, agile, ...) • V2.3 (2022): online toolbox, open API • V3.0: tbd
  29. News / Become involved • Monthly community calls each 2dn

    Wednesday of the month • Website https://owaspsamm.org/ • Github https://github.com/OWASPsamm - New! • Slack #project-samm OWASP invitation https://owasp-slack.herokuapp.com • Newsletter (Mailchimp) http://eepurl.com/gl9fb9 • Twitter https://twitter.com/OwaspSAMM • LinkedIn https://www.linkedin.com/company/owasp-samm
  30. Вопросы / Ответы Ян Кравченко (@yanfosec) yan.Kravchenko@owasp.org https://www.linkedin.com/in/yankravchenko/

  31. Спасибо!