Evolution of Application Security Programs through OWASP SAMM 2.0 OWASP Moscow Virtual Meetup 2021.1 June 11, 2021 Yan Kravchenko, CSSLP, CISSP, CISA, CISM

What is SAMM? The mission of OWASP SAMM is to be the prime maturity model for software assurance that provides an effective and measurable way for all types of organizations to analyze and improve their software security posture. OWASP SAMM supports the complete software lifecycle, including development and acquisition, and is technology and process agnostic. It is intentionally built to be evolutive and risk-driven in nature.

SAMM project leaders Bart De Win Sebastien (Seba) Deleersnyder

The SAMM core team Nessim Kisserli Brett Crawley Chris Cooper John DiLeo Patricia Duarte Sebastián Arriada Daniel Kefer John Kennedy Brian Glas Yan Kravchenko Hardik Parekh John Ellingsworth

SAMM Sponsors owaspsamm.org/sponsors

Why OWASP SAMM? ü Application development experience is rare among Information Security Professionals ü Improving security should be aligned with improving efficiency and productivity ü Facilitates roadmaps for implementation of new technologies and eliminating “technology debt” ü Global community-supported guidance

A Little OWASP SAMM History… 2009 OpenSAMM 1.0 Funded by Fortify Security 2016 OWASP SAMM 1.1 Added implementation guides 2017 OWASP SAMM 1.5 Changed scoring model 2018 OWASP SAMM 2.0 The "DevOps Release" 2020 OWASP SAMM 2.1 Translations/Mapping

OWASP SAMM 1.5

Evolution of programming Languages Why do we need so many programming languages?

Interpreted vs. Compiled Languages Compiled Hard to learn Requires Training Faster Stand-alone Commercial dependencies Interpreted Easy to learn Amateur Friendly Slower Dependencies Open-Source dependencies

Evolution of Computing Architecture

Infrastructure as Code Infrastructure is re-deployed with each build System hardening through build configurations Software Defined Networking by design Automated large-scale configuration management

Evolution of Methodologies

Requirements Analysis / Design Implementation Testing / Verification Deployment / Maintenance Constantly Changing Idea Design Code Test Deploy Idea Design Code Test Idea Design Code Test Idea Design Code Test Idea Design Code Test Build Deploy Cloud

How Different Are They? Design Design Design Code Code Test Test Code Test Code Test Deploy Deploy Waterfall Agile DevOps

SAMM 2.0 Structure Governance Design Implementation (New) Verification Operations

Core structure

SAMM 2.0 - Governance Governance Strategy & Metrics • Create and Promote • Measure and Improve Policy & Compliance • Policy and Standards • Compliance Management Education & Guidance • Training and Awareness • Organization and Culture

SAMM 2.0 - Design Design Threat Assessment • Application Risk Profile • Threat Modeling Security Requirements • Software Requirements • Supplier Security Security Architecture • Architecture Design • Technology Management

SAMM 2.0 - Implementation Implementation Secure Build • Build Process • Software Dependencies Secure Deployment • Deployment Process • Secret Management Defect Management • Defect Tracking • Metrics and Feedback

SAMM 2.0 - Verification Verification Architecture Assessment • Architecture Assessment • Architecture Mitigation Requirements Driven Testing • Control Verification • Misuse / Abuse Testing Security Testing • Scalable Baseline • Deep Understanding

SAMM 2.0 - Operations Operations Incident Management • Incident Detection • Incident Response Environment Management • Configuration Hardening • Patching and Updating Operational Management • Data Management • System Decommissioning / Legacy Management

Visit our website owaspsamm.org github.com/OWASP/samm

Community involvement Community driven Project driven Core structure Business functions, practices, streams Evaluation model Questions, quality criteria, measurement model Activity model Objective, activities, dependencies, metrics Supporting information & tools Guidance, references, supporting tools Community feedback

SAMM “Suite” ● New GitHub organization ● Loosely coupled subprojects

Translations Localization management crowdin.com/project/owasp-samm Spanish Juan Calderón Portuguese Hugo Fumero Brazilian Portuguese Raphael Hagi German Tanja Noll French Romuald Szkudlarek Turkish Ender Akbas Chinese Wang Ji Indonesian Ade Yoseman Japanese Riotaro Okada

SAMM benchmarking ● How do I compare? ● What works for similar organizations? ● Updating the data model for 1.5-2.x ● Trending and population visualizations ● Integration with online assessment ● Work scheduled during this summer ● Please donate SAMM data sets! ● Have cycles? Join this track! owaspsamm.org/benchmarking brian.glas@owasp.org

Our roadmap ● Continuous: minor fixes ● Wrap-up: PDF ● v2.1 (ongoing): Translations, mappings ● v2.2 (Fall 2021): Activity-specific guidance (references, agile, ...) ● V2.3 (2022): online toolbox, open API ● V3.0: tbd

News / Become involved ● Monthly community calls each 2dn Wednesday of the month ● Website https://owaspsamm.org/ ● Github https://github.com/OWASPsamm - New! ● Slack #project-samm OWASP invitation https://owasp-slack.herokuapp.com ● Newsletter (Mailchimp) http://eepurl.com/gl9fb9 ● Twitter https://twitter.com/OwaspSAMM ● LinkedIn https://www.linkedin.com/company/owasp-samm

Вопросы / Ответы Ян Кравченко (@yanfosec) yan.Kravchenko@owasp.org https://www.linkedin.com/in/yankravchenko/

Спасибо!