Slide 1

Evolution of Application Security Programs through OWASP SAMM 2.0
OWASP Moscow Virtual Meetup 2021.1, June 11, 2021
Yan Kravchenko, CSSLP, CISSP, CISA, CISM

Slide 2

What is SAMM?

The mission of OWASP SAMM is to be the prime maturity model for software assurance that provides an effective and measurable way for all types of organizations to analyze and improve their software security posture. OWASP SAMM supports the complete software lifecycle, including development and acquisition, and is technology and process agnostic. It is intentionally built to be evolutive and risk-driven in nature.

Slide 3

SAMM project leaders: Bart De Win, Sebastien (Seba) Deleersnyder

Slide 4

The SAMM core team: Nessim Kisserli, Brett Crawley, Chris Cooper, John DiLeo, Patricia Duarte, Sebastián Arriada, Daniel Kefer, John Kennedy, Brian Glas, Yan Kravchenko, Hardik Parekh, John Ellingsworth

Slide 5

SAMM Sponsors: owaspsamm.org/sponsors

Slide 6

Why OWASP SAMM?
● Application development experience is rare among Information Security Professionals
● Improving security should be aligned with improving efficiency and productivity
● Facilitates roadmaps for implementation of new technologies and eliminating “technology debt”
● Global community-supported guidance

Slide 7

A Little OWASP SAMM History…
2009 OpenSAMM 1.0: Funded by Fortify Security
2016 OWASP SAMM 1.1: Added implementation guides
2017 OWASP SAMM 1.5: Changed scoring model
2018 OWASP SAMM 2.0: The "DevOps Release"
2020 OWASP SAMM 2.1: Translations/Mapping

Slide 8

OWASP SAMM 1.5

Slide 9

Evolution of Programming Languages
Why do we need so many programming languages?

Slide 10

Interpreted vs. Compiled Languages

Compiled:
● Hard to learn
● Requires Training
● Faster
● Stand-alone
● Commercial dependencies

Interpreted:
● Easy to learn
● Amateur Friendly
● Slower
● Dependencies
● Open-Source dependencies

Slide 11

Evolution of Computing Architecture

Slide 12

Infrastructure as Code
● Infrastructure is re-deployed with each build
● System hardening through build configurations
● Software Defined Networking by design
● Automated large-scale configuration management

Slide 13

Evolution of Methodologies

Slide 14

[Diagram: a linear sequence of Requirements, Analysis / Design, Implementation, Testing / Verification, Deployment / Maintenance, contrasted with repeated Idea, Design, Code, Test, Deploy cycles under "Constantly Changing" requirements, ending in Build, Deploy, Cloud]

Slide 15

How Different Are They?
[Diagram comparing Waterfall, Agile and DevOps as sequences of Design, Code, Test and Deploy phases]

Slide 16

SAMM 2.0 Structure: Governance, Design, Implementation (New), Verification, Operations

Slide 17

Core structure

Slide 18

SAMM 2.0 - Governance

Strategy & Metrics
• Create and Promote
• Measure and Improve

Policy & Compliance
• Policy and Standards
• Compliance Management

Education & Guidance
• Training and Awareness
• Organization and Culture

Slide 19

SAMM 2.0 - Design

Threat Assessment
• Application Risk Profile
• Threat Modeling

Security Requirements
• Software Requirements
• Supplier Security

Security Architecture
• Architecture Design
• Technology Management

Slide 20

SAMM 2.0 - Implementation

Secure Build
• Build Process
• Software Dependencies

Secure Deployment
• Deployment Process
• Secret Management

Defect Management
• Defect Tracking
• Metrics and Feedback

Slide 21

SAMM 2.0 - Verification

Architecture Assessment
• Architecture Assessment
• Architecture Mitigation

Requirements Driven Testing
• Control Verification
• Misuse / Abuse Testing

Security Testing
• Scalable Baseline
• Deep Understanding

Slide 22

SAMM 2.0 - Operations

Incident Management
• Incident Detection
• Incident Response

Environment Management
• Configuration Hardening
• Patching and Updating

Operational Management
• Data Management
• System Decommissioning / Legacy Management

Slide 23

Visit our website: owaspsamm.org, github.com/OWASP/samm

Slide 24

Community involvement
[Diagram: layers ranging from community driven to project driven, with community feedback flowing back]
● Core structure: Business functions, practices, streams
● Evaluation model: Questions, quality criteria, measurement model
● Activity model: Objective, activities, dependencies, metrics
● Supporting information & tools: Guidance, references, supporting tools

Slide 25

SAMM “Suite”
● New GitHub organization
● Loosely coupled subprojects

Slide 26

Translations
Localization management: crowdin.com/project/owasp-samm
● Spanish: Juan Calderón
● Portuguese: Hugo Fumero
● Brazilian Portuguese: Raphael Hagi
● German: Tanja Noll
● French: Romuald Szkudlarek
● Turkish: Ender Akbas
● Chinese: Wang Ji
● Indonesian: Ade Yoseman
● Japanese: Riotaro Okada

Slide 27

SAMM benchmarking
● How do I compare?
● What works for similar organizations?
● Updating the data model for 1.5-2.x
● Trending and population visualizations
● Integration with online assessment
● Work scheduled during this summer
● Please donate SAMM data sets!
● Have cycles? Join this track!
owaspsamm.org/benchmarking
[email protected]

Slide 28

Our roadmap
● Continuous: minor fixes
● Wrap-up: PDF
● v2.1 (ongoing): Translations, mappings
● v2.2 (Fall 2021): Activity-specific guidance (references, agile, ...)
● v2.3 (2022): online toolbox, open API
● v3.0: tbd

Slide 29

News / Become involved
● Monthly community calls each 2nd Wednesday of the month
● Website: https://owaspsamm.org/
● GitHub: https://github.com/OWASPsamm - New!
● Slack: #project-samm, OWASP invitation https://owasp-slack.herokuapp.com
● Newsletter (Mailchimp): http://eepurl.com/gl9fb9
● Twitter: https://twitter.com/OwaspSAMM
● LinkedIn: https://www.linkedin.com/company/owasp-samm

Slide 30

Questions / Answers
Yan Kravchenko (@yanfosec)
[email protected]
https://www.linkedin.com/in/yankravchenko/

Slide 31

Thank you!