Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OWASP SAMM Ver.2 Introduction JP

Akitsugu Ito
February 08, 2020

OWASP SAMM Ver.2 Introduction JP

OWASP Sendai Day 2020 にて OWASP SAMM v2 に関してプレゼンしました。
日本語に関しては私個人の抄訳になります。

Akitsugu Ito

February 08, 2020
Tweet

More Decks by Akitsugu Ito

Other Decks in Technology

Transcript

  1. Agenda • What is OWASP SAMM? • Topics – Mapping

    SAMM 1.5 To 2.0 – Security Champion – Requirement Focus – Data & Lifecycle Management
  2. Requirement Design Develop Testing Implement Operation ① Requirement OWASP Top

    10 Project ② Design Development OWASP Cheat Sheet Series OWASP Application Security Verification Standard (ASVS) OWASP Security Shepherd OWASP Security Knowledge Framework ③ Testing OWASP Zed Attack Proxy OWASP Juice Shop OWASP Web Security Testing Guide OWASP Mobile Security Testing Guide ④ Implement Operation OWASP ModSecurity Core Rule Set OWASP APPSensor OWASP CSRFGuard OWASP Dependency Check OWASP Dependency Track
  3. Requirement Design Development Testing Implement Operation 開発・運用のライフサイクル全体をセキュアにする ① Requirement OWASP

    Top 10 Project ② Design Development OWASP Cheat Sheet Series OWASP Application Security Verification Standard (ASVS) OWASP Security Shepherd OWASP Security Knowledge Framework ③ Testing OWASP Zed Attack Proxy OWASP Juice Shop OWASP Web Security Testing Guide OWASP Mobile Security Testing Guide ④ Implement Operation OWASP ModSecurity Core Rule Set OWASP APPSensor OWASP CSRFGuard OWASP Dependency Check OWASP Dependency Track
  4. OWASP SAMM • OWASP Software Assurance Maturity Model • あらゆる種類の組織がソフトウェアセキュリ

    ティを分析および改善するためのアセスメント フレームワーク • 最新版は Version 2.0 (2020/1/31 リリース) https://owaspsamm.org/ 過去のプレゼンテーション
  5. 文書構造 ビジネス 機能 セキュリティ 対策 実施内容 A セキュリティ 目標 Lv1

    実施内容 B セキュリティ 目標 Lv2 セキュリティ 目標 Lv3
  6. ビジネス機能 – Business Function Governance Design Verification Operations 組織がソフトウェア開発活動全体を管理する方法 組織が開発プロジェクト内で目標を定義し、ソフト

    ウェアを開発する方法 組織がソフトウェアコンポーネントとその関連する欠 陥を管理し、構築およびデプロイする方法 組織がソフトウェア開発全体で生成されたアーティ ファクトを確認し、テストする方法 機密性、整合性、および可用性が、アプリケーション とそれに関連するデータの運用期間全体にわたって 維持されるようにする Implementation
  7. セキュリティ対策 – Governance Governance Strategy & Metrics Policy & Compliance

    Education & Guidance Create and Promote Measure and Improve Policy & Standards Compliance Management Training and Awareness Organization and Culture
  8. セキュリティ対策 – Design Threat Assessment Security Requirements Security Architecture Application

    Risk Profile Threat Modeling Software Requirements Supplier Security Architecture Design Technology Management Design
  9. セキュリティ対策 – Implementation Secure Build Secure Deployment Defect Management Build

    Process Software Dependencies Deployment Process Secret Management Defect Tracking Metrics and Feedback Implementation
  10. セキュリティ対策 – Verification Architecture Assessment Requirements-driven Testing Security Testing Architecture

    Validation Architecture Mitigation Control Verification Misuse/Abuse Testing Scalable Baseline Deep Understanding Verification
  11. セキュリティ対策 – Operations Incident Management Environment Management Operational Management Incident

    Detection Incident Response Configuration Hardening Patching and Updating Data Protection System Decommissioning / Legacy Management Operations
  12. セキュリティ目標 - Objectives Governance Strategy & Metrics SM1 セキュリティプログラムの有効性を測定する目的と手段を特定する SM2

    組織内のソフトウェアセキュリティに関する統一された戦略的 ロードマップを確立する SM3 セキュリティの取り組みを、関連する組織の指標と資産価値に併 せる
  13. 実施内容 (SM1) - Streams セキュリティプログラムの有効性を測定する目的と手段を特定する 組織の経営層のリスク選好度を把握する 組織の経営層が一連のリスクを承認する 資産とデータに対する主要なビジネスおよび技術上の脅威を特定する リスクを文書化し、アクセス可能な場所に保管する [実施内容

    A] 組織のリスク選好度を識別する [実施内容 B] 基礎的なセキュリティメトリクスを定義する ソースの説明、測定範囲、およびアプリケーションセキュリティの傾向を説明するための使 用方法に関するガイダンスなど、各メトリックを文書化する。 メトリックには、取り組みの測定値、結果、環境測定カテゴリが含まれる。 多くのメトリクスは頻繁に測定され、収集が簡単または安価であり、基数またはパーセン テージとして表される。 アプリケーションセキュリティおよび開発チームはメトリックを公開する
  14. アセスメント方法 Governance Strategy & Metrics (SM1) アプリケーションに対する組織全体のリスク選好度を理解していますか? - いいえ -

    はい、一般的なリスクはカバーされています。 - はい、組織特有のリスクもカバーされています。 - はい、リスクと機会がカバーされています。 [実施内容 A] 組織のリスク選好度を識別する [実施内容 B] 基礎的なセキュリティメトリクスを定義する 一連のメトリクスを使用して、アプリケーション全体のセキュリティプログラムの有効性と効 率を測定しますか? - いいえ - はい、1つのカテゴリについて測定しています。 - はい、2つのカテゴリについて測定しています。 - はい、3つ以上のカテゴリについて測定しています。
  15. 新しいビジネス機能 - Implementation Secure Build Secure Deployment Defect Management Build

    Process Software Dependencies Deployment Process Secret Management Defect Tracking Metrics and Feedback Implementation
  16. セキュリティ対策 (SD) Secure Deployment (SD) SD1 デプロイプロセスは完全に文書化されている。 SD2 デプロイプロセスには、セキュリティ検証のマイルストーンが含まれる。 SD3

    デプロイプロセスは完全に自動化されており、すべての重要なマ イルストーンの自動検証が組み込まれている。 Implementation
  17. セキュリティ対策 (DM) Defect Management (DM) DM1 すべての欠陥は各プロジェクト内で追跡される。 DM2 デプロイプロセスに影響を与える欠陥が追跡される DM3

    複数のコンポーネントをまたいで欠陥が追跡され、新しい欠陥を 減らすことに貢献する Implementation
  18. 欠陥管理 (DM2) デプロイプロセスに影響を与える欠陥が追跡される 単一の重大度スキームが組織全体のすべての欠陥に適用される スキームには、特定の重大度クラスを修正するためのSLAが含まれる SLA へのコンプライアンスを定期的に報告する [実施内容 A] セキュリティ欠陥の評価と追跡

    [実施内容 B] 高度な欠陥メトリクスを定義する 欠陥のカテゴリと分類のメトリクスを文書化し、それらを最新の状態に保つ 経営陣は、欠陥に関する情報を定期的に受け取り、年内に対処する セキュリティの欠陥に関する技術的な詳細をチーム間で定期的に共有する
  19. Requirement Focus (SR3) すべてのソフトウェアプロジェクトおよび サードパーティの依存関係に対するセキュリティ要件プロセスを義務付ける プロジェクトチームは、セキュリティ要件フレームワークを利用できる フレームワークは、共通の要件と標準ベースの要件に分類される フレームワークは、要件の品質とその説明方法に関する明確なガイダンスを提供する フレームワークは、特定のビジネス要件に適応できる [Stream

    A]セキュリティ要件フレームワークを開発する [Stream B]セキュリティ方法論をサプライヤーと整合させる 3rd Party ベンダーには、組織で使用されているものと整合するセキュアなビルド、セキュ アな展開、欠陥管理、インシデント管理を含むセキュアなSDLCがある。 すべてのメジャーリリースの前に、ソリューションが品質とセキュリティの目標を満たして いることを確認する 標準検証プロセスが利用できない場合は、ソフトウェア構成分析や独立した侵入テストな どの代替コントロールを使用する
  20. Requirement Focus (RT2) 基本的な脆弱性やその他のセキュリティ問題を日和見的に発見する 各アプリケーションに合わせてテストを調整し、予想されるセキュリティ機能を アサーションする テスト結果を合格条件または不合格条件としてキャプチャする テストでは、標準化されたフレームワークまたはDSLを使用する [実施内容 A]

    要件からセキュリティテストケースを定義して実行する [実施内容 B] 要件からセキュリティアブユースケースを定義して実行する 重要なビジネス機能には、対応するアブユースケースがあります 明確に定義された動機と特性を備えた関連するペルソナと、悪用ストーリーを構 築する 特定された弱点をセキュリティ要件として把握する
  21. Data & Lifecycle Management (OM2) 管理された応答プロセス データカタログはアクセス可能な場所に保存される。 特定の規制の対象となるデータ要素を認識している 存続期間を通じてデータを保護および保存するためのコントロールがある データの保持要件があり、関連する保持期間が終了した後、タイムリーにバックアップを

    破棄する [Stream A]データカタログを確立する [Stream B] 廃止措置プロセスの正式なものにする 製品のすべてのリリースバージョンのサポート状態を、アクセス可能な場所に文書化する このプロセスには、EoL に達したサードパーティ製アプリケーション、またはアプリケーショ ンの依存関係の置き換えまたは、アップグレードが含まれる 動作環境には、不明なアカウント、ファイアウォールルール、またはその他の構成アーティ ファクトが含まれていない
  22. SAMM Benchmarking https://owaspsamm.org/benchmarking/ アプリケーションまたはソフトウェアのセキュリティプログラムの 組織の成熟度に関連する最も包括的なデータセットを収集する Contributor Name (org or anon)

    Contributor Contact Email Date assessment conducted (MM/YYYY) Type of Assessment (Self or 3rd Party) Answers to the SAMM Assessment Questions Geographic Region (Global, North America, EU, Asia, other) Primary Industry (Multiple, Financial, Industrial, Software, ??) Approximate number of developers Approximate number of primary appsec (1-5, 6-10, 11-20, 20+) Approximate number of secondary appsec (0-20, 21-50, 51-100, 100+) Primary SDL Methodology (Waterfall, Agile, DevOps, Other)
  23. OWASP SAMM • Model Structure • Recommended Procedure Software Assurance

    Maturity Model • Security Champion • Requirement Focus / Data & Life Cycle Management • SAMM Benchmark Topics
  24. Security Activities (SM) Governance Strategy & Metrics (SM) SM1 Identify

    objectives and means of measuring effectiveness of the security program. SM2 Establish a unified strategic roadmap for software security within the organization. SM3 Align security efforts with the relevant organizational indicators and asset values.
  25. Strategy & Metrics (SM1) Identify objectives and means of measuring

    effectiveness of the security program. You capture the risk appetite of your organization’s executive leadership The organization’s leadership vet and approve the set of risks You identify the main business and technical threats to your assets and data You document risks and store them in an accessible location [Stream A] Identify the organization’s risk appetite [Stream B] Define basic security metrics You document each metric, including a description of the sources, measurement coverage, and guidance on how to use it to explain application security trends Metrics include measures of efforts, results, and the environment measurement categories Most of the metrics are frequently measured, easy or inexpensive to gather, and expressed as a cardinal number or a percentage Application security and development teams publish metrics
  26. Strategy & Metrics (SM2) Establish a unified strategic roadmap for

    software security within the organization. The plan reflects the organization’s business priorities and risk appetite The plan includes measurable milestones and a budget The plan is consistent with the organization’s business drivers and risks The plan lays out a roadmap for strategic and tactical initiatives You have buy-in from stakeholders, including development teams [Stream A] Define the security strategy [Stream B] Set strategic KPIs You defined KPIs after gathering enough information to establish realistic objectives You developed KPIs with the buy-in from the leadership and teams responsible for application security KPIs are available to the application teams and include acceptability thresholds and guidance in case teams need to take action Success of the application security program is clearly visible based on defined KPIs
  27. Strategy & Metrics (SM3) You review and update the plan

    in response to significant changes in the business environment, the organization, or its risk appetite Plan update steps include reviewing the plan with all the stakeholders and updating the business drivers and strategies You adjust the plan and roadmap based on lessons learned from completed roadmap activities You publish progress information on roadmap activities, making sure they are available to all stakeholders [Stream A] Align security and business strategies [Stream B] Drive the security program through metrics You review KPIs at least yearly for their efficiency and effectiveness KPIs and application security metrics trigger most of the changes to the application security strategy Align security efforts with the relevant organizational indicators and asset values.
  28. Security Activities (PC) Governance Policy & Compliance (PC) PC1 Identify

    and document governance and compliance drivers relevant to the organization. PC2 Establish application-specific security and compliance baseline. PC3 Measure adherence to policies, standards, and 3rd-party requirements.
  29. Policy & Compliance (PC1) Identify and document governance and compliance

    drivers relevant to the organization. You have adapted existing standards appropriate for the organization’s industry to account for domain specific considerations Your standards are aligned with your policies and incorporate technology- specific implementation guidance [Stream A] Define policies and standards [Stream B] Identify compliance requirements You have identified all sources of external compliance obligations You have captured and reconciled compliance obligations from all sources
  30. Policy & Compliance (PC2) Establish application-specific security and compliance baseline.

    You create verification checklists and test scripts where applicable, aligned with the policy’s requirements and the implementation guidance in the associated standards You create versions adapted to each development methodology and technology the organization uses [Stream A] Develop test procedures [Stream B] Standardize policy and compliance requirements You map each external compliance obligation to a well-defined set of application requirements You define verification procedures, including automated tests, to verify compliance with compliance related requirements
  31. Policy & Compliance (PC3) Measure adherence to policies, standards, and

    3rd-party requirements. You have procedures (automated, if possible) to regularly generate compliance reports You deliver compliance reports to all relevant stakeholders Stakeholders use the reported compliance status information to identify areas for improvement [Stream A] Measure compliance to policies and standards [Stream B] Measure compliance to external requirements You have established, well-defined compliance metrics You measure and report on applications’ compliance metrics regularly Stakeholders use the reported compliance status information to identify compliance gaps and prioritize gap remediation efforts
  32. Security Activities (EG) Governance Education & Guidance (EG) EG1 Offer

    staff access to resources around the topics of secure development and deployment. EG2 Educate all personnel in the software lifecycle with technology and role specific guidance on secure development. EG3 Develop in-house training programs facilitated by developers across different teams.
  33. Education & Guidance (EG1) Offer staff access to resources around

    the topics of secure development and deployment. Training is repeatable, consistent, and available to anyone involved with software development lifecycle Training includes the latest OWASP Top 10 if appropriate and includes concepts such as Least Privilege, Defense-in-Depth, Fail Secure (Safe), Complete Mediation, Session Management, Open Design, and Psychological Acceptability Training requires a sign-off or an acknowledgement from attendees You have updated the training in the last 12 months Training is required during employees’ onboarding process [Stream A] Train all stakeholders for awareness [Stream B] Identify security champions Security Champions receive appropriate training Application Security and Development teams receive periodic briefings from Security Champions on the overall status of security initiatives and fixes The Security Champion reviews the results of external testing before adding to the application backlog
  34. Education & Guidance (EG2) Educate all personnel in the software

    lifecycle with technology and role specific guidance on secure development. Training includes all topics from maturity level 1, and adds more specific tools, techniques, and demonstrations Training is mandatory for all employees and contractors Training includes input from in-house SMEs and trainees Training includes demonstrations of tools and techniques developed in-house You use feedback to enhance and make future training more relevant [Stream A] Customize security training [Stream B] Implement centers of excellence The SSCE has a charter defining its role in the organization (SSCE: Secure Software Center of Excellence) Development teams review all significant architectural changes with the SSCE The SSCE publishes SDLC standards and guidelines related to Application Security Product Champions are responsible for promoting the use of specific security tools
  35. Education & Guidance (EG3) Develop in-house training programs facilitated by

    developers across different teams. A Learning Management System (LMS) is used to track trainings and certifications Training is based on internal standards, policies, and procedures You use certification programs or attendance records to determine access to development systems and resources [Stream A] Standardize security guidance [Stream B] Establish a security community The organization promotes use of a single portal across different teams and business units The portal is used for timely information such as notification of security incidents, tool updates, architectural standard changes, and other related announcements The portal is widely recognized by developers and architects as a centralized repository of the organization-specific application security information All content is considered persistent and searchable The portal provides access to application-specific security metrics
  36. Security Activities (TA) Threat Assessment (TA) TA1 Consider security explicitly

    during the software requirements process. TA2 Increase granularity of security requirements derived from business logic and known risks. TA3 Mandate security requirements process for all software projects and third-party dependencies. Design
  37. Threat Assessment (TA1) Consider security explicitly during the software requirements

    process. An agreed-upon risk classification exists The application team understands the risk classification The risk classification covers critical aspects of business risks the organization is facing The organization has an inventory for the applications in scope [Stream A] Perform application risk assessments [Stream B] Define basic security metrics You document each metric, including a description of the sources, measurement coverage, and guidance on how to use it to explain application security trends Metrics include measures of efforts, results, and the environment measurement categories Most of the metrics are frequently measured, easy or inexpensive to gather, and expressed as a cardinal number or a percentage Application security and development teams publish metrics
  38. Threat Assessment (TA2) Increase granularity of security requirements derived from

    business logic and known risks. The application risk profile is in line with the organizational risk standard The application risk profile covers impact to security and privacy You validate the quality of the risk profile manually and/or automatically The application risk profiles are stored in a central inventory [Stream A] Inventorize risk profiles [Stream B] Standardize and scale threat modeling You train your architects, security champions, and other stakeholders on how to do practical threat modeling Your threat modeling methodology includes at least diagramming, threat identification, design flaw mitigations, and how to validate your threat model artifacts Changes in the application or business context trigger a review of the relevant threat models You capture the threat modeling artifacts with tools that are used by your application teams
  39. Threat Assessment (TA3) Mandate security requirements process for all software

    projects and third-party dependencies. The organizational risk standard considers historical feedback to improve the evaluation method Significant changes in the application or business context trigger a review of the relevant risk profiles [Stream A] Periodic review of risk profiles [Stream B] Optimize threat modeling The threat model methodology considers historical feedback for improvement You regularly (e.g., yearly) review the existing threat models to verify that no new threats are relevant for your applications You automate parts of your threat modeling process with threat modeling tools
  40. Security Activities (SR) Security Requirements (SR) SR1 Consider security explicitly

    during the software requirements process. SR2 Increase granularity of security requirements derived from business logic and known risks. SR3 Mandate security requirements process for all software projects and third-party dependencies. Design
  41. Security Requirements (SR1) Consider security explicitly during the software requirements

    process. Teams derive security requirements from functional requirements and customer or organization concerns Security requirements are specific, measurable, and reasonable Security requirements are in line with the organizational baseline [Stream A] Identify security requirements [Stream B] Perform vendor assessments You consider including specific security requirements, activities, and processes when creating third-party agreements A vendor questionnaire is available and used to assess the strengths and weaknesses of your suppliers
  42. Security Requirements (SR2) Increase granularity of security requirements derived from

    business logic and known risks. The application risk profile is in line with the organizational risk standard The application risk profile covers impact to security and privacy You validate the quality of the risk profile manually and/or automatically The application risk profiles are stored in a central inventory [Stream A] Perform application risk assessments [Stream B] Standardize and scale threat modeling You train your architects, security champions, and other stakeholders on how to do practical threat modeling Your threat modeling methodology includes at least diagramming, threat identification, design flaw mitigations, and how to validate your threat model artifacts Changes in the application or business context trigger a review of the relevant threat models You capture the threat modeling artifacts with tools that are used by your application teams
  43. Security Requirements (SR3) Mandate security requirements process for all software

    projects and third-party dependencies. A security requirements framework is available for project teams The framework is categorized by common requirements and standards-based requirements The framework gives clear guidance on the quality of requirements and how to describe them The framework is adaptable to specific business requirements [Stream A] Develop a security requirements framework [Stream B] Align security methodology with suppliers The vendor has a secure SDLC that includes secure build, secure deployment, defect management, and incident management that align with those used in your organization You verify the solution meets quality and security objectives before every major release When standard verification processes are not available, you use compensating controls such as software composition analysis and independent penetration testing
  44. Security Activities (SA) Security Architecture (SA) SA1 Insert consideration of

    proactive security guidance into the software design process. SA2 Direct the software design process toward known secure services and secure-by-default designs. SA3 Formally control the software design process and validate utilization of secure components. Design
  45. Security Architecture (SA1) Insert consideration of proactive security guidance into

    the software design process. You have an agreed upon checklist of security principles You store your checklist in an accessible location Relevant stakeholders understand security principles [Stream A] Adhere to basic security principles [Stream B] Identify tools and technologies You have a list of the most important technologies used in or in support of each application You identify and track technological risks You ensure the risks to these technologies are in line with the organizational baseline
  46. Security Architecture (SA2) Direct the software design process toward known

    secure services and secure-by-default designs. You have a documented list of reusable security services, available to relevant stakeholders You have reviewed the baseline security posture for each selected service Your designers are trained to integrate each selected service following available guidance [Stream A] Provide preferred security solutions [Stream B] Promote preferred tools and technologies The list is based on technologies used in the software portfolio Lead architects and developers review and approve the list You share the list across the organization You review and update the list at least yearly
  47. Security Architecture (SA3) Formally control the software design process and

    validate utilization of secure components. You have one or more approved reference architectures documented and available to stakeholders You improve the reference architectures continuously based on insights and best practices You provide a set of components, libraries, and tools to implement each reference architecture [Stream A] Build reference architectures [Stream B] Enforce the use of recommended technologies You monitor applications regularly for the correct use of the recommended technologies You solve violations against the list according to organizational policies You take action if the number of violations falls outside the yearly objectives
  48. Security Activities (SB) Secure Build (SB) SB1 Build process is

    repeatable and consistent. SB2 Build process is optimized and fully integrated into the workflow. SB3 Build process helps prevent known defects from entering the production environment Implementation
  49. Secure Build (SB1) Build process is repeatable and consistent. You

    have enough information to recreate the build processes Your build documentation up to date Your build documentation is stored in an accessible location Produced artifact checksums are created during build to support later verification You harden the tools that are used within the build process [Stream A] Define a consistent build process [Stream B] Identify application dependencies You have a current bill of materials (BOM) for every application You can quickly find out which applications are affected by a particular CVE You have analyzed, addressed, and documented findings from dependencies at least once in the last three months
  50. Secure Build (SB2) Build process is optimized and fully integrated

    into the workflow. The build process itself doesn’t require any human interaction Your build tools are hardened as per best practice and vendor guidance You encrypt the secrets required by the build tools and control access based on the principle of least privilege [Stream A] Automate the build process [Stream B] Review application dependencies for security You keep a list of approved dependencies that meet predefined criteria You automatically evaluate dependencies for new CVEs and alert responsible staff You automatically detect and alert to license changes with possible impact on legal application usage You track and alert to usage of unmaintained dependencies You reliably detect and remove unnecessary dependencies from the software
  51. Secure Build (SB3) Build process helps prevent known defects from

    entering the production environment Builds fail if the application doesn’t meet a predefined security baseline You have a maximum accepted severity for vulnerabilities You log warnings and failures in a centralized system You select and configure tools to evaluate each application against its security requirements at least once a year [Stream A] Enforce a security baseline during build [Stream B] Test application dependencies Your build system is connected to a system for tracking 3rd party dependency risk, causing build to fail unless the vulnerability is evaluated to be a false positive or the risk is explicitly accepted You scan your dependencies using a static analysis tool You report findings back to dependency authors using an established responsible disclosure process Using a new dependency not evaluated for security risks causes the build to fail
  52. Security Activities (SD) Secure Deployment (SD) SD1 Deployment processes are

    fully documented. SD2 Deployment processes include security verification milestones. SD3 Deployment process is fully automated and incorporates automated verification of all critical milestones. Implementation
  53. Secure Deployment (SD1) Deployment processes are fully documented. You have

    enough information to run the deployment processes Your deployment documentation up to date Your deployment documentation is accessible to relevant stakeholders You ensure that only defined qualified personnel can trigger a deployment You harden the tools that are used within the deployment process [Stream A] Use a repeatable deployment process [Stream B] Protect application secrets in configuration and code You store production secrets protected in a secured location Developers do not have access to production secrets Production secrets are not available in non-production environments
  54. Secure Deployment (SD2) Deployment processes include security verification milestones. Deployment

    processes are automated on all stages Deployment includes automated security testing procedures You alert responsible staff to identified vulnerabilities You have logs available for your past deployments for a defined period of time [Stream A] Automate deployment and integrate security checks [Stream B] Include application secrets during deployment Source code files no longer contain active application secrets Under normal circumstances, no humans access secrets during deployment procedures You log and alert to any abnormal access to secrets
  55. Secure Deployment (SD3) Deployment process is fully automated and incorporates

    automated verification of all critical milestones. You prevent or roll back deployment if you detect an integrity breach The verification is done against signatures created during the build time If checking of signatures is not possible (e.g. externally build software), you introduce compensating measures [Stream A] Verify the integrity of deployment artifacts [Stream B] Enforce lifecycle management of application secrets You generate and synchronize secrets using a vetted solution Secrets are different between different application instances Secrets are regularly updated
  56. Security Activities (DM) Defect Management (DM) DM1 All defects are

    tracked within each project. DM2 Defect tracking used to influence the deployment process. DM3 Defect tracking across multiple components is used to help reduce the number of new defects. Implementation
  57. Defect Management (DM1) All defects are tracked within each project.

    You can easily get an overview of all security defects impacting one application You have at least a rudimentary classification scheme in place The process includes a strategy for handling false positives and duplicate entries The defect management system covers defects from various sources and activities [Stream A] Track security defects centrally [Stream B] Define basic defect metrics You analyzed your recorded metrics at least once in the last year At least basic information about this initiative is recorded and available You have identified and carried out at least one quick win activity based on the data
  58. Defect Management (DM2) Defect tracking used to influence the deployment

    process. A single severity scheme is applied to all defects across the organization The scheme includes SLAs for fixing particular severity classes You regularly report compliance to SLAs [Stream A] Rate and track security defects [Stream B] Define advanced defect metrics You document metrics for defect classification and categorization and keep them up to date Executive management regularly receives information about defects and has acted upon it in the last year You regularly share technical details about security defects among teams
  59. Defect Management (DM3) Defect tracking across multiple components is used

    to help reduce the number of new defects. You automatically alert of SLA breaches and transfer respective defects to the risk management process You integrate relevant tooling (e.g. monitoring, build, deployment) with the defect management system [Stream A] Enforce an SLA for defect management [Stream B] Use metrics to improve the security strategy You have analyzed the effectiveness of the security metrics at least once in the last year Where possible, you verify the correctness of the data automatically The metrics is aggregated with other sources like threat intelligence or incident management You derived at least one strategic activity from the metrics in the last year
  60. Security Activities (AA) Architecture Assessment (AA) AA1 Review the architecture

    to ensure baseline mitigations are in place for typical risks. AA2 Review the complete provision of security mechanisms in the architecture. AA3 Review the architecture effectiveness and feedback results to improve the security architecture. Verification
  61. Architecture Assessment (AA1) Review the architecture to ensure baseline mitigations

    are in place for typical risks. You have an agreed upon model of the overall software architecture You include components, interfaces, and integrations in the architecture model You verify the correct provision of general security mechanisms You log missing security controls as defects [Stream A] Assess application architecture [Stream B] Evaluate architecture for typical threats You have an agreed upon model of the overall software architecture Security savvy staff conduct the review You consider different types of threats, including insider and data-related one
  62. Architecture Assessment (AA2) Review the complete provision of security mechanisms

    in the architecture. You review compliance with internal and external requirements You systematically review each interface in the system You use a formalized review method and structured validation You log missing security mechanisms as defects [Stream A] Verify the application architecture for security methodically [Stream B] Structurally verify the architecture for identified threats You systematically review each threat identified in the Threat Assessment Trained or experienced people lead review exercise You identify mitigating design-level features for each identified threat You log unhandled threats as defects
  63. Architecture Assessment (AA3) Review the architecture effectiveness and feedback results

    to improve the security architecture. You evaluate the preventive, detective, and response capabilities of security controls You evaluate the strategy alignment, appropriate support, and scalability of security controls You evaluate the effectiveness at least yearly You log identified shortcomings as defects [Stream A] Verify the effectiveness of security components [Stream B] Feed review results back to improve reference architectures You assess your architectures in a standardized, documented manner You use recurring findings to trigger a review of reference architectures You independently review the quality of the architecture assessments on an ad-hoc basis You use reference architecture updates to trigger reviews of relevant shared solutions, in a risk-based manner
  64. Security Activities (RT) Requirements-driven Testing (RT) RT1 Opportunistically find basic

    vulnerabilities and other security issues. RT2 Perform implementation review to discover application-specific risks against the security requirements. RT3 Maintain the application security level after bug fixes, changes or during maintenance. Verification
  65. Requirements-driven Testing (RT1) Opportunistically find basic vulnerabilities and other security

    issues. Security testing at least verifies the implementation of authentication, access control, input validation, encoding and escaping data, and encryption controls Security testing executes whenever the application changes its use of the controls [Stream A] Test the effectiveness of security controls [Stream B] Perform fuzz testing Testing covers most or all of the application’s main input parameters You record and inspect all application crashes for security impact on a best-effort basis
  66. Requirements-driven Testing (RT2) Opportunistically find basic vulnerabilities and other security

    issues. You tailor tests to each application and assert expected security functionality You capture test results as a pass or fail condition Tests use a standardized framework or DSL [Stream A] Define and run security test cases from requirements [Stream B] Define and run security abuse cases from requirements Important business functionality has corresponding abuse cases You build abuse stories around relevant personas with well-defined motivations and characteristics You capture identified weaknesses as security requirements
  67. Requirements-driven Testing (RT3) Maintain the application security level after bug

    fixes, changes or during maintenance. You consistently write tests for all identified bugs (possibly exceeding a pre- defined severity threshold) You collect security tests in a test suite that is part of the existing unit testing framework [Stream A] Automate security requirements testing [Stream B] Perform security stress testing Stress tests target specific application resources (e.g. memory exhaustion by saving large amounts of data to a user session) You design tests around relevant personas with well-defined capabilities (knowledge, resources) You feed the results back to the Design practices
  68. Security Activities (ST) Security Testing (ST) RT1 Perform security testing

    (both manual and tool based) to discover security defects. RT2 Make security testing during development more complete and efficient through automation complemented with regular manual security penetration tests. RT3 Embed security testing as part of the development and deployment processes. Verification
  69. Security Testing (ST1) Perform security testing (both manual and tool

    based) to discover security defects. You dynamically generate inputs for security tests using automated tools You choose the security testing tools to fit the organization’s architecture and technology stack, and balance depth and accuracy of inspection with usability of findings to the organization [Stream A] Perform automated security testing [Stream B] Test high risk application components manually Criteria exist to help the reviewer focus on high-risk components Qualified personnel conduct reviews following documented guidelines You address findings in accordance with the organization’s defect management policy
  70. Security Testing (ST2) Make security testing during development more complete

    and efficient through automation complemented with regular manual security penetration tests. You tune and select tool features which match your application or technology stack You minimize false positives by silencing or automatically filter irrelevant warnings or low probability findings You minimize false negatives by leverage tool extensions or DSLs to customize tools for your application or organizational standards [Stream A] Develop application-specific security test cases [Stream B] Establish a penetration testing process Penetration testing uses application-specific security test cases to evaluate security Penetration testing looks for both technical and logical issues in the application Stakeholders review the test results and handle them in accordance with the organization’s risk management Qualified personnel performs penetration testing
  71. Security Testing (ST3) Embed security testing as part of the

    development and deployment processes. Management and business stakeholders track and review test results throughout the development cycle You merge test results into a central dashboard and feed them into defect management [Stream A] Integrate security testing tools in the delivery pipeline [Stream B] Establish continuous, scalable security verification You use results from other security activities to improve integrated security testing during development You review test results and incorporate them into security awareness training and security testing playbooks Stakeholders review the test results and handle them in accordance with the organization’s risk management
  72. Security Activities (IM) Operations Incident Management (IM) IM1 Best-effort incident

    detection and handling. IM2 Formal incident management process in place. IM3 Mature incident management
  73. Incident Management (IM1) Best-effort incident detection and handling. You have

    a contact point for the creation of security incidents You analyze data in accordance with the log data retention periods The frequency of this analysis is aligned with the criticality of your applications [Stream A] Use best-effort incident detection [Stream B] Create an incident response plan You have a defined person or role for incident handling You document security incidents
  74. Incident Management (IM2) Formal incident management process in place. The

    process has a dedicated owner You store process documentation in an accessible location The process considers an escalation path for further analysis You train employees responsible for incident detection in this process You have a checklist of potential attacks to simplify incident detection [Stream A] Define an incident detection process [Stream B] Define and incident response process You have an agreed upon incident classification The process considers Root Case Analysis for high severity incidents Employees responsible for incident response are trained in this process Forensic analysis tooling is available
  75. Incident Management (IM3) Mature incident management You perform reviews at

    least annually You update the checklist of potential attacks with external and internal data [Stream A] Improve the incident detection process [Stream B] Establish an incident response team The team performs Root Cause Analysis for all security incidents unless there is a specific reason not to do so You review and update the response process at least annually
  76. Security Activities (EM) Operations Environment Management (EM) EM1 Best-effort patching

    and hardening EM2 Formal process with baselines in place EM3 Conformity with continuously improving process enforced
  77. Environment Management (EM1) Best-effort patching and hardening You have identified

    the key components in each technology stack used You have an established configuration standard for each key component [Stream A] Use best-effort hardening [Stream B] Practice best-effort patching You have an up-to-date list of components, including version information You regularly review public sources for vulnerabilities related to your components
  78. Environment Management (EM2) Formal process with baselines in place You

    have assigned an owner for each baseline The owner keeps their assigned baselines up to date You store baselines in an accessible location You train employees responsible for configurations in these baselines [Stream A] Establish hardening baselines [Stream B] Formalize patch management The process includes vendor information for third-party patches The process considers external sources to gather information about zero day attacks, and includes appropriate risk mitigation steps The process includes guidance for prioritizing component updates
  79. Environment Management (EM3) Conformity with continuously improving process enforced You

    perform conformity checks regularly, preferably using automation You store conformity check results in an accessible location You follow an established process to address reported non-conformities You review each baseline at least annually, and update it when required [Stream A] Perform continuous configuration monitoring [Stream B] Enforce timely patch management You update the list with components and versions You identify and update missing updates according to existing SLA You review and update the process based on feedback from the people who perform patching
  80. Security Activities (OM) Operations Operational Management (OM) OM1 Foundational Practices

    OM2 Managed, Responsive Processes OM3 Active Monitoring and Response
  81. Operational Management (OM1) Foundational Practices You know the data elements

    processed and stored by each application You know the type and sensitivity level of each identified data element You have controls to prevent propagation of unsanitized sensitive data from production to lower environments [Stream A] Organize basic data protections [Stream B] Identify unused applications You do not use unsupported applications or dependencies You manage customer/user migration from older versions for each product and customer/user group
  82. Operational Management (OM2) Managed, Responsive Processes The data catalog is

    stored in an accessible location You know which data elements are subject to specific regulation You have controls for protecting and preserving data throughout its lifetime You have retention requirements for data, and you destroy backups in a timely manner after the relevant retention period ends [Stream A] Establish a data catalog [Stream B] Formalize decommissioning process You document the status of support for all released versions of your products, in an accessible location The process includes replacement or upgrade of third-party applications, or application dependencies, that have reached end of life Operating environments do not contain orphaned accounts, firewall rules, or other configuration artifacts
  83. Operational Management (OM3) Active Monitoring and Response You have automated

    monitoring to detect attempted or actual violations of the Data Protection Policy You have tools for data loss prevention, access control and tracking, or anomalous behavior detection You periodically audit the operation of automated mechanisms, including backups and record deletions [Stream A] Respond to data breaches [Stream B] Review application lifecycle state regularly Your end of life management process is agreed upon You inform customers and user groups of product timelines to prevent disruption of service or support You review the process at least annually