Strategic Usage of the OWASP SAMM and DSOMM
Timo Pagel
Agenda
● Introduction/Motivation
● High Level Approaches
● Detailed Usage
● Conclusion
About Me
● DevSecOps Consultant
● Lecturer for Security in Web Applications at different Universities
● Open Source / Open Knowledge Enthusiast
  ● OWASP DevSecOps Maturity Model
  ● OWASP Juice Shop
  ● OWASP Security Pins
  ● OWASP DefectDojo
  ● OWASP Software Assurance Maturity Model
Target Audience
● Security People (Information and Technical Security)
● Technical Upper Management (CTO)
● Enthusiastic Developers, Operators, C-Level
DevOps encourages a cultural change to overcome the friction created by silos.
● Speed / Fast Releases
● Independent Teams
● Different Skills
● Automation
Problem Statement: Security
● How to enhance security?
  ● In DevOps-Strategies
  ● Through DevOps-Strategies
● How to prioritize?
DevOps Dimensions
● Build and Deployment
● Culture and Organisation
● Information Gathering
● Hardening
● Test and Verification
Target of Security Maturity Models
Analyse current software security practices, build a security program in defined iterations, show progressive improvements in secure practices, and define and measure security-related activities.
Based on Brian Glas, https://owaspsamm.org/blog/2020/10/29/comparing-bsimm-and-samm/
Agenda
● Introduction/Motivation
● High Level Approaches
● Usage
● Conclusion
Simplified view on ISO 27001 | OWASP SAMM | OWASP DSOMM
[Figure: layered view from "High Level" down to "Doing"]
● ISMS (ISO 27001)
● OWASP SAMM: Governance, Implementation, Verification, ... (SAMM Practices)
● DSOMM Dimensions: Build & Deployment, Culture and Org., Test and Verification, ...
● DSOMM Dynamic Depth Activities: Simple Scan, Usage of different roles, JavaScript, ...
Target Groups
● SAMM 2.0:
  ● Security: Assessment
  ● Engineers/CTO: Spider web
  ● C-Level Management: Spider web and definition of targets
Audit / Compliance View
[Figure: the layered view from "High Level" (ISMS) down to "Doing" (DSOMM Dynamic Depth Activities: Simple Scan, Usage of different roles, JavaScript, ...), seen from the audit/compliance perspective]
SAMM and DSOMM
SAMM:
● "Standard" -> High level overview
● Management topics like compliance and governance
● Planning of high level targets
● Mapping to ISO in the future
DSOMM:
● Emerging -> Low level overview
● Only DevSecOps topics
● Planning of concrete targets
● Mapping to ISO/SAMM
● ISMS: documentation in DSOMM
Mapping to and ISO 27001
Sample Target Groups
SAMM:
● Security: Assessment
● Engineers/CTO: Spider web
● C-Level: Spider web and definition of targets
DSOMM:
● Security: Assessment & Pre-Selection of targets
● Engineers/CTO: Discussion of how to implement
● All: Heatmap/number of planned/implemented activities
Strategic Approaches
● Top-to-Bottom
● Team Independency by Maturity
● Interactive with Teams
Approach: Top-to-Bottom
● Management Support
  ● to define targets with the management for the next 3-24 months
  ● to define activities
Approach: Team Independency by Maturity
● Pre-Requirement: C-Level is convinced
● Definition of maturity levels for teams and their "independency"
  ● Is a team allowed to roll out software on their own?
  ● Is a pentest required for each rollout?
● Show maturity: Belts
Approach: Interactive with Teams
● Definition of targets with the team
  ● What is your plan for the next 6 months?
Hint: Developers/Operations are not security people -> explaining each activity is time consuming -> reduction of activities needed
DSOMM Adoption
● needs to be customized
● Remove/Add planned activities and present the targets to the teams from the data/<dimension>.yaml files
Spider Web Diagram with Heatmap
Start a container with a customized selectedData.csv (ro)
[Figure: DSOMM Communication ACTUAL/TARGET spider web with heatmap]
Requirements / Level 0
● Onboard Product Owner, Manager in Security
● Get to Know Security Policies
● Continuously Improve your Security Belt Rank
● Review Security Belt Activities
● Utilize Pairing when Starting an Activity
Based On: AppSecure-nrw White Belt, https://github.com/AppSecure-nrw/security-belts/tree/master/white
Agenda
● Introduction/Motivation
● High Level Approaches
● Usage
● Conclusion
SAMM Structure
● Business Function
  ● Security Practice (sub categories)
    ● Stream A / Stream B: logical flows, divided into two streams
      ● Maturity Level 1 Activity, Maturity Level 2 Activity, Maturity Level 3 Activity (higher is better)
DSOMM Structure
● DevOps Dimension (category)
  ● Sub-Dimension (sub category)
    ● Maturity Level 1 Activity, Maturity Level 2 Activity, Maturity Level 3 Activity, Maturity Level 4 Activity (higher is better)
DevSecOps Dimensions
● Build and Deployment
● Culture and Organisation
● Information Gathering
● Hardening
● Test and Verification
Build and Deployment: Example Reduction of the attack surface
[Figure: the activity located in the DSOMM structure: Dimension -> Sub-Dimension -> Activity]
Maturity Levels
Level 1: Basic understanding of security practices
Level 2: Adoption of basic security practices
Level 3: High adoption of security practices
Level 4: Advanced deployment of security practices at scale
White Spots
Areas where activities would be important -> No Activity
Implementation | Secure Build | Build Process
Level 1: Determine a value for each generated artifact that can be later used to verify its integrity [...]
Level 2: The automated process [...] code signing certificate or access to repositories.
and Structure in Detail
● Made for management, very schematic
● Always follows the scheme
● No empty levels
Examples: Verification | Security Testing, Implementation | Defect Management
Missing In DSOMM
+-------+----------+--------------+-----------------------------+----------+-------------------------------------------+
| index | id | function | practice | maturity | stream |
+-------+----------+--------------+-----------------------------+----------+-------------------------------------------+
| 36 | G-PC-1-A | Governance | Policy & Compliance | 1 | Policy & Standards |
| 44 | G-PC-1-B | Governance | Policy & Compliance | 1 | Compliance Management |
| 31 | G-PC-2-A | Governance | Policy & Compliance | 2 | Policy & Standards |
| 33 | G-PC-2-B | Governance | Policy & Compliance | 2 | Compliance Management |
| 24 | G-PC-3-A | Governance | Policy & Compliance | 3 | Policy & Standards |
| 67 | G-PC-3-B | Governance | Policy & Compliance | 3 | Compliance Management |
| 9 | O-OM-1-A | Operations | Operational Management | 1 | Data Protection |
| 2 | O-OM-1-B | Operations | Operational Management | 1 | System Decomissioning / Legacy Management |
| 63 | O-OM-2-A | Operations | Operational Management | 2 | Data Protection |
| 19 | O-OM-2-B | Operations | Operational Management | 2 | System Decomissioning / Legacy Management |
| 41 | O-OM-3-A | Operations | Operational Management | 3 | Data Protection |
| 68 | O-OM-3-B | Operations | Operational Management | 3 | System Decomissioning / Legacy Management |
[...]
Based on dsomm-orm https://github.com/ioggstream/dsomm-orm/blob/main/mysql-queries.yaml from Roberto Polli
Comparison of Models
Count in DSOMM / SAMM level | SAMM Governance | SAMM Design | SAMM Implementation | SAMM Verification | SAMM Operations
SAMM 1                      | 0               | 3           | 8                   | 12                | 32
SAMM 2                      | 0               | 0           | 12                  | 24                | 11
SAMM 3                      | 0               | 0           | 1                   | 5                 | 1
Based on dsomm-orm https://github.com/ioggstream/dsomm-orm/blob/main/mysql-queries.yaml from Roberto Polli
Comparison of Models
Count/Level | D-TA* | I-DM* | I-SB* | I-SD* | O-EM* | O-IM* | O-SR* | V-ST* | G*
1           | 3     | 3     | 2     | 3     | 23    | 8     | 1     | 12    | 0
2           | 0     | 7     | 2     | 3     | 0     | 10    | 1     | 24    | 0
3           | 0     | 0     | 1     | 0     | 0     | 0     | 1     | 5     | 0
Based on dsomm-orm https://github.com/ioggstream/dsomm-orm/blob/main/mysql-queries.yaml from Roberto Polli
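As an added example (not the dsomm-orm queries and not the DSOMM project's own code), the following Python reproduces both views above on a constructed sample: the per-SAMM-function and per-level counts of the "Comparison of Models" tables, and the "Missing in DSOMM" streams that no activity maps to. It assumes each DSOMM activity carries a samm2 list of SAMM 2.0 activity ids of the form Function-Practice-Level-Stream (e.g. I-SB-1-A); the activities and the stream list are constructed subsets, not the full models.

```python
import re
from collections import Counter

# SAMM 2.0 activity ids look like I-SB-1-A: function, practice, level, stream.
SAMM_ID = re.compile(r"^([GDIVO])-([A-Z]{2})-([123])-([AB])$")
FUNCTION_NAMES = {"G": "Governance", "D": "Design", "I": "Implementation",
                  "V": "Verification", "O": "Operations"}

# Constructed subset of SAMM 2.0 streams (function-practice-stream -> name).
SAMM_STREAMS = {
    "G-PC-A": "Policy & Standards",
    "G-PC-B": "Compliance Management",
    "I-SB-A": "Build Process",
    "I-SB-B": "Software Dependencies",
    "O-EM-B": "Patching and Updating",
}

# Constructed DSOMM-like data: dimension -> sub-dimension -> activity -> fields.
# The real project keeps this in data/<dimension>.yaml; it is embedded as a
# dict here so the example runs offline without a YAML parser.
DSOMM = {
    "Build and Deployment": {
        "Build": {
            "Defined build process": {"level": 1, "samm2": ["I-SB-1-A"]},
            "Signing of artifacts": {"level": 3, "samm2": ["I-SB-2-A"]},
            "Local build only": {"level": 1, "samm2": []},  # no SAMM mapping
        },
        "Patch Management": {
            "A patch policy is defined": {"level": 1, "samm2": ["O-EM-1-B"]},
            "Nightly patching": {"level": 2, "samm2": ["O-EM-1-B", "O-EM-2-B"]},
        },
    },
}

def parse_samm_id(samm_id):
    """Split 'I-SB-1-A' into (function, practice, level, stream); reject junk."""
    match = SAMM_ID.match(samm_id)
    if not match:
        raise ValueError(f"not a SAMM 2.0 activity id: {samm_id!r}")
    func, practice, level, stream = match.groups()
    return func, practice, int(level), stream

def iter_activities(model):
    # Flatten dimension -> sub-dimension -> activity into the activity dicts.
    for sub_dimensions in model.values():
        for activities in sub_dimensions.values():
            yield from activities.values()

def count_per_function_level(model):
    """The 'Comparison of Models' table: {(samm_level, function_name): count}."""
    counts = Counter()
    for activity in iter_activities(model):
        for ref in activity["samm2"]:
            func, _, level, _ = parse_samm_id(ref)
            counts[(level, FUNCTION_NAMES[func])] += 1
    return counts

def missing_streams(model, streams=SAMM_STREAMS):
    """SAMM streams without any mapped DSOMM activity: the white spots."""
    covered = set()
    for activity in iter_activities(model):
        for ref in activity["samm2"]:
            func, practice, _, stream = parse_samm_id(ref)
            covered.add(f"{func}-{practice}-{stream}")
    return sorted(s for s in streams if s not in covered)
```

On the sample, count_per_function_level(DSOMM) yields Implementation 1/1 and Operations 2/1 for SAMM levels 1/2, and missing_streams(DSOMM) reports G-PC-A, G-PC-B and I-SB-B as uncovered.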
Analysis of Models
Analysis: Operations | Environment Management | Patching and Updating
● DSOMM needs to align level 1/2
● SAMM Level 3: "Develop and use management dashboards/reports to track compliance with patching processes and SLAs [...]" -> DSOMM Information Gathering
How Deep?
● SAMM: Perform best-effort hardening of configurations, based on readily available information.
● Removal of not needed components, dependencies, files or file access rights. Implementation hint: Distroless, Fedora CoreOS
● Usage of distroless images and a small operating system
Agenda
● Introduction/Motivation
● High Level Approaches
● Detailed Usage
● Conclusion and Outlook
Conclusion
● Assess and plan security strategy (with SAMM)
● Adapt DSOMM
● DSOMM might be 80% of your secure DevOps strategy
Next Steps, be involved!
● Better OWASP SAMM mapping visualization
● More and optimized activities
● DevSecOps Toolchain Categorization
Pull Requests with suggestions are welcome
Thank you. Questions?
https://owaspsamm.org
https://dsomm.timo-pagel.de