OpenSAMM Software Assurance Maturity Model. Seba Deleersnyder seba@owasp.org and Pravir Chandra chandra@list.org, SAMM project co-leaders. AppSec USA 2014 Project Talk

Post on 15-Dec-2015


Page 1: OpenSAMM Software Assurance Maturity Model Seba Deleersnyder seba@owasp.org SAMM project co-leaders Pravir Chandra chandra@list.org AppSec USA 2014 Project

OpenSAMM Software Assurance Maturity Model

Seba Deleersnyder seba@owasp.org

SAMM project co-leaders

Pravir Chandra chandra@list.org

AppSec USA 2014 Project Talk

Page 2

Agenda

• Integrating software assurance
• OpenSAMM
• Quick Start
• OWASP Projects / SAMM activities
• Resources & Self-Assessment
• Road Map
• Forum

Page 3

SAMM users

• Dell Inc
• KBC
• ING Insurance
• Gotham Digital Science
• HP Fortify
• ISG ...

Page 4

The web application security challenge

[Diagram: an application attack passing straight through the network layer (Firewall, Hardened OS, Web Server, App Server, Firewall) into the application layer (Custom Developed Application Code, Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing)]

You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks

Your security “perimeter” has huge holes at the application layer

Page 5

“Build in” software assurance

[Diagram: security activities placed along the lifecycle, from reactive (Production) to proactive (Design), under the heading Secure Development Lifecycle (SAMM)]

Design: security requirements / threat modeling

Build: coding guidelines, code reviews, static test tools

Test: security testing, dynamic test tools

Production: vulnerability scanning, WAF

Page 6

We need a Maturity Model

An organization’s behavior changes slowly over time: changes must be iterative while working toward long-term goals

There is no single recipe that works for all organizations: a solution must enable risk-based choices tailored to the organization

Guidance related to security activities must be prescriptive: a solution must provide enough details for non-security-people

Overall, must be simple, well-defined, and measurable

OWASP Software Assurance Maturity Model (SAMM)

Page 7

SAMM Security Practices

• From each of the Business Functions, 3 Security Practices are defined

• The Security Practices cover all areas relevant to software security assurance

• Each one is a ‘silo’ for improvement

Page 8

Under each Security Practice

• Three successive Objectives under each Practice define how it can be improved over time

• This establishes a notion of a Level at which an organization fulfills a given Practice

• The three Levels for a Practice generally correspond to:

  • (0: Implicit starting point with the Practice unfulfilled)

  • 1: Initial understanding and ad hoc provision of the Practice

  • 2: Increase efficiency and/or effectiveness of the Practice

  • 3: Comprehensive mastery of the Practice at scale

Page 9

Per Level, SAMM defines...

• Objective
• Activities
• Results
• Success Metrics
• Costs
• Personnel
• Related Levels

Page 10

Education & Guidance

Page 11

Education & Guidance

• Resources:
  • OWASP Top 10
  • OWASP Education
  • WebGoat

Give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime.

Chinese proverb

OWASP Top 10:

A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Failure to Restrict URL Access
A8: Insecure Cryptographic Storage
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
https://www.owasp.org/index.php/Category:OWASP_Education_Project
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

Page 12

OWASP Cheat Sheets

Developer Cheat Sheets (Builder)

• Authentication Cheat Sheet
• Choosing and Using Security Questions Cheat Sheet
• Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
• Cryptographic Storage Cheat Sheet
• DOM based XSS Prevention Cheat Sheet
• Forgot Password Cheat Sheet
• HTML5 Security Cheat Sheet
• Input Validation Cheat Sheet
• JAAS Cheat Sheet
• Logging Cheat Sheet
• OWASP Top Ten Cheat Sheet
• Query Parameterization Cheat Sheet
• Session Management Cheat Sheet
• SQL Injection Prevention Cheat Sheet
• Transport Layer Protection Cheat Sheet
• Web Service Security Cheat Sheet
• XSS (Cross Site Scripting) Prevention Cheat Sheet
• User Privacy Protection Cheat Sheet

Assessment Cheat Sheets (Breaker)

• Attack Surface Analysis Cheat Sheet
• XSS Filter Evasion Cheat Sheet

Mobile Cheat Sheets

• iOS Developer Cheat Sheet
• Mobile Jailbreaking Cheat Sheet

Draft Cheat Sheets

• Access Control Cheat Sheet
• Application Security Architecture Cheat Sheet
• Clickjacking Cheat Sheet
• Password Storage Cheat Sheet
• PHP Security Cheat Sheet
• REST Security Cheat Sheet
• Secure Coding Cheat Sheet
• Secure SDLC Cheat Sheet
• Threat Modeling Cheat Sheet
• Virtual Patching Cheat Sheet
• Web Application Security Testing Cheat Sheet

https://www.owasp.org/index.php/Cheat_Sheets

Page 13

SAMM Quick Start

ASSESS: questionnaire

GOAL: gap analysis

PLAN: roadmap

IMPLEMENT: OWASP resources

Page 14

Assess

• SAMM includes assessment worksheets for each Security Practice

Page 15

Goal

• Gap analysis
  • Capturing scores from detailed assessments versus expected performance levels

• Demonstrating improvement
  • Capturing scores from before and after an iteration of assurance program build-out

• Ongoing measurement
  • Capturing scores over consistent time frames for an assurance program that is already in place
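The three measurement goals on this slide can be computed directly from per-practice scores. The following Python is an added example, not code from the deck or from the SAMM project; the practice codes and Business Functions are taken from the coverage slide later in the deck, while the assessed scores and the roadmap target are constructed sample data.

```python
"""Gap analysis, improvement tracking and per-function roll-up over SAMM practice scores.
Added example; practice codes are from the deck, all scores below are constructed."""
from typing import Dict, Tuple

# SAMM Business Functions and their three Security Practices (as on the coverage slide).
FUNCTIONS: Dict[str, Tuple[str, str, str]] = {
    "Governance":   ("SM", "PC", "EG"),
    "Construction": ("TA", "SR", "SA"),
    "Verification": ("DR", "CR", "ST"),
    "Deployment":   ("VM", "EH", "OE"),
}
PRACTICES = [p for ps in FUNCTIONS.values() for p in ps]

def validate(scores: Dict[str, int]) -> None:
    """Every practice must be scored, at a level from 0 (unfulfilled) to 3 (mastery at scale)."""
    missing = set(PRACTICES) - set(scores)
    if missing:
        raise ValueError(f"missing practices: {sorted(missing)}")
    for practice, level in scores.items():
        if practice not in PRACTICES or level not in (0, 1, 2, 3):
            raise ValueError(f"invalid score {practice}={level}")

def gap_analysis(assessed: Dict[str, int], target: Dict[str, int]) -> Dict[str, int]:
    """Practices that fall short of the roadmap target, with the number of levels still to climb."""
    validate(assessed)
    validate(target)
    return {p: target[p] - assessed[p] for p in PRACTICES if assessed[p] < target[p]}

def improvement(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Level change per practice between two assessment iterations (negative = regression)."""
    validate(before)
    validate(after)
    return {p: after[p] - before[p] for p in PRACTICES if after[p] != before[p]}

def function_scores(scores: Dict[str, int]) -> Dict[str, int]:
    """Roll practice levels up to one score per Business Function (0..9)."""
    validate(scores)
    return {fn: sum(scores[p] for p in ps) for fn, ps in FUNCTIONS.items()}

# Constructed sample data: first assessment, roadmap target, and the re-assessment one iteration later.
ASSESSED_BEFORE = dict(SM=1, PC=0, EG=2, TA=0, SR=1, SA=1, DR=0, CR=1, ST=1, VM=1, EH=1, OE=0)
TARGET          = dict(SM=2, PC=1, EG=2, TA=1, SR=2, SA=2, DR=1, CR=2, ST=3, VM=2, EH=2, OE=1)
ASSESSED_AFTER  = dict(SM=2, PC=1, EG=2, TA=0, SR=1, SA=2, DR=1, CR=1, ST=2, VM=0, EH=2, OE=1)

if __name__ == "__main__":
    print("gaps before:", gap_analysis(ASSESSED_BEFORE, TARGET))        # ST needs two levels
    print("improvement:", improvement(ASSESSED_BEFORE, ASSESSED_AFTER))  # VM regressed by one
    print("gaps after: ", gap_analysis(ASSESSED_AFTER, TARGET))
    print("per function:", function_scores(ASSESSED_AFTER))
```

Ongoing measurement is the same call repeated over consistent time frames, so a regression such as VM dropping a level shows up as a negative entry rather than being hidden in a total.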

Page 16

Plan

• Roadmaps: to make the “building blocks” usable.

• Roadmap templates for typical kinds of organizations:
  • Independent Software Vendors
  • Online Service Providers
  • Financial Services Organizations
  • Government Organizations

• Tune these to your own targets / speed

Page 17

150+ OWASP resources

PROTECT

Tools: AntiSamy Java/.NET, Enterprise Security API (ESAPI), ModSecurity Core Rule Set Project

Docs: Development Guide, .NET, Ruby on Rails Security Guide, Secure Coding Practices - Quick Reference Guide

DETECT

Tools: JBroFuzz, Live CD, WebScarab, Zed Attack Proxy

Docs: Application Security Verification Standard, Code Review Guide, Testing Guide, Top Ten Project

LIFE CYCLE

SAMM, WebGoat, Legal Project

Page 18

Critical Success Factors

• Get initiative buy-in from all stakeholders
• Adopt a risk-based approach
• Awareness / education is the foundation
• Integrate security in your development / acquisition and deployment processes
• Measure: Provide management visibility

Page 19

SAMM Resources

www.opensamm.org

• Presentations
• Quick Start (to be released)
• Assessment worksheets / templates
• Roadmap templates
• Translations (Spanish, Japanese, …)
• SAMM mappings to ISO/IEC 27034 – BSIMM – PCI (to be released)

Page 20

NEW: Self-Assessment Online

https://ssa.asteriskinfosec.com.au

Page 21

Mapping Projects / SAMM

Labs projects:

Project | Type | Level | SAMM Practice
Broken Web Applications | Tools | Labs | EG1
CSRFTester | Tools | Labs | ST1
EnDe | Tools | Labs | ST1
Fiddler Addons for Security Testing | Tools | Labs | ST1
Forward Exploit Tool | Tools | Labs | ST1
Hackademic Challenges | Tools | Labs | EG1
Hatkit Datafiddler | Tools | Labs | ST1
Hatkit Proxy | Tools | Labs | ST1
HTTP POST | Tools | Labs | ST1
Java XML Templates | Tools | Labs | SA2
JavaScript Sandboxes | Tools | Labs | not applicable
Joomla Vulnerability Scanner | Tools | Labs | ST1
LAPSE | Tools | Labs | CR2
Mantra Security Framework | Tools | Labs | ST1
Mutillidae | Tools | Labs | EG1
O2 | Tools | Labs | ST2
Orizon | Tools | Labs | CR2
Scrubbr | Tools | Labs | ST1
Security Assurance Testing of Virtual Worlds | Tools | Labs | ST1
Vicnum | Tools | Labs | EG1
Wapiti | Tools | Labs | ST1
Web Browser Testing System | Tools | Labs | ST1
WebScarab | Tools | Labs | ST1
Webslayer | Tools | Labs | ST1
WSFuzzer | Tools | Labs | ST1
Yasca | Tools | Labs | CR2
AppSec Tutorials | Documentation | Labs | EG1
AppSensor | Documentation | Labs | EH3
AppSensor | Documentation | Labs | SA2
Cloud 10 | Documentation | Labs | EG1
CTF | Documentation | Labs | EG1
Fuzzing Code | Documentation | Labs | ST1
Legal | Documentation | Labs | SR3
Podcast | Documentation | Labs | EG1
Virtual Patching Best Practices | Documentation | Labs | EH3

Flagship projects:

Project | Type | Level | SAMM Practice | Remarks (where given)
AntiSamy | Code | Flagship | SA2
Enterprise Security API | Code | Flagship | SA3
ModSecurity Core Rule Set | Code | Flagship | EH3
CSRFGuard | Code | Flagship | SA2
Web Testing Environment | Tools | Flagship | ST2
WebGoat | Tools | Flagship | EG2
Zed Attack Proxy | Tools | Flagship | ST2
Application Security Verification Standard | Documentation | Flagship | DR2 | ASVS-L4
Application Security Verification Standard | Documentation | Flagship | CR3 | ASVS-L4
Application Security Verification Standard | Documentation | Flagship | ST3 | ASVS-L4
Code Review Guide | Documentation | Flagship | CR1
Codes of Conduct | Documentation | Flagship | not applicable
Development Guide | Documentation | Flagship | EG1
Secure Coding Practices - Quick Reference Guide | Documentation | Flagship | SR1
Software Assurance Maturity Model | Documentation | Flagship | SM1 | Recursiveness :-)
Testing Guide | Documentation | Flagship | ST1
Top Ten | Documentation | Flagship | EG1

Page 22

Flagship Projects Coverage

Number of OWASP projects per SAMM practice level (the counts match the Labs and Flagship projects mapped on the previous slide):

Business Function | Security Practice | Level 1 | Level 2 | Level 3 | Practice total | Function total
Governance | Strategy & Metrics (SM) | 1 | 0 | 0 | 1 | 12
Governance | Policy & Compliance (PC) | 0 | 0 | 0 | 0 |
Governance | Education & Guidance (EG) | 10 | 1 | 0 | 11 |
Construction | Threat Assessment (TA) | 0 | 0 | 0 | 0 | 7
Construction | Security Requirements (SR) | 1 | 0 | 1 | 2 |
Construction | Security Architecture (SA) | 0 | 4 | 1 | 5 |
Verification | Design Review (DR) | 0 | 1 | 0 | 1 | 28
Verification | Code Review (CR) | 1 | 3 | 1 | 5 |
Verification | Security Testing (ST) | 18 | 3 | 1 | 22 |
Deployment | Vulnerability Management (VM) | 0 | 0 | 0 | 0 | 3
Deployment | Environment Hardening (EH) | 0 | 0 | 3 | 3 |
Deployment | Operational Hardening (OE) | 0 | 0 | 0 | 0 |

Page 23

SAMM Roadmap

Build the SAMM community:
• Grow list of SAMM adopters
• Workshops at conferences
• Dedicated SAMM summit

V1.1:
• Incorporate Quick Start / tools / guidance / OWASP projects
• Revamp SAMM wiki

V2.0:
• Revise scoring model
• Model revision necessary? (12 practices, 3 levels, ...)
• Application to agile
• Roadmap planning: how to measure effort?
• Presentations & teaching material
• …

Page 24

SAMM Forum

Page 25

Get involved

• SAMM “Work”-shop tomorrow 1PM-5PM 16th floor
• Project mailing list / work packages
• Use and donate (feed)back!
• Donate resources
• Sponsor SAMM

Page 26

Measure & Improve!

OpenSAMM.org