
The OWASP Foundation
http://www.owasp.org

OpenSAMM
Software Assurance Maturity Model

Seba Deleersnyder
[email protected]

OWASP Foundation Board Member
OWASP Belgium Chapter Leader
SAMM project co-leader

OWASP Europe Tour 2013
Geneva

The web application security challenge

[Diagram: a typical web architecture. A network firewall in front of a hardened OS running a web server and an app server, a second firewall behind them, and the back-end systems (databases, legacy systems, web services, directories, human resources, billing). Custom developed application code sits on top, and an "application attack" passes straight through the network layer into the application layer.]

You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks.

Your security “perimeter” has huge holes at the application layer.

“Build in” software assurance

[Diagram: the lifecycle phases Design, Build, Test and Production, with the security activities placed on a scale from reactive to proactive.]

Production (reactive): vulnerability scanning, WAF
Test: security testing, dynamic test tools
Build: coding guidelines, code reviews, static test tools
Design (proactive): security requirements / threat modeling

Secure Development Lifecycle (SAMM)

CLASP

• Comprehensive, Lightweight Application Security Process
• Centered around 7 AppSec Best Practices
• Cover the entire software lifecycle (not just development)
• Adaptable to any development process
• Defines roles across the SDLC
• 24 role-based process components
• Start small and dial-in to your needs

Touchpoints

• Gary McGraw’s and Cigital’s model

BSIMM

• Gary McGraw’s and Cigital’s model
• Quantifies activities of software security initiatives of 51 firms

BSIMM – OpenSAMM Mapping (derived from SAMM beta)

BSIMM Code | SAMM Code | BSIMM Activity | OpenSAMM Activity
-----------|-----------|----------------|------------------
SM 3.2 | 0 | run external marketing program |
T 3.3 | 0 | host external software security events |
CR 1.1 | CR 1.A | create top N bugs list (real data preferred) (T: training) | Create review checklists from known security requirements
CR 1.2 | CR 1.B | have SSG perform ad hoc review | Perform point-review of high-risk code
CR 1.4 | CR 2.A | use automated tools along with manual review | Utilize automated code analysis tools
CR 3.1 | CR 3.A | use automated tools with tailored rules | Customize code analysis for application-specific concerns
CR 3.3 | CR 3.A | build capability for eradicating specific bugs from entire codebase | Customize code analysis for application-specific concerns
CR 2.3 | CR 3.B | make code review mandatory for all projects | Establish release gates for code review
AA 1.1 | DR 1.B | perform security feature review | Analyze design against known security requirements
AA 2.1 | DR 2.A | define/use AA process | Inspect for complete provision of security mechanisms
AA 1.2 | DR 2.B | perform design review for high-risk applications | Deploy design review service for project teams
AA 1.3 | DR 2.B | have SSG lead review efforts | Deploy design review service for project teams
AA 2.2 | DR 3.A | standardize architectural descriptions (include data flow) | Develop data-flow diagrams for sensitive resources
SM 1.3 | EG 1.A | educate executives | Conduct technical security awareness training
T 1.1 | EG 1.A | provide awareness training | Conduct technical security awareness training
T 2.5 | EG 1.A | hold satellite training/events | Conduct technical security awareness training
SR 1.1 | EG 1.B | create security standards (T: sec features/design) | Build and maintain technical guidelines
SR 1.2 | EG 1.B | create security portal | Build and maintain technical guidelines
CP 2.5 | EG 2.A | promote executive awareness of compliance/privacy obligations | Conduct role-specific application security training
T 2.1 | EG 2.A | offer role-specific advanced curriculum (tools, technology stacks, bug parade) | Conduct role-specific application security training
T 2.2 | EG 2.A | create/use material specific to company history | Conduct role-specific application security training
T 2.4 | EG 2.A | offer on-demand individual training | Conduct role-specific application security training
T 3.2 | EG 2.A | provide training for vendors or outsource workers | Conduct role-specific application security training
T 3.4 | EG 2.A | require annual refresher | Conduct role-specific application security training
AA 2.3 | EG 2.B | make SSG available as AA resource/mentor | Utilize security coaches to enhance project teams
AA 3.1 | EG 2.B | have software architects lead review efforts | Utilize security coaches to enhance project teams
AM 2.4 | EG 2.B | build internal forum to discuss attacks (T: standards/req) | Utilize security coaches to enhance project teams
CR 2.5 | EG 2.B | assign tool mentors | Utilize security coaches to enhance project teams
SM 2.3 | EG 2.B | create or grow social network/satellite system | Utilize security coaches to enhance project teams
T 1.3 | EG 2.B | establish SSG office hours | Utilize security coaches to enhance project teams

Lessons Learned

• Microsoft SDL: heavyweight, good for large ISVs
• Touchpoints: high-level, not enough details to execute against
• BSIMM: stats, but what to do with them?
• CLASP: large collection of activities, but no priority ordering
• ALL: good for experts to use as a guide, but hard for non-security folks to use off the shelf

We need a Maturity Model

• An organization’s behavior changes slowly over time. Changes must be iterative while working toward long-term goals.
• There is no single recipe that works for all organizations. A solution must enable risk-based choices tailored to the organization.
• Guidance related to security activities must be prescriptive. A solution must provide enough details for non-security people.
• Overall, it must be simple, well-defined, and measurable.

OWASP Software Assurance Maturity Model (SAMM)

https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model

SAMM Security Practices

• From each of the Business Functions, 3 Security Practices are defined
• The Security Practices cover all areas relevant to software security assurance
• Each one is a ‘silo’ for improvement

Under each Security Practice

• Three successive Objectives under each Practice define how it can be improved over time
• This establishes a notion of a Level at which an organization fulfills a given Practice
• The three Levels for a Practice generally correspond to:
  • (0: Implicit starting point with the Practice unfulfilled)
  • 1: Initial understanding and ad hoc provision of the Practice
  • 2: Increase efficiency and/or effectiveness of the Practice
  • 3: Comprehensive mastery of the Practice at scale

Per Level, SAMM defines...

• Objective
• Activities
• Results
• Success Metrics
• Costs
• Personnel
• Related Levels

Strategy & Metrics

Policy & Compliance

Education & Guidance

Resources:

• OWASP Top 10
• OWASP Education
• WebGoat

“Give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime.” (Chinese proverb)

OWASP Top 10:

A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Failure to Restrict URL Access
A8: Insecure Cryptographic Storage
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
https://www.owasp.org/index.php/Category:OWASP_Education_Project
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

OWASP Cheat Sheets

Developer Cheat Sheets (Builder):

• Authentication Cheat Sheet
• Choosing and Using Security Questions Cheat Sheet
• Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
• Cryptographic Storage Cheat Sheet
• DOM based XSS Prevention Cheat Sheet
• Forgot Password Cheat Sheet
• HTML5 Security Cheat Sheet
• Input Validation Cheat Sheet
• JAAS Cheat Sheet
• Logging Cheat Sheet
• OWASP Top Ten Cheat Sheet
• Query Parameterization Cheat Sheet
• Session Management Cheat Sheet
• SQL Injection Prevention Cheat Sheet
• Transport Layer Protection Cheat Sheet
• Web Service Security Cheat Sheet
• XSS (Cross Site Scripting) Prevention Cheat Sheet
• User Privacy Protection Cheat Sheet

Assessment Cheat Sheets (Breaker):

• Attack Surface Analysis Cheat Sheet
• XSS Filter Evasion Cheat Sheet

Mobile Cheat Sheets:

• IOS Developer Cheat Sheet
• Mobile Jailbreaking Cheat Sheet

Draft Cheat Sheets:

• Access Control Cheat Sheet
• Application Security Architecture Cheat Sheet
• Clickjacking Cheat Sheet
• Password Storage Cheat Sheet
• PHP Security Cheat Sheet
• REST Security Cheat Sheet
• Secure Coding Cheat Sheet
• Secure SDLC Cheat Sheet
• Threat Modeling Cheat Sheet
• Virtual Patching Cheat Sheet
• Web Application Security Testing Cheat Sheet

https://www.owasp.org/index.php/Cheat_Sheets

Threat Assessment

Security Requirements

Secure Coding Practices Quick Reference Guide

• Technology agnostic coding practices
• What to do, not how to do it
• Compact, but comprehensive checklist format
• Focuses on secure coding requirements, rather than on vulnerabilities and exploits
• Includes a cross-referenced glossary to get developers and security folks talking the same language

https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide

Secure Architecture

The OWASP Enterprise Security API

[Diagram: the custom enterprise web application calls the Enterprise Security API, which in turn wraps the existing enterprise security services/libraries.]

ESAPI components: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration

https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

Design Review

Code Review

Resources:

• OWASP Code Review Guide

SDL Integration:

• Multiple reviews defined as deliverables in your SDLC
• Structured, repeatable process with management support
• Reviews are exit criteria for the development and test phases

https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project

Code review tooling

Code review tools:

• OWASP LAPSE (Security scanner for Java EE Applications)
• MS FxCop / CAT.NET (Code Analysis Tool for .NET)
• Agnitio (open source manual source code review support tool)

https://www.owasp.org/index.php/OWASP_LAPSE_Project
http://www.microsoft.com/security/sdl/discover/implementation.aspx
http://agnitiotool.sourceforge.net/

Security Testing

Resources:

• OWASP ASVS
• OWASP Testing Guide

SDL Integration:

• Integrate dynamic security testing as part of your test cycles
• Derive test cases from the security requirements that apply
• Check business logic soundness as well as common vulnerabilities
• Review results with stakeholders prior to release

https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
https://www.owasp.org/index.php/OWASP_Testing_Project

Security Testing

• Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications
• Provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually

Features:

• Intercepting proxy
• Automated scanner
• Passive scanner
• Brute force scanner
• Spider
• Fuzzer
• Port scanner
• Dynamic SSL Certificates
• API
• Beanshell integration

https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Vulnerability Management

Environment Hardening

Web Application Firewalls

[Diagram: the web client (browser) sends both legitimate and malicious web traffic on port 80 through the network firewall; a web application firewall placed in front of the web server lets the legitimate traffic through and blocks the malicious traffic.]

ModSecurity: World's No. 1 open source Web Application Firewall (www.modsecurity.org)

• HTTP Traffic Logging
• Real-Time Monitoring and Attack Detection
• Attack Prevention and Just-in-time Patching
• Flexible Rule Engine
• Embedded Deployment (Apache, IIS7 and Nginx)
• Network-Based Deployment (reverse proxy)

OWASP ModSecurity Core Rule Set Project: a generic, plug-n-play set of WAF rules

https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

Operational Enablement

150+ OWASP Projects

PROTECT
Tools: AntiSamy Java/.NET, Enterprise Security API (ESAPI), ModSecurity Core Rule Set Project
Docs: Development Guide, .NET, Ruby on Rails Security Guide, Secure Coding Practices - Quick Reference Guide

DETECT
Tools: JBroFuzz, Live CD, WebScarab, Zed Attack Proxy
Docs: Application Security Verification Standard, Code Review Guide, Testing Guide, Top Ten Project

LIFE CYCLE
SAMM, WebGoat, Legal Project

Mapping Projects / SAMM

Project | Type | Level | SAMM Practice | Remarks
--------|------|-------|---------------|--------
Broken Web Applications | Tools | Labs | EG1 |
CSRFTester | Tools | Labs | ST1 |
EnDe | Tools | Labs | ST1 |
Fiddler Addons for Security Testing | Tools | Labs | ST1 |
Forward Exploit Tool | Tools | Labs | ST1 |
Hackademic Challenges | Tools | Labs | EG1 |
Hatkit Datafiddler | Tools | Labs | ST1 |
Hatkit Proxy | Tools | Labs | ST1 |
HTTP POST | Tools | Labs | ST1 |
Java XML Templates | Tools | Labs | SA2 |
JavaScript Sandboxes | Tools | Labs | not applicable |
Joomla Vulnerability Scanner | Tools | Labs | ST1 |
LAPSE | Tools | Labs | CR2 |
Mantra Security Framework | Tools | Labs | ST1 |
Mutillidae | Tools | Labs | EG1 |
O2 | Tools | Labs | ST2 |
Orizon | Tools | Labs | CR2 |
Scrubbr | Tools | Labs | ST1 |
Security Assurance Testing of Virtual Worlds | Tools | Labs | ST1 |
Vicnum | Tools | Labs | EG1 |
Wapiti | Tools | Labs | ST1 |
Web Browser Testing System | Tools | Labs | ST1 |
WebScarab | Tools | Labs | ST1 |
Webslayer | Tools | Labs | ST1 |
WSFuzzer | Tools | Labs | ST1 |
Yasca | Tools | Labs | CR2 |
AppSec Tutorials | Documentation | Labs | EG1 |
AppSensor | Documentation | Labs | EH3 |
AppSensor | Documentation | Labs | SA2 |
Cloud 10 | Documentation | Labs | EG1 |
CTF | Documentation | Labs | EG1 |
Fuzzing Code | Documentation | Labs | ST1 |
Legal | Documentation | Labs | SR3 |
Podcast | Documentation | Labs | EG1 |
Virtual Patching Best Practices | Documentation | Labs | EH3 |
AntiSamy | Code | Flagship | SA2 |
Enterprise Security API | Code | Flagship | SA3 |
ModSecurity Core Rule Set | Code | Flagship | EH3 |
CSRFGuard | Code | Flagship | SA2 |
Web Testing Environment | Tools | Flagship | ST2 |
WebGoat | Tools | Flagship | EG2 |
Zed Attack Proxy | Tools | Flagship | ST2 |
Application Security Verification Standard | Documentation | Flagship | DR2 | ASVS-L4
Application Security Verification Standard | Documentation | Flagship | CR3 | ASVS-L4
Application Security Verification Standard | Documentation | Flagship | ST3 | ASVS-L4
Code Review Guide | Documentation | Flagship | CR1 |
Codes of Conduct | Documentation | Flagship | not applicable |
Development Guide | Documentation | Flagship | EG1 |
Secure Coding Practices - Quick Reference Guide | Documentation | Flagship | SR1 |
Software Assurance Maturity Model | Documentation | Flagship | SM1 | Recursiveness :-)
Testing Guide | Documentation | Flagship | ST1 |
Top Ten | Documentation | Flagship | EG1 |

Coverage (number of mapped OWASP projects per Security Practice and Level)

Governance | Strategy & Metrics | Policy & Compliance | Education & Guidance | Total
-----------|--------------------|---------------------|----------------------|------
Level 1 | SM1: 1 | PC1: 0 | EG1: 10 |
Level 2 | SM2: 0 | PC2: 0 | EG2: 1 |
Level 3 | SM3: 0 | PC3: 0 | EG3: 0 |
Total | 1 | 0 | 11 | 12

Construction | Threat Assessment | Security Requirements | Secure Architecture | Total
-------------|-------------------|-----------------------|---------------------|------
Level 1 | TA1: 0 | SR1: 1 | SA1: 0 |
Level 2 | TA2: 0 | SR2: 0 | SA2: 4 |
Level 3 | TA3: 0 | SR3: 1 | SA3: 1 |
Total | 0 | 2 | 5 | 7

Verification | Design Review | Code Review | Security Testing | Total
-------------|---------------|-------------|------------------|------
Level 1 | DR1: 0 | CR1: 1 | ST1: 18 |
Level 2 | DR2: 1 | CR2: 3 | ST2: 3 |
Level 3 | DR3: 0 | CR3: 1 | ST3: 1 |
Total | 1 | 5 | 22 | 28

Deployment | Vulnerability Management | Environment Hardening | Operational Enablement | Total
-----------|--------------------------|-----------------------|------------------------|------
Level 1 | VM1: 0 | EH1: 0 | OE1: 0 |
Level 2 | VM2: 0 | EH2: 0 | OE2: 0 |
Level 3 | VM3: 0 | EH3: 3 | OE3: 0 |
Total | 0 | 3 | 0 | 3
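As an added example (not part of the presentation), the Python below recomputes the Coverage grid from the SAMM Practice codes of the Mapping Projects / SAMM table and lists the practice/level cells that no OWASP project maps to, i.e. where the project portfolio gives a SAMM adopter no direct support. The practice-to-business-function grouping and the codes are transcribed from the slides; the function names are my own.

```python
from collections import Counter

# Business functions and their three Security Practices, as on the slide.
BUSINESS_FUNCTIONS = {
    "Governance":   ["SM", "PC", "EG"],
    "Construction": ["TA", "SR", "SA"],
    "Verification": ["DR", "CR", "ST"],
    "Deployment":   ["VM", "EH", "OE"],
}
PRACTICES = {p for ps in BUSINESS_FUNCTIONS.values() for p in ps}
LEVELS = (1, 2, 3)

# "SAMM Practice" column of the Mapping Projects / SAMM table, transcribed in
# table order (Labs rows, then Flagship rows); n/a marks "not applicable".
LABS = ("EG1 ST1 ST1 ST1 ST1 EG1 ST1 ST1 ST1 SA2 n/a ST1 CR2 ST1 EG1 ST2 CR2 "
        "ST1 ST1 EG1 ST1 ST1 ST1 ST1 ST1 CR2 EG1 EH3 SA2 EG1 EG1 ST1 SR3 EG1 EH3")
FLAGSHIP = "SA2 SA3 EH3 SA2 ST2 EG2 ST2 DR2 CR3 ST3 CR1 n/a EG1 SR1 SM1 ST1 EG1"

def parse_code(code):
    """'EG1' -> ('EG', 1); None for rows marked not applicable."""
    if code == "n/a":
        return None
    practice, level = code[:2], int(code[2:])
    if practice not in PRACTICES or level not in LEVELS:
        raise ValueError(f"unknown SAMM code: {code}")
    return practice, level

def coverage(codes):
    """Projects per (practice, level): the cells of the Coverage grid."""
    counts = Counter()
    for code in codes:
        cell = parse_code(code)
        if cell is not None:
            counts[cell] += 1
    return counts

def function_totals(counts):
    """Projects per business function: the grid's row totals."""
    return {bf: sum(counts[(p, l)] for p in ps for l in LEVELS)
            for bf, ps in BUSINESS_FUNCTIONS.items()}

def uncovered(counts):
    """(practice, level) cells no project maps to, i.e. the coverage gaps."""
    return sorted((p, l) for ps in BUSINESS_FUNCTIONS.values()
                  for p in ps for l in LEVELS if counts[(p, l)] == 0)

if __name__ == "__main__":
    counts = coverage(LABS.split() + FLAGSHIP.split())
    totals = function_totals(counts)
    for bf, ps in BUSINESS_FUNCTIONS.items():
        cells = "  ".join(f"{p}{l}:{counts[(p, l)]:2d}" for p in ps for l in LEVELS)
        print(f"{bf:13s} {cells}  total {totals[bf]:2d}")
    print("uncovered cells:", " ".join(f"{p}{l}" for p, l in uncovered(counts)))
```

Running it reproduces the slide's totals (12, 7, 28, 3) and shows that 21 of the 36 practice/level cells, including all of Threat Assessment, Vulnerability Management and Operational Enablement, had no mapped project at the time.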

Get started

Step 1: questionnaire (as-is)
Step 2: define your maturity goal
Step 3: define phased roadmap

Conducting assessments

SAMM includes assessment worksheets for each Security Practice

Assessment process

Supports both lightweight and detailed assessments

Creating Scorecards

• Gap analysis: capturing scores from detailed assessments versus expected performance levels
• Demonstrating improvement: capturing scores from before and after an iteration of assurance program build-out
• Ongoing measurement: capturing scores over consistent time frames for an assurance program that is already in place

Roadmap templates

• To make the “building blocks” usable, SAMM defines Roadmap templates for typical kinds of organizations:
  • Independent Software Vendors
  • Online Service Providers
  • Financial Services Organizations
  • Government Organizations
• Tune these to your own targets / speed

SAMM Resources

www.opensamm.org

• Presentations
• Tools
• Assessment worksheets / templates
• Roadmap templates
• Scorecard chart generation
• Translations (Spanish / Japanese)
• SAMM mappings to ISO/IEC 27034 / BSIMM

Critical Success Factors

• Get initiative buy-in from all stakeholders

• Adopt a risk-based approach

• Awareness / education is the foundation

• Integrate security in your development / acquisition and deployment processes

• Provide management visibility


Project Roadmap

Build the SAMM community:
• List of SAMM adopters
• Workshops at AppSecEU and AppSecUSA

V1.1:
• Incorporate tools / guidance / OWASP projects
• Revamp SAMM wiki

V2.0:
• Revise scoring model
• Model revision necessary? (12 practices, 3 levels, ...)
• Application to agile
• Roadmap planning: how to measure effort?
• Presentations & teaching material
• …

Get involved

• Use and donate back!
• Attend OWASP chapter meetings and conferences
• Support OWASP: become a personal/company member
  https://www.owasp.org/index.php/Membership

Q&A

Thank you

• @sebadele
• [email protected]
• [email protected]
• www.linkedin.com/in/sebadele