OWASP SAMM

Thoughts & Experiences

d0kt0r @ 0xOPOSEC

~$ WHOAMI

0XOPOSEC - d0kt0r

Freelance Information Security Consultant

PhD Student @ FCUP

“We do what we must because we can.” – Aperture Science

Email: dm@dm-advisory.eu

Motivation

  • Awareness mostly (something you can use as a guide)
  • Proven it's value
  • Less trendy dimension of Infosec
  • Finding order in chaos

 

 

 

Disclaimer: This is not a Technical talk

Disclaimer2: Not reinventing the wheel here

Disclaimer3: not an OWASP pitch

Agenda

  1. The Problem
  2. The Model
  3. Implementation
  4. Experimentation
  5. Conclusions

 

The Problem

Information Security World

Information Security World

AppSec

Information Security World

AppSec

Security Architecture Teams

Security Assessments Teams

Development Teams

IR Teams

?

The Model

Objective

The Model

The Software Assurance Maturity Model  (SAMM) is an open framework that provides  an effective and measurable way for all  types of organizations to analyze and  improve their software security posture.

owaspsamm.org

2.0 Version

"Your first step towards improvement, is to measure where you are now."

Features

The Model

Measurable

 

Defined maturity levels  across business practices

Actionable

 

Clear pathways for  improving maturity levels

Versatile

 

Technology, process, and  organization agnostic

Structure

The Model

  • 5 business functions
  • 15 Security Practices
  • Higher the maturity higher the cost/effort
  • No order or priority on functions and practices (depends on risks or threats)

Business Functions

The Model

Core activities that any organization does to develop software.

Organizational Scope

Application Specific

Security Practices

The Model

Security Practices

The Model

Security Testing Practice

Assessment

The Model

One Question per Activity (total 90 questions)

Quality

Coverage

Assessment

The Model

OWASP SAMM Toolbox available online (SAMMY) or Excel:

Security Testing Maturity Score =

SUM(AVG(StreamALevel1,StreamBLevel1)+AVG(StreamALeve2,StreamBLevel2)+AVG(StreamALevel3,StreamBLevel3))

Assessment

The Model

DEMO

Outputs

The Model

Helpful metrics to "sell" the investment for security programme and/or guide the next iteration of the programme

Implementation

6 Step Programe

Implementation

PREPARE

ASSESS

SET THE TARGET

DEFINE THE PLAN

IMPLEMENT

ROLL OUT

6 Step Programe

Implementation

PREPARE

  • Ensure proper start of the project:
    • Define the scope 
    • Define the stakeholders
    • Spread the word.

*hint*: you may want to start gathering information about your environment and apps: typology, support model, status, location, criticality, data, etc.............

build a stakeholder maps and set comms channels (Steerco, newsletter,..)

6 Step Programe

Implementation

PREPARE

  • Start where you are
  • Identify and understand the maturity of your chosen scope in each of the 15 software security practices:
    • Evaluate current practices
    • Determine maturity level

ASSESS

6 Step Programe

Implementation

PREPARE

  • Define what score you want to achieve

 

Software development process maturity will impact your approach

ASSESS

SET THE TARGET

*hint*: be realistic - important to respect dev/op team bandwidth; consider constraints: budget, timing, resources, organizational limitations, etc.

6 Step Programe

Implementation

PREPARE

  • Develop a target roadmap that you use to guide the implementation.

ASSESS

SET THE TARGET

DEFINE THE PLAN

*hint*: OWASP has tons of open-source tools to support the implementation of all security practices with 0 cost

6 Step Programe

Implementation

PREPARE

...work

ASSESS

SET THE TARGET

DEFINE THE PLAN

IMPLEMENT

*hint*: really work;

you can measure progress!

6 Step Programe

Implementation

PREPARE

  • Ensure that improvements are available and effectively used within the organization
  • Reassess and check if objectives were accomplished

ASSESS

SET THE TARGET

DEFINE THE PLAN

IMPLEMENT

ROLL OUT

*hint*: build a service catalogue (AppSecaaService); do not scale if doesn't work; rethink and repeat

Experimentation

There is no magic framework, solution, recipe...

... customisation is always required.

(key advantage of SAMM)

Customizations

Experimentation

Problem #1: User Access is rarely mentioned in the model:

  • Secrets Management - Access Production
  • Education guidance - access before education

 

 

What about internal client user access?

Customizations

Experimentation

To be published soon on: https://github.com/DM-Advisory/

User Access Management

Customization

Experimentation

Problem #2: One of the main problem for Information Security teams is:

 

Bandwidth

 

Solution? Automate & Delegate

Model solution: Security Champions

 

but, in some realities SC does not solve all of our problems (outsourced, third parties,etc.)

Customization

Experimentation

Solution: Project Management Gamification

  • Give Project Managers a tool to follow the S-SDLC Process
  • Empowering PM over security requirements of their projects
  • Make it point-based to leverage competition and compliance
  • Are the technical teams aware of Security Policies? Is there a Point of contact for the project?
  • Are the asset management rules being followed?

Customization

Experimentation

Solution: Project Management Gamification

  • Give Project Managers a tool to follow the S-SDLC Process
  • Empowering PM over security requirements of their projects
  • Make it point-based to leverage competition and compliance
  • Is the documentation being delivered and Security Requirement included?
  • Is the vendor (if applicable) compliant with our policies?

Customization

Experimentation

Solution: Project Management Gamification

  • Give Project Managers a tool to follow the S-SDLC Process
  • Empowering PM over security requirements of their projects
  • Make it point-based to leverage competition and compliance
  • Internal Software Development practices are being followed?
  • Are the security controls being enforced?

Customization

Experimentation

Solution: Project Management Gamification

  • Give Project Managers a tool to follow the S-SDLC Process
  • Empowering PM over security requirements of their projects
  • Make it point-based to leverage competition and compliance
  • Is the application eligible for a security test?

Customization

Experimentation

Solution: Project Management Gamification

  • Give Project Managers a tool to follow the S-SDLC Process
  • Empowering PM over security requirements of their projects
  • Make it point-based to leverage competition and compliance

Customization

Experimentation

Solution: Project Management Gamification

Each control and activity from the model performed adds points -> If reaches a baseline the project is ready for go-live!

+20

+20

+20

+20

+20

Conclusions

Take aways

  • OWASP SAMM is a open framework to support and guide the implementation of security activities
  • Standards and models are a good way to make a valid business case
  • Customization and prioritization is possible and required
  • Have fun and be creative

Thank you!

Q&A

Credits to OWASP Foundation

 

Thanks to MG;FF;MT;CB for helping implementing the model

Copy of OWASP SAMM: Thoughts & Experiences

By Duarte Monteiro

Copy of OWASP SAMM: Thoughts & Experiences

  • 123