How is Your AppSec Program Doing Compared to Others

Post on 19-Oct-2014


Organizations that build software and worry about security are continually asking, "How do we stack up to others?" If you are starting an application security program, or inheriting one that is already underway, you are probably curious how your organization compares with others. Are you doing the right set of application testing activities? Are you training your developers to write more secure code in the most efficient manner? Does your SDLC need a review to determine whether security activities should be included throughout? A popular framework for benchmarking an organization's software security activities is the Open Software Assurance Maturity Model (OpenSAMM), developed and published by the Open Web Application Security Project (OWASP). To hear the full webinar, follow this link: http://denimgroup.com/webinar_How-is-Your-AppSec-Program-Doing-Compared-to-Others.html

Transcript of How is Your AppSec Program Doing Compared to Others

© Copyright 2014 Denim Group - All Rights Reserved

How is Your AppSec Program Doing Compared to Others?

John B. Dickson, CISSP | @johnbdickson | #appseccheck


Denim Group Overview

• Professional services firm that builds and secures enterprise applications
• External application assessments
  • Web, mobile, and cloud
  • Software development lifecycle (SDLC) consulting
  • Network and information security assessments
• Secure development services
  • Secure .NET and Java application development
  • Post-assessment remediation
• Classroom and e-Learning for PCI compliance

• Application Security Enthusiast
• Helps CSOs and CISOs with Application Security Programs
• ISSA Distinguished Fellow
• Experience Delivering Application Security Maturity Assessments

Current State of Affairs in Application Security

• Many, if not most, organizations equate application security with dynamic scanning
• Most companies still use compliance reasons (e.g., PCI) to justify application security resources
• Wildly divergent strategies exist across industries and companies

Results: Breaches Occur Where Applications are the Attack Vector

The Business Case for Benchmarking

• Application security resources are largely focused on two technologies: dynamic scanning and WAFs
• Sophisticated CISOs and AppSec managers want to know how they are doing relative to their peers; so do CEOs, CFOs, and Boards, because of high-visibility breaches
• Is AppSec "spend" in line with that of industry peers?

Background on OpenSAMM

• Open Software Assurance Maturity Model
• Open framework that helps organizations implement software security
• One of two popular competing models
• Authored by an industry group from the Open Web Application Security Project (OWASP)
• So comprehensive that at least one Big 4 audit firm uses it to audit software security programs

Background on OpenSAMM

• Four Business Functions
  • Governance
  • Construction
  • Verification
  • Deployment
• Twelve Security Practices (three per Business Function). Example: Governance
  • Strategy and Metrics
  • Education and Guidance
  • Policy and Compliance

Challenges of any Maturity Assessment

• How can one infer results across the entire organization?
• Development groups within an organization may differ radically in practices, tools, etc.
• Different assessors might produce different results
• Still heavily reliant on interviews
  • How long should an interview be?
  • Security technologies and practices might exist in some groups but not others

How You Can Put OpenSAMM to Work

• OpenSAMM defines several maturity levels; only a small number of organizations can realistically aspire to Level 3 maturity in a practice.
• You may wish to stick to Level 1, which is a basic, measurable level of capability.
• If your organization is global or widely dispersed, start with one business unit or development group to learn the methodology and assess the results.

OpenSAMM Valid Maturity Levels

• 0 - Implicit starting point representing the activities in the Practice being unfulfilled

• 1 - Initial understanding and ad hoc provision of Security Practice

• 2 - Increase efficiency and/or effectiveness of the Security Practice

• 3 - Comprehensive mastery of the Security Practice at scale


How You Can Put OpenSAMM to Work

Level 1 objectives and activities for the Governance practices

1. Strategy and Metrics
   Objective: Establish a unified strategic roadmap for software security within the organization.
   A. Estimate overall business risk profile
   B. Build and maintain assurance program roadmap

2. Policy and Compliance
   Objective: Understand relevant governance and compliance drivers to the organization.
   A. Identify and monitor external compliance drivers
   B. Build and maintain compliance guidelines

3. Education and Guidance
   Objective: Offer development staff access to resources around the topics of secure programming and deployment.
   A. Conduct technical security awareness training
   B. Build and maintain technical guidelines
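As an added illustration, not part of the webinar slides and not OWASP's or Denim Group's own tooling, the Python script below encodes the maturity levels defined above and rolls per-development-group scores up into one organization-wide scorecard, which is the aggregation problem the "Challenges of any Maturity Assessment" slide raises. The twelve practice names are those of OpenSAMM 1.0 (the slides name only the three Governance practices); the group names and their scores are constructed sample data, and the rule that the organization's level for a practice is the minimum across its groups is a design choice made here, not something the slides prescribe.

```python
"""Aggregate OpenSAMM self-assessment scores across development groups.

Illustrative code written for this page; not Denim Group's or OWASP's tooling.
Practice names are OpenSAMM 1.0; group names and scores below are constructed.
"""
from statistics import mean

# Maturity levels exactly as the slide defines them.
MATURITY_LEVELS = {
    0: "Implicit starting point: activities in the Practice unfulfilled",
    1: "Initial understanding and ad hoc provision of the Security Practice",
    2: "Increased efficiency and/or effectiveness of the Security Practice",
    3: "Comprehensive mastery of the Security Practice at scale",
}

# Four Business Functions, each with three Security Practices (OpenSAMM 1.0).
BUSINESS_FUNCTIONS = {
    "Governance": ("Strategy and Metrics", "Policy and Compliance", "Education and Guidance"),
    "Construction": ("Threat Assessment", "Security Requirements", "Secure Architecture"),
    "Verification": ("Design Review", "Code Review", "Security Testing"),
    "Deployment": ("Vulnerability Management", "Environment Hardening", "Operational Enablement"),
}
ALL_PRACTICES = tuple(p for ps in BUSINESS_FUNCTIONS.values() for p in ps)


def validate_scores(scores):
    """Reject a scorecard that omits a practice or uses an undefined level."""
    for practice in ALL_PRACTICES:
        if practice not in scores:
            raise ValueError(f"missing score for {practice!r}")
    for practice, level in scores.items():
        if practice not in ALL_PRACTICES:
            raise ValueError(f"unknown practice {practice!r}")
        if level not in MATURITY_LEVELS:
            raise ValueError(f"{practice!r}: {level!r} is not a valid OpenSAMM level")
    return True


def aggregate(group_scores):
    """Roll per-group scores up to one organization-wide row per practice.

    Design choice (ours, not OpenSAMM's): the organization level is the
    minimum across groups, because a practice is only as mature as the least
    mature group that ships software. A spread of two or more levels between
    groups is flagged as divergent, since a single number would then hide the
    'exists in some groups, not others' situation the slides warn about.
    """
    for scores in group_scores.values():
        validate_scores(scores)
    rows = {}
    for practice in ALL_PRACTICES:
        levels = [scores[practice] for scores in group_scores.values()]
        rows[practice] = {
            "org_level": min(levels),
            "max_level": max(levels),
            "mean_level": round(mean(levels), 2),
            "divergent": max(levels) - min(levels) >= 2,
        }
    return rows


def gaps_to_target(rows, target=1):
    """Practices whose organization-wide level falls short of the target level."""
    return sorted(p for p, r in rows.items() if r["org_level"] < target)


# Constructed sample: two development groups scored by interview (hypothetical).
SAMPLE_GROUPS = {
    "payments-team": {
        "Strategy and Metrics": 1, "Policy and Compliance": 2, "Education and Guidance": 1,
        "Threat Assessment": 1, "Security Requirements": 1, "Secure Architecture": 0,
        "Design Review": 0, "Code Review": 1, "Security Testing": 1,
        "Vulnerability Management": 2, "Environment Hardening": 1, "Operational Enablement": 0,
    },
    "mobile-team": {
        "Strategy and Metrics": 0, "Policy and Compliance": 1, "Education and Guidance": 0,
        "Threat Assessment": 0, "Security Requirements": 1, "Secure Architecture": 0,
        "Design Review": 0, "Code Review": 0, "Security Testing": 3,
        "Vulnerability Management": 1, "Environment Hardening": 1, "Operational Enablement": 0,
    },
}

if __name__ == "__main__":
    rows = aggregate(SAMPLE_GROUPS)
    for practice, row in rows.items():
        flag = "  <-- groups diverge" if row["divergent"] else ""
        print(f"{practice:26} org={row['org_level']} max={row['max_level']} "
              f"mean={row['mean_level']}{flag}")
    print("Below Level 1:", gaps_to_target(rows, target=1))
```

Running the script prints one row per practice and then the list of practices still below Level 1, which is the target the slide suggests for a first assessment. With the sample data, Security Testing is flagged as divergent (Level 1 in one group, Level 3 in the other), exactly the case where reporting a single organization-wide number would mislead a Board.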


Conclusions

• OpenSAMM is an effective mechanism for identifying how your software security program is doing compared to others
• Data collection and analysis are key to any benchmarking activity
• Sophisticated companies are conducting assessments to identify software risk and to secure the resources to address it


Questions?

John B. Dickson

@johnbdickson

john@denimgroup.com
