Update OWASP SAMM … · What is SAMM? The mission of OWASP SAMM is to be the prime maturity model...
OWASP SAMM Update
SAMM User Day
June 16th, 2020
Bart De Win, Seba Deleersnyder
What is SAMM?
The mission of OWASP SAMM is to be the prime maturity model for software assurance that provides an effective and measurable way for all types of organizations to analyze and improve their software security posture. OWASP SAMM supports the complete software lifecycle, including development and acquisition, and is technology and process agnostic. It is intentionally built to be evolutive and risk-driven in nature.
Visit our website: owaspsamm.org
github.com/OWASP/samm
Goals of SAMM version 2
● Align with recent development practices
● Revise all activities (no “orphans”)
● Method agnostic
● Improve assessments
● Improve production process
Backwards compatibility was not a goal
Core structure
The five business functions, their three security practices each, and the two streams of every practice:

| Business function | Security practice | Stream A | Stream B |
|---|---|---|---|
| Governance | Strategy & Metrics | Create & promote | Measure & improve |
| Governance | Policy & Compliance | Policy & standards | Compliance management |
| Governance | Education & Guidance | Training & awareness | Organization & culture |
| Design | Threat Assessment | Application risk profile | Threat modeling |
| Design | Security Requirements | Software requirements | Supplier security |
| Design | Secure Architecture | Architecture design | Technology management |
| Implementation | Secure Build | Build process | Software dependencies |
| Implementation | Secure Deployment | Deployment process | Secret management |
| Implementation | Defect Management | Defect tracking | Metrics & feedback |
| Verification | Architecture Assessment | Architecture validation | Architecture compliance |
| Verification | Requirements-driven Testing | Control verification | Misuse/abuse testing |
| Verification | Security Testing | Scalable baseline | Deep understanding |
| Operations | Incident Management | Incident detection | Incident response |
| Operations | Environment Management | Configuration hardening | Patch & update |
| Operations | Operational Management | Data protection | Legacy management |
SAMM v2 security practice structure
Example: the two streams of the Requirements-driven Testing practice, with the objective of each maturity level and the stream activity that achieves it.

| Maturity level | Objective | Stream A: Control Verification | Stream B: Misuse/Abuse Testing |
|---|---|---|---|
| 1 | Opportunistically find basic vulnerabilities and other security issues. | Test for standard security controls | Perform security fuzzing testing |
| 2 | Perform implementation review to discover application-specific risks against the security requirements. | Derive test cases from known security requirements | Create and test abuse cases and business logic flaw tests |
| 3 | Maintain the application security level after bug fixes, changes or during maintenance. | Perform regression testing (with security unit tests) | Denial of service and security stress testing |
SAMM v2 assessment toolbox
https://github.com/OWASP/samm/tree/master/Supporting%20Resources/v2.0/toolbox
Example toolbox question (business function Governance, practice Strategy and Metrics, stream Create and promote, maturity level 1):

Has the organization defined a set of risks to prioritize applications by?

Quality criteria:
● You have captured the risk appetite of your organization’s executive leadership
● The organization’s leadership have vetted and approved risks
● You have identified the main business and technical threats to your organization’s assets and data
● Risks are documented and accessible to relevant stakeholders
SAMM roadmaps
Project: SAMM CI/CD
● Single source of the truth (Github)
● Used to generate everything automatically
  ○ Document, website
  ○ Toolbox
  ○ Applications
Community involvement
Community driven
Project driven
● Core structure: business functions, practices, streams
● Evaluation model: questions, quality criteria, measurement model
● Activity model: objective, activities, dependencies, metrics
● Supporting information & tools: guidance, references, supporting tools
Community feedback
Translations
https://crowdin.com/project/owasp-samm
How do I compare?
Our roadmap
● Continuous: minor fixes
● Wrap-up: PDF
● v2.1 (Oct 2020): Translations, mappings
● v2.2 (Jan 2021): Activity-specific guidance (references, agile, ...)
● v2.3 (June 2021): online toolbox, open API
● v3.0: tbd
Let’s do this together
Who is SAMM?
● Bart De Win – Project Co-Leader, Belgium
● Sebastien (Seba) Deleersnyder – Project Co-Leader, Belgium
● Brian Glass – United States
● Daniel Kefer – Germany
● Yan Kravchenko – United States
● Chris Cooper – United Kingdom
● John DiLeo – New Zealand
● Nessim Kisserli – Belgium
● Patricia Duarte – Uruguay
● John Kennedy – Sweden
● Hardik Parekh – United States
● John Ellingsworth – United States
● Sebastián Arriada – Argentina
● Brett Crawley – United Kingdom
SAMM Sponsors
owaspsamm.org/sponsors
Enjoy the User Day!
OWASP SAMM outreach 2020
Using our social media, sponsor and subscriber networks:
● Twitter - 900 followers
● LinkedIn - 120 followers
● Newsletter - 600+ subscribers
● OWASP SAMM - 8 Sponsors
● SAMM Slack channel - 400+ members
Thank you!