SBA Live Academy - OWASP SAMM 2.0: Your Dynamic Software Security Journey by Sebastien Deleersnyder

•

0 gefällt mir•174 views

Target Group: Anyone involved in software development Focus: technical/organizational Language: English Abstract ********** Building security into the software development and management practices of a company can be a daunting task. There are many elements to the equation: company structure, technology stacks, tools and processes, different stakeholders, competing priorities, etc. Implementing software assurance will have a significant, positive impact on an organization, yet trying to achieve this without a good framework often leads to marginal and unsustainable improvements. About the Speaker: ********************* Seba (https://twitter.com/Sebadele) is co-founder and CEO of Toreon. He started the Belgian OWASP chapter, co-leads the OWASP SAMM project, and co-founded the yearly BruCON conference. With a background in development and many years of experience in security, Seba has trained countless developers to create more secure software. He adapts application security models to the evolving field of DevOps and brings Threat Modeling to a wider audience (including teaching Whiteboard Hacking at Black Hat).

Technologie

OWASP SAMM2 –
Your Dynamic Software
Security Journey
SBA Live Academy
Thursday, 14 May, 2020

Sebastien Deleersnyder
CEO Toreon
Belgian OWASP chapter founder
SAMM project co-leader

What is SAMM?
"The prime maturity model for software assurance that provides
an effective and measurable way for all types of organizations
to analyze and improve their software security posture.”

“Build in” software assurance
4
Design Build Test Production
vulnerability
scanning -
WAF
security testing
dynamic test
tools
coding guidelines
code reviews
static test tools
security
requirements /
threat modeling
reactiveproactive
Secure Development Lifecycle
(SAMM)

Why a maturity model?
Changes must be iterative while
working toward long-term goals
An organization’s
behavior changes
slowly over time
A solution must enable risk-based
choices tailored to the organization
There is no single recipe
that works for all
organizations
A solution must provide enough details
for non-security-people
Guidance related to
security activities must
be prescriptive
OWASP Software Assurance Maturity
Model (SAMM)
Overall, must be simple,
well-defined, and
measurable
Measurable
Actionable
Versatile

Per Level, SAMM defines...
• Objective
• Activities
• Results
• Success Metrics
• Costs
• Personnel
• Related Levels

SAMM2 security practice structure
Requirements Testing
Maturity Activities
Streams
A: Control
Verification
B: Misuse
/Abuse Testing
Level 1 - Opportunistically find
basic vulnerabilities and other
security issues.
Test for standard
security controls
Perform security
fuzzing testing
Level 2 - Perform implementation
review to discover application-
specific risks against the security
requirements.
Derive test cases
from known
security
requirements
Create and test
abuse cases and
business logic flaw
test
Level 3 - Maintain the application
security level after bug fixes,
changes or during maintenance
Perform regression
testing (with
security unit tests)
Denial of service and
security stress
testing

SAMM2 assessments
SAMM2 Toolbox:
https://github.com/OWASP/samm/tree/master/Supporting%20Resources/v2.0/toolbox

Project: SAMM CI/CD
•Single source of the truth (Github)
•Used to generate everything automatically
–Document, website
–Toolbox
–Applications

Current roadmap
V2.0: Jan 2020
2020:
•v2.1, 2.2, ...: iterative releases
•Agile/devops guidance
•Roadshows/trainings
•Benchmark

Questions? Feedback? Input?
#project-samm github.com/OWASP/samm
Join through
https://owasp-slack.herokuapp.com/

Credits
Bart De Win – Project Co-Leader, Belgium
Sebastien (Seba) Deleersnyder – Project Co-Leader, Belgium
Brian Glass – United States
Daniel Kefer – Germany
Yan Kravchenko – United States
Chris Cooper – United Kingdom
John DiLeo – New Zealand
Nessim Kisserli – Belgium
Patricia Duarte - Uruguay
John Kennedy - Sweden
Hardik Parekh - United States
John Ellingsworth - United States
Sebastian Arriada - Argentina
Brett Crawley – United Kingdom
...

SUPPORT OWASP SAMM
Software powers the world,
but insecure software threatens safety, trust,
and economic growth.

Thank you
info@owaspsamm.org
seba@owasp.org
seba@toreon.com

Weitere ähnliche Inhalte

Mehr von SBA Research

"Rechtliche Risiken mit externen Mitarbeitern" Externe MitarbeiterInnen, die IT-mäßig eingebunden werden (müssen) sind kein neues Phänomen. Das Thema ist jedoch gerade jetzt besonders aktuell: Unternehmen, die keine Erfahrungen mit externer IT-Anbindung haben, mussten von einem Tag auf den anderen MitarbeiterInnen ins Home Office schicken; selbst Organisationen, die bereits Erfahrungswerte haben, stehen vor der Herausforderung, aus einer breiten Palette von Anwendungen die passendste und sicherste zu wählen. Der Vortrag informiert über die rechtlichen Risiken in Bezug auf Geheimhaltung, Systemintegrität und Datenschutz in Zeiten von Home Office. Speaker: Dr. Stefan Eder, Benn-Ibler Rechtsanwälte GmbH Talk language: German About the Speaker: ********************* Dr. Stefan Eder ist Rechtsanwalt und Partner in der Wirtschaftskanzlei Benn-Ibler Rechtsanwälte GmbH. Er hat zusätzlich Betriebsinformatik studiert und ist in diverse IT-Projekte involviert. Er trägt regelmäßig zu Themen der IT-Sicherheit vor und engagiert sich als Gründer des Österreich-Chapters der Legal Hackers für die Erforschung und Entwicklung kreativer Lösungen an der Schnittstelle zwischen IT und Recht. Er organisiert darüber hinaus die REMEP, eine Plattform für Rechtsinformatik.

SBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern

SBA Research

"What the heck is secure computing?" What is “secure computing”? Why should it be important to me? Now that it is important to me, how can I use secure computing for my work? This presentation will give an overview of the two main types of secure computing. We explain the fundamental ideas behind the technology and point out important details. We also present ideas on how this technology can be used for new applications, and last but not least, we answer your questions. Speaker: Matthias Gusenbauer, Talk language: English About the Speaker: ********************* I am a researcher at SBA Research in Vienna, Austria. My research focuses on bridging people and technology to solve issues in security and privacy. In order to accomplish this I focus on usable security and privacy with an interest in applied cryptography. I have been a research fellow at the National Institute of Informatics (NII) in Tokyo to work on visualizing network traces. During a second stay with the NII as part of Echizen Laboratory I worked on visualizing the Bitcoin blockchain. Now I continue to work in the domain of usable security, cryptography and privacy.

SBA Live Academy, What the heck is secure computing

SBA Research

"Tools & Techniques from building a DevSecOps culture at Mozilla" For the past decade, security teams at Mozilla have sharpened their tools and improved their techniques to mature the security culture of the organization, and dramatically reduce vulnerabilities and risks. In this talk, Julien shows how Mozilla approaches DevSecOps and shares lessons learned from that journey. Speaker: Julien Vehent, Firefox Operations Security Talk language: English About the Speaker: ********************* Julien Vehent is a French computer security engineer who leads the Firefox Operations Security team at Mozilla. He specializes in web applications security, cloud infrastructure, cryptography and risk management. He is the author of “Security DevOps”, published at Manning in 2018.

Tools & techniques, building a dev secops culture at mozilla sba live a...

SBA Research

Since 1980, the IEEE Symposium on Security and Privacy has been the premier forum for presenting developments in computer security and electronic privacy, and for bringing together researchers and practitioners in the field. For the first time, the 2020 Symposium took part as a full virtual conference. Our group of researchers are very greatful for the opportunity to present their work on HydRand, a distributed protocol for the secure provisioning of distributed randomness, at this prestigious event. In his talk, Philipp Schindler outlines the fundamental concepts of distributed randomness as well as the details of HydRand’s design.

HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...

SBA Research

Target Group: SysAdmins, Developer, DevOps Focus: technical Talk language: English Abstract ********** What are Containers and what makes them secure to use? Which different types of Containers are out there and how can I best use them securely? What container types are there beyond Docker? About the Speaker: ********************* Mathias Tausig is Security Consultant at SBA Research. Mathias received a master’s degree (DI / MSc) in Technical Mathematics from the University of Technology Vienna (TU Wien). His professional experience includes a tenure as a Security Officer for a Certification Authority and lecturing IT-Security at the University of Applied Sciences Campus Vienna.

SBA Live Academy - Secure Containers for Developer by Mathias Tausig

SBA Research

Abstract ********* SecDevOps has complex challenges: remote code execution vulnerabilities could lead to a takeover of the backend. Web hosters and Cloud providers have to deal with the extreme: remote code execution as a service by running user code (PHP, NodeJS, Go, dotnet, …). What does the Linux Kernel provide to contain successful attacks other than a firewall, user separation and permissions? Do Docker containers really contain? About the Speaker: ********************* Reinhard Kugler is Principal Security Consultant at SBA Research. He focuses on secure software engineering, infrastructure security and malware analysis. Currently his main activities concentrate on penetration testing.

SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...

SBA Research

Managing passwords is a critical developer task. Developers tasked with building or augmenting legacy authentication systems have a daunting task when facing modern adversaries. This talk will review some of the changes suggested in NIST SP800-63b the “Digital Identity Guideline on Authentication and Lifecycle Management regarding password policy”. We’ll discuss topics such as credential stuffing and the importance of managing common passwords found in public breaches. We’ll also discuss various strategies around storing passwords using modern algorithms and methods. * Importance of Password Storage * Credential Stuffing * Password Policy Updates from NIST[masked]b * Password Topologies * Offline Password Attacks * Password Cracking * Password Hashing Strategies * Password Keyed Protections * Hard-Coded Passwords and Backdoors Speaker: Jim Manico, Manicode Security Talk language: English About the Speaker: ********************* Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also an investor/advisor for KSOC, Nucleus Security, Signal Sciences and BitDiscovery. Jim is a frequent speaker on secure software practices, is a member of the Java Champion community, and is the author of "Iron-Clad Java: Building Secure Web Applications" from Oracle Press. Jim also volunteers for the OWASP foundation as the project co-lead for the OWASP ASVS and the OWASP Proactive Controls.

SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...

SBA Research

Zielgruppe: Architekten, Entwickler, Tester, DevOps Schwerpunkt: technisch Abstract ********** Dieser Vortrag gibt eine kurze Einführung in die Welt des Threat Modeling. Es wird erklärt was Threat Modeling eigentlich ist, welche Methoden zur Verfügung stehen und wie man es ganz pragmatisch selbst anwenden kann. About the Speaker: ********************* Daniel Schwarz ist Senior Security Analyst bei der condignum GmbH in Wien. Nach seinem Abschluss an der FH St. Pölten im Bereich IT- und Information Security startete er beruflich als Penetration Tester und fokussierte sich als Security Consultant im Laufe der letzten sieben Jahren immer stärker auf die Themen sichere Softwareentwicklung, Secure Design, Threat Modeling und Security Requirements Engineering. In seiner Rolle bei der condignum GmbH beschäftigt er sich aktuell mit der Frage, wie genau diese Themen für Organisationen jeder Größe effizient und angemessen realisierbar gemacht werden können.

SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...

SBA Research

Zielgruppe: Alle Interessierten, kein elektrotechnisches Vorwissen notwendig Schwerpunkt: strategisch Abstract ********** In diesem Vortrag gibt es einen Einblick wie man das Stromnetz durch Cyber-Angriffe lahmlegt, ganz ohne Smart-Grid-Funktionalität. Wir sprechen über das Management von Stromnetzen, optimale Strategien für den Angriff, warum Bitcoin und Ethereum nützlich sind oder auch schon einmal die Uhren um sieben Minuten nachgehen. About the Speaker: ********************* Johanna Ullrich is key researcher at SBA Research and leads the Networks and Critical Infrastructures Security Research Group. Johanna received an BSc in Electrical Engineering and Information Technology, an MSc in Automation Engineering, and an PhD sub auspiciis praesidentis in Computer Science being among the top students of Austria. In addition, she was awarded the Research Prize of the Dr. Maria Schaumayer Foundation and was nominated for the Hedy Lamarr Prize 2019 by the Austrian Research Promotion Agency (FFG). Johanna teaches graduate courses at University of Applied Sciences Wiener Neustadt, FH Technikum Wien as well as FH Campus Wien.

SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...

SBA Research

Zielgruppe: Personen die an Angriffsszenarien gegen IoT-Geräte und eingebettete Systeme interessiert sind Schwerpunkt: technisch Sprache: Deutsch Abstract: ********** Dieser Vortrag gibt einen Einblick in physische Angriffe gegen IoT-Geräte und eingebettete Systeme. Mögliche Angriffe sowie Gegenmaßnahmen werden im Überblick präsentiert. About the Speaker: ********************* Christian Kudera is researcher and security analyst at SBA Research. Christian received an MSc in Hardware & Software Security from TU Wien. Currently he is working towards his PhD degree with the focus on Internet of Things and embedded systems security. He has more than six years of experience as security analyst in the areas of hardware and software security. He teaches multiple courses at TU Wien (Internet Security, Advanced Internet Security) and at Universities of Applied Sciences (Rosenheim Technical University of Applied Sciences, FH Campus Wien, FH St. Pölten).

SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...

SBA Research

Target Group: Anyone interested in resilience and cyber security Focus: organizational Talk language: English Abstract ********* "Cyber Resilience – Failure is not an option" This lecture is dedicated to the topic of cyber-resilience and presents the basics and the differentiation from cyber-security as well as current standards and best practices. About the Speaker: ********************* Simon Tjoa is professor at St. Pölten University of Applied Sciences and has worked for 15 years in the information security domain. He is the academic director of the master programs Information Security and Applied Research and Innovation in Computer Science. Before joining St. Pölten University of Applied Sciences, he worked as security consultant and research at various organizations. He received his doctoral degree in informatics from University of Vienna. His research interests include critical infrastructure protection, digital forensics, cyber resilience and business process security. He is program committee and organizing committee member of several security related international workshops and conferences. Furthermore, he currently serves as secretary of IEEE SMC Austria Chapter and holds professional security certifications such as AMBCI, CISA or CISM.

SBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa

SBA Research

Zielgruppe: “Neigungsgruppe Datenschutz”, Datenschutzverantwortliche etc, “Alle” Schwerpunkt: Grundlagen/Hintergrund/Awareness Sprache: Deutsch Abstract: ********* Wer hätte gedacht, dass Oracle einer der weltgrößten Datenhändler ist und etwa 2 Millionen Personenprofile mit tausenden personenbezogenen Attributen verwaltet? Wem ist bewusst, wie sich die Anwendung eines Personenprofils auswirken könnte? Wir alle kennen die DSGVO. Nicht jeder findet sie gut. Das Wissen darüber, warum es dennoch wichtig war, eine verbindliche und in Europa weitgehend einheitliche Rechtsgrundlage für die kommerzielle Vewendung von Daten zu erlassen, ist – abgesehen von Buzzwords wie Facebook und Cambridge Analytica – wenig verbreitet. About the Speaker: ********************* Gerald Sendera is Data Protection Supervisor and Legal Counsel for SBA Research. His consulting activities are focused on data protection management and GDPR-compliance, in which he combines legal knowledge with hands-on experience in information technology. Gerald graduated in law at the University of Vienna (Mag.iur) in 2001 and has been working in IT since 2004 in different functions. During his career he completed technical certification trainings for vendor solutions such as Avaya, Cisco or Oracle. He is CIS-certified “Data Protection Officer” and was awarded the “Privacy Professional” certification at Sigmund Freud University Vienna’s Training Academy.

SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera

SBA Research

Target Audience: Everyone involved in software development (developers and team leaders in software-oriented companies) Focus: technical Talk language: English Abstract ********** Single Page Application frameworks have brought us a boost in clean application architecture and also security, mainly because of a better separation of concerns. But using an SPA framework alone does not automatically get you bullet-proof security. There is still a lot to look out for, and, for example, XSS is not a fully solved problem yet. In this talk, we’ll explore the most important security pitfalls SPA frameworks and how to solve them. We’ll also compare some of the security features of the most common SPA frameworks Angular, React and Vue.js. About the Speaker: ********************* Thomas Konrad is Principal Security Consultant at SBA Research and has been part of software security team since 2010. He focuses on secure software development, web application security, penetration testing, secure software design, architecture, and process, and trains software development teams in those areas.

SBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad

SBA Research

Target Audience: Everyone involved in software development (developers, team leaders, CISOs in software-oriented companies) Focus: technical Talk language: English Abstract ********* Let’s face it: There is no such thing as a big-bang launch any more. We all want to be agile and react quickly to the wishes and demands of our customers in software development. The downside of this approach is that security has a hard time keeping pace, thereby often being completely neglected. That’s why we need to bridge the gap between security and agility. In this talk, we’ll have a look at how security can become an integral part of the development process, and more than just a penetration test at the end. We’ll see how we can overcome immediate pain and get strategic focus in software security. About the Speaker: ********************* Thomas Konrad is Principal Security Consultant at SBA Research and has been part of software security team since 2010. He focuses on secure software development, web application security, penetration testing, secure software design, architecture, and process, and trains software development teams in those areas.

SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...

SBA Research

Zielgruppe: Admins, CISOs Schwerpunkt: organisatorisch & technisch Sprache: Deutsch Abstract: ********** An Hand von typischen Audit-Findings diskutieren wir entlang der „Dreifaltigkeit“ People – Processes – Technology die wichtigsten Sicherheitsaspekte zum Thema Remote Access und Telearbeit. Nachdem wir im ersten Termin bereits die Bereiche People und Processes behandelt haben, werden wir in diesem Talk auf den Bereich Technoloy eingehen und auch einen kurzen Ausblick auf einige fortgeschrittenere Ideen wie Zero Trust Architekturen geben. About the Speaker: ********************* Philipp Reisinger is consultant in the Information Security Management team. He received his master’s degree in “Information Security” at the St. Pölten University of Applied Sciences and is CISSP and CISA certified. His consulting activities are focused on the organizational aspects of information security such as: Information security management systems (ISMS), ISO27001 gap and business impact analyses, IT/IS audit, Information risk management and Security Awareness Günther Roat is consultant and team lead of the Information Security Management team at SBA Research. He is a Microsoft Certified Technology Specialist and received his degree in Business Informatics at the University of Applied Sciences Technikum Vienna. His consulting activities are focused on the organizational aspects of information security.

SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...

SBA Research

Target Group: SysAdmins, anyone interested in PKI Focus: technical Language: English Abstract: ********** Revocation of TLS certificates used by web browsers has been broken for years. Why is that, and can the newly proposed CRLite technology solve the problem? About the Speaker: ********************* Mathias Tausig is Security Consultant at SBA Research. Mathias received a master’s degree (DI / MSc) in Technical Mathematics from the University of Technology Vienna (TU Wien). His professional experience includes a tenure as a Security Officer for a Certification Authority and lecturing IT-Security at the University of Applied Sciences Campus Vienna.

SBA Live Academy - CRLite – Revocation for X.509 certificates in the browser ...

SBA Research

Zielgruppe: CEOs, CIOs, CTOs, CISOs, Supply Chain Manager Schwerpunkt: organisatorisch Sprache: Deutsch Abstract ********** Können Sie diese Frage mit „gut“ beantworten? Digitale und Cyber-Risiken werden mittlerweile als Top-Risiken für Unternehmen betrachtet. Aktuelle Entwicklungen wie Industrie 4.0, Digitalisierung, Internet of Things oder Smart Home werden diesen Trend weiter verstärken. Aber verstehen wir diese Risiken auch entlang unserer Wertschöpfungskette? Weltweit gibt es vermehrt Angriffe auf Unternehmen und deren Supply-Chain-Partner, bei denen entweder heikle (Kunden-) Daten gestohlen oder die Produktionsabläufe beeinträchtigt werden – in manchen Fällen bis hin zum Produktionsstopp. About the Speaker: *********************** Stefan Jakoubi ist Geschäftsleiter für den Bereich „Professional Services“ bei SBA Research. Er ist seit über 13 Jahren im Großraum der Informationssicherheit tätig und "Sicherheits-Architekt" für Kunden und Forschungspartner. Hierbei liegt sein spezieller Fokus auf dem balancierten Zusammenspiel geschäftlicher Anforderungen und erforderlicher Sicherheitsmaßnahmen, um Entscheidungsträger in der Erfüllung ihrer Sorgfaltspflichten entsprechend zu unterstützen. Am liebsten hält er allerdings Security Awareness Vorträge, um komplexe Themengebiete zielgruppengerecht "zu übersetzen".

SBA Live Academy, Supply Chain & Cyber Security in einem Atemzug by Stefan Ja...

SBA Research

Zielgruppe: Admins, CIO Schwerpunkt: technisch Sprache: Deutsch Abstract ********** In Unternehmen werden Vertrauensbeziehungen zwischen Active Directory Forests angelegt. Ist damit die eigene Domäne in Gefahr? Der Talk zeigt exotischere Angriffe innerhalb von Active Directory und über Forest-Grenzen hinweg. Und warum wir durch Drucker dem Untergang geweiht sind. About the Speaker: ********************* Reinhard Kugler is Principal Security Consultant at SBA Research. He focuses on secure software engineering, infrastructure security and malware analysis. Currently his main activities concentrate on penetration testing.

SBA Live Academy - Angriffe auf Windows Domains und Delegation by Reinhard Ku...

SBA Research

Abstract: Remote Access – Top Security Challenges An Hand von typischen Audit-Findings diskutieren wir entlang der „Dreifaltigkeit“ People – Processes – Technology die wichtigsten Sicherheitsaspekte zum Thema Remote Access und Telearbeit. Speaker: Günther Roat, SBA Research Philipp Reisinger, SBA Research Talk language: German About the Speaker: ********************* Günther Roat is consultant and team lead of the Information Security Management team at SBA Research. He is a Microsoft Certified Technology Specialist and received his degree in Business Informatics at the University of Applied Sciences Technikum Vienna. His consulting activities are focused on the organizational aspects of information security. Philipp Reisinger is consultant in the Information Security Management team. He received his master’s degree in “Information Security” at the St. Pölten University of Applied Sciences and is CISSP and CISA certified. His consulting activities are focused on the organizational aspects of information security such as: Information security management systems (ISMS), ISO27001 gap and business impact analyses, IT/IS audit, Information risk management and Security Awareness

SBA Live Academy - Remote Access – Top Security Challenges, Part 1 - Günther ...

SBA Research

Mehr von SBA Research (19)