Target Group: Anyone involved in software development
Focus: technical/organizational
Language: English
Abstract
**********
Building security into the software development and management practices of a company can be a daunting task. There are many elements to the equation: company structure, technology stacks, tools and processes, different stakeholders, competing priorities, etc. Implementing software assurance will have a significant, positive impact on an organization, yet trying to achieve this without a good framework often leads to marginal and unsustainable improvements.
About the Speaker:
*********************
Seba (https://twitter.com/Sebadele) is co-founder and CEO of Toreon. He started the Belgian OWASP chapter, co-leads the OWASP SAMM project, and co-founded the yearly BruCON conference. With a background in development and many years of experience in security, Seba has trained countless developers to create more secure software. He adapts application security models to the evolving field of DevOps and brings Threat Modeling to a wider audience (including teaching Whiteboard Hacking at Black Hat).
3. What is SAMM?
"The prime maturity model for software assurance that provides an effective and measurable way for all types of organizations to analyze and improve their software security posture."
4. "Build in" software assurance
Secure Development Lifecycle (SAMM): activities per phase, running from proactive (Design) to reactive (Production)
Design:     security requirements / threat modeling
Build:      coding guidelines, code reviews, static test tools
Test:       security testing, dynamic test tools
Production: vulnerability scanning, WAF
5. Why a maturity model?
An organization's behavior changes slowly over time, so changes must be iterative while working toward long-term goals.
There is no single recipe that works for all organizations, so a solution must enable risk-based choices tailored to the organization.
Guidance related to security activities must be prescriptive, so a solution must provide enough details for non-security people.
Overall, the OWASP Software Assurance Maturity Model (SAMM) must be simple, well-defined, and measurable. Its three properties: Measurable, Actionable, Versatile.
9. SAMM2 security practice structure
Example practice: Requirements Testing, with two streams (A: Control Verification, B: Misuse/Abuse Testing) and one activity per stream at each maturity level.

Level 1 - Opportunistically find basic vulnerabilities and other security issues.
  Stream A: Test for standard security controls
  Stream B: Perform security fuzzing testing
Level 2 - Perform implementation review to discover application-specific risks against the security requirements.
  Stream A: Derive test cases from known security requirements
  Stream B: Create and test abuse cases and business logic flaw tests
Level 3 - Maintain the application security level after bug fixes, changes or during maintenance.
  Stream A: Perform regression testing (with security unit tests)
  Stream B: Denial of service and security stress testing
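As an added illustration (not code from the talk or the SAMM project), the following Python models the practice structure above and works out, per stream, which maturity level has been reached and which activities remain for a chosen target level. The rules that levels build on each other and that a practice is only as mature as its weakest stream are assumptions made here, not SAMM's official scoring.

```python
from typing import Dict, List, Set, Tuple

# Stream/level structure of the SAMM2 "Requirements Testing" practice as
# shown on slide 9: two streams, one activity per maturity level (1..3).
REQUIREMENTS_TESTING: Dict[str, List[str]] = {
    "A: Control Verification": [
        "Test for standard security controls",
        "Derive test cases from known security requirements",
        "Perform regression testing (with security unit tests)",
    ],
    "B: Misuse/Abuse Testing": [
        "Perform security fuzzing testing",
        "Create and test abuse cases and business logic flaw tests",
        "Denial of service and security stress testing",
    ],
}

def stream_level(activities: List[str], achieved: Set[str]) -> int:
    """Highest level whose activity, and every lower level's, is achieved.
    Assumption (not stated on the slide): levels build on each other, so a
    level-2 activity without its level-1 activity does not raise the level."""
    level = 0
    for activity in activities:
        if activity not in achieved:
            break
        level += 1
    return level

def assess(practice: Dict[str, List[str]], achieved: Set[str]) -> Dict[str, int]:
    """Maturity level reached in each stream of the practice."""
    return {name: stream_level(acts, achieved) for name, acts in practice.items()}

def practice_level(practice: Dict[str, List[str]], achieved: Set[str]) -> int:
    """Assumed conservative rule: a practice is only as mature as its weakest stream."""
    return min(assess(practice, achieved).values())

def roadmap(practice: Dict[str, List[str]], achieved: Set[str],
            target: int) -> List[Tuple[str, int, str]]:
    """Activities still needed, stream by stream and in level order, to bring
    every stream up to `target`; the first entry per stream is the next iteration."""
    plan = []
    for name, acts in practice.items():
        for lvl in range(stream_level(acts, achieved), min(target, len(acts))):
            plan.append((name, lvl + 1, acts[lvl]))
    return plan
```

A team that has written abuse-case tests but never fuzzed still sits at level 0 in stream B under this rule, and `roadmap` lists the fuzzing activity before the abuse cases it has already done.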
20. Credits
Bart De Win – Project Co-Leader, Belgium
Sebastien (Seba) Deleersnyder – Project Co-Leader, Belgium
Brian Glass – United States
Daniel Kefer – Germany
Yan Kravchenko – United States
Chris Cooper – United Kingdom
John DiLeo – New Zealand
Nessim Kisserli – Belgium
Patricia Duarte – Uruguay
John Kennedy – Sweden
Hardik Parekh – United States
John Ellingsworth – United States
Sebastian Arriada – Argentina
Brett Crawley – United Kingdom
...