
Never settle. www.intive.com

Welcome

OWASP Open SAMM

Szczecin, 01-03-2017

PapryQArz - We test with taste. www.papryqarz.org

Why should I care?

1. 2014 Tesco: credentials for more than 2,000 customer accounts were posted on the Internet; an ICO investigation followed

2. 2015 Ashley Madison: the full customer database was leaked

3. 2015 Juniper NetScreen firewalls: unauthorised code (a backdoor) found in ScreenOS

4. 2015 CIA Director John Brennan: a social-engineering attack on his personal AOL account led to his documents being leaked

Am I secure?

"We host in the cloud, they keep us secure!"

"We have security scanners!"

"Our devs know the OWASP Top 10!"

"We do penetration tests!"

Anything else?

1. Are there any other holes in my system?

2. What about next release?

3. Is my code secure?

4. Is my backup secure? My back office?

5. What about hosting?

You need Strategy

1. OWASP – non-profit organisation for software and application security

2. SAMM – Software Assurance Maturity Model

3. OpenSAMM – the free SAMM published by OWASP

4. OpenSAMM v1.5 released Feb 28, 2017

OPEN SAMM

CONFIDENTIAL

Governance

General management of software development activities.

- Strategy & Metrics

- Policy & Compliance

- Education & Guidance

Construction

Definition of goals and creation of software, from requirements gathering to detailed implementation.

- Security Requirements

- Threat Assessment

- Secure Architecture

Verification

Checking and testing the artifacts produced.

- Design Review

- Implementation Review

- Security Testing

Operations

Managing the software that has been created: deployment, configuration and running.

- Environment Hardening

- Issue Management

- Operational Enablement

Objectives example - governance

Objectives example - construction

Getting started

Assess yourself

- OpenSAMM Assessment Toolbox (xls)

- Quick assessment: 36 questions

- Detailed assessment: verify your activities

- Gap analysis

Assessment

Your Score Card

- Clear representation of the maturity level

- Each practice rated on the scale below

- Can capture progress over time

Define your roadmap

- Select a template from the OpenSAMM How-To guide

- Adjust it to your needs

- Start!

SAMM road map template

SAMM Templates

- Independent Software Vendors

- Online Service Providers

- Financial Services Organizations

- Government Organizations
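The assess / score / gap-analysis / roadmap loop above is easier to reason about with numbers in hand. The Python below is an added example, not part of these slides and not the OpenSAMM Assessment Toolbox: it rolls constructed answers for the twelve SAMM v1.5 practices into a scorecard on the 0, 0+, 1, 1+, 2, 2+, 3 scale, compares the card with assumed phase-1 roadmap targets, and reports progress between two assessments. The answer scale (no/few/half/most/all), the cumulative roll-up rule, the sample answers and the targets are all assumptions made for this example; the toolbox spreadsheet has its own questions and weights.

```python
"""Simplified SAMM-style scorecard, gap analysis and progress tracking.

Added example: the scoring rule and answer scale are a simplified model,
not the OpenSAMM Assessment Toolbox's exact questions or weights.
"""

# Four business functions, three security practices each (SAMM v1.5 names).
PRACTICES = {
    "Governance": ["Strategy & Metrics", "Policy & Compliance", "Education & Guidance"],
    "Construction": ["Security Requirements", "Threat Assessment", "Secure Architecture"],
    "Verification": ["Design Review", "Implementation Review", "Security Testing"],
    "Operations": ["Environment Hardening", "Issue Management", "Operational Enablement"],
}

# Assumed answer scale for one detailed-assessment question (constructed here).
ANSWER_VALUE = {"no": 0.0, "few": 0.25, "half": 0.5, "most": 0.75, "all": 1.0}


def level_score(answers):
    """Fraction of one maturity level achieved: mean of its answers, in [0, 1]."""
    if not answers:
        raise ValueError("a maturity level needs at least one answer")
    return sum(ANSWER_VALUE[a] for a in answers) / len(answers)


def practice_score(levels):
    """Roll the three maturity levels of one practice up into a score in [0, 3].

    Levels are cumulative: a fully achieved level adds 1 and the next level is
    considered; a partially achieved level adds its fraction and stops the
    roll-up, so level-3 work done while level 1 is unmet earns nothing.
    """
    score = 0.0
    for answers in levels:
        frac = level_score(answers)
        score += frac
        if frac < 1.0:
            break
    return round(score, 2)


def rating_label(score):
    """Scorecard label: whole levels achieved, plus '+' for a partial level."""
    whole = int(score)
    return f"{whole}+" if score > whole else str(whole)


def scorecard(assessment):
    """assessment: {practice: [level1_answers, level2_answers, level3_answers]}.

    Returns {practice: score} for all twelve practices; a practice with no
    answers scores 0, which keeps unassessed areas visible on the card.
    """
    card = {}
    for practices in PRACTICES.values():
        for practice in practices:
            card[practice] = practice_score(assessment.get(practice, [["no"]]))
    return card


def gap_analysis(card, targets):
    """(practice, current, target, gap) for each practice below its target,
    largest gap first, so the roadmap starts where the organisation is weakest."""
    gaps = [(p, card.get(p, 0.0), t, round(t - card.get(p, 0.0), 2))
            for p, t in targets.items() if card.get(p, 0.0) < t]
    return sorted(gaps, key=lambda g: g[3], reverse=True)


def progress(previous, current):
    """Per-practice change between two assessments: progress captured over time."""
    return {p: round(current[p] - previous.get(p, 0.0), 2) for p in current}


# Constructed answers for two assessments of one team, two quarters apart.
ASSESSMENT_Q1 = {
    "Strategy & Metrics": [["half", "no"], ["no", "no"], ["no"]],
    "Security Testing": [["all", "all"], ["most", "most"], ["no", "no"]],
    "Implementation Review": [["all", "half"], ["no"], ["no"]],
    "Environment Hardening": [["all", "all"], ["all", "all"], ["half", "no"]],
}
ASSESSMENT_Q3 = {
    **ASSESSMENT_Q1,
    "Strategy & Metrics": [["all", "all"], ["half", "no"], ["no"]],
    "Implementation Review": [["all", "all"], ["half", "half"], ["no"]],
}

# Assumed phase-1 roadmap targets (maturity level per practice).
PHASE1_TARGETS = {
    "Strategy & Metrics": 1, "Threat Assessment": 1,
    "Implementation Review": 2, "Security Testing": 2, "Environment Hardening": 2,
}

if __name__ == "__main__":
    before, after = scorecard(ASSESSMENT_Q1), scorecard(ASSESSMENT_Q3)
    for practice, score in after.items():
        print(f"{practice:24s} {rating_label(score):>3s}  ({score})")
    for practice, current, target, gap in gap_analysis(after, PHASE1_TARGETS):
        print(f"gap {gap:.2f}: {practice} at {current}, phase-1 target {target}")
    print({p: d for p, d in progress(before, after).items() if d})
```

The cumulative rule is the point worth keeping: a team that buys a scanner (level-2 Security Testing work) without basic test planning still scores 0 for the practice, which is what the "We have security scanners!" slide is getting at. Unassessed practices stay on the card at 0 rather than disappearing, so the gap analysis also surfaces what nobody has looked at yet.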

Costs?

- Deployment time

- Release and process overhead

- Licenses & training

- Light assessment: 1-5 man-days

Costs - Virtualware

- Software house: around 300 developers in 12 teams

- Platform developed over 8 years

- Mixed technologies

Phase 1 - goals

Training

Phase 1 - costs

Training: 52

External: 37 + n

Up to: 389 d

Call in for backup

How can we help:

- External consulting

- Penetration tests

- Training

Contact us

Krzysztof Machelski

Director, Security & Automation

+48 506 539 817

Krzysztof.Machelski@intive.com
