Embed Size (px)
Citation preview
_
Never
sett
le.
ww
w.i
nti
ve.c
om
Welcome
OWASP Open SAMM
Szczecin, 01-03-2017
PapryQArz - We test with taste. www.papryqarz.org
Why should I care?
1. 2014 Tesco Bank: more than 2,000 accounts was
posted on the Internet, ICO investigation followed
2. 2015 Ashley Madison: full client database leaked
3. 2015 Juniper NetScreen Firewalls: backdoor
installed into the code
4. 2015 CIA Director John Brennan: social hack on his
AOL account lead to leaking CIA creds
Am I secure?
„We host at cloud, they keep us ok!”
„We have security scanners!”
„Our devs know OWASP top 10!”
„We do penetration tests!”
Anything else?
1. Are there any other holes in my system?
2. What about next release?
3. Is my code secure?
4. Is my backup secure? My back office?
5. What about hosting…. ?
You need Strategy
1. OWASP – non profit org for cyber security
2. SAMM – Software Assurance Maturity Model
3. OpenSAMM – free SAMM by OWASP
4. OpenSAMM v 1.5 released Feb 28 ‚2017
OPEN SAMM
CONFIDENTIAL
Governance
General management of development activities.
_Strategy & metrics
_Policy & Compliance
_Education & Guidance
Construction
Definition of goals and software creation from
requirements gathering to detailed implementation.
_Security requirements
_Threat assessment
_Secure architecture
Verification
Checking and testing artifacts produced.
_Design review
_Implementation review
_Security testing
Operations
Managing software that has been created: deployment,
configuration and runing.
_Environment hardening
_Issue Management
_Operational Enablement
Objectives example - governance
Objectives example - construction
Getting started
Assess yourself
_OpenSAMM Assessment Toolbox (xls)
_36 questions: quick assessment
_Detailed assessment: verify your activities
_Gap analysis
Assesment
_ Clear representation of the maturity level
_ Each Practice rated on the scale below
_ Can capture progress over time
Your Score Card
_ Clear representation of the maturity level
_ Each Practice rated on the scale below
_ Can capture progress over time
Define your roadmap
_ Select template from OpenSAMM HowTo
_ Adjust to your needs
_ Start!
SAMM road map template
SAMM Templates
_ Independent Software Vendors
_ Online Service Providers
_ Financial Services Organizations
_ Government Organizations
Costs?
_Deployment time
_Release and process overhead
_Licenses & training
_Light assessment: 1-5 man-days
Costs - Virtualware
_Software House: between 300 devs, 12 teams
_Platform developed over 8 years
_Mixed technologies
Phase 1 - goals
Training
Phase 1 - costs
Training
:
External
:
52
37 + n
Up to:
389 d
Call in for backup
_How can we help:
_External consulting
_Penetration tests
_Training
Contact us_Never
settle.Krzysztof Machelski
Director, Security & Automation
+48 506 539 817
