Application Risk Prioritization - Hands On - Part 2 of 2 - Secure360 2015


Celebrating a decade of guiding security professionals.

@Secure360 or #Sec360 www.Secure360.org

“Hands-On” Session

by Yan Kravchenko

App Security? There is a metric for that!

About Me

Yan Kravchenko, CSSLP, CISSP, CISA, CISM, QSA

Compliance Advisory Practice Lead
[email protected]
612-455-8485
Twitter: @yanfosec
Contributor: https://www.netspi.com/blog/

Agenda

• Model Overview
• Developing Impact / Significance Factors
• Performing an Assessment
• Analyzing the Data
  – Configuring the Spreadsheet
  – Importing / entering data
  – Creating Dashboards
• Next steps

Model Overview

• Qualitative analysis of app security
• Based on OpenSAMM
• Correlates two different types of risks
• Under development
• Will be donated back to OWASP

Goals / Objectives

• Enhance the ability to manage the entire application security portfolio
• Normalize risk scoring between different applications, so that scores are comparable across the portfolio
• Allow application security optimization through efficient “what-if” calculations
• Help identify insecure applications
• Metrics should support the ability to make application security decisions
• Measure accomplishments and highlight application risk reduction activities

Developing Static Risks

• Make each one count
• Relate each risk to the business
• Focus on data that is easy to get
• Limit the list to no more than 12 factors
• Focus on “permanent” risk factors (properties of the application that do not change between assessments)

Performing an Assessment

• Identify application owners
• Roll out a survey… or not…
• Meet with application owners and review the gathered information
• If necessary, make changes quickly

Analyzing the Data

“The Spreadsheet”
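A worked illustration of the kind of sheet this section builds, added here as an example; it is not the Secure360 / OpenSAMM model or the presenter's own spreadsheet. The six static factors and their weights, the finding weights, the maturity discount and the product rule used to combine the two risk types are all assumptions, and the four-application CSV is constructed. It covers the goals above (scores normalized to 0..100 so applications are comparable, “what-if” recalculation, surfacing the riskiest applications) and the static-factor guidance (a short list of permanent, business-related, easy-to-obtain factors).

```python
"""Toy application-risk prioritization sheet.

Added example, not the Secure360 / OpenSAMM model: factor names, weights and the
combination rule are assumptions chosen to show the shape of such a spreadsheet.
"""
import csv
import io
from typing import Dict, List, Tuple

# Static ("permanent") significance factors. Each is a yes/no question an application
# owner can answer from information that is easy to get, and each ties to a business
# concern. The talk recommends keeping this list to at most 12 entries.
STATIC_FACTORS: Dict[str, int] = {          # weights are assumptions
    "internet_facing": 3,
    "handles_cardholder_data": 4,
    "handles_pii": 3,
    "revenue_critical": 3,
    "third_party_code": 1,
    "regulated": 2,
}
assert len(STATIC_FACTORS) <= 12, "keep the static factor list short enough to maintain"

# Constructed survey + assessment data standing in for the spreadsheet import.
# 1 = factor applies, 0 = it does not; findings are counts; samm_maturity is 0..3.
SAMPLE_CSV = """app,owner,internet_facing,handles_cardholder_data,handles_pii,revenue_critical,third_party_code,regulated,critical_findings,high_findings,samm_maturity
Payments Portal,alice,1,1,1,1,1,1,2,5,1
HR Intranet,bob,0,0,1,0,1,1,0,3,2
Marketing Site,carol,1,0,0,0,1,0,1,1,0
Warehouse Scheduler,dave,0,0,0,1,0,0,0,0,1
"""


def load_rows(text: str) -> List[Dict[str, str]]:
    """Parse the CSV export into one dict per application."""
    return list(csv.DictReader(io.StringIO(text)))


def static_score(row: Dict[str, str]) -> float:
    """Business significance normalized to 0..100, independent of how many factors exist."""
    total = sum(STATIC_FACTORS.values())
    hit = sum(w for name, w in STATIC_FACTORS.items() if row[name] == "1")
    return 100.0 * hit / total


def exposure_score(row: Dict[str, str]) -> float:
    """Current exposure from assessment findings, discounted by SAMM-style maturity.

    Assumption: a critical finding counts 10, a high 3, capped at 100; maturity 0..3
    scales the result by (4 - maturity) / 4, so maturity 3 leaves a quarter of it.
    """
    raw = min(100, 10 * int(row["critical_findings"]) + 3 * int(row["high_findings"]))
    maturity = int(row["samm_maturity"])
    if not 0 <= maturity <= 3:
        raise ValueError(f"{row['app']}: samm_maturity must be 0..3, got {maturity}")
    return raw * (4 - maturity) / 4


def combined_risk(row: Dict[str, str]) -> float:
    """Correlate the two risk types: exposure scaled by significance, again 0..100."""
    return static_score(row) * exposure_score(row) / 100.0


def rank(rows: List[Dict[str, str]]) -> List[Tuple[str, float]]:
    """Applications ordered from highest to lowest combined risk (the 'own Top 10' view)."""
    scored = [(r["app"], combined_risk(r)) for r in rows]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def what_if(rows: List[Dict[str, str]], app: str, **changes: str) -> Tuple[float, float]:
    """Return (before, after) risk for one application with some columns overridden,
    e.g. what_if(rows, "Payments Portal", critical_findings="0")."""
    row = next(r for r in rows if r["app"] == app)
    return combined_risk(row), combined_risk({**row, **changes})


if __name__ == "__main__":
    data = load_rows(SAMPLE_CSV)
    for name, score in rank(data):
        print(f"{name:22s} {score:6.2f}")
    print("what-if, fix both criticals on Payments Portal:",
          what_if(data, "Payments Portal", critical_findings="0"))
```

Because both component scores are normalized to 0..100 before they are combined, an application that answers “yes” to every factor and one that answers “yes” to only a few land on the same scale, which is what lets the ranking and the what-if deltas be compared across the portfolio.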

Next Steps

• Evaluate the baseline
• Find the visualizations that matter
• Report back to application owners
• Identify your own Top 10
• Increase scope / operationalize re-assessments

How you can help

• Provide feedback / ideas / criticisms
• Let the world know you are using OpenSAMM
• Consider contributing your SAMM data
• Participate in / help organize a local SIG
• Participate in local OWASP MSP chapter meetings

Questions?

• Model Overview
• Developing Impact / Significance Factors
• Performing an Assessment
• Analyzing the Data
• Next steps

Yan Kravchenko – 612-455-8485
[email protected]

Thank  you!