Page 1

The OWASP Foundation, http://www.owasp.org

Building a Security Initiative (Field +XP & Measures)

-jOHN (Steven), Internal CTO, Cigital Inc.
@m1splacedsoul

Page 2

This Presentation… is about observed trends; DISCUSSION to follow

Wild West AppSec: State of assessment
Growing Up: Security Initiatives
BSIMM: Measuring Security Initiatives
What Most Firms Are ‘On Top’ of…
What Firms Struggle with Today

Page 3

’06: Shift Philosophy to HOW

Cigital’s Touchpoints
Microsoft’s SDL
OWASP CLASP
(2001)

Page 4

State of Assessment

Page 5

Assessment is TOUGH

Dynamic Assessment (tools): <= 10% statement coverage, IFF authenticated
Manual Penetration Testing? Including “Expert Crawling”
What about static analysis (tools)?
SCR?

Page 6

Actual Results: Breakdown

Static tool: 20%; Dynamic tool: 5%; Manual SCR: 15%; Architecture Risk Analysis: 60%

Static tool: 12%; Dynamic tool: 12%; Manual SCR: 21%; Manual Pen: 21%; ARA: 14%; Sec Testing: 20%

Page 7

We Won’t Test Our Way to Security; Orgs need Security Initiatives


Page 9

A software security initiative

A software security initiative is an executive-backed, permanently-staffed, metrics-driven investment in software security policy and standards, “secure SDLC” gates, and governance knowledge, processes, and tools, to implement capabilities across a reasonable cross-section of the application portfolio.

“When I use a word… it means just what I choose it to mean, neither more nor less.” -H. Dumpty

Page 10

Security Initiative != (does *NOT* mean…)

Heavy
Waterfall
Process
Microsoft SDL
Audit

Page 11

Security Initiative ~= (may look very different than other organizations’)

Needs to match an organization’s culture

Page 12

Where Orgs Are

…and how do we know? We’ve measured.

Page 13

Building BSIMM (2009)

Big idea: Build a maturity model from actual data gathered from 9 well-known large-scale software security initiatives
Create a software security framework
Interview nine firms in person
Discover 110 activities through observation
Organize the activities in 3 levels
Build scorecard
The model has been validated with data from 51 firms

Page 14

Prescriptive vs. Descriptive

Prescriptive models describe what you should do: SAFECode, SAMM, SDL, Touchpoints
Every firm has a methodology they follow (often a hybrid)
You need an SSDL
Descriptive models describe what is actually happening
The BSIMM is a descriptive model that can be used to measure any number of prescriptive SSDLs

Page 15

Monkeys Eat Bananas

BSIMM is not about good or bad ways to eat bananas or banana best practices
BSIMM is about observations
BSIMM is descriptive, not prescriptive
BSIMM describes and measures multiple prescriptive approaches

Page 16

Yeah but we’re different

You *are* a special snowflake, just like everyone else
All snowflakes are equally special
No matter how special a snowflake you are, you’ll still melt when it’s hot out.

Page 17

…but they’re HUGE right?

Page 18

BSIMM Basics

Page 19

A Software Security Framework

Four domains, twelve practices
See the InformIT article on the BSIMM website, http://bsimm.com

Page 20

Architecture Analysis Practice Skeleton

Page 21

…It could have been worse

Page 22

Where Orgs Are (Actually this time)

Page 23

We Hold These Truths to be Self-evident

Someone (a security group) has to be responsible
Software security is more than a set of security functions
  Not magic crypto fairy dust
Non-functional aspects of design are essential
  Not silver-bullet security mechanisms
Bugs and flaws are 50/50
To end up with secure software, deep integration with the SDLC is necessary

Page 24

12 Common Activities

1. SM1.4 Identify gate locations, gather necessary artifacts;
2. CP1.2 Identify PII obligations;
3. T1.1 Provide awareness training;
4. AM1.5 Gather attack intelligence;
5. SFD1.1 Build and publish security features;
6. SR1.1 Create security standards;
7. AA1.1 Perform security feature review;
8. CR1.4 Use automated tools along with manual review;
9. ST1.1 Ensure quality assurance (QA) supports edge/boundary value condition testing;
10. PT1.1 Use external penetration testers to find problems;
11. SE1.2 Ensure host and network security basics are in place; and
12. CMVM1.2 Identify software defects found in operations monitoring and feed them back to development.

Page 25

Evolving Initiatives (2012)

Build an SSG
Something in Architecture
Use automated tools @ scale
Security Sign-off

Page 26

Something in Architecture

Us vs. Them *
Ugly babies *
Unfunded fixes *
Lock-in *

Page 27

One Architecture Climb

Activities (the slide plots these against the timeline below; the layout did not survive extraction):
1.2 Perform Review
1.3 SSG Reviews
1.1 Feature Review
2.2 Standardize Descriptions
2.3 Make SSG Available
3.2 Results Arch. Patterns

Timeline: Year 1, Year 2, Year 3, Year 5

Page 28

Automation = <anything> + Plumbing

Page 29

Static Step by Step

Page 30

Plumbing can mean email…

Page 31

Real Sign-off

Page 32

Evolving Initiatives (2014)

Metrics driving budget
Gather attack intelligence
Security comes to Agile
Open source risk
Something in Architecture, maybe threat modeling? (again)
Security BAU
Dev doing Security (particularly static testing)
CM & VM plumbing (making previous ideas tools)

Page 33

Metrics-driven Budget

Page 34

Security Intelligence

Page 35

Threat Traceability Matrix

Who: Threat
Where: Attack Surface
What: Asset/Privilege
How: Attack Vector
So what?: Impact
Now what?: Mitigation

Page 36

Addressing Threat Intel helps the Something (Anything) in architecture

Page 37

SSIs Fit Naturally into Agile

Top 2,3; Awareness (pre-training)
Top 10; Passwords, SSL; [Open Source]; Automation
Configuration Mgmt, plumbing; Infrastructure Security; API
Threat Modeling; Risk Management; Security Libraries

Page 38

Vuln + Config. Management

Build a pile, rank the pile
  Rank applications w/in portfolio
Call a spade a spade
  Standardize names for vulnerabilities
  Normalize assessment / tool scoring
Prioritize
  Calculate risk effectively
Go from “hated cop” to B.A.U.
  Establish security gates
  Integrate with normal change/bug management
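The "build a pile, rank the pile" steps above, worked through as an added example that is not from the slides or from Cigital: findings from several assessment sources are mapped to standard vulnerability names, their tool-specific scores are normalized to one 0..10 scale, duplicates of the same issue are collapsed, and applications are ranked within the portfolio. The tool names, name mappings, scales, exposure weights and findings are all constructed sample data.

```python
"""Normalize, deduplicate and rank a pile of findings from several tools.
Added example (not from the slides); all names and numbers are constructed."""
from collections import defaultdict

# Constructed mapping from tool-specific finding names to one standard name
STANDARD_NAMES = {
    "sqli": "SQL Injection", "SQL_INJECTION": "SQL Injection",
    "xss-reflected": "Cross-Site Scripting", "XSS": "Cross-Site Scripting",
    "weak-tls": "Weak TLS Configuration",
}
# Constructed maximum score of each tool's own scale; everything becomes 0..10
TOOL_SCALES = {"static-a": 5.0, "dast-b": 100.0, "pentest": 10.0}

def normalize(finding):
    """Return (app, standard_name, score_0_to_10) for one raw finding."""
    name = STANDARD_NAMES.get(finding["name"], finding["name"])
    score = 10.0 * finding["score"] / TOOL_SCALES[finding["tool"]]
    return finding["app"], name, round(min(score, 10.0), 2)

def build_pile(findings):
    """Collapse the same issue reported by several tools per app, keeping the highest score."""
    pile = defaultdict(dict)
    for raw in findings:
        app, name, score = normalize(raw)
        pile[app][name] = max(pile[app].get(name, 0.0), score)
    return pile

def rank_portfolio(pile, exposure):
    """Risk per app = sum of its normalized scores times an exposure weight (1..3).
    Returns (app, risk) pairs, highest risk first."""
    risk = {app: round(sum(v.values()) * exposure.get(app, 1), 2) for app, v in pile.items()}
    return sorted(risk.items(), key=lambda kv: kv[1], reverse=True)

# Constructed sample findings from three assessment sources
SAMPLE = [
    {"app": "billing", "tool": "static-a", "name": "sqli", "score": 5},
    {"app": "billing", "tool": "dast-b", "name": "SQL_INJECTION", "score": 80},
    {"app": "billing", "tool": "pentest", "name": "weak-tls", "score": 4},
    {"app": "portal", "tool": "dast-b", "name": "xss-reflected", "score": 60},
    {"app": "portal", "tool": "static-a", "name": "XSS", "score": 3},
    {"app": "intranet", "tool": "static-a", "name": "XSS", "score": 4},
]
# Constructed exposure weights: internet-facing = 3, partner-facing = 2, internal = 1
EXPOSURE = {"billing": 3, "portal": 2, "intranet": 1}

if __name__ == "__main__":
    for app, risk in rank_portfolio(build_pile(SAMPLE), EXPOSURE):
        print(f"{app:10s} risk={risk}")
```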