OpenSAMM in the Real World: Pitfalls Discovered and Treasures Collected Along the Way

OpenSAMM in the Real World: Pitfalls Discovered and Treasure Collected Along the Way Philip J. Beyer - Texas Education Agency philip.beyer@tea.state.tx.us @pjbeyer Scott Stevens - Denim Group sstevens@denimgroup.comCopyright 2011 by Texas EducationAgency. All rights reserved. LASCON 2011 http://lanyrd.com/shgmf 1

About• Phil Beyer – Information Security Officer – Consulting background• Scott Stevens – Project Manager – Application development background• TEA – ~700 employees – ~1200 school districts – ~5 million studentsCopyright 2011 by Texas EducationAgency. All rights reserved. LASCON 2011 http://lanyrd.com/shgmf 3

Where Did TEA Start?• Application Security Program already established – Some policies & procedures – Initial training & exposure to concepts – Historically siloed approach• Outsourcing for subject matter expertiseCopyright 2011 by Texas EducationAgency. All rights reserved. LASCON 2011 http://lanyrd.com/shgmf 4

Where Do You Start?• Establish your Application Security Program• Be the Champion (or find one)• Make sure your Team Gets It• Have a Roadmap to MaturityCopyright 2011 by Texas EducationAgency. All rights reserved. LASCON 2011 http://lanyrd.com/shgmf 5

The Premise• It has already started• Shortcuts don’t exist – No cheat codes – No invincibility – No God mode• There are Pitfalls• There are TreasuresCopyright 2011 by Texas EducationAgency. All rights reserved. LASCON 2011 http://lanyrd.com/shgmf 9

The Early Levels (Phase 1) Treasures• A Map – Not necessarily THE Map, but something to get started – An organizational roadmap is a powerful thing• Some Running Room – Awareness in the organization is increasingCopyright 2011 by Texas Education http://lanyrd.com/shgmf LASCON 2011Agency. All rights reserved. 10

The Early Levels (Phase 1) Pitfalls• The Log – You can’t stand still – Move through Phase 1 so you don’t get rolled over• Inertia – Getting started is just plain hard – Determining who should play is also hardCopyright 2011 by Texas Education http://lanyrd.com/shgmf LASCON 2011Agency. All rights reserved. 11

Racking Up Some Points (Phase 2) Treasures• Silver Bars – Development teams begin to appreciate the security problem• The Ladder – More of the team is involved in practicing security – You’ve found a new way around the alligator-infested pondCopyright 2011 by Texas Education http://lanyrd.com/shgmf LASCON 2011Agency. All rights reserved. 12

Racking Up Some Points (Phase 2) Pitfalls• The Alligator – There’s a dangerous thing there on the screen – Threats are real, and now they see some of them too• More Players – Other people are going to play your game – They may not play as { nice | carefully | safely } as youCopyright 2011 by Texas Education http://lanyrd.com/shgmf LASCON 2011Agency. All rights reserved. 13

Hitting Your Stride (Phase 3) Treasures• Gold Bars – Better visibility instills confidence in Management• The Compass – The Program has direction – From requirements to maintenance, a formal process starts to emergeCopyright 2011 by Texas Education http://lanyrd.com/shgmf LASCON 2011Agency. All rights reserved. 14

Hitting Your Stride (Phase 3) Pitfalls• The Scorpion – Better informed Management may sting• The Wall – A different kind of obstacle will block your path – Developers and Operators may not enjoy working together more closelyCopyright 2011 by Texas Education http://lanyrd.com/shgmf LASCON 2011Agency. All rights reserved. 15

Bigger Treasures, Deeper Pits (Phase 4) Treasures• The Bridge – Get rid of that Rope and jeer at the Alligators as you walk across – The whole Program is working together to build securely and verify aggressivelyCopyright 2011 by Texas Education http://lanyrd.com/shgmf LASCON 2011Agency. All rights reserved. 16

Bigger Treasures, Deeper Pits (Phase 4) Pitfalls• The Hole – Compliance is not Security – Don’t let Management fall into the trap at this stage of the game… It can be a pretty deep pitCopyright 2011 by Texas Education http://lanyrd.com/shgmf LASCON 2011Agency. All rights reserved. 17

The End Game (Phases 5 & 6) Treasures• Shangri-La – You’ve reached the mystical, harmonious valley; a permanently happy land isolated from the outside world – I’d tell you how it feels, but we haven’t gotten there yetCopyright 2011 by Texas Education http://lanyrd.com/shgmf LASCON 2011Agency. All rights reserved. 18

It’s Time to Play• Build a Mature Software Assurance Program• Measure and Report Your Progress• Have Fun!Copyright 2011 by Texas Education http://lanyrd.com/shgmf LASCON 2011Agency. All rights reserved. 19

Resources• OWASP – Open Web Application Security Project – http://www.owasp.org/• OpenSAMM - Software Assurance Maturity Model – http://www.opensamm.org/• Attribution – All OpenSAMM images are licensed under the Creative Commons Attribution-Share Alike 3.0 License.Copyright 2011 by Texas Education http://lanyrd.com/shgmf LASCON 2011Agency. All rights reserved. 20

http://blog.denimgroup.com	492
http://lanyrd.com	37
http://denimgroup.posterous.com	33
http://denimgroup.typepad.com	23
http://a0.twimg.com	1
http://theloop.manifestcomms.co.uk	1

OpenSAMM in the Real World: Pitfalls Discovered and Treasures Collected Along the Way

by Philip Beyer

Accessibility

Categories

Upload Details

Usage Rights

6 Embeds 587

Statistics

OpenSAMM in the Real World: Pitfalls Discovered and Treasures Collected Along the Way Presentation Transcript