
OWASP Open SAMM


How to use the Software Assurance Maturity Model (SAMM) as an open guide to building security into software development.

Published in: Software


  1. Welcome: OWASP Open SAMM. Szczecin, 01-03-2017. Never settle. www.intive.com; PapryQArz - We test with taste. www.papryqarz.org
  2. Why should I care?
     1. 2014 Tesco Bank: more than 2,000 accounts were posted on the Internet; an ICO investigation followed.
     2. 2015 Ashley Madison: full client database leaked.
     3. 2015 Juniper NetScreen Firewalls: backdoor installed into the code.
     4. 2015 CIA Director John Brennan: a social-engineering hack on his AOL account led to leaked CIA credentials.
  3. Am I secure? "We use the cloud, they keep us OK!" "We have security scanners!" "Our devs know the OWASP Top 10!" "We do penetration tests!"
  4. Anything else?
     1. Are there any other holes in my system?
     2. What about the next release?
     3. Is my code secure?
     4. Is my backup secure? My back office?
     5. What about hosting...?
  5. You need a strategy
     1. OWASP: non-profit organisation for cyber security
     2. SAMM: Software Assurance Maturity Model
     3. OpenSAMM: free SAMM by OWASP
     4. OpenSAMM v1.5 released Feb 28, 2017
  6. Open SAMM contents (Never settle. www.intive.com)
  7. OPEN SAMM (slide marked CONFIDENTIAL)
  8. Governance: general management of development activities.
     - Strategy & Metrics
     - Policy & Compliance
     - Education & Guidance
  9. Construction: definition of goals and software creation, from requirements gathering to detailed implementation.
     - Security Requirements
     - Threat Assessment
     - Secure Architecture
  10. Verification: checking and testing the artifacts produced.
     - Design Review
     - Implementation Review
     - Security Testing
  11. Operations: managing software that has been created: deployment, configuration and running.
     - Environment Hardening
     - Issue Management
     - Operational Enablement
  12. Objectives example - Governance
  13. Objectives example - Construction
  14. Getting started
  15. Assess yourself
     - OpenSAMM Assessment Toolbox (xls)
     - 36 questions: quick assessment
     - Detailed assessment: verify your activities
     - Gap analysis
  16. Assessment
     - Clear representation of the maturity level
     - Each Practice rated on the scale below
     - Can capture progress over time
  17. Your Score Card
     - Clear representation of the maturity level
     - Each Practice rated on the scale below
     - Can capture progress over time
  18. Define your roadmap
     - Select a template from the OpenSAMM HowTo
     - Adjust it to your needs
     - Start!
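The assessment, score card and gap analysis steps on slides 15 to 18 can be illustrated with a small worked example. The code below is an added example, not code from OWASP or the presenter: the four business functions and twelve practices are the ones named on slides 8 to 11, and the "36 questions" figure matches one yes/no question per practice per maturity level (12 × 3). The scoring rule (a practice reaches level N only if the questions for every level up to N are answered yes), the sample answers and the Phase 1 targets are constructed assumptions, as are all function and variable names.

```python
"""Added example: minimal OpenSAMM-style self-assessment and gap analysis.

Not code from OWASP or the presenter. The practice names follow the deck;
the cumulative scoring rule, sample answers and targets are assumptions.
"""

# The four business functions and their three practices each, as on the slides.
SAMM_MODEL = {
    "Governance": ["Strategy & Metrics", "Policy & Compliance", "Education & Guidance"],
    "Construction": ["Security Requirements", "Threat Assessment", "Secure Architecture"],
    "Verification": ["Design Review", "Implementation Review", "Security Testing"],
    "Operations": ["Environment Hardening", "Issue Management", "Operational Enablement"],
}
MAX_LEVEL = 3  # maturity levels 1..3; level 0 means no activities in place


def practice_level(answers):
    """Return the maturity level (0-3) from one yes/no answer per level.

    Assumption: levels are cumulative, so the first 'no' stops the count
    (a level-2 activity without level-1 in place does not earn credit).
    """
    if len(answers) != MAX_LEVEL:
        raise ValueError(f"expected {MAX_LEVEL} answers, got {len(answers)}")
    level = 0
    for answered_yes in answers:
        if not answered_yes:
            break
        level += 1
    return level


def score_card(assessment):
    """Map every practice in the model to its level; unanswered practices score 0."""
    card = {}
    for practices in SAMM_MODEL.values():
        for practice in practices:
            card[practice] = practice_level(assessment.get(practice, [False] * MAX_LEVEL))
    return card


def function_averages(card):
    """Average level per business function, rounded for the score card."""
    return {
        function: round(sum(card[p] for p in practices) / len(practices), 2)
        for function, practices in SAMM_MODEL.items()
    }


def gap_analysis(card, targets):
    """Return (practice, current, target, gap) for practices below target, largest gap first."""
    gaps = []
    for practice, current in card.items():
        target = targets.get(practice, current)
        if not 0 <= target <= MAX_LEVEL:
            raise ValueError(f"target {target} for {practice} is outside 0..{MAX_LEVEL}")
        if current < target:
            gaps.append((practice, current, target, target - current))
    gaps.sort(key=lambda g: (-g[3], g[0]))
    return gaps


# Constructed sample answers: [level 1, level 2, level 3] per practice.
SAMPLE_ASSESSMENT = {
    "Strategy & Metrics": [True, False, False],
    "Policy & Compliance": [False, True, False],   # level 2 without level 1 scores 0
    "Education & Guidance": [True, True, False],
    "Security Requirements": [True, True, True],
    "Threat Assessment": [False, False, False],
    "Secure Architecture": [True, False, False],
    "Design Review": [True, False, False],
    "Implementation Review": [True, True, False],
    "Security Testing": [True, True, False],
    "Environment Hardening": [True, True, False],
    "Issue Management": [True, False, False],
    # "Operational Enablement" deliberately left unanswered -> level 0
}

# Constructed Phase 1 targets; practices not listed keep their current level.
PHASE1_TARGETS = {
    "Strategy & Metrics": 2,
    "Policy & Compliance": 1,
    "Threat Assessment": 2,
    "Security Testing": 3,
    "Operational Enablement": 1,
}

if __name__ == "__main__":
    card = score_card(SAMPLE_ASSESSMENT)
    for function, average in function_averages(card).items():
        print(f"{function:<13} average level {average}")
    print("Phase 1 gaps (largest first):")
    for practice, current, target, gap in gap_analysis(card, PHASE1_TARGETS):
        print(f"  {practice:<24} {current} -> {target}  (gap {gap})")
```

The gap list is the input to the roadmap step: the largest gaps (here Threat Assessment at level 0 against a target of 2) are the candidates for the first phase, and re-running the same assessment later shows progress over time, as slide 17 describes.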
  19. SAMM roadmap template
  20. SAMM templates
     - Independent Software Vendors
     - Online Service Providers
     - Financial Services Organizations
     - Government Organizations
  21. Costs?
     - Deployment time
     - Release and process overhead
     - Licenses & training
     - Light assessment: 1-5 man-days
  22. Costs - Virtualware
     - Software house: about 300 devs, 12 teams
     - Platform developed over 8 years
     - Mixed technologies
  23. Phase 1 - goals
  24. Phase 1 - costs (table residue: Training; External: 52, 37 + n; up to 389 d)
  25. Call in for backup. How can we help:
     - External consulting
     - Penetration tests
     - Training
  26. Contact us. Never settle. Krzysztof Machelski, Director, Security & Automation, +48 506 539 817, Krzysztof.Machelski@intive.com
