
SBA Live Academy - OWASP SAMM 2.0: Your Dynamic Software Security Journey by Sebastien Deleersnyder

Target Group: Anyone involved in software development
Focus: technical/organizational
Language: English

Building security into the software development and management practices of a company can be a daunting task. There are many elements to the equation: company structure, technology stacks, tools and processes, different stakeholders, competing priorities, etc. Implementing software assurance will have a significant, positive impact on an organization, yet trying to achieve this without a good framework often leads to marginal and unsustainable improvements.

About the Speaker:
Seba is co-founder and CEO of Toreon. He started the Belgian OWASP chapter, co-leads the OWASP SAMM project, and co-founded the yearly BruCON conference. With a background in development and many years of experience in security, Seba has trained countless developers to create more secure software. He adapts application security models to the evolving field of DevOps and brings Threat Modeling to a wider audience (including teaching Whiteboard Hacking at Black Hat).


  1. OWASP SAMM2 – Your Dynamic Software Security Journey. SBA Live Academy, Thursday, 14 May, 2020
  2. Sebastien Deleersnyder – CEO Toreon, Belgian OWASP chapter founder, SAMM project co-leader
  3. What is SAMM? "The prime maturity model for software assurance that provides an effective and measurable way for all types of organizations to analyze and improve their software security posture."
  4. "Build in" software assurance. [Figure: Secure Development Lifecycle (SAMM), activities mapped to phases on a scale from proactive to reactive]
     • Design: security requirements / threat modeling
     • Build: coding guidelines, code reviews, static test tools
     • Test: security testing, dynamic test tools
     • Production: vulnerability scanning, WAF
  5. Why a maturity model?
     • An organization's behavior changes slowly over time → changes must be iterative while working toward long-term goals
     • There is no single recipe that works for all organizations → a solution must enable risk-based choices tailored to the organization
     • Guidance related to security activities must be prescriptive → a solution must provide enough details for non-security people
     • Overall, OWASP Software Assurance Maturity Model (SAMM) must be simple, well-defined, and measurable: Measurable, Actionable, Versatile
  6. OWASP SAMM
  7. Core structure
  8. Per Level, SAMM defines... • Objective • Activities • Results • Success Metrics • Costs • Personnel • Related Levels
  9. SAMM2 security practice structure (example: Requirements Testing practice, streams A: Control Verification and B: Misuse/Abuse Testing)
     • Level 1 – Opportunistically find basic vulnerabilities and other security issues.
       A: Test for standard security controls. B: Perform security fuzzing testing.
     • Level 2 – Perform implementation review to discover application-specific risks against the security requirements.
       A: Derive test cases from known security requirements. B: Create and test abuse cases and business logic flaw tests.
     • Level 3 – Maintain the application security level after bug fixes, changes or during maintenance.
       A: Perform regression testing (with security unit tests). B: Denial of service and security stress testing.
  10. SAMM2 assessments – SAMM2 Toolbox:
  11. SAMM output
  12. and toolbox demo
  13. How to use SAMM? Quick-Start Guide
  14. Project: SAMM CI/CD • Single source of the truth (GitHub) • Used to generate everything automatically – document, website – toolbox – applications
  15. Current roadmap. V2.0: Jan 2020. 2020: • v2.1, 2.2, ...: iterative releases • Agile/DevOps guidance • Roadshows/trainings • Benchmark
  16. Try it!
  17. • Talks • Roundtables • Workshops
  18. Questions? Feedback? Input? #project-samm Join through
  19. SAMM newsletter
  20. Credits: Bart De Win – Project Co-Leader, Belgium; Sebastien (Seba) Deleersnyder – Project Co-Leader, Belgium; Brian Glass – United States; Daniel Kefer – Germany; Yan Kravchenko – United States; Chris Cooper – United Kingdom; John DiLeo – New Zealand; Nessim Kisserli – Belgium; Patricia Duarte – Uruguay; John Kennedy – Sweden; Hardik Parekh – United States; John Ellingsworth – United States; Sebastian Arriada – Argentina; Brett Crawley – United Kingdom; ...
  21. Thank You to Our Sponsors
  22. SUPPORT OWASP SAMM. Software powers the world, but insecure software threatens safety, trust, and economic growth.
  23. Questions or Feedback?
  24. Thank you