Advertisement
NULL - OpenSAMM
Jan. 19, 2014•0 likes•1,337 views
2 likes
Be the first to like this
Show More
views
Total views
0
On Slideshare
0
From embeds
0
Number of embeds
0
Download to read offline
Report
Technology
Business
A presentation about processes, Secure SDLC processes, OpenSAMM and how to go about implement it
M S SripatiFollow
Senior Information Security Consultant at Leading Third Party Inspection and Certification CompanyAdvertisement
NULL - OpenSAMM
- http://digitalcatharsis.files.wordpress.com/2008/10/sleeping-man_ml.jpg Good Morning
- openSAMM { Why & How?
- http://api.ning.com/files/OMGuiScfW0WEzLqgZ-vEG1Gocfg9TzXJ*3p8tfJVh6piUZb380lsGCXDJa0aFePIDX7qFwM16dSET5kxHSYqOcFNjdBtZiK/elephant.jpg
- http://30dom.com/wp-content/uploads/2013/11/olympic-weight-lifting-wallpaperli-xueying-weightlifting-olympic--china-photos-and-wallpapers-nusxdel.jpg
- http://www.veracode.com/blog/wp-content/uploads/2013/06/bug-bounty-programs.jpg
- https://www.owasp.org/images/thumb/f/ff/Security_in_the_SDLC_Process.png/600px-Security_in_the_SDLC_Process.png
- http://www.shipulski.com/wp-content/uploads/2012/06/Impossible.jpeg
- https://s3.amazonaws.com/pbblogassets/uploads/2013/04/donkey-pulling-cart.jpg
- http://devpolicy.org/wp-content/uploads/2013/08/Value-for-money.jpg
- http://www.rms.net/roi_investreturn.gif
- http://www.you-stylish-barcelona-apartments.com/blog/wp-content/uploads/2010/09/what-to-do.JPG.jpeg
- Classification system for a set of processes / function Shows characteristics of processes over different levels Examples CMMI (DEV, SVC, ACQ) SSE-CMM BSIMM, openSAMM, etc Maturity Models
- Open Software Assurance Maturity Model OWASP Project Open framework to help organizations Formulate Implement Strategy for software security Tailored to the specific risks facing the organization openSAMM
- Recognizes 4 type of business functions Any organization performing software development would have these (names could be different) openSAMM
- 3 business practices for each function 3 objectives (for levels) under each practice 0 (implied starting point, not included) 1 (initial understanding and ad hoc provision of practice) 2 (increase efficiency / effectiveness of practice) 3 (comprehensive mastery of the practice) openSAMM - Security Practices
- openSAMM - Example
- For every level, SAMM defines Objective Activities Results Success Metrics Costs Personnel Related Levels openSAMM
- http://creativeconstruction.files.wordpress.com/2013/02/how_to_do_one_thing_at_a_time.jpg
- http://www.jasonshen.com/wp-content/uploads/2012/04/buy-in-image-560x355.jpg
- Step 2 - Perform Gap Assessment
- Step 3 - Create Roadmap / Assurance Program
- Perform practices / activities for level 1 Keep assessing it till you are satisfied and the scorecard tells you to Inform management with the updated roadmap in a periodic manner Move to next level after you are done with the previous one Step 4 - Execute with periodic reviews
- www.sripati.info http://in.linkedin.com/in/sripati Who Am I
- http://www.opensamm.org/downloads/resources/OpenSAMM-1.0.ppt http://www.opensamm.org/downloads/resources/20090602Software%20Assurance%20Maturity%20Model.ppt Credits
Editor's Notes
- Talk about how this talk is going to benefit people who want to stay connected to security but are finding it difficult to do so in the absence of a formal transition (e.g., developer, tester, etc.). Also tell them how it is a very good thing to do if you want to jump onto the technical side of security but are currently in some other job that has little relationship with security
- Ask them about what they think of this image, and get onto the different perceptions that everyone has for their work and its impact on the business (bottomline – every role / work is important towards client satisfaction, but no-one is ready to accept it, except business)
- Ask everyone about their work, and how do they go about it … then move onto why it is a process (a way of doing things), and why any change in either of the three (people, process, and technology) results in a better client satisfaction
- Talk about how many things have forced people to come to terms now that application security should be implemented from the beginning, and not patched in the end (otherwise money just piles up).
- So it gives rise to SecureSDLCs. However, in the absence of a structured approach to implement it, and a way to measure our progress and benchmarking, management sometimes make unrealistic plans / schedules, which look like this:-
- This is how managementusually expects people to implement security
- Can you tell me what is lacking here (people, process or technology)?
- Management View of secure SDLC
Advertisement