OWASP Open SAMM - papryqarz.org · Why should I care? 1. 2014 Tesco Bank: more than 2,000 accounts...
Never settle. www.intive.com
Welcome
OWASP Open SAMM
Szczecin, 01-03-2017
PapryQArz - We test with taste. www.papryqarz.org
Why should I care?
1. 2014 Tesco Bank: more than 2,000 accounts were
posted on the Internet, ICO investigation followed
2. 2015 Ashley Madison: full client database leaked
3. 2015 Juniper NetScreen Firewalls: backdoor
installed into the code
4. 2015 CIA Director John Brennan: social hack on his
AOL account led to leaked CIA credentials
Am I secure?
„We host in the cloud, they keep us OK!”
„We have security scanners!”
„Our devs know the OWASP Top 10!”
„We do penetration tests!”
Anything else?
1. Are there any other holes in my system?
2. What about the next release?
3. Is my code secure?
4. Is my backup secure? My back office?
5. What about hosting…?
You need Strategy
1. OWASP – non-profit organisation for cyber security
2. SAMM – Software Assurance Maturity Model
3. OpenSAMM – free SAMM by OWASP
4. OpenSAMM v1.5 released Feb 28, 2017
OPEN SAMM
Governance
General management of development activities.
_Strategy & Metrics
_Policy & Compliance
_Education & Guidance
Construction
Definition of goals and software creation from
requirements gathering to detailed implementation.
_Security Requirements
_Threat Assessment
_Secure Architecture
Verification
Checking and testing the artifacts produced.
_Design Review
_Implementation Review
_Security Testing
Operations
Managing software that has been created: deployment,
configuration and running.
_Environment Hardening
_Issue Management
_Operational Enablement
Objectives example - governance
Objectives example - construction
Getting started
Assess yourself
_OpenSAMM Assessment Toolbox (xls)
_36 questions: quick assessment
_Detailed assessment: verify your activities
_Gap analysis
Assessment
_ Clear representation of the maturity level
_ Each Practice rated on the scale below
_ Can capture progress over time
Your Score Card
Define your roadmap
_ Select template from OpenSAMM HowTo
_ Adjust to your needs
_ Start!
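The assess / score card / gap analysis / roadmap loop above, as an added worked example. This is not code from the deck or from the OWASP SAMM toolbox: the scoring rule is a simplified assumption (a practice is at level N when every question of levels 1..N is answered "yes", with a "+" half step when the next level is only partly answered), the practice names follow SAMM 1.5 as listed on the slides, and all questions, answers and the phase-1 target are constructed sample data.

```python
"""SAMM-style maturity scoring, gap analysis and progress tracking.

Added example, not the deck's code nor the OWASP SAMM toolbox. Scoring rule
(an assumption, simplified from the toolbox): a practice is at level N when
every question of levels 1..N is answered "yes"; if the next level is only
partly answered "yes" the practice gets a "+" (0.5) on top. Practice names
follow SAMM 1.5; every question, answer and target below is constructed.
"""

# Business functions -> security practices, as on the slides (SAMM 1.5)
SAMM_MODEL = {
    "Governance": ["Strategy & Metrics", "Policy & Compliance", "Education & Guidance"],
    "Construction": ["Security Requirements", "Threat Assessment", "Secure Architecture"],
    "Verification": ["Design Review", "Implementation Review", "Security Testing"],
    "Operations": ["Environment Hardening", "Issue Management", "Operational Enablement"],
}
PRACTICES = [p for practices in SAMM_MODEL.values() for p in practices]

# answers[practice][level] -> yes/no answer per question of that level
Answers = dict[str, dict[int, list[bool]]]


def practice_score(levels: dict[int, list[bool]]) -> float:
    """Highest fully achieved level, plus 0.5 if the next level is partial."""
    score = 0
    for lvl in (1, 2, 3):
        answers = levels.get(lvl, [])
        if answers and all(answers):
            score = lvl
            continue
        # First incomplete level: partial credit if anything is in place, else stop
        return score + 0.5 if any(answers) else float(score)
    return float(score)


def assess(answers: Answers) -> dict[str, float]:
    """Score every practice of the model; unanswered practices score 0."""
    return {p: practice_score(answers.get(p, {})) for p in PRACTICES}


def gap_analysis(scores: dict[str, float], targets: dict[str, float]) -> dict[str, float]:
    """Practices below their roadmap target, with the number of missing levels."""
    return {p: round(targets[p] - scores[p], 1)
            for p in PRACTICES if scores[p] < targets.get(p, 0.0)}


def progress(before: dict[str, float], after: dict[str, float]) -> dict[str, float]:
    """Per-practice change between two assessments (progress over time)."""
    return {p: round(after[p] - before[p], 1) for p in PRACTICES if after[p] != before[p]}


def from_spec(spec: dict[str, tuple[str, str, str]]) -> Answers:
    """Expand compact 'y'/'n' strings (one per level) into answer lists."""
    return {p: {lvl: [c == "y" for c in s] for lvl, s in enumerate(levels, start=1)}
            for p, levels in spec.items()}


# Constructed baseline assessment: two questions per level, 'y' = activity in place
BASELINE_SPEC = {
    "Strategy & Metrics":     ("yn", "nn", "nn"),
    "Policy & Compliance":    ("yy", "nn", "nn"),
    "Education & Guidance":   ("yy", "yn", "nn"),
    "Security Requirements":  ("yy", "yy", "nn"),
    "Threat Assessment":      ("nn", "nn", "nn"),
    "Secure Architecture":    ("yy", "yn", "nn"),
    "Design Review":          ("yn", "nn", "nn"),
    "Implementation Review":  ("yy", "yy", "yn"),
    "Security Testing":       ("yy", "yy", "yy"),
    "Environment Hardening":  ("yy", "nn", "nn"),
    "Issue Management":       ("yy", "yn", "nn"),
    "Operational Enablement": ("nn", "nn", "nn"),
}
BASELINE = from_spec(BASELINE_SPEC)

# Constructed phase-1 roadmap target: level 1 everywhere, level 2 where the
# organisation decided to invest first
TARGET_PHASE1 = {**{p: 1.0 for p in PRACTICES},
                 "Security Requirements": 2.0, "Threat Assessment": 2.0,
                 "Implementation Review": 2.0, "Security Testing": 2.0}

# Constructed re-assessment after phase 1: two practices improved
AFTER_PHASE1 = from_spec({**BASELINE_SPEC,
                          "Strategy & Metrics": ("yy", "nn", "nn"),
                          "Threat Assessment": ("yy", "nn", "nn")})

if __name__ == "__main__":
    scores = assess(BASELINE)
    for function, practices in SAMM_MODEL.items():
        print(function)
        for p in practices:
            print(f"  {p:<24} {scores[p]:.1f}  target {TARGET_PHASE1[p]:.1f}")
    print("gaps:", gap_analysis(scores, TARGET_PHASE1))
    print("progress:", progress(scores, assess(AFTER_PHASE1)))
```

Running the script prints the score card per business function, the gap list that feeds the roadmap (here Strategy & Metrics, Threat Assessment, Design Review and Operational Enablement are below target) and the delta after the phase-1 re-assessment. The point of the half-step rule is that a practice with some level-2 activities but an incomplete level 1 still scores 0.5, which is what keeps "we do penetration tests" from masking a missing foundation.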
SAMM road map template
SAMM Templates
_ Independent Software Vendors
_ Online Service Providers
_ Financial Services Organizations
_ Government Organizations
Costs?
_Deployment time
_Release and process overhead
_Licenses & training
_Light assessment: 1-5 man-days
Costs - Virtualware
_Software House: between 300 devs, 12 teams
_Platform developed over 8 years
_Mixed technologies
Phase 1 - goals
Phase 1 - costs
Training: 52
External: 37 + n
Up to: 389 d
Call in for backup
_How can we help:
_External consulting
_Penetration tests
_Training
Contact us
Krzysztof Machelski
Director, Security & Automation
+48 506 539 817