How is Your AppSec Program Doing Compared to Others?


DESCRIPTION

Organizations that build software and worry about security continually are asking, "How do we stack up to others?" If you are starting or inheriting an application security program that is underway, you're probably curious how your organization stacks up against others. Are you doing the right set of application testing activities? Are you training your developers to write more secure code in the most efficient manner? Does your SDLC need a review to determine whether security activities need to be included throughout? A popular framework for benchmarking an organization’s software security activities is called the Open Software Assurance Maturity Model (OpenSAMM) developed and published by the Open Web Application Security Project (OWASP). To hear the full webinar, hit this link - http://denimgroup.com/webinar_How-is-Your-AppSec-Program-Doing-Compared-to-Others.html


Page 1: How is Your AppSec Program Doing Compared to Others

© Copyright 2014 Denim Group - All Rights Reserved

How is Your AppSec Program Doing Compared to Others?

John B. Dickson, CISSP
@johnbdickson #appseccheck

Page 2: Denim Group Overview

• Professional services firm that builds & secures enterprise applications
  • External application assessments
    • Web, mobile, and cloud
  • Software development lifecycle (SDLC) consulting
  • Network and information security assessments
• Secure development services:
  • Secure .NET and Java application development
  • Post-assessment remediation
• Classroom and e-Learning for PCI compliance

Page 3: How is Your AppSec Program Doing Compared to Others

• Application Security Enthusiast
• Helps CSOs and CISOs with Application Security Programs
• ISSA Distinguished Fellow
• Experience Delivering Application Security Maturity Assessments

Page 4: Current State of Affairs in Application Security

• Many, if not most, organizations equate application security with dynamic scanning
• Most companies still use compliance reasons to justify application security resources (e.g., PCI)
• Wildly divergent strategies exist across industries and companies

Page 5: Results: Breaches Occur Where Applications are the Attack Vector

Page 6: The Business Case for Benchmarking

• Application security resources are largely focused on two technologies: dynamic scanning and WAFs
• Sophisticated CISOs and AppSec managers want to know how they are doing relative to their peers; so do CEOs, CFOs and Boards, because of high-visibility breaches
• Is AppSec "spend" in line with that of industry peers?

Page 7: Background on OpenSAMM

• Open Software Assurance Maturity Model
  • Open framework to enable organizations to implement a software security
  • One of two popular competing models
• Authored by an Industry Group from the Open Web Application Security Project (OWASP)
• So comprehensive that at least one Big 4 audit firm uses it to audit software security programs

Page 8: Background on OpenSAMM

• Four areas of Business Functions
  • Governance
  • Construction
  • Verification
  • Deployment
• Twelve Security Practices
  • Example: Governance
    • Strategy and Metrics
    • Education and Guidance
    • Policy and Compliance

Page 9: Challenges of any Maturity Assessment

• How can one infer results across the entire organization?
• Development groups within organizations may differ radically in practices, tools, etc.
• Different assessors might produce different results
• Still heavily reliant on interviews
  • How long should an interview be?
  • Security technologies and practices might exist in some groups, not others.

Page 10: How You Can Put OpenSAMM to Work

• OpenSAMM has different levels of maturity; only a small number of organizations can aspire to meeting Level 3 maturity.
• You may wish to stick to Level 1, which is a basic, measurable level of capabilities.
• If your organization is global or widely dispersed, start with one business unit or development group to learn the methodology and assess results.

Page 11: OpenSAMM Valid Maturity Levels

• 0 - Implicit starting point representing the activities in the Practice being unfulfilled
• 1 - Initial understanding and ad hoc provision of Security Practice
• 2 - Increase efficiency and/or effectiveness of the Security Practice
• 3 - Comprehensive mastery of the Security Practice at scale

Page 12: How You Can Put OpenSAMM to Work

Level 1 objectives and their activities:

1. Establish a unified strategic roadmap for software security within the organization.
   A. Estimate overall business risk profile
   B. Build and maintain assurance program roadmap

2. Understand relevant governance and compliance drivers to the organization.
   A. Identify and monitor external compliance drivers
   B. Build and maintain compliance guidelines

3. Offer development staff access to resources around the topics of secure programming and deployment.
   A. Conduct technical security awareness training
   B. Build and maintain technical guidelines
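To show how the 0-3 scale from Page 11 and the Level 1 activities from Page 12 combine into a scorecard, here is an added example (not code from the deck, from Denim Group, or from the OpenSAMM project) that scores a self-assessment of the three Governance practices named on Page 8. The scoring rule (a practice reaches level N only when every activity at levels 1 through N is performed, so a gap at a low level caps the score) and the Level 2/3 placeholder activity names are assumptions, as is the sample answer set.

```python
# Added example, not from the deck: score an OpenSAMM-style self-assessment
# of the Governance function on the 0-3 scale from slide 11. Practice names
# are from slide 8, Level 1 activities from slide 12; Level 2/3 activities are
# placeholders. Assumed rule (a simplification, not OpenSAMM's own scoring):
# a practice is at level N when every activity for levels 1..N is performed.
GOVERNANCE = {
    "Strategy and Metrics": {
        1: ["Estimate overall business risk profile",
            "Build and maintain assurance program roadmap"],
        2: ["SM level 2 placeholder"], 3: ["SM level 3 placeholder"]},
    "Policy and Compliance": {
        1: ["Identify and monitor external compliance drivers",
            "Build and maintain compliance guidelines"],
        2: ["PC level 2 placeholder"], 3: ["PC level 3 placeholder"]},
    "Education and Guidance": {
        1: ["Conduct technical security awareness training",
            "Build and maintain technical guidelines"],
        2: ["EG level 2 placeholder"], 3: ["EG level 3 placeholder"]},
}

def practice_level(activities: dict, performed: set) -> int:
    """Highest level N such that levels 1..N are all fully performed."""
    reached = 0
    for level in sorted(activities):
        if not all(a in performed for a in activities[level]):
            break  # a gap here caps the practice at the level below it
        reached = level
    return reached

def scorecard(function: dict, performed: dict) -> dict:
    """Per-practice level plus the Level 1 activities still missing."""
    card = {}
    for name, acts in function.items():
        done = performed.get(name, set())
        card[name] = {"level": practice_level(acts, done),
                      "level1_gaps": [a for a in acts[1] if a not in done]}
    return card

SAMPLE = {  # constructed self-assessment answers for one development group
    "Strategy and Metrics": {"Estimate overall business risk profile"},
    "Policy and Compliance": {"Identify and monitor external compliance drivers",
                              "Build and maintain compliance guidelines",
                              "PC level 2 placeholder"},
    "Education and Guidance": {"Conduct technical security awareness training",
                               "Build and maintain technical guidelines",
                               "EG level 3 placeholder"},  # L3 done, L2 not
}

if __name__ == "__main__":
    for practice, r in scorecard(GOVERNANCE, SAMPLE).items():
        print(f"{practice}: level {r['level']}, Level 1 gaps {r['level1_gaps']}")
```

In the sample, Education and Guidance stays at level 1 despite a Level 3 activity being done, which is the capping behaviour an assessor needs when a group has skipped ahead.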

Page 13: Conclusions

• OpenSAMM is an effective mechanism to identify how your software security program is doing compared to others
• Data collection and analysis are key to any benchmarking activity
• Sophisticated companies are conducting assessments to identify software risk and secure resources

Page 14: Questions?

John B. Dickson
@johnbdickson
[email protected]