Strategic Usage of the OWASP SAMM and DSOMM

Transcription

Strategic Usage of the OWASP SAMM and DSOMM. Timo Pagel

Agenda: Introduction/Motivation; High Level Approaches; Detailed Usage; Conclusion


About Me: DevSecOps Consultant; Lecturer for Security in Web Applications at different Universities; Open Source / Open Knowledge Enthusiast. OWASP projects: OWASP DevSecOps Maturity Model, OWASP Juice Shop, OWASP Security Pins, OWASP DefectDojo, OWASP Software Assurance Maturity Model


Target Audience: Security People (Information and Technical Security); Technical Upper Management (CTO); Enthusiastic Developers, Operators, C-Level

DevOps encourages a cultural change to overcome the friction created by silos.

Speed / Fast Releases; Independent Teams; Different Skills; Automation

Problem Statement: How to enhance security, both in DevOps strategies and through DevOps strategies? How to prioritize security?

DevOps Dimensions: Build and Deployment; Culture and Organisation; Information Gathering; Hardening; Test and Verification

Target of Security Maturity Models: analyse current software security practices, build a security program in defined iterations, show progressive improvements in secure practices, and define and measure security-related activities. Based on Brian Glas, imm-and-samm/

Agenda: Introduction/Motivation; High Level Approaches; Usage; Conclusion

Simplified view on ISO 27001, OWASP SAMM and OWASP DSOMM, from high level to doing: ISO 27001 covers the ISMS at the high level; OWASP SAMM covers the business functions from Governance ... to Verification; OWASP DSOMM covers the DevOps dimensions (Build & Deployment, Culture and Org., Test and Verification, ...) down to the doing. DSOMM adds dynamic depth activities, for example Simple Scan, Usage of different roles, JavaScript.

Target Groups SAMM 2.0: Security: assessment; Engineers/CTO: spider web; C-Level Management: spider web and definition of targets

Audit / Compliance View: High Level: ISMS; DSOMM: dynamic depth activities (Simple Scan, Usage of different roles, JavaScript); Doing

SAMM and DSOMM. SAMM ("Standard"): high level overview; management topics like compliance and governance; planning of high level targets; mapping to ISO in the future. DSOMM (Emerging): low level overview; only DevSecOps topics; planning of concrete targets; mapping to ISO/SAMM; ISMS: documentation in DSOMM

Mapping to ... and ISO 27001

Sample Target Groups. Security: assessment; Engineers/CTO: spider web; C-Level: spider web and definition of targets. Security: assessment and pre-selection of targets; Engineers/CTO: discussion of how to implement; All: heatmap / number of planned and implemented activities

Strategic Approaches: Top-to-Bottom; Team Independency by Maturity; Interactive with Teams

Approach: Top-to-Bottom. Management support: define targets with the management for the next 3-24 months, then define activities.

Approach: Team Independency by Maturity. Pre-requirement: C-Level is convinced. Definition of maturity levels for teams and their "independency": Is a team allowed to roll out software on their own? Is a pentest required for each rollout? Show maturity: Belts.

Approach: Interactive with Teams. Definition of targets with the team: What is your plan for the next 6 months? Hint: Developers/Operations are not security people; explanation of each activity is time consuming; reduction of activities needed.

DSOMM Adoption needs to be customized: remove/add planned activities and present the targets to the teams from the data/ dimension yaml's.

DSOMM Communication: ACTUAL/TARGET spider web diagram with heatmap. Start a container with customized data on the selected Data.csv (ro).
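The two slides above describe adapting the DSOMM activity data (remove or add planned activities) and then communicating ACTUAL versus TARGET per dimension as a spider web or heatmap. The following Python is an added example, not DSOMM project code: it works on a nested dimension -> sub-dimension -> activity structure that mirrors the layout of the DSOMM data YAML files, but the attribute keys `level`, `implemented` and `planned`, the activity names and the level-aggregation rule are assumptions of this example, and the sample data is constructed.

```python
"""Customize a DSOMM-style activity tree and aggregate ACTUAL/TARGET per dimension.

Added example (not DSOMM's own code). Keys and activity names are assumptions.
"""
import copy

# Constructed sample in the shape of customized DSOMM dimension data.
ACTIVITIES = {
    "Build and Deployment": {
        "Build": {
            "Defined build process": {"level": 1, "implemented": True, "planned": True},
            "Build and test in virtual environments": {"level": 2, "implemented": False, "planned": True},
            "Signing of artifacts": {"level": 3, "implemented": False, "planned": False},
        },
        "Deployment": {
            "Defined deployment process": {"level": 1, "implemented": True, "planned": True},
            "Rolling update on deployment": {"level": 2, "implemented": True, "planned": True},
        },
    },
    "Hardening": {
        "Applications": {
            "Usage of different roles": {"level": 1, "implemented": False, "planned": True},
            "Contextualized encoding": {"level": 2, "implemented": False, "planned": False},
        },
    },
}


def customize(activities, remove=(), add=()):
    """Copy the tree, drop (dim, subdim, name) triples in `remove` and insert
    (dim, subdim, name, attrs) tuples from `add`. The input is left untouched."""
    tree = copy.deepcopy(activities)
    for dim, sub, name in remove:
        tree.get(dim, {}).get(sub, {}).pop(name, None)
    for dim, sub, name, attrs in add:
        tree.setdefault(dim, {}).setdefault(sub, {})[name] = dict(attrs)
    return tree


def reached_level(subdims, done):
    """Highest level L such that every activity with level <= L satisfies done();
    0 if the lowest outstanding activity is at level 1 (assumed rule, a simplification)."""
    levels = [a["level"] for sd in subdims.values() for a in sd.values()]
    if not levels:
        return 0
    pending = [a["level"] for sd in subdims.values() for a in sd.values() if not done(a)]
    return (min(pending) - 1) if pending else max(levels)


def aggregate(activities):
    """Per dimension: implemented and planned counts plus ACTUAL and TARGET level."""
    result = {}
    for dim, subdims in activities.items():
        acts = [a for sd in subdims.values() for a in sd.values()]
        result[dim] = {
            "implemented": sum(1 for a in acts if a["implemented"]),
            "planned": sum(1 for a in acts if a["planned"]),
            "actual_level": reached_level(subdims, lambda a: a["implemented"]),
            "target_level": reached_level(subdims, lambda a: a["implemented"] or a["planned"]),
        }
    return result


def heatmap(aggregated, max_level=4):
    """Text heatmap: '#' = reached (ACTUAL), '+' = planned (TARGET), '.' = open."""
    lines = []
    for dim, row in aggregated.items():
        cells = "".join(
            "#" if lvl <= row["actual_level"] else "+" if lvl <= row["target_level"] else "."
            for lvl in range(1, max_level + 1)
        )
        lines.append(f"{dim:<22} {cells}  actual={row['actual_level']} target={row['target_level']} "
                     f"({row['implemented']}/{row['planned']} activities)")
    return "\n".join(lines)


if __name__ == "__main__":
    adapted = customize(
        ACTIVITIES,
        remove=[("Hardening", "Applications", "Contextualized encoding")],
        add=[("Hardening", "Applications", "Simple Scan",
              {"level": 1, "implemented": False, "planned": True})],
    )
    print(heatmap(aggregate(adapted)))
```

The same aggregation feeds a spider web chart directly: one axis per dimension, ACTUAL and TARGET as the two series.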

Requirements / Level 0: Onboard Product Owner and Manager in Security; Get to Know Security Policies; Continuously Improve your Security Belt Rank; Review Security Belt Activities; Utilize Pairing when Starting an Activity. Based on: AppSecure-nrw White Belt, ee/master/white

Agenda: Introduction/Motivation; High Level Approaches; Usage; Conclusion

SAMM Structure: Business Function (category of activities) > Security Practice (sub categories) > Stream A / Stream B (logical flows, each practice divided into two streams) > Maturity Level 1, 2 and 3 Activity (higher is better)

DSOMM Structure: DevOps Dimension (category) > Sub-Dimension (sub category) > Maturity Level 1, 2, 3 and 4 Activity (higher is better)


DevSecOps Dimensions: Build and Deployment; Culture and Organisation; Information Gathering; Hardening; Test and Verification

Build and Deployment, example "Reduction of the attack surface": walking the structure from Dimension to Sub-Dimension to Activity

Maturity Levels. Level 1: Basic understanding of security practices. Level 2: Adoption of basic security practices. Level 3: High adoption of security practices. Level 4: Advanced deployment of security practices at scale.

White Spots: areas where activities are important, but no activity exists

Implementation > Secure Build > Build Process. Level 1: Determine a value for each generated artifact that can be later used to verify its integrity [...]. Level 2: The automated process [...] code signing certificate or access to repositories.
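The Level 1 requirement quoted above (a value per generated artifact that can later verify its integrity) and the Level 2 mention of signing are concrete enough to show in code. The block below is an added example, not SAMM's or the talk's own code: each artifact gets a SHA-256 digest recorded in a SHA256SUMS-style manifest, and, as a stand-in for the code signing certificate SAMM mentions at Level 2, the manifest is authenticated with an HMAC-SHA256 key assumed to be held by the build system. The artifact files, key and tampering steps in `demo()` are constructed.

```python
"""Record an integrity value per build artifact and verify it later.

Added example; not SAMM project code. HMAC in place of a signing certificate is an
assumption of this example.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path


def digest_file(path, chunk=1 << 16):
    """SHA-256 of a file, streamed so large artifacts do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(artifact_dir):
    """Map relative artifact path -> sha256 hex for every file under artifact_dir."""
    root = Path(artifact_dir)
    return {p.relative_to(root).as_posix(): digest_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def serialize(manifest):
    """Canonical text form (sorted, SHA256SUMS layout) so the signature is deterministic."""
    return "".join(f"{d}  {name}\n" for name, d in sorted(manifest.items()))


def sign_manifest(manifest, key):
    """Authenticate the manifest with a build-system key (stand-in for code signing)."""
    return hmac.new(key, serialize(manifest).encode(), hashlib.sha256).hexdigest()


def verify(artifact_dir, manifest, signature, key):
    """Return (ok, problems). Reject a forged manifest first, then compare every artifact."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, ["manifest signature mismatch"]
    current = build_manifest(artifact_dir)
    problems = []
    for name, expected in manifest.items():
        actual = current.get(name)
        if actual is None:
            problems.append(f"missing: {name}")
        elif actual != expected:
            problems.append(f"modified: {name}")
    for name in current:
        if name not in manifest:
            problems.append(f"unexpected: {name}")
    return not problems, problems


def demo():
    """Constructed build output: verify clean, after tampering, and with a re-written manifest."""
    key = b"constructed-demo-key-not-for-production"
    with tempfile.TemporaryDirectory() as d:
        Path(d, "app.jar").write_bytes(b"jar bytes")
        Path(d, "config").mkdir()
        Path(d, "config", "app.yaml").write_text("debug: false\n")
        manifest = build_manifest(d)
        sig = sign_manifest(manifest, key)
        clean = verify(d, manifest, sig, key)
        # Tamper: change a config file and drop an extra file into the artifact set.
        Path(d, "config", "app.yaml").write_text("debug: true\n")
        Path(d, "extra.sh").write_text("#!/bin/sh\n")
        tampered = verify(d, manifest, sig, key)
        # An attacker rewriting the manifest without the key is caught by the signature.
        forged = dict(manifest, **{"extra.sh": digest_file(Path(d, "extra.sh"))})
        resigned = verify(d, forged, sig, key)
        return clean, tampered, resigned


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The digests alone cover Level 1; the signature check is what stops someone who can edit the artifact store from also editing the manifest, which is the gap Level 2 closes with proper code signing.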

SAMM and DSOMM Structure in Detail. Made for management, very schematic; always follows the scheme; no empty levels. Examples: Verification > Security Testing; Implementation > Defect Management


Missing In DSOMM (SAMM streams without a DSOMM counterpart):

index  id        function    practice                 maturity  stream
-----  --------  ----------  -----------------------  --------  -----------------------------------------
36     G-PC-1-A  Governance  Policy & Compliance      1         Policy & Standards
44     G-PC-1-B  Governance  Policy & Compliance      1         Compliance Management
31     G-PC-2-A  Governance  Policy & Compliance      2         Policy & Standards
33     G-PC-2-B  Governance  Policy & Compliance      2         Compliance Management
24     G-PC-3-A  Governance  Policy & Compliance      3         Policy & Standards
67     G-PC-3-B  Governance  Policy & Compliance      3         Compliance Management
9      O-OM-1-A  Operations  Operational Management   1         Data Protection
2      O-OM-1-B  Operations  Operational Management   1         System Decomissioning / Legacy Management
63     O-OM-2-A  Operations  Operational Management   2         Data Protection
19     O-OM-2-B  Operations  Operational Management   2         System Decomissioning / Legacy Management
41     O-OM-3-A  Operations  Operational Management   3         Data Protection
68     O-OM-3-B  Operations  Operational Management   3         System Decomissioning / Legacy Management
[...]

Based on dsomm-orm mysql-queries.yaml from Roberto Polli

Comparison of Models: count of activities per SAMM maturity level and business function (Verification, Operations, ...); figures as transcribed: SAMM 1: 0 3 8 1 2 3 2; SAMM 2: 0 0 1 2 2 4 1 1; SAMM 3: 0 0 1 5 1. Based on dsomm-orm mysql-queries.yaml from Roberto Polli

Comparison of Models: count per level and SAMM practice (D-TA*, I-DM*, I-SB*, I-SD*, O-EM*, O-IM*, O-SR*, V-ST*, G*); figures as transcribed: 1332323811202072301012403001000150. Based on dsomm-orm mysql-queries.yaml from Roberto Polli

Analysis of Models: count of activities per SAMM maturity level and business function (Verification, Operations, ...); figures as transcribed: SAMM 1: 0 3 8 1 2 3 2; SAMM 2: 0 0 1 2 2 4 1 1; SAMM 3: 0 0 1 5 1. Based on dsomm-orm mysql-queries.yaml from Roberto Polli

Analysis: Operations > Environment Management > Patching and Updating. DSOMM needs to align level 1/2. SAMM Level 3: "Develop and use management dashboards/reports to track compliance with patching processes and SLAs [...]" corresponds to DSOMM Information Gathering.

How Deep? SAMM: "Perform best-effort hardening of configurations, based on readily available information." DSOMM: Removal of not needed components, dependencies, files or file access rights. Implementation hint: Distroless, Fedora CoreOS; usage of distroless images and a small operating system.
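The DSOMM activity quoted above is concrete down to "file access rights", and that part can be checked mechanically on an image filesystem or host. The Python below is an added example, not code from the talk or either OWASP project: it flags world-writable files, world-writable directories without the sticky bit, and setuid/setgid binaries outside an allow-list, first on constructed `(path, st_mode)` pairs and, through `audit_tree()`, on a real directory. The allow-list of expected setuid binaries is an assumption for the example.

```python
"""Audit file access rights that widen the attack surface (added example).

Not from the talk or the DSOMM/SAMM projects; EXPECTED_SETUID is an assumption.
"""
import os
import stat

# Constructed allow-list: setuid binaries an image is expected to keep (assumption).
EXPECTED_SETUID = {"/usr/bin/passwd", "/usr/bin/sudo"}


def classify(path, mode):
    """Return the findings for one path given its st_mode (empty list = fine)."""
    findings = []
    if stat.S_ISLNK(mode):
        return findings  # symlink mode bits are meaningless; the target is audited itself
    if stat.S_ISDIR(mode):
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings.append("world-writable directory without sticky bit")
        return findings
    if mode & stat.S_IWOTH:
        findings.append("world-writable file")
    if mode & stat.S_ISUID and path not in EXPECTED_SETUID:
        findings.append("unexpected setuid")
    if mode & stat.S_ISGID:
        findings.append("setgid")
    return findings


def audit_entries(entries):
    """entries: iterable of (path, st_mode) -> {path: findings} for paths with findings."""
    report = {}
    for path, mode in entries:
        findings = classify(path, mode)
        if findings:
            report[path] = findings
    return report


def audit_tree(root):
    """Walk a real directory (lstat, so symlinks are not followed) and audit it."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            try:
                entries.append((p, os.lstat(p).st_mode))
            except OSError:
                continue  # vanished or unreadable entry; skip rather than abort the audit
    return audit_entries(entries)


# Constructed sample in the form lstat() would return for an image filesystem.
SAMPLE = [
    ("/usr/bin/passwd", stat.S_IFREG | stat.S_ISUID | 0o755),   # expected setuid
    ("/opt/app/helper", stat.S_IFREG | stat.S_ISUID | 0o755),   # setuid nobody asked for
    ("/opt/app/config.yaml", stat.S_IFREG | 0o666),             # anyone can rewrite config
    ("/tmp", stat.S_IFDIR | stat.S_ISVTX | 0o777),              # sticky bit set: fine
    ("/opt/app/cache", stat.S_IFDIR | 0o777),                   # shared dir without sticky bit
    ("/opt/app/app.jar", stat.S_IFREG | 0o644),
]


if __name__ == "__main__":
    for path, findings in audit_entries(SAMPLE).items():
        print(f"{path}: {', '.join(findings)}")
```

Running `audit_tree("/")` inside a container built from a distroless or minimal base is a quick way to confirm that the "removal of file access rights" part of the activity actually holds after the image is built.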

Agenda: Introduction/Motivation; High Level Approaches; Detailed Usage; Conclusion and Outlook

Conclusion: Assess and plan the security strategy (with SAMM); adapt DSOMM; DSOMM might be 80% of your secure DevOps strategy.

Next Steps, be involved! Better OWASP SAMM mapping visualization; more and optimized activities; DevSecOps Toolchain Categorization. Pull requests with suggestions are welcome.

Thank you. mo-pagel.de, timo.pagel@owasp.org, sammdsomm@pagel.pro
