Transcription
Strategic Usage of the OWASP SAMM and DSOMM
Timo Pagel
Agenda
- Introduction/Motivation
- High Level Approaches
- Detailed Usage
- Conclusion
About Me
- DevSecOps Consultant
- Lecturer for Security in Web Applications at different Universities
- Open Source / Open Knowledge Enthusiast: OWASP DevSecOps Maturity Model, OWASP Juice Shop, OWASP Security Pins, OWASP DefectDojo, OWASP Software Assurance Maturity Model
Target Audience
- Security People (Information and Technical Security)
- Technical Upper Management (CTO)
- Enthusiastic Developers, Operators, C-Level
DevOps encourages a cultural change to overcome the friction created by silos.
- Speed / Fast Releases
- Independent Teams
- Different Skills
- Automation
Problem Statement
- How to enhance security?
  - In DevOps strategies
  - Through DevOps strategies
- How to prioritize?
DevOps Dimensions
- Build and Deployment
- Culture and Organisation
- Information Gathering
- Hardening
- Test and Verification
Target of Security Maturity Models
- Analyse current software security practices,
- build a security program in defined iterations,
- show progressive improvements in secure practices,
- and define and measure security-related activities.
Based on Brian Glas, imm-and-samm/
Agenda
- Introduction/Motivation
- High Level Approaches
- Usage
- Conclusion
Simplified view on ISO 27001, OWASP SAMM and OWASP DSOMM
[Diagram, ordered from high level down to doing:]
- High Level: ISMS (ISO 27001)
- OWASP SAMM: Governance ... Verification
- OWASP DSOMM: Build & Deployment, Culture and Org., Test and Verification
- DSOMM Dynamic Depth Activities: Simple Scan, Usage of different roles, JavaScript
- Doing
Target Groups SAMM 2.0
- Security: Assessment
- Engineers/CTO: Spider web
- C-Level Management: Spider web and definition of targets
Audit / Compliance View
[Diagram, ordered from high level down to doing:]
- High Level: ISMS
- DSOMM Dynamic Depth Activities: Simple Scan, Usage of different roles, JavaScript
- Doing
SAMM and DSOMM
SAMM ("Standard"):
- High level overview
- Management topics like compliance and governance
- Planning of high level targets
- Mapping to ISO in the future
DSOMM ("Emerging"):
- Low level overview
- Only DevSecOps topics
- Planning of concrete targets
- Mapping to ISO/SAMM
- ISMS: documentation in DSOMM
Mapping to [logo] and ISO 27001
Sample Target Groups
SAMM:
- Security: Assessment
- Engineers/CTO: Spider web
- C-Level: Spider web and definition of targets
DSOMM:
- Security: Assessment and pre-selection of targets
- Engineers/CTO: Discussion of how to implement
- All: Heatmap / number of planned and implemented activities
Strategic Approaches
- Top-to-Bottom
- Team Independency by Maturity
- Interactive with Teams
Approach: Top-to-Bottom
- Management support
- Define targets with the management for the next 3-24 months
- Define activities
Approach: Team Independency by Maturity
- Pre-requirement: C-Level is convinced
- Definition of maturity levels for teams and their "independency":
  - Is a team allowed to roll out software on their own?
  - Is a pentest required for each rollout?
- Show maturity: Belts
Approach: Interactive with Teams
- Definition of targets with the team: What is your plan for the next 6 months?
- Hint: Developers/Operations are not security people
  - explanation of each activity is time consuming
  - reduction of activities needed
DSOMM Adoption needs to be customized
- Remove/add planned activities and present the targets to the teams from the data/ dimension yaml's
DSOMM Communication
- ACTUAL/TARGET spider web diagram with heatmap
- Start a container with customized [...] on selected Data.csv (ro)
Requirements / Level 0
- Onboard Product Owner, Manager in Security
- Get to Know Security Policies
- Continuously Improve your Security Belt Rank
- Review Security Belt Activities
- Utilize Pairing when Starting an Activity
Based on: AppSecure-nrw White Belt, ee/master/white
Agenda
- Introduction/Motivation
- High Level Approaches
- Usage
- Conclusion
Structure (SAMM)
- Business Function: category of activities
- Security Practice: sub categories of a business function
- Stream A / Stream B: logical flows, each practice divided into two streams
- Maturity Level 1, 2 and 3 Activity per stream; higher is better
DSOMM Structure
- DevOps Dimension: category
- Sub-Dimension: sub category
- Maturity Level 1, 2, 3 and 4 Activity per sub-dimension; higher is better
DevSecOps Dimensions
- Build and Deployment
- Culture and Organisation
- Information Gathering
- Hardening
- Test and Verification
Build and Deployment: Example "Reduction of the attack surface"
[Screenshot annotated with Dimension, Sub-Dimension and Activity]
Maturity Levels
- Level 1: Basic understanding of security practices
- Level 2: Adoption of basic security practices
- Level 3: High adoption of security practices
- Level 4: Advanced deployment of security practices at scale
White Spots
- Places in the model where an activity would be important, but no activity is defined
Implementation > Secure Build > Build Process (SAMM)
- Level 1: Determine a value for each generated artifact that can be later used to verify its integrity [...]
- Level 2: The automated process [...] code signing certificate or access to repositories.
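An added example of the Level 1 requirement above (written for this page; it is not code from the slides, from SAMM or from DSOMM): record a SHA-256 digest for every artifact a build produces in a manifest, and later verify the artifact tree against that manifest, reporting modified, missing and unexpected files. The directory layout and file contents created in demo() are constructed test data; the manifest uses the two-space line format of coreutils sha256sum, so the same file can also be checked with sha256sum -c.

```python
import hashlib
import os
import tempfile


def digest_file(path, chunk_size=1 << 16):
    """SHA-256 of a file, read in chunks so large artifacts need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file below root (relative path, '/' separators) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest_file(full)
    return manifest


def render_manifest(manifest):
    """Serialise as '<hex>  <path>' lines (the coreutils sha256sum format)."""
    return "".join("%s  %s\n" % (manifest[p], p) for p in sorted(manifest))


def parse_manifest(text):
    """Inverse of render_manifest; hex digests contain no spaces, so split once."""
    manifest = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, path = line.split("  ", 1)
        manifest[path] = digest
    return manifest


def verify_manifest(root, manifest):
    """Compare the current tree against a stored manifest and categorise every path.
    Digests are not secrets, so an ordinary string comparison is sufficient."""
    current = build_manifest(root)
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for path, expected in manifest.items():
        actual = current.get(path)
        if actual is None:
            result["missing"].append(path)
        elif actual != expected:
            result["modified"].append(path)
        else:
            result["ok"].append(path)
    result["unexpected"] = sorted(set(current) - set(manifest))
    return result


def demo():
    """Create constructed artifacts, record their digests, then alter one file
    and add an unlisted one to show what a later verification reports."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        with open(os.path.join(root, "app.jar"), "wb") as f:
            f.write(b"constructed artifact A")
        with open(os.path.join(root, "lib", "dep.jar"), "wb") as f:
            f.write(b"constructed artifact B")
        # round-trip through the text format, as a stored manifest would be
        stored = parse_manifest(render_manifest(build_manifest(root)))
        # simulate post-build modification and an unlisted file
        with open(os.path.join(root, "lib", "dep.jar"), "ab") as f:
            f.write(b"\x00tampered")
        with open(os.path.join(root, "extra.so"), "wb") as f:
            f.write(b"not in the manifest")
        return verify_manifest(root, stored)


if __name__ == "__main__":
    print(demo())
```

In a pipeline the manifest is produced by the build job and stored next to the artifacts (or in a separate, write-once location); the deployment step runs the verification before anything is installed, and any entry in "modified", "missing" or "unexpected" fails the deployment. Signing the manifest itself is the Level 2 step the slide refers to and is not covered here.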
SAMM and DSOMM Structure in Detail
SAMM:
- Made for management, very schematic
- Always follows the scheme, no empty levels
- Examples: Verification > Security Testing; Implementation > Defect Management
Missing In DSOMM (SAMM streams with no mapped DSOMM activity)

index  id        function    practice                maturity  stream
-----  --------  ----------  ----------------------  --------  -----------------------------------------
36     G-PC-1-A  Governance  Policy & Compliance     1         Policy & Standards
44     G-PC-1-B  Governance  Policy & Compliance     1         Compliance Management
31     G-PC-2-A  Governance  Policy & Compliance     2         Policy & Standards
33     G-PC-2-B  Governance  Policy & Compliance     2         Compliance Management
24     G-PC-3-A  Governance  Policy & Compliance     3         Policy & Standards
67     G-PC-3-B  Governance  Policy & Compliance     3         Compliance Management
9      O-OM-1-A  Operations  Operational Management  1         Data Protection
2      O-OM-1-B  Operations  Operational Management  1         System Decommissioning / Legacy Management
63     O-OM-2-A  Operations  Operational Management  2         Data Protection
19     O-OM-2-B  Operations  Operational Management  2         System Decommissioning / Legacy Management
41     O-OM-3-A  Operations  Operational Management  3         Data Protection
68     O-OM-3-B  Operations  Operational Management  3         System Decommissioning / Legacy Management
[...]
Based on dsomm-orm mysql-queries.yaml from Roberto Polli
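The three views the slides rely on, the ACTUAL/TARGET heatmap of planned versus implemented activities, the white spots, and the list of SAMM streams that no DSOMM activity references, can all be derived from the activity data. The following Python is an added example written for this page, not code from the DSOMM project: it works over a constructed list of activities in the shape DSOMM keeps in its data/ dimension YAML files, embedded as Python data so no YAML library is needed. The record key names, the activity entries, their samm2 references and the SAMM stream list are assumptions made for the illustration, not the project's schema or its real mapping.

```python
from collections import defaultdict

MAX_LEVEL = 4  # DSOMM maturity levels run from 1 to 4

# Constructed sample activities in the shape of a DSOMM dimension file
# (data/dimension-*.yaml). Key names and samm2 references are assumptions
# made for this illustration, not the project's schema or mapping.
ACTIVITIES = [
    {"dimension": "Build and Deployment", "subdimension": "Build",
     "name": "Defined build process", "level": 1,
     "planned": True, "implemented": True, "samm2": ["I-SB-1-A"]},
    {"dimension": "Build and Deployment", "subdimension": "Build",
     "name": "Building and testing of artifacts in virtual environments",
     "level": 2, "planned": True, "implemented": False, "samm2": ["I-SB-2-A"]},
    {"dimension": "Build and Deployment", "subdimension": "Build",
     "name": "Signing of artifacts", "level": 4,
     "planned": False, "implemented": False, "samm2": ["I-SB-2-A"]},
    {"dimension": "Build and Deployment", "subdimension": "Deployment",
     "name": "Defined deployment process", "level": 1,
     "planned": True, "implemented": True, "samm2": ["I-SD-1-A"]},
    {"dimension": "Hardening", "subdimension": "Infrastructure Hardening",
     "name": "Usage of distroless images", "level": 3,
     "planned": True, "implemented": False, "samm2": ["O-EM-1-A"]},
]

# Constructed subset of SAMM 2.0 stream ids (function-practice-level-stream).
SAMM_STREAMS = ["G-PC-1-A", "G-PC-1-B", "I-SB-1-A", "I-SB-2-A",
                "I-SD-1-A", "O-EM-1-A", "O-OM-1-A"]


def coverage(activities):
    """Count defined, planned (TARGET) and implemented (ACTUAL) activities
    per (dimension, sub-dimension, level) cell of the heatmap."""
    cells = defaultdict(lambda: {"defined": 0, "planned": 0, "implemented": 0})
    for act in activities:
        cell = cells[(act["dimension"], act["subdimension"], act["level"])]
        cell["defined"] += 1
        cell["planned"] += int(act["planned"])
        cell["implemented"] += int(act["implemented"])
    return dict(cells)


def subdimensions(activities):
    """Sorted (dimension, sub-dimension) pairs that occur in the data."""
    return sorted({(a["dimension"], a["subdimension"]) for a in activities})


def white_spots(activities, max_level=MAX_LEVEL):
    """Sub-dimension/level cells for which the model defines no activity at all."""
    cov = coverage(activities)
    return [(dim, sub, lvl)
            for dim, sub in subdimensions(activities)
            for lvl in range(1, max_level + 1)
            if (dim, sub, lvl) not in cov]


def samm_gaps(activities, samm_streams):
    """SAMM streams that no activity references (the 'Missing in DSOMM' view)."""
    referenced = {ref for a in activities for ref in a.get("samm2", [])}
    return [s for s in samm_streams if s not in referenced]


def heatmap(activities, max_level=MAX_LEVEL):
    """Render one text row per sub-dimension with an actual/target/defined
    triple per level; '-' marks a white spot."""
    cov = coverage(activities)
    header = "%-45s" % "Sub-dimension" + "".join(
        "  L%d (act/tgt/def)" % lvl for lvl in range(1, max_level + 1))
    rows = [header]
    for dim, sub in subdimensions(activities):
        cells = []
        for lvl in range(1, max_level + 1):
            c = cov.get((dim, sub, lvl))
            text = "-" if c is None else "%d/%d/%d" % (
                c["implemented"], c["planned"], c["defined"])
            cells.append("  %-18s" % text)
        rows.append("%-45s" % (dim + " / " + sub) + "".join(cells))
    return "\n".join(rows)


if __name__ == "__main__":
    print(heatmap(ACTIVITIES))
    print("white spots:", white_spots(ACTIVITIES))
    print("SAMM streams without DSOMM activity:",
          samm_gaps(ACTIVITIES, SAMM_STREAMS))
```

The "planned" flags are what gets edited when a team's targets are customized; re-running heatmap() after that edit gives the TARGET picture to present to the team, while the "implemented" flags give the ACTUAL picture for the spider web. samm_gaps() is the query behind the table above: with the real activity files and the full SAMM stream list it lists the SAMM streams a DSOMM assessment does not cover.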
Comparison of Models / Analysis of Models
[Tables of DSOMM activity counts per SAMM practice and maturity level (SAMM 1, SAMM 2, SAMM 3); columns D-TA*, I-DM*, I-SB*, I-SD*, O-EM*, O-IM*, O-SR*, V-ST*, G*. The cell values are not recoverable from the transcription.]
Based on dsomm-orm mysql-queries.yaml from Roberto Polli
Analysis: Operations > Environment Management > Patching and Updating
- DSOMM needs to align level 1/2
- SAMM Level 3: "Develop and use management dashboards/reports to track compliance with patching processes and SLAs [...]" maps to DSOMM Information Gathering
How Deep?
- SAMM: Perform best-effort hardening of configurations, based on readily available information.
- DSOMM: Removal of not needed components, dependencies, files or file access rights. Implementation hint: Distroless, Fedora CoreOS
- DSOMM: Usage of distroless images and a small operating system
Agenda
- Introduction/Motivation
- High Level Approaches
- Detailed Usage
- Conclusion and Outlook
Conclusion
- Assess and plan security strategy (with SAMM)
- Adapt DSOMM
- DSOMM might be 80% of your secure DevOps strategy
Next Steps, be involved!
- Better OWASP SAMM mapping visualization
- More and optimized activities
- DevSecOps Toolchain Categorization
Pull Requests with suggestions are welcome
Thank you
- mo-pagel.de
- timo.pagel@owasp.org
- sammdsomm@pagel.pro