Measuring Security Best Practices with OpenSAMM
Alan Jex, SnowFROC 2013

Introductions
• Alan Jex: Chief Security Architect at HP PPS Organization, [email protected]
Outline
• Security Concerns and Goals
• OpenSAMM Framework
– Business Functions
– Security Practices
– Assessments
– Scorecards
– Roadmaps
Security Concerns
• What is your biggest security risk?
• What compliance requirements drive your business?
• How do you handle security incidents?
• Does your development team produce secure code?
Security Goals
• Avoiding the “big one” (data breach)
• Protecting the company brand
• Managing real security risks
• Developing a secure software development lifecycle (SDLC)
• Enabling new business
Enter OpenSAMM
• SAMM is:
– A Software Assurance Maturity Model
– An open framework for
• Measuring security practices
• Finding vulnerabilities earlier
– Lightweight, Flexible, Simple-to-understand, and Complete
– An OWASP project
4 Business Functions
12 Security Practices
Policy and Compliance
Security Requirements
Security Testing
Vulnerability Management
SAMM Assessments
• A SAMM assessment can be lightweight or detailed, depending on your security process
• SAMM provides assessment worksheets for every Security Practice
SAMM Scorecard
Levels are from 0 to 3:
0 – Starting point
1 – Ad hoc (manual)
2 – Increased effectiveness (automated)
3 – Comprehensive mastery (audited)
SAMM Roadmap
• Build your Security Program in phases
• Implement levels based on security risk
Roadmap Templates
• Government
• Online Service Provider
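The scorecard and roadmap slides above describe a 0 to 3 level per practice and phased targets chosen by risk. The Python below is an added example (not code from the talk or from the OWASP SAMM project) that scores constructed worksheet answers into a scorecard covering all 12 SAMM 1.0 practices and reports the gap to a constructed phase-1 roadmap; it assumes the SAMM 1.0 practice names and the scoring rule that a level is reached only when every worksheet question at that level and below is answered yes.

```python
"""SAMM scorecard and roadmap gap report (added example, not from the talk)."""

# SAMM 1.0 layout: 4 business functions, each with 3 security practices.
BUSINESS_FUNCTIONS = {
    "Governance":   ["Strategy & Metrics", "Policy & Compliance", "Education & Guidance"],
    "Construction": ["Threat Assessment", "Security Requirements", "Secure Architecture"],
    "Verification": ["Design Review", "Code Review", "Security Testing"],
    "Deployment":   ["Vulnerability Management", "Environment Hardening", "Operational Enablement"],
}
LEVEL_NAMES = {0: "Starting point", 1: "Ad hoc", 2: "Increased effectiveness", 3: "Comprehensive mastery"}

def practice_level(answers):
    """Score one practice from worksheet answers shaped {level: [yes/no, ...]}.
    Assumed rule: a level is reached only when all of its questions, and all
    questions at lower levels, are answered yes. Returns (level, partial),
    where partial marks a next level that is started but not complete."""
    level = 0
    for lvl in (1, 2, 3):
        qs = answers.get(lvl, [])
        if qs and all(qs):
            level = lvl
        else:
            return level, any(qs)
    return level, False

def scorecard(assessment):
    """Build practice -> (level, partial) for all 12 practices; a practice
    with no worksheet answers scores 0 (no evidence of the practice)."""
    return {p: practice_level(assessment.get(p, {}))
            for practices in BUSINESS_FUNCTIONS.values() for p in practices}

def roadmap_gaps(card, phase_targets):
    """List practices whose scorecard level is below the phase target, largest gap first."""
    gaps = [(p, card[p][0], target) for p, target in phase_targets.items()
            if card[p][0] < target]
    return sorted(gaps, key=lambda g: g[2] - g[1], reverse=True)

# Constructed sample answers for three practices named in the talk (hypothetical values).
SAMPLE_ASSESSMENT = {
    "Policy & Compliance":      {1: [True, True], 2: [True, False], 3: [False]},
    "Security Testing":         {1: [True, True], 2: [True, True], 3: [False, False]},
    "Vulnerability Management": {1: [True, False], 2: [False], 3: [False]},
}
# Constructed phase-1 targets: levels picked by risk, as the roadmap slides advise.
PHASE_1_TARGETS = {"Policy & Compliance": 2, "Security Testing": 2,
                   "Vulnerability Management": 2, "Security Requirements": 1}

if __name__ == "__main__":
    card = scorecard(SAMPLE_ASSESSMENT)
    for p, (lvl, partial) in card.items():
        print(f"{p:26} level {lvl}{'+' if partial else ' '}  {LEVEL_NAMES[lvl]}")
    for p, cur, tgt in roadmap_gaps(card, PHASE_1_TARGETS):
        print(f"gap: {p} is at {cur}, phase 1 target {tgt}")
```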
Summary
• SAMM allows you to:
– Measure and improve security best practices
– Focus on security risk to make effective use of security resources
– Find vulnerabilities earlier in the development process
– Prevent rather than react to security incidents
References
Security Maturity Models