
So the last talk is titled "Navigating the DevOps Security Journey at Scale with OWASP SAMM 2.0" by Hardik. Correct, and thank you, Hardik, for being here. Just unmute your microphone, it takes some time. OK. So Hardik has more than 16 years of experience in security, particularly in the application security field, and he has helped organizations develop mature security programs in organizations of different sizes. He also transformed the concept of DevOps organizations to DevSecOps by integrating security engineering tools in continuous integration and continuous development pipelines, so our topics nowadays are keeping applications running, updated and also secure.

He also has a presence in the Software Assurance Maturity Model and Building Security In Maturity Model projects from OWASP, and also in this topic that of course is important, in my opinion. This is important for everyone: for the developers, everyone that participates in the software development lifecycle, as well as for the leaders. It's important because it's important to get the level of maturity, in terms of software in this case, or in terms of cyber security in the wider range. So Hardik, you have your time now.

Thank you, thank you, thank you. First, a quick check: can you hear me and see my slides? Yes, I'm not seeing the slides yet, but we can hear you. You need to share, yeah. The share screen option, the share screen option to share the slides. Yes, I'm seeing the background, and then, OK, cool, all right.

All right. Well, "oi, tudo bem", and this is the only Portuguese I know, so hello and good evening everyone. I know I am the last one who is standing between you and your dinner tonight, so I'll try to be quick. First of all, I wanted to thank BSides Porto for having me here. I'm really excited to be here presenting on this topic which is very near and dear to my heart, which is navigating the DevOps security journey at scale with the OWASP Software Assurance Maturity Model, aka SAMM. I'm one of the core members of the OWASP SAMM project.

First of all, before we go deep into the topic, I wanted to share a little bit about myself, my professional journey, so you know where I'm coming from. I started my career as a software engineer and I got the opportunity to move into security in the early 2000s. That led me to taking some roles at some of the most, I would say, prominent software organizations, leading their software security programs, such as EMC and then Intuit, Amazon and Splunk. I'm also on the advisory board for a few security and data privacy startups and a non-profit trade organization, CompTIA, which many of you might have heard about: security certifications such as Security+, CySA+, things like that; CompTIA is the organization behind that.

In addition to my professional contribution to the industry throughout my career, I also contributed to various industry publications such as SAFECode. I also contributed to the SANS Top 25 programming errors, CVSS version 3.0, BSIMM version 1 and many of the versions after that, OWASP SAMM, and recently NIST SSDF. For those of you who might not be familiar with BSIMM, BSIMM is another software security model. It's called Building Security In Maturity Model, which is a little bit different from OWASP SAMM, and that model is more descriptive in nature. By that what I mean is it basically tells you what some of the other organizations are doing in terms of security activities at various levels. OWASP SAMM, which we will go into in much detail in this talk, is more prescriptive, meaning it will give you guidance in terms of what an organization needs to be doing at which maturity level. I started contributing to the OWASP SAMM project back in … and I have been one of the core members of the OWASP SAMM project ever since.

Now, before we start the talk, I just wanted to get some legal stuff out of the way. So I'm not speaking on behalf of any of my current or previous employers, nor am I here to represent any of my current or previous employers. All the opinions shared here are solely my own and they do not reflect those of my current or previous employers.

Quick agenda. I assume many of you might not be familiar with OWASP SAMM, and I'll spend some time introducing what OWASP SAMM is, who is OWASP SAMM, why do we need a model like SAMM, core principles and the project history. Once we know what OWASP SAMM is, I'll go into the details in terms of some of the changes that we introduced from version 1.5 to version 2.0. And last but not least, we'll discuss how you can apply SAMM in your organization to navigate this DevOps security journey at scale. If you are playing one of those 15-plus roles, you'll be able to take valuable information from this talk and apply that to your organization, literally starting from tomorrow, and that's my goal: that everybody is well versed on what OWASP SAMM is and how it can be applied.

So who is OWASP SAMM? OWASP SAMM, especially 2.0, is the result of hard work from this group of contributors around the globe over the past three, a little over three years, and this group represents different geographies, companies of various sizes, consulting, product development, as well as academia.
As a result of that, OWASP SAMM is very versatile and can be applied in companies of various sizes across the globe.

What is OWASP SAMM? For those of you who might not be familiar with OWASP SAMM, it is one of OWASP's flagship projects, and the flagship project status is given to the projects with strategic importance to both OWASP as well as application security in general. OWASP SAMM is a framework for software assurance that provides an effective and measurable way for all types of organizations to analyze and improve their software security posture, tailored towards the specific risk that that particular organization is facing. So there is no one-size-fits-all model; this is a very fungible, very flexible model, and SAMM is full of useful resources that will help with evaluating an organization's current security practices, providing recommendations and suggestions for growing and maturing those practices, providing a way to demonstrate concrete improvements over a period of time, and defining and measuring security activities throughout the life cycle. One of the big benefits of SAMM is that it is vendor agnostic. Nobody is paying any of us volunteers to put in any material, so it's completely vendor agnostic, and SAMM can be done either in-house or you could have one of the several AppSec firms help you with the assessment, creating a plan and creating roadmaps for your software assurance journey.

Now one would ask, why do we need a model like SAMM? In the quest to increase speed, today's organization is growing in complexity, with the increasing number of tech stacks, growth of open source software, various deployment models, various architectures, and sometimes without even clear requirements. As a result of that, almost 75% of the vulnerabilities are application related these days, and if you look at the latest security breaches like Equifax or Capital One, they are more application related. To standardize security activities in such a complex software development environment, we need a model like OWASP SAMM.

I like this quote from George Box, who has been called one of the greatest statistical minds of the 20th century, and this quote is something like this: "The most that can be expected from any model is that it can supply a useful approximation to reality. All models are wrong and some models are useful." All models are wrong and some models are useful. The point here is that you can't find a model that will exactly describe the reality of your organization. There are too many variables in the real world, plus there are so many different types of architectures and different types of cultures and all these things. I have worked at various companies throughout my professional life, and every company I worked at had their own nuances in terms of their culture, their maturity, their overall maturity in terms of IT security, all of that, and that's why we cannot have a perfect model which can be applied to each and every organization. But you can have a model that is close enough to be useful, and that is what SAMM is aspiring to be.

SAMM was defined with flexibility and versatility in mind so that it can be utilized by small startups, mid-size organizations, as well as very large corporations using any type of development methodology, be it agile, iterative or waterfall. Additionally, this model can be applied organization-wide, for a single line of business, or even for an individual project. So it's really flexible from that point of view: you don't have to have the whole company following this model. You can definitely start small with one project, two projects, three projects; you can apply it to the line of business and then you can scale it to the whole organization. So that's why it's very flexible and versatile. SAMM is both measurable and actionable. It defines maturity levels across various business functions and provides a very clear-cut pathway for improving the maturity levels, this way providing a step-by-step navigation plan to achieve higher levels of maturity for your software assurance program.

I'm not going to spend too much time on the project history, but this SAMM project was actually started outside of OWASP. It was originally created by a gentleman named Pravir Chandra; he is basically an independent software security consultant. But after five, six years there were no more updates to this project, so a group of people got together at an OWASP Summit and they worked together to bring some life into this rather inactive OpenSAMM project, and they renamed it to the OWASP SAMM project. Version 1.1, which came out in 2016, expanded and restructured the previous OpenSAMM model into four complementary resources: a core document, a how-to guide, a quick start guide, and a toolbox, which is a spreadsheet which helps you do the assessment and build a roadmap. These are the resources that were added as part of version 1.1. Back in 2017 we released version 1.5, because we wanted to make some refinement to the scoring model as part of the assessment, to provide more granularity to the scoring in the assessment. We just launched SAMM 2.0 in January of this year, where we have changed the measurement model one more time to add a qualitative measurement to represent how well an organization is performing a security practice. So there are two dimensions now: one is coverage and the other one is quality.

Now SAMM is built on a few core principles. First, the organization's behavior changes slowly over time; changes have to be smaller and iterative to really take hold and make a difference in an organization's software assurance maturity. Second, there is no single recipe that works for all organizations. SAMM is built with that in mind and supports an organization building a program that is tailored towards their particular risk profile, culture and current maturity. Third, the guidance related to security activities must be prescriptive. Too often, many security initiatives fail due to poor details, lack of communication or invalid assumptions. Overall, the success of the program will be based on being simple, well defined and measurable.
SAMM is defined in three levels of maturity. Of course, if you consider not doing any of the security activities which are described here, you could consider that the bottom level, which is level zero, but essentially those three levels are: ad hoc provision of certain activities; security activities increasing efficiency; and comprehensive mastery at scale with automation. Unlike other maturity models and some of SAMM's predecessors, there are four levels of assessment scores for each security activity, which makes finer-grained improvements visible, such as: no implementation; implementation across a few or some projects; implementation across at least half of the projects; and implementation across many or most projects. So as you can see, this is not a yes or no. When you do the assessment, many of the models, in fact some of the SAMM predecessors, were like "do you do this security activity, yes or no?" It's like a check mark, right? And we all know that in real life the answer is somewhere in between. That's why we had to create these four levels of assessment scores.

Also, a very important point I wanted to make here is that at the highest level we are saying implementation across many or most projects. We are not saying all, because again we want it to be pragmatic, and we all know that in any organization you go to, accomplishing any security activity across all the projects is almost like a never-fulfilled promise. What happens is, in the case of, say, if you're planning to retire some applications, there's no point in investing more resources in improving their security maturity, and that is why we have this provision of many or most projects and not all projects. Just like Six Sigma or CMMI, the goal is not to max out on each and every practice; honestly, that wouldn't even be a good use of the limited resources that you might have. What the target maturity should be for your organization is largely dependent on the business drivers and the risks that your organization is facing, and that's how I would define the target maturity level. I would not try to go to level three in all of the areas, in all the companies across the globe.

In 1.5 we modified the scoring model to provide multiple-choice answers, as I mentioned earlier, to provide a more accurate assessment. But now with this 2.0 version we are making an even further refinement to the existing scoring model, to add another dimension of qualitative measurement to the scoring model. So as I mentioned earlier, these two dimensions are coverage, which I covered earlier by means of questions (and we provide some of the resources in the Excel spreadsheet, the toolbox we call it, where you can do the assessment yourself), so coverage will be covered by means of questions, and quality will be covered by means of mandatory criteria. So each question will have several mandatory criteria, and if you score zero on any of the mandatory criteria, that means you would score zero for that particular assessment.

Now let's look at the previous version of SAMM. I'm not going to spend too much time on this one, because I would like to go into detail for SAMM version 2.0, not 1.5, but at a high level SAMM is defined in three different levels. At the highest level, 1.5 had defined four critical business functions, and each business function had three security practices, and each security practice in turn had three maturity levels.

Now one would ask what the motivations were behind coming up with the new version: SAMM 1.5 was good enough, why have to come up with a new version 2.0? So these are the top reasons we had. Number one, we wanted to align with the industry: in the last four or five years the industry has moved more and more towards DevOps and agile methodology from waterfall, and even though SAMM 1.5 or even other previous predecessors of SAMM were not defined with the waterfall model in mind, what ended up happening was that certain guidance was missing around some modern practices which are being used in CI/CD and agile, DevOps type of cultures, such as build and deployment. Everybody is going towards CI/CD, right, continuous integration and continuous deployment, and some of the practice guidance was missing. So as a result we wanted to have a new version which has some guidance around those areas, so that it looks like we also support DevOps and agile practices.

The second one was, as I mentioned earlier, we wanted to improve the measurement model by adding the qualitative aspects, because a lot of the feedback we got from across the globe was that SAMM 1.5, and even the other version we were thinking of in between 1.5 and 2.0, still was going to have that same, I would say, pitfall where it would tell you whether you are performing this activity or not. So it's only going to cover coverage, but not the quality, how well you are performing that particular security activity.

The third reason was there are some structural changes in the framework which we wanted to make, such as: in 1.5 and predecessor versions of SAMM we had, not intentionally, designed it in a way where certain security activities were orphaned and unrelated. For example, code signing: there was nothing at level one or nothing at level three, but at level two it would say "do code signing". So there was no direct relation between levels one, two and three, and it felt like it was more of an orphan activity. We wanted to address that particular aspect. We also wanted to arrange maturity levels in increasing order of difficulty. Another pitfall or shortcoming of the previous SAMM versions was that there were times, and we as SAMM practitioners noticed that ourselves, where it was very easy to do a level three activity but it was difficult to do the level two activity, or sometimes even the level one activity, which doesn't make sense, because by definition, as you go to a higher level of maturity there should be a higher level of implementation cost and there should be an increasing order of difficulty. So that was also another shortcoming. Last but not least, we also wanted to improve the production process that we were using itself, as we were also using more of a waterfall model and not an agile, iterative model. So these are some of the main motivations behind coming up with the new version of SAMM.

And here's the core framework, what we call the SAMM 2.0 core framework, at a high level, and the areas highlighted are changes from SAMM 1.5, which we will cover in a few minutes. So SAMM 2.0 is defined again in three different levels. At the highest level, SAMM defines five critical business functions. Each business function is a category of activities related to the nuts and bolts of the software development process. For each business function SAMM defines three security practices; each security practice is an area of security-related activities that build assurance for the respective business function. For each security practice SAMM defines three maturity levels as objectives to be accomplished. Each level within a security practice is characterized by successively more sophisticated objectives and more stringent success metrics. Overall, as you increase the level of maturity, you should expect a higher cost of implementation.

If you look at the framework, you can see that Governance is more focused on the program itself, looking at more strategic elements such as Strategy and Metrics, Policy and Compliance, Education and Guidance, etc. We have renamed the Construction business function to the Design business function and introduced a new business function called Implementation. Along with Design, Implementation, Verification and Operations cover the core of the software development life cycle. Design is focused on threat assessment and design-level aspects; Implementation is focused on secure build, secure deployment and defect management aspects; Verification is more focused on testing and verifying aspects; and Operations is focused more on incident management, environment management, incident detection and response. All of these aspects are covered under Operations.

So as I mentioned earlier, I wanted to spend some time on the Implementation business function, because this is where this additional business function was added to the SAMM core framework from its predecessor, and the key goal we had in mind was how do we align with the latest industry practices such as DevOps and agile, of which CI/CD is the integral part. As a result of that, the security practices that we added to the Implementation business function are Secure Build, Secure Deployment and Defect Management.
Now let's take a closer look at some of the security practices. Each security practice is divided into two streams, A and B. The purpose of these streams is to align and link the objectives or activities within the practice over the different maturity levels, and each stream has an objective to be reached, and this objective can be reached in increasing levels of maturity. This way we ensure that there are no orphan activities that seem only relevant on a single maturity level; as I mentioned, the example is code signing in SAMM 1.5.

Let's take an even more detailed, closer look at one of the security practices, which is Requirements-driven Testing under the Verification business function. So the Requirements-driven Testing security practice is divided into two streams, Control Verification and Misuse/Abuse Testing. As you can see, the streams align and link the activities in the practice over the different maturity levels, and each stream has an objective to be reached, and this objective can be reached in increasing levels of maturity.

Now I want to spend some time on how you apply this particular model to your organization, literally starting from tomorrow, and at the end I'll also show some of the resources which we have made available to everyone. OWASP SAMM is an open source project, so you can literally go to the owaspsamm.org website and download all the resources that we have made available there.

So let's look at how we apply this model to your organization. This is a typical approach to applying the model, where overall there are six phases. First of all, when you're starting for the first time, the most critical phase is the Prepare phase, then Assess, then Set the Target, Define the Plan, Implement and Roll Out, and after that again starting with assessment, thus creating a full life cycle; it's a continuous improvement cycle. So this is basically where we want to make sure that once you start, it's an ongoing continuous improvement model.

Let's look at the very first phase, which is the most critical phase in my mind for the success of the SAMM application. It consists of the following four activities. First, you have to define the scope. By that what I mean is you have to identify whether you are going to apply SAMM to the whole organization or company, a particular business unit within a company, or a single project or application. Once you define the scope, you have to identify who the key stakeholders are for that particular business unit, application or whole organization, and this is very important, because once you identify the stakeholders you have to get their buy-in, and once you get their buy-in you should start spreading the word and evangelizing some of the SAMM activities. This is the most important phase, because as I mentioned, as part of this phase you gain the buy-in. Same thing if you're starting small with one application or one project and you gain the buy-in from the key stakeholders over there: when you expand, you have to repeat, and you have to again get the buy-in. This is the most critical aspect, because this is where you need that type of support and buy-in from the key stakeholders, not just executive management, but also some of the key stakeholders.

To measure current maturity: once you have the buy-in, you start with the assessment to measure the current level of maturity of your organization, project or business unit, whatever level of granularity you choose. You need to start with an assessment by conducting interviews with the key stakeholders to evaluate current security practices. We recommend in-person interviews over email; this way you can explain the key intent behind some of these activities and clarify any potential questions or doubts your stakeholders might have. There are three ways in which you could perform an assessment: a lightweight assessment, a detailed assessment and a hybrid assessment. A lightweight assessment is simply interviewing key stakeholders and recording their responses. During a detailed assessment you ask for evidence of performance and quality for each and every activity which they claim they are performing. In a hybrid assessment you ask for evidence on a need-to-know basis for some of the activities and not all of the activities. My particular favorite assessment model is the hybrid assessment, because when you are part of the organization you already know whether certain things are being performed, or not with good quality; you only ask for evidence when you have some doubt, or you may think that the person may not have understood the full intent behind that particular question. That is when you collect more evidence, and it also makes the assessment shorter. If you choose a detailed assessment, be cautious that it is going to take a longer time to collect all the evidence and things like that.

Now, once you record all these responses, you can assign maturity levels using the SAMM worksheet, and that worksheet is available as part of the resources that we make available. Now this is, at a high level, how you calculate the maturity score, and we have changed some of the things; that's why I wanted to spend some time on this slide. We came up with a new scoring model which is still primarily based on coverage, like SAMM 1.5; however, we added quality criteria for each question, as you can see here, to add another dimension to the score. Our guidance is to score zero if the quality criteria are not met. Now going back to one of the core principles, simplicity, we decided to add quality criteria for each question; this way the time to complete an assessment did not significantly increase with SAMM 2.0 versus SAMM 1.5. If you are already using SAMM 1.5, by the way, SAMM 2.0 is not backward compatible with SAMM 1.5 because of some of the structural changes that we have made over the maturities. The overall maturity score for the security practice is calculated by taking the average of maturity level 1 between stream A and stream B, and adding that for each level of maturity, and that is how you calculate the score over here.

Once you finish the assessment, you need to define the target as per your organization's business drivers and risk profile. It is very important to spend some time to understand your organization's business drivers and particular risk profile during this exercise. Once you define this target, the most important step is to estimate the cost of implementation. Many SAMM initiatives fail when folks forget to estimate and plan the increased cost of implementation, resulting in a lack of resources dedicated to the security improvements that you have planned for. The cost of implementation would become a direct input to defining a plan. During this step you need to determine the change schedule as per upcoming releases and develop or update your roadmap plan over four or five phases. We recommend implementing SAMM changes over a minimum of three phases and a maximum of five phases, and each phase can span somewhere between three to four months to twelve months. In order to focus on the highest impact, you should start with high-impact security improvements such as training and awareness, as well as threat assessment as part of Design.

Now once the plan is defined, you have to start implementation: implement activities using the SAMM 2.0 guide. Again, the SAMM how-to guide is available as part of the resources that we provide at the owaspsamm.org website. Leverage other OWASP projects as well; I gave some examples of some of the other OWASP projects that you could leverage as part of the implementation, but this is a very small subset of OWASP projects. OWASP has almost about 200 open source security projects, so it's full of rich information and I highly encourage you to go and visit OWASP in general and see what some of the projects are that you can leverage as part of the implementation. SAMM aspires to become the umbrella project for all OWASP projects, and what I mean by that is each OWASP project can map back to one of the SAMM business functions and security practices. Here are some of the examples, but some of the OWASP projects, as I mentioned earlier, could map back to multiple OWASP SAMM business functions, such as the OWASP Top 10 and the OWASP Mobile Top 10.

After you implement, you need to start rolling this out, and you need to create and update scorecards at regular intervals by capturing scores from before and after an iteration of the assurance program build-out, and communicate progress to management. I have personally used these scorecards to demonstrate and communicate security improvements to the highest level of management in the companies I worked at. This helps management visualize the progress in overall security improvements, so this is very important to continue to get their buy-in.

Here are some of the resources which are available to get you started using SAMM 2.0. All these resources are linked to the owaspsamm.org website, so if you forget all these resources, just remember one website, which is owaspsamm.org, and everything is linked to that particular website.
You don't have to remember anything; if you have to take one key takeaway from this, it's the owaspsamm.org website. There are lots of resources available over there, including the toolbox, what we call the Excel spreadsheet, which helps you create an assessment and build out a plan or roadmap for security improvements.

Now one more thing before I end this talk is the OWASP SAMM Benchmark initiative. We recently introduced this benchmark initiative, which helps answer the question "how do I compare to other organizations across the world?" The SAMM Benchmark initiative is inspired by BSIMM. As I mentioned earlier, the one great thing about BSIMM is it tells you how your organization compares with other organizations following a security assurance program. The goal of this project is to collect the most comprehensive data set related to the organizational maturity of application or software assurance programs, and if you're concerned about sharing your data, just rest assured that the data collection is anonymized and it will not be shared like "hey, this named company has these gaps in their security". So just keep that in mind; we are very well aware, we are all security professionals and privacy professionals, so we are very well aware of that fact, and that's why we are collecting this data anonymously.

So in terms of the future direction, we wanted to have faster, more iterative versions; it took almost three, a little over three years between SAMM 1.5 and 2.0. We also wanted SAMM to become the umbrella project for all other OWASP projects; that way it becomes easy for people who are not familiar with OWASP in general to see what implementation projects can be applied to the SAMM project. And we have an aspiration for starting online assessments and roadmaps, but again we are ways away from that goal; this is one of the aspirations that we have in mind. As someone said, the proof of the pudding is in the eating. If you haven't tried yet, I invite you to please try using OWASP SAMM starting from tomorrow. Any questions, concerns, any feedback, feel free to reach out to me at my Gmail and hit me up on LinkedIn as well. Having said that, thank you very much, thank you to the BSides Porto organizers, volunteers and sponsors for putting together this great first BSides conference in Porto, and looking forward to visiting in person next year, and thanks to all of you for listening to this talk. Thank you.

Thank you for your presentation. Just let me know that I have used the SAMM model for teaching purposes a few, two years ago or three years ago, the 2016 version, and I found it useful and well recommended; so the list of questions and everything is well recommended, so that's good. I saw two changes from that version to here. The major change was the replacement of the construction, or the division of the Construction phase, by the Design and the Implementation phase. I have two quick questions, and there are no other questions, so I will do it very quickly. It's more a curiosity than questions by themselves. Do you have an idea about how widely SAMM is used?

Yeah, so this is one of the great, you know, we know that it is being used widely across the globe. We have talked to people, we keep collecting feedback from people across the globe in New Zealand, Australia, Japan, Europe, various places in Europe, in the US, so it's an extremely widely utilized model. However, that is why we launched this OWASP SAMM Benchmark initiative, where we wanted to be more concrete in terms of, we wanted to see exactly, we want to measure how many organizations are using it, and which type or which size of organizations are using it, and all of that. And I'm very well aware that there are some startups and they even have it as part of their job description, that familiarity with OWASP SAMM is useful, so even some startups are using it, not just big companies. So it's very widely utilized, but again, this is one of the reasons we launched this OWASP SAMM Benchmark initiative, to collect specific data so that we can share the anonymized data with the rest of the world.

And concerning the benchmark: the benchmark was also an issue that came to my mind, because I think things work better when you compare different organizations, in that case, because they influence each other and they try to improve, to get better; you create a dynamic. But at the same time I found an issue, or it could be an issue: which profile should conduct the interviews? If you want an idea about the profile, a guy inside an organization, which profile should he have? Should he be the project manager, should he be a developer? Because it's touching governance, also the production stage, the broad area. So which profile?

Yeah, that's great feedback; we can also take it back and make it a little more clear. So there are two different high-level profiles that we have seen in the industry: one profile is internal and the other is external. So internal, I think your question is more towards internal, but let me first address the external. There are many application security
consultants they are very well versed in osam and they come in and they do the assessment and they help create a roadmap and plan and all these things however that's not required at all uh it's designed with uh this fungibility in mind that you can also create internal assessment yourself and in order to do the internal assessment it's again like you know there is no uh specific like you know you don't have to have the knowledge like you don't have to be a security engineer so to speak this can be created by a project manager product manager uh security engineer it really varies based on what kind of resources you have in your organization and i'll give an example
some of the companies i worked at security engineer security team created this assessment there are some organizations where i have seen a product or program managers they are using this particular so it really varies across the industry there is no and that is one of the reason we provided so much of documentation and make it more of like a descriptive enough so that you don't need to have a detailed security knowledge in order to conduct an assessment or build a plan yeah but i think the perception could be different and it could create some difficulties to to the benchmark to the comparison but i think if you the comments of the the profile it could be
it could be interesting yeah thank you one more time
harvick