
Building Secure Software with the OWASP SAMM

BSides KC · 2019 · 30:13 · 52 views · Published 2019-06 · Watch on YouTube
Speakers: August Johnson
Topic: OWASP
Style: Talk
About this talk
This talk will be an in-depth review of the OWASP SAMM as well as a comparison to several other Software Security Assurance frameworks, all of which try to help a software shop produce secure applications with increasing levels of consistency. If you're looking to up your application security game and are looking for places to start, this should help.

August Johnson (Security Architect at Netsmart): August likes to build systems to build secure software, but is concerned that the world is churning out crappy coders faster than we can secure their apps. He can stay awake while reviewing NIST documentation, and enjoys a good spider-chart. His presentations fit the golden ratio (1 meme for every 3 content slides).
Transcript [en]

Spiner carts blocks on each sunrise, so he's going to talk about a real-world problem that we have. Voters... I have a real-world scenario too. I was here back then, Hannah jerks, are they teaching people how to code websites, and one morning I woke up in a sweat.

We've got seven in production. So anyway, great topic. Yeah, this is Building Secure Software. I think, I know, the title was like 15 words long; I shortened it. I'm August Johnson. I'm a security architect at Netsmart right now. My responsibility there is just the overall portfolio, it's a software company, of their application security, so I do everything I can to make the software that we're going to produce considered more secure. A little history: I can actually point to a moment when I was like, this is when I'm going into security. There was a BSides in the city in 2011, which was... I actually volunteered at it. I was like, security

volunteers, come on, wonderful. So this talk, I'm really going to go pretty deep into one or two particular frameworks, but really I'm going to give you kind of my opinion on a few different frameworks that all have the general goal of helping an organization build secure software. I did a fair amount of research into the five that I've got on the next page and kind of selected the OWASP SAMM as the one that I was going to specifically use, but all of them have some merits and some really valuable pieces. So these are the five I'm going to talk about a little bit today. I'm actually going to go kind of from the bottom

up, because I have two slides on the BSIMM and then the rest of the presentation is on SAMM. But these were five that I looked for; there are certainly more than this that are trying to accomplish the general goal of helping the software organization build more secure software, but these are the ones that I'll highlight. Microsoft has the SDL and a bunch of documentation with that. They were probably one of the first to really kick off this whole security-first design development lifecycle. Their stuff's pretty good, it really is. It works pretty well, especially if your model is even remotely like Microsoft's, like shipping a desktop app. I mean, for Microsoft it's strong, it's living, it's

something that I haven't dug too deeply into in the recent past, but it very much has been updated for kind of the current state of things. If you tie in tightly to the Microsoft technologies and that type of thing, that'd be one that I recommend strongly looking at. But it's also a little bit lighter on operations and governance; this one is really about building software and vulnerabilities, and it's less about running an organization that produces systems. I just have a slightly different way to look at this. NIST SP 800-64 is a giant, headache-inducing wall of text, but it is actually pretty decent if you can get into it, as far as the general advice

goes, and the tools that they give you. It's really not that bad. If you're in a highly regulated environment, this is something that you're gonna be able to find some great stuff from, and it is pretty fully featured and solid, but I would say regulation is what would drive this over one of the other tools. In general, the ISO 27034 stuff, it's pretty ugly, but it's not finished, and that's the one thing I would say: this isn't nearly as complete as the other ones in just being able to offer clear advice on building secure software. So not something I generally recommend. It's out there, and it's probably making progress

over time. It'll be able to be a big deal; ISO stuff is a big deal. The last two, the BSIMM and the SAMM. Deeper into the BSIMM: it's something I would highly suggest that everyone in the room just downloads a copy of. It's a free report. There's a lot of great information in that report. It's like 50 pages or something like that. BSIMM stands for Building Security In Maturity Model, and actually that and the OWASP SAMM, which I'll go into, started as the same project and kind of forked at some point, like late 2000s. This is a survey and its survey results, but it's surveys specifically about application security practices, not just general security practices. Actually, the

purpose that they state on their website is to quantify the activities carried out by real software security initiatives, and they just record the facts. It's an awesome, awesome tool, and they're on the version that you want. Pretty much everyone here, all these places, they participate in this, and their answers to these survey questions about application security are in the results. So these are just some of the really interesting facts that you can very quickly pull out of that. They also have all of these questions organized by industry, so if you're in the healthcare industry, you make healthcare software, if you're a hospital or something along those lines, you can see what this number is for hospitals, for

the healthcare industry. That's just really, really helpful data to have when you're like, hey, I think we need a security awareness program; thirds of all companies have an awareness program, and a whole bunch of... Bringing those hard facts to the table, that's what can really get change. You can have... when you bring clear... One of the things that the BSIMM really helped me to understand is that everyone's strong. This is something that, things like bug bounty programs, which were like, oh yeah, these are cool, these are awesome, and then we'll get there in six months. It's something that is super important, but it helps you understand the difference in your peer groups as far as

companies go. This just does a really good job of illustrating that, and these charts are, they're freakin' awesome. So some of the really cool things you can take from this: insurance is green and healthcare is orange, so in this case you can see that insurance is almost always better than healthcare except for a couple of points. And so, oh, insurance is better at training, but healthcare works on... insurance works on just about everything else. In general it's just neat to see that industries and their application security practices kind of... The charts, just to clarify, going outwards on the

chart is better, more mature, and inwards is less mature. And these are the twelve security practices that they evaluate, each of them having a bunch of questions underneath.

Okay, so OWASP SAMM. This is kind of the meat of this talk. It used to be called the OpenSAMM. SAMM stands for Software Assurance Maturity Model, and this is really just, as far as what it is, it's a PDF, yeah, or set of documents that help you to clarify, I mean to understand, what maturity in a bunch of different ways throughout the software development process is. They have different versions. I really started running the program that I'm kind of doing now, I've built it out on version 1.1, which was current at the time, and 1.5 got released as I was building the program, so I kind of did a quick switch to that. There weren't

huge changes. 2.0 has a big change, so I would generally recommend running on 2.0 at this point. Yeah, but it's linked; it'll offer you good advice on this. Like the BSIMM, both originated in 2009 roughly and have changed since. So the goals of the SAMM, I mean they speak for themselves: it's just putting measurable metrics around software security in many, many different ways, providing clear actionable paths, and really making a document that works for anything that produces software, any company or organization that produces software. It truly is really, really flexible, totally paradigm agnostic. There's nothing in there that's really like, oh, this only works if it's

That's not at all what this kind of document is. And really, if you're only interested in one little piece of it, it provides a ton of value by itself, just however you kind of slice and dice it. It absolutely does.

So this is kind of the chart. SAMM before 2.0 just had these four business functions. What they were trying to do was they stole a little bit from Construction and a little bit from Verification, and then they kind of built those out to have this Build and Deploy section. The problem they were generally running into, and I ran into as well, is that the actual middle part of it, when developers were actually taking the code, this part was not very well represented. So they kind of pushed them to the side and added this whole Build and Deploy portion of the SAMM to better represent that piece of it. Governance is overarching. Not going too deeply

into this, but basically the terminology: you know, business functions, there were four, there are five now, and each of the business functions has three security practices, and on each of the practices you can measure yourself on your maturity. So I can know that our organization is at maturity level zero for Strategy and Metrics, but we're pretty kick-ass on Policy and Compliance, we're pretty level three, which is kind of an accident. That's a realistic scenario, and you kind of just need to know that. That helps you respond and not put your eggs in one basket. You don't need to get signed code, which is even in Secure Build, before you have a security policy. Those are

things that you kind of measure: maturity levels of practices.

So I'm gonna do a deep dive on a few of these, definitely not all of them. What I'm trying to do is a deep dive on one of those security practices and give you a little bit of information about what each of the maturity levels inside them consists of, what kind of features the SAMM has to offer. Education and Guidance, level one. So I'm gonna go through, I have one of these in each of the business functions that I've just kind of arbitrarily picked, and I'm gonna look at it in a slightly different way. So my first one is Education and Guidance. Each of the security practices has two

streams. So Education and Guidance is made up of training and awareness stuff that you're going to do, and organization and culture stuff, and each of those has the three maturity levels, but they're kind of all things together. So really, for stream A, to know that you have the first maturity level in training and awareness, that's providing security awareness training for all personnel involved in software development. That's pretty basic; they understand security on a fairly broad level. If you can say, okay, all the developers, all the project managers, even anybody who is helping to build this software has had security awareness training, okay, level one training and awareness, good. To get a little

deeper in that same awareness, you can offer role-specific guidance, and then the kind of final level of maturity is a standardized set of in-house guidance around the organization's secure software development standards. So that means that your development staff understand, here are the security processes that we follow, and you can kind of make sure that they understand. Some level of certification is something that they talk about a little bit in the documentation; it might be like an internal certification: I'm a certified secure software developer according to my company. For stream B it's a little bit different. For organization and culture, maturity level one is like dubbing someone on the team the security champion, just that, like, it doesn't get much deeper than that. It

says, well, here's some responsibilities that a security champion might have, but that's totally up to your organization. It could be many, many different things that they really end up doing, but giving someone that title and that level of responsibility, and making sure everybody's on the same page about what that means, that's where maturity level one is. 2 & 3: developing a secure software center of excellence, talking about leadership, and here's some tools internally that we may be able to use, and just having a team that works together. Building, one sentence, but it's building a secure software community including all organizational people involved, security as a first... in the software building process, that everyone is on the

same page that security is... There's different ways to measure that, and it offers some advice on exactly what that means, but it doesn't do that either; it just says here are activities you might be able to do to accomplish it. The next security practice I'm gonna get into is Threat Assessment. So Threat Assessment, really like this table right here, I've literally copied and pasted this out of the SAMM documentation. There's one of these for every single one of the security practices, 30, something like that, yeah, 50. So there's kind of 30 of these pieces, these slices, and it just talks about what you've accomplished if you are maturity one in Threat Assessment. So: we did our best

effort to understand the high-level threats against projects. That's maturity one. That's something, that's not bad, that's certainly better than nothing: some people have spent a little bit of time thinking about threats to this piece of software, whatever it is. Standardization of enterprise-wide analysis, knowing that your organization might get hit by X, Y & Z, those are important things to make sure everybody's on the same page about. And then maturity three is the proactive and improvement. These are some activities that you might use to accomplish these different things, and it helps you kind of understand that the first step, threat modeling, is really how you start in this, but then you can start to get into some standardization,

understanding that an insider needs to be modeled against all of your applications. An insider can attack your main front-page website, and maybe they have actual write access to that, and what that means.

Secure Build is the next practice I'm going to get into. This is just to talk about, it's really the description of what you as an organization get when you're at maturity level one as defined by the SAMM: your build process is repeatable and consistent. That's it, that is maturity level one, pretty much. CI/CD has this; any team that builds their binary on their build server, their TeamCity or whatever they've got. The build process being optimized and integrated into the workflow, that's the type of thing where you just define what optimized and integrated mean as an organization. You kind of make sure that, okay, this is our metric for optimized, this is our metric for

integrated, here's where we are today, and then you can start; the SAMM helps you build a process to get there. Maturity level three is really: the build process is something you rely on. This really just talks about defects too. That's one of the things: a consistent process for building code and managing your code, it's not directly security positive, but it's so indirectly positive. It's just consistency and understanding that process and being able to rely on it, and being able to easily show traceability between here's code that entered into the stream, here's what the SHA of that code is, here's the code we were running in production. Those are things that are really, really

valuable for all kinds of other things. Now, straight from that,

Okay, we've gone through these security practices: Education and Guidance, Threat Assessment, and then Secure Build is what we kind of just did. There are tons of other security practices, as you can see. I'm going to go through a couple more, Implementation Review, Environment Hardening, but I'm kind of just doing different slices of each. Um, so generally, like that table that I showed, it's available for all of them: paragraphs about how to accomplish Strategy and Metrics maturity level one. That's part of this tool set. A little bit about the difference between the SAMM 2.0 and 1.5: they changed some of the names of these; the general subject matter is about the same. I just generally

steer people towards 2.0 at this point too, because you're going to kind of slice and dice it all kinds of ways anyways, and 2.0 will start to build out the different tools that are built for it.

Architecture Assessment, but really this shows you the two different activities.

Yeah, this is just the types of statements that talk about here's what you have when you can call yourself a level one in Environment Management, which is a super important one for just running secure software. You're aiming for a relatively low bar, which is best-effort patching and hardening. The difference between this and this can be minuscule, or it can be absolutely terrible, years between these two. That's why this tool is really valuable: you can start to build out where you want to be as defined by some of these maturity levels, and try and kind of tie that into what you think your organization can do.

Things like, we have these products available to integrate with your applications, we have advanced WAF features that you can have in front of your app. That's the type of thing where communicating that to different developers and understanding how they might be a great fit and how it might impact the process, that's something that you talk through, and it leads to really kind of increasing your return. That's pretty much all of those. Some of the other tools that I'll go through that are available today, these are specifically for 1.5, but it wouldn't take very much work to make these available for 2.0, and they will be fairly soon. You can measure yourself.

So this is basically like a survey. What I did was I sat down with a few different members of my organization and said, hey, how do we do, and asked just these questions: do we do this every time, do we do this sometimes? And that helped to get us to, okay, we have 75% of maturity level 1. We had a bunch of practices already at maturity level 3 that we've almost done, so getting us from not technically completing the 30 level ones all the way up to 3 is a lower level of effort than you might think. This is another product of that same Excel sheet. You can talk about phases, like you can do a three

month phase in your organization, for example, and say, here's where we are now: we've fully got Education and Guidance at level one, we're feeling good about that, so let's wait till phase 2 to bump that up, but in phase 1 we're going to focus on Strategy and Metrics, Policy and Compliance. You can kind of see building maturity by security practice with some of these tools that are there. You can set the length of your phase however long you want. If you're a small organization, you can implement a lot of security controls quickly, yeah, but you build on the practices that are there. So general advice, I'd say for you guys: set some metrics, and honestly start with the BSIMM. This is

the piece that I would highly suggest: just everyone in this room reads the BSIMM report, looks in there, tries to compare that to your organization, and wherever you are, it's a very valuable report. I mean, it helps you put what you know about your positioning in context with everything around you. And then just aim for gradual, realistic improvement. This is really where the SAMM can help you: understanding the practices that you're doing now and building on top of them to get to a level that is acceptable. I generally say about this product, the SAMM, it's really easy to make good-looking long-term reports and presentations based on the data in this. It's just, it's

a high-quality tool, and it makes great slides in the frickin' PowerPoint presentation to the executives. That's really what it does, so I would highly recommend it for that, because that's a good way to get work done in the future. The roadmap that I built has been significantly adjusted from what my big plans were a year ago or so, lots of different reasons for that, but the tool overall supported that pretty well. I kind of use the tool as a reference more so than really a true roadmap at this point. We're not in this rut going down this plan from eighteen months ago; it's a lot more like, as changes kind of come up and they're driven, I use

the SAMM to help me illustrate what's important about this. Oh, that's really good. Here's... Oh. [Applause]
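To make the self-assessment scoring and phase planning the talk describes concrete, here is an added Python example; it is mine, not the OWASP SAMM toolbox or the speaker's spreadsheet. It assumes the SAMM structure as the talk lays it out (practice → streams A and B → maturity levels 1–3, one answer per stream and level); the answer weights, the cumulative-maturity rule, and the sample answers are assumptions constructed for the example and only loosely modelled on the SAMM 1.5 toolbox.

```python
"""SAMM-style self-assessment scorer.

Added example, not the OWASP SAMM toolbox or the speaker's spreadsheet.
Assumed model from the talk: each security practice has streams A and B,
each stream has maturity levels 1-3, and every (stream, level) gets one
answer. ANSWER_WEIGHT is an assumption loosely modelled on the SAMM 1.5
toolbox, not its exact scoring.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ANSWER_WEIGHT = {"no": 0.0, "some": 0.25, "half": 0.5, "most": 1.0}
STREAMS = ("A", "B")


@dataclass
class Practice:
    function: str                   # business function, e.g. "Governance"
    name: str                       # security practice, e.g. "Secure Build"
    answers: Dict[str, List[str]]   # answers[stream][level - 1] -> ANSWER_WEIGHT key

    def level_score(self, level: int) -> float:
        """Fraction of this level's activities in place, averaged over streams."""
        weights = [ANSWER_WEIGHT[self.answers[s][level - 1]] for s in STREAMS]
        return sum(weights) / len(weights)

    def maturity(self) -> float:
        """Cumulative maturity in [0, 3]: 0.75 means '75% of level 1 done',
        1.75 means level 1 complete and 75% of level 2 done. A higher level
        only counts once every lower level is fully in place."""
        total = 0.0
        for level in (1, 2, 3):
            score = self.level_score(level)
            total += score
            if score < 1.0:
                break
        return round(total, 3)

    def gap_to(self, level: int) -> List[Tuple[str, int]]:
        """(stream, level) activities still below 'most' up to `level`: the work
        list for a phase whose target is 'get this practice to level N'."""
        return [(s, lv) for lv in range(1, level + 1) for s in STREAMS
                if ANSWER_WEIGHT[self.answers[s][lv - 1]] < 1.0]


def spider_chart_rows(practices: List[Practice]) -> List[Tuple[str, str, float]]:
    """One (function, practice, maturity) row per practice for a radar chart."""
    return [(p.function, p.name, p.maturity()) for p in practices]


# Constructed sample answers echoing the scenario in the talk (not real data).
SAMPLE: Dict[str, Practice] = {p.name: p for p in [
    Practice("Governance", "Strategy and Metrics",
             {"A": ["no", "no", "no"], "B": ["no", "no", "no"]}),
    Practice("Governance", "Policy and Compliance",
             {"A": ["most", "most", "most"], "B": ["most", "most", "half"]}),
    Practice("Governance", "Education and Guidance",
             {"A": ["most", "half", "no"], "B": ["most", "most", "no"]}),
    Practice("Implementation", "Secure Build",
             {"A": ["most", "some", "no"], "B": ["half", "no", "no"]}),
]}

if __name__ == "__main__":
    for func, name, score in spider_chart_rows(list(SAMPLE.values())):
        print(f"{func:15} {name:25} maturity {score:.2f}")
    print("Secure Build, work to reach level 1:", SAMPLE["Secure Build"].gap_to(1))
```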
