This document discusses software security strategies and the Open Software Assurance Maturity Model (OpenSAMM). It provides examples of objectives and assessments for governance, construction, verification, and operations based on OpenSAMM. The document also outlines how to get started with OpenSAMM, including assessing maturity levels, defining a roadmap, and estimating costs. External support is offered to help with assessments, penetration tests, and training.

1. _
Neversettle.
www.intive.com
Welcome
OWASP
Open SAMM
Szczecin, 01-03-2017
PapryQArz - We test with taste. www.papryqarz.org

2. Why should I care?
1. 2014 Tesco Bank: more than 2,000 accounts was
posted on the Internet, ICO investigation followed
2. 2015 Ashley Madison: full client database leaked
3. 2015 Juniper NetScreen Firewalls: backdoor
installed into the code
4. 2015 CIA Director John Brennan: social hack on his
AOL account lead to leaking CIA creds

3. Am I secure?
„We use the cloud, they keep us ok!”
„We have security scanners!”
„Our devs know OWASP top 10!”
„We do penetration tests!”

4. Anything else?
1. Are there any other holes in my system?
2. What about next release?
3. Is my code secure?
4. Is my backup secure? My back office?
5. What about hosting…. ?

5. You need Strategy
1. OWASP – non profit org for cyber security
2. SAMM – Software Assurance Maturity Model
3. OpenSAMM – free SAMM by OWASP
4. OpenSAMM v 1.5 released Feb 28 ‚2017

6. Neversettle.
www.intive.com
_Open SAMM contents

7. OPEN SAMM
CONFIDENTIAL

8. Governance
General management of development activities.
_Strategy & metrics
_Policy & Compliance
_Education & Guidance

9. Construction
Definition of goals and software creation from
requirements gathering to detailed implementation.
_Security requirements
_Threat assessment
_Secure architecture

10. Verification
Checking and testing artifacts produced.
_Design review
_Implementation review
_Security testing

11. Operations
Managing software that has been created: deployment,
configuration and runing.
_Environment hardening
_Issue Management
_Operational Enablement

12. Objectives example - governance

13. Objectives example - construction

14. Getting started

15. Assess yourself
_OpenSAMM Assessment Toolbox (xls)
_36 questions: quick assessment
_Detailed assessment: verify your activities
_Gap analysis

16. Assesment
_ Clear representation of the maturity level
_ Each Practice rated on the scale below
_ Can capture progress over time

17. Your Score Card
_ Clear representation of the maturity level
_ Each Practice rated on the scale below
_ Can capture progress over time

19. Define your roadmap
_ Select template from OpenSAMM HowTo
_ Adjust to your needs
_ Start!

20. SAMM road map template

21. SAMM Templates
_ Independent Software Vendors
_ Online Service Providers
_ Financial Services Organizations
_ Government Organizations

22. Costs?
_Deployment time
_Release and process overhead
_Licenses & training
_Light assessment: 1-5 man-days

23. Costs - Virtualware
_Software House: between 300 devs, 12 teams
_Platform developed over 8 years
_Mixed technologies

24. Phase 1 - goals

25. Training
Phase 1 - costs
Training: External:
52
37 + n
Up to:
389 d

26. Call in for backup
_How can we help:
_External consulting
_Penetration tests
_Training

27. Contact us
_Never
settle.
Krzysztof Machelski
Director, Security & Automation
+48 506 539 817
Krzysztof.Machelski@intive.com