application risk prioritization - overview - secure360 2015 - part 1 of 2
TRANSCRIPT
About Me
Yan Kravchenko, CSSLP, CISSP, CISA, CISM, QSA
Compliance Advisory Practice Lead
[email protected]
612-455-8485
Twitter: @yanfosec
Contributor: https://www.netspi.com/blog/
Agenda
• Background – Why is this necessary?
• Defining Risk:
  ‒ Value / Potential Impact
  ‒ Maturity / Susceptibility
• Why Open SAMM?
• Dashboards – Decision Support Systems
• Demo
Background – Why Apps?
• Data perimeter is no longer networks and firewalls
• Application Security has evolved to the keystone of organization’s security strategies
• Application security is complex and involves many aspects of security & technology
• Application security has been the cause of a significant percentage of security breaches
Alternatives
• BSIMM – expensive, cumbersome, proprietary
• Microsoft SDL - heavyweight, limited to MS
• Touchpoints - high-level, not enough details to execute
• CLASP - Large collection of activities, but no priority ordering
• All alternatives are based on a concept that all applications have the same threat and risk profile
Risk Measurement Challenges
• Applications can be developed with different SDLC methodologies
• Inconsistent maturity of the design and embedded security mechanisms
• Applications range in size, complexity, and perception of risk
• Application security / maturity is difficult to normalize, contrast, and compare
Defining Risk
• Significance / Impact
  ‒ What an application is
  ‒ Does not change without significant changes to the nature of the application
• Maturity / Susceptibility
  ‒ Maturity of the application
  ‒ Can be changed by implementing additional security controls
  ‒ Based on OWASP Software Assurance Maturity Model (SAMM)
Significance / Impact (Static)
• Customized for each organization
• Should not change unless the application or the organization undergoes big changes
• Focuses on application risk categories and attributes that are significant and meaningful
• Static risks can be used for risk calculation or presenting correlated risk scores as they relate to each static risk
• Static risks can be used to pivot data, highlighting internal initiatives
Maturity / Susceptibility (Dynamic)
• Based on OWASP Software Assurance Maturity Model (SAMM)
• Uses SAMM’s questionnaire for determining the maturity model
• Answers to questions help calculate numeric dynamic risk score as well as determine control maturity levels
• In addition to establishing the maturity level, SAMM provides detailed control implementation requirements
Software Assurance Maturity Model
[Figure: Secure Development Lifecycle (SAMM). Phases: Design, Build, Test, Production. Security activities placed along the lifecycle from proactive to reactive: security requirements / threat modeling (Design); coding guidelines, code reviews, static test tools (Build); security testing, dynamic test tools (Test); vulnerability scanning, WAF (Production).]
Governance
• Strategy & Metrics - Practice is focused on establishing the framework within an organization for a software security assurance program.
• Policy & Compliance - Practice is focused on understanding and meeting external legal and regulatory requirements.
• Education & Guidance - Practice is focused on arming personnel involved in the software life-cycle with knowledge and resources to design, develop, and deploy secure software.
Construction
• Threat Assessment - Practice is centered on identification and understanding of the project-level risks based on software functionality and the runtime environment.
• Security Requirements - Practice is focused on proactively specifying the expected behavior of software with respect to security.
• Secure Architecture - Practice is focused on proactive steps for an organization to design and build secure software by default.
Verification
• Design Review - Practice is focused on assessment of software design and architecture for security-related problems.
• Code Review - Practice is focused on inspection of software at the source code level in order to find security vulnerabilities.
• Security Testing - Practice is focused on inspection of software in the runtime environment in order to find security problems.
Deployment
• Vulnerability Management - Practice is focused on handling vulnerability reports and operational incidents.
• Environment Hardening - Practice is focused on building assurance for the runtime environments hosting software.
• Operational Enablement - Practice is focused on gathering security critical information from the project teams building software and communicating it to the users and operators of the software.
OWASP SAMM – Maturity Levels
• SAMM Maturity Levels:
  ‒ 0 - Implicit starting point representing the activities in the Practice being unfulfilled
  ‒ 1 - Initial understanding and ad hoc provision of Security Practice
  ‒ 2 - Increase efficiency and/or effectiveness of the Security Practice
  ‒ 3 - Comprehensive mastery of the Security Practice at scale
OWASP SAMM - Guidance
• Guidance for each level includes:
  ‒ Objective
  ‒ Activities
  ‒ Results
  ‒ Success Metrics
  ‒ Costs
  ‒ Personnel
  ‒ Related Levels
See: http://www.opensamm.org/
SAMM Assessment Process
• Supports lightweight and detailed assessments
• Lightweight assessment can be completed in less than one hour per application
• Assessment worksheet is comprised of simple Yes / No questions
Sample Dashboards – SAMM Scores
Practice                              App 1  App 2  App 3  App 4  App 5  App 6
Governance: Strategy & Metrics         0+     2+     0+     0+     0+     0+
Governance: Policy & Compliance        0+     1+     0+     0+     0+     0+
Governance: Education & Guidance       0+     2      2+     2+     2+     2+
Construction: Threat Assessment        0+     1+     1+     0+     1+     1+
Construction: Security Requirements    0      2+     0+     0+     1+     0+
Construction: Security Architecture    1+     2      1+     1+     1+     1+
Verification: Design Review            1+     0+     1+     0+     1      0+
Verification: Code Review              1      2      3      1+     0+     3
Verification: Security Testing         1+     1+     1+     0+     1+     0+
Deployment: Vulnerability Management   1+     2+     1+     1+     1+     1+
Deployment: Environment Hardening      0      2      0+     0      0      0+
Deployment: Operational Enablement     0      2      0+     0+     0+     0+
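How the Yes / No worksheet of the lightweight assessment turns into the "1+"-style scores shown in the table above, and into the per-function maturity rating on a 10-point scale used by the dashboards. This is an added example, not code from the talk or from OWASP; it assumes each practice has three levels of Yes / No questions, that a level is reached only when every question at that level and all lower levels is answered Yes, and that a trailing "+" marks at least one Yes at the next, not-yet-reached level (OpenSAMM's own convention, restated here as an assumption). The worksheet answers are constructed.

```python
# Added example (not from the talk): scoring a SAMM lightweight assessment.
# Assumptions: three levels per practice, each with Yes/No questions; a level
# is reached only when all questions at that level and below are Yes; a
# trailing "+" means at least one Yes at the next unreached level.
from typing import Dict, List

# Constructed worksheet for one application: practice -> answers per level
# (index 0 = level 1 questions, index 1 = level 2, index 2 = level 3).
SAMPLE_ASSESSMENT: Dict[str, List[List[bool]]] = {
    "Governance: Strategy & Metrics":    [[True, True], [True, False], [False, False]],
    "Governance: Policy & Compliance":   [[True, False], [False, False], [False, False]],
    "Governance: Education & Guidance":  [[True, True], [True, True], [False, True]],
    "Verification: Code Review":         [[True, True], [True, True], [True, True]],
    "Deployment: Environment Hardening": [[False, False], [False, False], [False, False]],
}


def reached_level(answers: List[List[bool]]) -> int:
    """Highest level whose questions (and those of all lower levels) are all Yes."""
    level = 0
    for questions in answers:
        if questions and all(questions):
            level += 1
        else:
            break
    return level


def maturity_value(answers: List[List[bool]]) -> float:
    """Numeric maturity 0.0-3.0: reached level plus the fraction of the next
    level's questions answered Yes (the partial credit behind the '+')."""
    level = reached_level(answers)
    if level >= len(answers):
        return float(level)
    nxt = answers[level]
    return level + (sum(nxt) / len(nxt) if nxt else 0.0)


def maturity_label(answers: List[List[bool]]) -> str:
    """Dashboard label such as '1+', as used in the SAMM score table."""
    level = reached_level(answers)
    partial = level < len(answers) and any(answers[level])
    return f"{level}{'+' if partial else ''}"


def score_assessment(assessment: Dict[str, List[List[bool]]]) -> Dict[str, str]:
    """Label every practice in a worksheet."""
    return {practice: maturity_label(a) for practice, a in assessment.items()}


def category_rating(assessment: Dict[str, List[List[bool]]], category: str) -> float:
    """Average maturity of one business function's practices on a 10-point
    scale, matching the 'Maturity Rating (10 point scale)' bars."""
    values = [maturity_value(a) for p, a in assessment.items()
              if p.startswith(category + ":")]
    if not values:
        return 0.0
    return round(sum(values) / len(values) / 3 * 10, 2)


if __name__ == "__main__":
    for practice, label in score_assessment(SAMPLE_ASSESSMENT).items():
        print(f"{practice:<38} {label}")
    print("Governance rating:", category_rating(SAMPLE_ASSESSMENT, "Governance"))
```

With the constructed worksheet, Strategy & Metrics scores "1+" (level 1 complete, half of level 2 answered Yes) and Governance as a whole rates 5.0 of 10; a practice with no Yes answers at all stays "0", which is the difference between "0" and "0+" in the table.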
Risk Correlation
Value * Maturity = Correlated Risk
• Value / Impact factors generate a numeric score, normalized against all applications
• SAMM activities generate a numeric score, based on answers provided as part of the SAMM assessment
• Provides a single measure of security for each application
• Can be applied uniformly across all applications
• Provides a “true” value, allowing a side-by-side comparison of all applications
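The "Value * Maturity = Correlated Risk" calculation carried through for a small portfolio, including the kind of "what-if" re-scoring the summary mentions. This is an added example, not the speaker's tool; it assumes that each static impact factor is normalized to 0-10 against the largest value in the portfolio and combined with weights, that the SAMM maturity (0-3) becomes a susceptibility risk of (3 - maturity) / 3 * 10, and that the product is the 0-100 risk score on the dashboards. The weights, the 50-point "Excessive Risk" cut-off and every application value are constructed.

```python
# Added example (not from the talk): Value * Maturity = Correlated Risk.
# Assumptions: impact factors are each normalized to 0-10 against the largest
# value in the portfolio and weighted; SAMM maturity 0-3 maps to a
# susceptibility risk (3 - maturity) / 3 * 10; their product is the 0-100
# correlated risk. Weights, threshold and application data are constructed.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class AppProfile:
    name: str
    impact_factors: Dict[str, float]   # static value / impact attributes
    samm_maturity: float               # dynamic score: average SAMM level, 0..3


# Relative weight of each impact factor (assumed; tailored per organization).
IMPACT_WEIGHTS = {"revenue": 0.5, "clients": 0.3, "materially_significant": 0.2}
EXCESSIVE_RISK_THRESHOLD = 50.0        # assumed cut-off between dashboard bands

PORTFOLIO: List[AppProfile] = [        # constructed sample data
    AppProfile("App 1", {"revenue": 8_000_000, "clients": 12_000, "materially_significant": 1.0}, 0.5),
    AppProfile("App 2", {"revenue": 2_000_000, "clients": 3_000, "materially_significant": 0.5}, 2.0),
    AppProfile("App 3", {"revenue": 500_000, "clients": 200, "materially_significant": 0.0}, 1.0),
]


def normalize(values: List[float]) -> List[float]:
    """Scale a factor so the largest value in the portfolio maps to 10."""
    top = max(values) if values else 0.0
    return [v / top * 10 if top else 0.0 for v in values]


def impact_scores(apps: List[AppProfile]) -> Dict[str, float]:
    """Static score per application: weighted sum of normalized factors, 0-10."""
    scores = {a.name: 0.0 for a in apps}
    for factor, weight in IMPACT_WEIGHTS.items():
        normalized = normalize([a.impact_factors.get(factor, 0.0) for a in apps])
        for app, n in zip(apps, normalized):
            scores[app.name] += weight * n
    return scores


def susceptibility(maturity: float) -> float:
    """Dynamic score: lower SAMM maturity means higher susceptibility, 0-10."""
    maturity = min(max(maturity, 0.0), 3.0)   # clamp out-of-range input
    return (3.0 - maturity) / 3.0 * 10.0


def correlated_risk(apps: List[AppProfile]) -> Dict[str, float]:
    """Value * Maturity: one comparable 0-100 risk score per application."""
    impacts = impact_scores(apps)
    return {a.name: impacts[a.name] * susceptibility(a.samm_maturity) for a in apps}


def risk_band(score: float) -> str:
    """Dashboard band for a score (threshold is an assumption)."""
    return "Excessive Risk" if score >= EXCESSIVE_RISK_THRESHOLD else "Acceptable Risk"


def what_if(apps: List[AppProfile], name: str, new_maturity: float) -> float:
    """Re-score one application with a changed maturity, to see how far added
    SAMM controls would move it before committing to them."""
    trial = [AppProfile(a.name, a.impact_factors,
                        new_maturity if a.name == name else a.samm_maturity)
             for a in apps]
    return correlated_risk(trial)[name]


if __name__ == "__main__":
    for name, score in sorted(correlated_risk(PORTFOLIO).items(), key=lambda kv: -kv[1]):
        print(f"{name}: {score:5.1f}  {risk_band(score)}")
    print("App 1 at maturity 2.0:", round(what_if(PORTFOLIO, "App 1", 2.0), 1))
```

Because impact is normalized against the whole portfolio, a score only means something relative to the other applications assessed at the same time; adding a much larger application later shifts everyone else's impact down, so the normalization set should be fixed before scores are compared across reporting periods.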
Sample Dashboards
[Figure: Correlated Application Security scatter plot. X axis: SDLC Maturity Risk (0–10); Y axis: Business Impact Risk (0–10); points: App 1 through App 12.]
Sample Dashboards
[Figure: Overall Maturity Categories bar chart. Maturity Rating (10 point scale), 0–10, for Governance, Construction, Verification and Deployment.]
Sample Dashboards
[Figure: four bar charts of Maturity Rating (10 point scale), one per SAMM business function: Governance (Strategy & Metrics, Policy & Compliance, Education & Guidance); Construction (Threat Assessment, Security Requirements, Security Architecture); Verification (Design Review, Code Review, Security Testing); Deployment (Vulnerability Management, Environment Hardening, Operational Enablement).]
Sample Dashboards
[Figure: Application Risk Scores bar chart, 0–100, for App 1 through App 15.]
Sample Dashboards
[Figure: scatter plot of SDLC Maturity Risk (0–10) against Business Impact Risk (0–10), with a legend of Average Revenue categories: Very Large, Large, Moderate, Minimal.]
Sample Dashboards
[Figure: Average Revenue Scores bar chart, 0–100, for the categories Very Large, Large, Moderate and Minimal.]
Sample Dashboards
[Figure: Materially Significant scores bar chart, 0–100, for the answers Yes, Somewhat and No.]
Sample Dashboards
[Figure: Number of Clients Risk Datagram. X axis: Number of Clients (0–12000); Y axis: Cumulative Risk Score (0–100); points: App 1 through App 15; regions labelled Excessive Risk and Acceptable Risk.]
Sample Dashboards
[Figure: Average Number of Users per Client Risk Datagram. X axis: Average Number of Users per Client (0–900); Y axis: Cumulative Risk Score (0–100); points: App 1 through App 15; regions labelled Excessive Risk and Acceptable Risk.]
Summary
• Enhanced ability to manage the entire application security portfolio
• Normalizes risk scoring between different applications
• Allows application security optimization through efficient “what-if” calculations
• Helps identify insecure applications
• Metrics support ability to make application security decisions
• Measures accomplishments and highlights application risk reduction activities
Questions?
• Application Value / Potential Impact
• Maturity / Susceptibility
• Open SAMM
• Risk Correlation
• Dashboards
Yan Kravchenko – 612-455-8485 [email protected]