TRANSCRIPT
Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/
The OWASP Foundation
6th OWASP AppSec Conference
Milan - May 2007
http://www.owasp.org/
The OWASP CLASP Project
Pravir Chandra, OWASP CLASP Project Lead, Principal Consultant -- Cigital, [email protected]
6th OWASP AppSec Conference – Milan – May 2007
Agenda
What is CLASP anyway?
The CLASP philosophy and contents
Comparison to other security processes
Details on the OWASP CLASP Project
CLASP 2007
Comprehensive, Lightweight Application Security Playbook
CLASP is a prescriptive guide for organizations to address software security iteratively
Covers the entire organization (not just development)
Adaptable to any type of organization or development process
New material to reflect software security’s inexorable tie to the specifics of a business
Origins of CLASP
Original version was developed by Secure Software (acquired by Fortify Software)
Collection of ‘stuff’: vulnerabilities, roles, activities, etc.
Heavily modified for CLASP 2007
This is the version we’ll discuss today
To be released by June 2007
Top-level organization of CLASP 2007
Think
  How to think about software security
  Setting long-term goals and strategy based on your business
Plan
  Setting near-term goals to execute against
  Planning iterations and getting immediate value
Do
  The nitty-gritty details of performing activities that provide assurance
  Executing and measuring success
Philosophical Stuff
It’s about balancing risk, not 100% secure
Even if you don’t have a well-defined process, you can make an impact
Monitor and measure to make sure you’re on track for efficiency and efficacy
Use the CLASP Best Practices as a ‘north star’
The CLASP Best Practices
1. Institute awareness programs
2. Perform application assessments
3. Capture security requirements
4. Implement secure development practices
5. Build vulnerability remediation procedures
6. Define and monitor metrics
7. Publish operational security guidelines
Key decision points
What kind of business are you in?
  Regulatory requirements
  Rough cut at ‘risk appetite’
How does your business rely upon software?
  Do you sell boxed applications? … platforms?
  Do you build and operate your own software?
  Do you outsource and consume?
What top-management support is available?
  How much cost can you tolerate short-term? … long-term?
Creating an action plan
CLASP 2007 introduces the concept of ‘Competencies’
  High-level areas of the SDLC
  Each has pre-determined maturity levels (not quite CMM-style)
Based on your drivers, pick the next Competency (or maturity level) you’ll target
  A Competency level has assigned Activities (more on this later)
  Provides some ready-made milestones
  Grow the organization’s skill and efficiency over time
A few example roadmaps for common types of businesses are provided to get started
The CLASP Competencies
1. Security Management & Governance
2. Hardened Requirements & Design
3. Secure Implementation
4. Software Assessment & Testing
5. Safe Deployment & Operations
Putting rubber on the road
Based on target Competency level, implement assigned Activities
  Plan appropriate resources for the activity
  Ensure correct Roles are filled
  Instrument with prescribed monitors for metrics
In total, there are ~24 Activities
  They’re spread across the Competency levels for bite-size consumption
  Some you may never need to implement
The CLASP Activities
1. Institute Security Awareness Program
2. Perform Security Analysis of System Requirements and Design (Threat Modeling)
3. Perform Source Level Security Review
4. Identify, Implement, and Perform Security Tests
5. Verify Security Attributes of Resources
6. Research and Assess Security Posture of Technology Solutions
7. Identify Global Security Policy
8. Identify Resources and Trust Boundaries
9. Identify User Roles and Resource Capabilities
10. Specify Operational Environment
11. Detail Misuse Cases
12. Identify Attack Surface
13. Document Security Relevant Requirements
14. Apply Security Principles to Design
15. Annotate Class Designs with Security Properties
16. Implement and Elaborate Resource Policies and Security Technologies
17. Implement Interface Contracts
18. Integrate Security Analysis into Source Management Process
19. Perform Code Signing
20. Manage Security Issue Disclosure Process
21. Address Reported Security Issues
22. Monitor Security Metrics
23. Specify Database Security Configuration
24. Build Operational Security Guide
Lots of details
Each Activity is well-specified
  Roles involved
  Applicability and Impacts
  Frequency and approximate level of effort
  How-to steps for executing the activity
  Measurement criteria
CLASP specifies Roles as well
  High-level, so one person may hold more than one Role
  Skills requirements for filling the Role
The CLASP Roles
1. Architect
2. Designer
3. Implementer
4. Project Manager
5. Requirements Specifier
6. Security Auditor
7. Test Analyst
Summary of CLASP 2007
Think
  Philosophy of software security
  Best Practices to guide decisions
  Key decision points that affect logistics
Plan
  Competencies and maturity levels
  Sample, goal-based roadmaps
Do
  Activity definitions and details
  Role definitions and supporting information
CLASP and other SDLC models
There are two other secure SDLC models that you may have heard of
  Microsoft’s SDL (The Security Development Lifecycle. Howard, Lipner)
  The Security Touchpoints (Software Security. McGraw)
These both map to CLASP in a fairly straightforward way, with a few exceptions
The Stages of Microsoft’s SDL
0: Education & Awareness
1: Project Inception
2: Define and Follow Design Best Practices
3: Product Risk Assessment
4: Risk Analysis
5: Creating Security Documents, Tools, and Best Practices for Customers
6: Secure Coding Policies
7: Secure Testing Policies
8: The Security Push
9: The Final Security Review
10: Security Response Planning
11: Product Release
12: Security Response Execution
Source: The Security Development Lifecycle, by Michael Howard and Steve Lipner
CLASP and SDL
Direct mapping is tricky since SDL isn’t specified the same way as CLASP
  Some Stages of SDL are activities, some are artifacts, and some are processes
SDL contains lots more tactical advice from the MS trenches
  CLASP is specified more prescriptively, with fewer open-ended ideas
Timelines or impacts for SDL stages aren’t clearly defined
  Makes it harder to plan for cost-effectiveness (SDL is expensive)
Following the CLASP Competency roadmap for an ISV gives a roadmap that’s darn close to SDL
The Security Touchpoints
Source: Software Security, by Gary McGraw
CLASP and the Touchpoints
The Touchpoints map almost exactly to CLASP
  Several CLASP activities map to a single Touchpoint in some cases
Touchpoints focus on the core of software development
  CLASP aims to be a bit broader across an organization (including things like policy and awareness training)
Touchpoints have a prescribed adoption order
  CLASP varies this a bit in the Competency roadmaps according to the kind of business
The bottom line
Whether it’s SDL, the Touchpoints, or CLASP, it’s all good
  There’s really nothing that the three fundamentally disagree on
The real question is what applies to your organization best and what you’re most comfortable with
CLASP 2007 will contain a more detailed analysis and mapping of each
The OWASP CLASP Project
Mission
  Reinforce application security through prescriptive guidance that enables iterative improvement to any development model.
Tactical Goals
  1. Getting draft of CLASP 2007 out for review
  2. Updating OWASP Wiki with latest information and downloads
  3. Beefing up CLASP materials with more practical advice/suggestions
Get involved
We need volunteers as reviewers and contributors
Start by browsing the wiki pages for CLASP
  The Roles and most of the Activities are the same
  The Competency information will be up as soon as it’s ready for review
Mailing list for [email protected]