
Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/

The OWASP Foundation

6th OWASP AppSec Conference

Milan - May 2007

http://www.owasp.org/

The OWASP CLASP Project

Pravir Chandra, OWASP CLASP Project Lead, Principal Consultant -- Cigital, Inc. [email protected]

6th OWASP AppSec Conference – Milan – May 2007


Agenda

What is CLASP anyway?

The CLASP philosophy and contents

Comparison to other security processes

Details on the OWASP CLASP Project


CLASP 2007

Comprehensive, Lightweight Application Security Playbook

CLASP is a prescriptive guide for organizations to address software security iteratively
  Cover the entire organization (not just development)
  Adaptable to any type of organization or development process
  New material to reflect software security’s inexorable tie to the specifics of a business


Origins of CLASP

Original version was developed by Secure Software (acquired by Fortify Software)
  Collection of ‘stuff’ - vulns, roles, activities, etc.
Heavily modified for CLASP 2007
  This is the version we’ll discuss today
  To be released by June 2007


Top-level organization of CLASP 2007

Think
  How to think about software security
  Setting long-term goals and strategy based on your business
Plan
  Setting near-term goals to execute against
  Planning iterations and getting immediate value
Do
  The nitty-gritty details of performing activities that provide assurance
  Executing and measuring success


Think


Philosophical Stuff

It’s about balancing risk, not 100% secure

Even if you don’t have well-defined process, you can make an impact

Monitor and measure to make sure you’re on track for efficiency and efficacy

Use the CLASP Best Practices as a ‘north star’


The CLASP Best Practices

1. Institute awareness programs
2. Perform application assessments
3. Capture security requirements
4. Implement secure development practices
5. Build vulnerability remediation procedures
6. Define and monitor metrics
7. Publish operational security guidelines


Key decision points

What kind of business are you in?
  Regulatory requirements
  Rough cut at ‘risk appetite’
How does your business rely upon software?
  Do you sell boxed applications? … platforms?
  Do you build and operate your own software?
  Do you outsource and consume?
What top-management support is available?
  How much cost can you tolerate short-term? … long-term?


Plan


Creating an action plan

CLASP 2007 introduces the concept of ‘Competencies’
  High-level areas of the SDLC
  Each has pre-determined maturity levels (not quite CMM-style)
Based on your drivers, pick the next Competency (or maturity level) you’ll target
  A Competency level has assigned Activities (more on this later)
  Provides some ready-made milestones
  Grow the organization’s skill and efficiency over time
A few example roadmaps for common types of businesses are provided to get started


The CLASP Competencies

1. Security Management & Governance
2. Hardened Requirements & Design
3. Secure Implementation
4. Software Assessment & Testing
5. Safe Deployment & Operations


Do


Putting rubber on the road

Based on target Competency level, implement assigned Activities
  Plan appropriate resources for the activity
  Ensure correct Roles are filled
  Instrument with prescribed monitors for metrics
In total, there are ~24 Activities
  They’re spread across the Competency levels for bite-size consumption
  Some you may never need to implement


The CLASP Activities

1. Institute Security Awareness Program
2. Perform Security Analysis of System Requirements and Design (Threat Modeling)
3. Perform Source Level Security Review
4. Identify, Implement, and Perform Security Tests
5. Verify Security Attributes of Resources
6. Research and Assess Security Posture of Technology Solutions
7. Identify Global Security Policy
8. Identify Resources and Trust Boundaries
9. Identify User Roles and Resource Capabilities
10. Specify Operational Environment
11. Detail Misuse Cases
12. Identify Attack Surface
13. Document Security Relevant Requirements
14. Apply Security Principles to Design
15. Annotate Class Designs with Security Properties
16. Implement and Elaborate Resource Policies and Security Technologies
17. Implement Interface Contracts
18. Integrate Security Analysis into Source Management Process
19. Perform Code Signing
20. Manage Security Issue Disclosure Process
21. Address Reported Security Issues
22. Monitor Security Metrics
23. Specify Database Security Configuration
24. Build Operational Security Guide


Lots of details

Each Activity is well-specified
  Roles involved
  Applicability and Impacts
  Frequency and appx. Level-of-effort
  How-to steps for executing the activity
  Measurement criteria
CLASP specifies Roles as well
  High-level so one person may hold >1 Role
  Skills requirements for filling the Role


The CLASP Roles

1. Architect
2. Designer
3. Implementer
4. Project Manager
5. Requirements Specifier
6. Security Auditor
7. Test Analyst


Summary of CLASP 2007

Think
  Philosophy of software security
  Best Practices to guide decisions
  Key decision points that affect logistics
Plan
  Competencies and maturity levels
  Sample, goal-based roadmaps
Do
  Activity definitions and details
  Role definitions and supporting information


On SDLCs


CLASP and other SDLC models

There are two other secure SDLC models that you may have heard of
  Microsoft’s SDL (The Security Development Lifecycle. Howard, Lipner)
  The Security Touchpoints (Software Security. McGraw)
These both map to CLASP in a fairly straightforward way, with a few exceptions


The Stages of Microsoft’s SDL

0: Education & Awareness
1: Project Inception
2: Define and Follow Design Best Practices
3: Product Risk Assessment
4: Risk Analysis
5: Creating Security Documents, Tools, and Best Practices for Customers
6: Secure Coding Policies
7: Secure Testing Policies
8: The Security Push
9: The Final Security Review
10: Security Response Planning
11: Product Release
12: Security Response Execution

Source: The Security Development Lifecycle, by Michael Howard and Steve Lipner


CLASP and SDL

Direct mapping is tricky since SDL isn’t specified the same way as CLASP
  Some Stages of SDL are activities, some are artifacts, and some are processes
  SDL contains lots more tactical advice from the MS trenches
  CLASP is specified more prescriptively, with fewer open-ended ideas
Timelines or impacts for SDL stages aren’t clearly defined
  Makes it harder to plan for cost-effectiveness (SDL is expensive)
Following the CLASP Competency roadmap for an ISV gives a roadmap that’s darn close to SDL


The Security Touchpoints

Source: Software Security, by Gary McGraw


CLASP and the Touchpoints

The Touchpoints map almost exactly to CLASP
  Several CLASP activities map to a single Touchpoint in some cases
Touchpoints focus on the core of software development
  CLASP aims to be a bit broader across an organization (including things like policy and awareness training)
Touchpoints have a prescribed adoption order
  CLASP varies this a bit in the Competency roadmaps according to the kind of business


The bottom line

Whether it’s SDL, the Touchpoints, or CLASP, it’s all good
  There’s really nothing that the three fundamentally disagree on
The real question is what applies to your organization best and what you’re most comfortable with
CLASP 2007 will contain a more detailed analysis and mapping of each


Add’l Info


The OWASP CLASP Project

Mission
  Reinforce application security through prescriptive guidance that enables iterative improvement to any development model.
Tactical Goals
  1. Getting draft of CLASP 2007 out for review
  2. Updating OWASP Wiki with latest information and downloads
  3. Beefing up CLASP materials with more practical advice/suggestions


Get involved

We need volunteers for reviewers and contributors
Start by browsing the wiki pages for CLASP
  The Roles and most of the Activities are the same
  The Competency information will be up as soon as it’s ready for review

Mailing list for [email protected]


Pravir Chandra, [email protected]