Page 1
The OWASP Foundation
http://www.owasp.org
OpenSAMM
Software Assurance Maturity Model
Seba Deleersnyder
OWASP Foundation Board Member
OWASP Belgium Chapter Leader
SAMM project co-leader
Libre Software Meeting
Brussels 10-July-2013
Page 2
OWASP World
OWASP is a worldwide free and open community focused on improving the security of application software.
Our mission is to make application security visible so that people and organizations can make informed decisions about application security risks.
Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.
The OWASP Foundation is a not-for-profit charitable organization that ensures the ongoing availability and support for our work.
Page 3
The web application security challenge
(Diagram: network layer versus application layer. Requests pass a Firewall, a Hardened OS, the Web Server, the App Server and a second Firewall before reaching the Custom Developed Application Code, which in turn fronts Databases, Legacy Systems, Web Services, Directories, Human Resources and Billing. An APPLICATION ATTACK passes through all of the network-layer controls and lands on the application code.)
You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks
Your security “perimeter” has huge holes at the application layer
Page 4
“Build in” software assurance
(Diagram: the four phases Design, Build, Test, Production with the activities below attached to each; an arrow runs from reactive, at the Production end, to proactive, at the Design end.)
Design: security requirements / threat modeling
Build: coding guidelines, code reviews, static test tools
Test: security testing, dynamic test tools
Production: vulnerability scanning, WAF
Secure Development Lifecycle (SAMM)
D B T P SAMM
Page 5
We need a Maturity Model
• An organization’s behavior changes slowly over time → Changes must be iterative while working toward long-term goals
• There is no single recipe that works for all organizations → A solution must enable risk-based choices tailored to the organization
• Guidance related to security activities must be prescriptive → A solution must provide enough details for non-security-people
• Overall, must be simple, well-defined, and measurable
OWASP Software Assurance Maturity Model (SAMM)
https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model
Page 6
SAMM Security Practices
• From each of the Business Functions, 3 Security Practices are defined
• The Security Practices cover all areas relevant to software security assurance
• Each one is a ‘silo’ for improvement
Page 7
Under each Security Practice
• Three successive Objectives under each Practice define how it can be improved over time
• This establishes a notion of a Level at which an organization fulfills a given Practice
• The three Levels for a Practice generally correspond to:
  • (0: Implicit starting point with the Practice unfulfilled)
  • 1: Initial understanding and ad hoc provision of the Practice
  • 2: Increase efficiency and/or effectiveness of the Practice
  • 3: Comprehensive mastery of the Practice at scale
Page 8
Per Level, SAMM defines...
• Objective
• Activities
• Results
• Success Metrics
• Costs
• Personnel
• Related Levels
Page 9
Strategy & Metrics
Page 10
Policy & Compliance
Page 11
Education & Guidance
Page 12
Education & Guidance
Resources:
• OWASP Top 10
• OWASP Education
• WebGoat
“Give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime.” (Chinese proverb)
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
https://www.owasp.org/index.php/Category:OWASP_Education_Project
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
Page 13
OWASP Cheat Sheets
https://www.owasp.org/index.php/Cheat_Sheets
Page 14
Threat Assessment
Page 15
Security Requirements
Page 16
Secure Coding Practices Quick Reference Guide
• Technology agnostic coding practices
• What to do, not how to do it
• Compact, but comprehensive checklist format
• Focuses on secure coding requirements, rather than on vulnerabilities and exploits
• Includes a cross-referenced glossary to get developers and security folks talking the same language
https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
Page 17
Secure Architecture
Page 18
The OWASP Enterprise Security API
(Diagram: a Custom Enterprise Web Application calls into the Enterprise Security API, which in turn sits on top of Existing Enterprise Security Services/Libraries. ESAPI components shown: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration.)
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Page 19
Design Review
Page 20
Code Review
Page 21
Code Review
Resources:
• OWASP Code Review Guide
SDL Integration:
• Multiple reviews defined as deliverables in your SDLC
• Structured, repeatable process with management support
• Reviews are exit criteria for the development and test phases
https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
Page 22
Code review tooling
Code review tools:
• OWASP LAPSE (Security scanner for Java EE Applications)
• MS FxCop / CAT.NET (Code Analysis Tool for .NET)
• Agnitio (open source manual source code review support tool)
https://www.owasp.org/index.php/OWASP_LAPSE_Project
http://www.microsoft.com/security/sdl/discover/implementation.aspx
http://agnitiotool.sourceforge.net/
Page 23
Security Testing
Page 24
Security Testing
Resources:
• OWASP ASVS
• OWASP Testing Guide
SDL Integration:
• Integrate dynamic security testing as part of your test cycles
• Derive test cases from the security requirements that apply
• Check business logic soundness as well as common vulnerabilities
• Review results with stakeholders prior to release
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
https://www.owasp.org/index.php/OWASP_Testing_Project
Page 25
Security Testing
• Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications
• Provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually
Features:
• Intercepting proxy
• Automated scanner
• Passive scanner
• Brute force scanner
• Spider
• Fuzzer
• Port scanner
• Dynamic SSL Certificates
• API
• Beanshell integration
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Page 26
Vulnerability Management
Page 27
Environment Hardening
Page 28
Web Application Firewalls
(Diagram: Web client (browser) → Network Firewall → Web Application Firewall → Web Server, all on port 80; the diagram distinguishes malicious web traffic from legitimate web traffic arriving at the WAF.)
ModSecurity: World’s No. 1 open source Web Application Firewall
www.modsecurity.org
• HTTP Traffic Logging
• Real-Time Monitoring and Attack Detection
• Attack Prevention and Just-in-time Patching
• Flexible Rule Engine
• Embedded Deployment (Apache, IIS7 and Nginx)
• Network-Based Deployment (reverse proxy)
OWASP ModSecurity Core Rule Set Project: generic, plug-n-play set of WAF rules
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
Page 29
Operational Enablement
Page 30
150+ OWASP Projects
PROTECT
Tools: AntiSamy Java/.NET, Enterprise Security API (ESAPI), ModSecurity Core Rule Set Project
Docs: Development Guide, .NET, Ruby on Rails Security Guide, Secure Coding Practices - Quick Reference Guide
DETECT
Tools: JBroFuzz, Live CD, WebScarab, Zed Attack Proxy
Docs: Application Security Verification Standard, Code Review Guide, Testing Guide, Top Ten Project
LIFE CYCLE
SAMM, WebGoat, Legal Project
Page 31
Get started
Step 1: questionnaire as-is
Step 2: define your maturity goal
Step 3: define phased roadmap
Page 32
Conducting assessments
SAMM includes assessment worksheets for each Security Practice
Page 33
Assessment process
Supports both lightweight and detailed assessments
Page 34
Creating Scorecards
• Gap analysis: capturing scores from detailed assessments versus expected performance levels
• Demonstrating improvement: capturing scores from before and after an iteration of assurance program build-out
• Ongoing measurement: capturing scores over consistent time frames for an assurance program that is already in place
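As an added example (not from these slides or from the SAMM project's own worksheets), the scorecard steps described above in Python: score an as-is questionnaire per practice on the 0–3 level scale, run the gap analysis against a phased maturity goal, and compare two assessment rounds. The all-yes-per-level scoring rule and the "+" notation for partial progress are assumptions modelled on SAMM 1.0; the questions and the phase-1 target are constructed placeholders.

```python
"""SAMM-style scorecard: score a constructed assessment, run a gap analysis
against a roadmap target, and compare two assessment rounds.

Added example, not from the OpenSAMM slides or the SAMM project's own tooling.
ASSUMPTION: scoring modelled on SAMM 1.0: a practice reaches level N when every
question for levels 1..N is answered yes; '+' marks partial progress toward the
next level. Questions and targets below are constructed placeholders.
"""

PRACTICES = [
    "Strategy & Metrics", "Policy & Compliance", "Education & Guidance",
    "Threat Assessment", "Security Requirements", "Secure Architecture",
    "Design Review", "Code Review", "Security Testing",
    "Vulnerability Management", "Environment Hardening", "Operational Enablement",
]

# practice -> three levels, each a list of yes/no answers (one per question)
Answers = dict[str, list[list[bool]]]


def score_practice(levels: list[list[bool]]) -> tuple[int, bool]:
    """Return (achieved level, partial flag) for one practice."""
    achieved = 0
    for level, questions in enumerate(levels, start=1):
        if questions and all(questions):
            achieved = level
            continue
        # First level not fully met stops the climb; '+' if any yes at that level
        return achieved, any(questions)
    return achieved, False


def format_score(level: int, partial: bool) -> str:
    return f"{level}+" if partial else str(level)


def scorecard(answers: Answers) -> dict[str, str]:
    return {p: format_score(*score_practice(answers[p])) for p in PRACTICES}


def gap_analysis(answers: Answers, target: dict[str, int]) -> dict[str, int]:
    """Practices below the roadmap target, with the number of levels missing."""
    gaps = {}
    for practice, wanted in target.items():
        achieved, _ = score_practice(answers[practice])
        if achieved < wanted:
            gaps[practice] = wanted - achieved
    return gaps


def improvement(before: Answers, after: Answers) -> dict[str, tuple[str, str]]:
    """Practices whose score changed between two assessment rounds."""
    b, a = scorecard(before), scorecard(after)
    return {p: (b[p], a[p]) for p in PRACTICES if b[p] != a[p]}


def from_pattern(pattern: str) -> list[list[bool]]:
    """Constructed encoding: six Y/N characters = three levels of two questions."""
    flags = [c == "Y" for c in pattern]
    return [flags[0:2], flags[2:4], flags[4:6]]


# Constructed as-is assessment (step 1) and the state after one build-out iteration
BEFORE: Answers = {p: from_pattern("NNNNNN") for p in PRACTICES}
BEFORE.update({"Education & Guidance": from_pattern("YYYNNN"),
               "Code Review": from_pattern("YNNNNN"),
               "Security Testing": from_pattern("YYNNNN")})
AFTER: Answers = dict(BEFORE)
AFTER.update({"Security Requirements": from_pattern("YYNNNN"),
              "Code Review": from_pattern("YYYYNN"),
              "Security Testing": from_pattern("YYYNNN")})
# Constructed phase-1 maturity goal (step 2); SAMM's own roadmap templates differ
TARGET_PHASE1 = {"Education & Guidance": 1, "Security Requirements": 1,
                 "Code Review": 1, "Security Testing": 2}
```

Calling `gap_analysis(BEFORE, TARGET_PHASE1)` gives the phase-1 work list, and `improvement(BEFORE, AFTER)` the before/after scorecard delta.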
Page 35
Roadmap templates
• To make the “building blocks” usable, SAMM defines Roadmap templates for typical kinds of organizations
  • Independent Software Vendors
  • Online Service Providers
  • Financial Services Organizations
  • Government Organizations
• Tune these to your own targets / speed
Page 36
SAMM Resources
www.opensamm.org
• Presentations
• Tools
• Assessment worksheets / templates
• Roadmap templates
• Scorecard chart generation
• Translations (Spanish / Japanese)
• SAMM mappings to ISO/IEC 27034 / BSIMM
Page 37
Critical Success Factors
• Get initiative buy-in from all stakeholders
• Adopt a risk-based approach
• Awareness / education is the foundation
• Integrate security in your development / acquisition and deployment processes
• Provide management visibility
Page 38
Project Roadmap
Build the SAMM community:
• List of SAMM adopters
• Workshops at AppSecEU and AppSecUSA
V1.1:
• Incorporate tools / guidance / OWASP projects
• Revamp SAMM wiki
V2.0:
• Revise scoring model
• Model revision necessary? (12 practices, 3 levels, ...)
• Application to agile
• Roadmap planning: how to measure effort?
• Presentations & teaching material
• …
Page 39
Get involved
• Use and donate back!
• Attend OWASP chapter meetings and conferences
• Support OWASP: become a personal/company member
https://www.owasp.org/index.php/Membership
Page 40
Q&A
Page 41
Global AppSec EMEA 2013
Aug. 20, 2013 - Aug. 23, 2013
Hamburg, Germany
Page 42
BeNeLux 2013
• 28-29 November 2013
• One day of trainings
• One day conference
• The Netherlands - Amsterdam