Save time and effort implementing secure development standards with OWASP SAMM

On March 5, 2020, the next meeting of the Moscow chapter of the OWASP community was held at the OZON office. It turned out well, and a brief report with the meeting materials was recently published on Habr. That report is presented in this post. (oxdef)

Continuing the series of express reports on OWASP projects, today we will talk about OWASP SAMM, one of the community's most important projects. Its second version was released at the beginning of the year, and that is a good reason to talk about the framework in more detail.

What is it?

The abbreviation SAMM stands for Software Assurance Maturity Model, and translating it correctly into Russian is difficult (like many English terms from the IT world). The project is a software security maturity model: a knowledge base and documentation framework that helps you build a secure application development life cycle. It is exactly what is so often missing when you arrive at a company, or want to do everything in your own business "properly" from the S-SDLC point of view: implement all the controls you have heard about (SAST, DAST), and understand where to start and where to move next.

OWASP SAMM assesses the current level of security in your software development and, on that basis, lets you build a full-fledged program that you can implement in understandable steps within a set time frame; you get a list of activities and practices to implement, which is a huge plus. It can be compared to a textbook that you open and follow.

OWASP SAMM consists of the following modules:

  • A description of the model itself, the approach to building an SDL;
  • The questionnaire: a large set of questions, and by answering them you understand what level you are at now. From this you build a plan to reach the cherished goal.


Let's dwell on the model. It has a set of business functions: Governance, Design, Implementation, Verification and Operations. The previous version had four business functions; the new one has five. Each business function contains three security practices that need to be implemented, and each practice is split into two streams. That gives 15 practices and 30 streams, each of which has activities at three maturity levels; you can plan them in different ways to reach the goal, and the cherished goal in this case is to raise the maturity level.

OWASP SAMM has three maturity levels. By combining activities, implementing them and evaluating them, you can work out the iterations, including the ones that involve the business, needed to move to the next level. This lets you set goals and a plan for the year and work through it quarter by quarter, so that after a year you can evaluate the effectiveness of the work done.

There are many activities, as you have noticed. For example, the "Education & Guidance" practice (its "Training and Awareness" stream) describes in detail what you can do to raise developers' knowledge, how to evaluate it, and whether it will be enough to move to the next level. There is a separate practice for Defect Management. It is always useful to be able to assess how good or bad things are with vulnerabilities now and compare that with how they used to be, in order to understand what is happening in your product from the security point of view: is everything being eliminated systematically, and is there anything left to do.

Work with SAMM


Usually, introducing secure development practices begins with asking yourself: "Can I build secure development in this company? Implement S-SDLC!" and preparing for it: talking to the business, to development and to team leads to understand whether they need it.

The next step is an assessment of the current state. The questionnaire lets you collect security information from a large number of people in the company. The more of them there are, the better the data will reflect reality.

Now you have an assessment of the current state. You understand where you need to move and what goal to aim for. At this stage you look at the goals and form a plan, and the questionnaire results help you split it into stages of anywhere from a month to a year.

And then the fun part begins: implementing the controls themselves, for example that same SAST (don't forget to think about performance metrics right away). And at the end comes roll-out, a kind of follow-through on your steps. At this stage you confirm that everything you devised and introduced, first, works, and second, is visible, at least to your "business partners" and to you as well.

At this point you can take a break to gather strength and move on to the next level. And the whole cycle starts again: with such iterations you build your S-SDLC.
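To make the assessment-then-plan step concrete, here is an added example (written for this report, not code from the OWASP SAMM project or its toolbox) that scores a constructed set of questionnaire answers for two practices and lists the answers that must improve to reach a target level. The practice and stream names are taken from the SAMM v2 model; the answer weights (0, 0.25, 0.5, 1), the sum-per-stream and mean-per-practice rules, the absence of a "level gate", and all the answers themselves are assumptions made for the example and should be checked against the official SAMM toolbox before being relied on.

```python
"""Score SAMM-style questionnaire answers per practice and list the gap to a
target maturity level.

Assumptions (example code, not the official toolbox; verify before use):
  * answer weights: "No" = 0, "Yes, some" = 0.25,
    "Yes, at least half" = 0.5, "Yes, most or all" = 1
  * stream score = sum of its three level answers (0.0 .. 3.0)
  * practice score = mean of its stream scores
  * levels are scored independently (no requirement to finish level 1 first)
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ANSWER_WEIGHT: Dict[str, float] = {
    "No": 0.0,
    "Yes, some": 0.25,
    "Yes, at least half": 0.5,
    "Yes, most or all": 1.0,
}
LEVELS = (1, 2, 3)
FULL = "Yes, most or all"   # the answer that fully satisfies a level


@dataclass
class Stream:
    name: str
    answers: Dict[int, str]   # maturity level -> questionnaire answer

    def score(self) -> float:
        # Sum of the weighted answers for levels 1..3, range 0.0 .. 3.0
        return sum(ANSWER_WEIGHT[self.answers[level]] for level in LEVELS)


@dataclass
class Practice:
    function: str             # business function, e.g. "Governance"
    name: str
    streams: List[Stream]

    def score(self) -> float:
        # Mean of the (normally two) stream scores
        return sum(s.score() for s in self.streams) / len(self.streams)


def gap_to_target(practice: Practice, target_level: int) -> List[Tuple[str, int, str]]:
    """Answers that must become 'Yes, most or all' for every stream of the
    practice to fully satisfy maturity levels 1..target_level."""
    gaps = []
    for stream in practice.streams:
        for level in LEVELS:
            if level <= target_level and stream.answers[level] != FULL:
                gaps.append((stream.name, level, stream.answers[level]))
    return gaps


def report(practices: List[Practice], targets: Dict[str, int]) -> List[str]:
    """Human-readable plan: current score per practice plus the concrete
    answers to work on. targets maps practice name -> target level."""
    lines = []
    for p in practices:
        target = targets.get(p.name, 1)
        lines.append(f"{p.function} / {p.name}: score {p.score():.2f} "
                     f"(target level {target})")
        for stream, level, answer in gap_to_target(p, target):
            lines.append(f"  - {stream}, level {level}: currently '{answer}'")
    return lines


# Constructed answers for the two practices the post talks about.
# Practice/stream names follow SAMM v2; the answers are made up for this example.
EDUCATION = Practice("Governance", "Education & Guidance", [
    Stream("Training and Awareness", {1: FULL, 2: "Yes, at least half", 3: "No"}),
    Stream("Organization and Culture", {1: "Yes, some", 2: "No", 3: "No"}),
])
DEFECT_MGMT = Practice("Implementation", "Defect Management", [
    Stream("Defect Tracking", {1: FULL, 2: FULL, 3: "Yes, some"}),
    Stream("Metrics and Feedback", {1: "Yes, at least half", 2: "No", 3: "No"}),
])
TARGETS = {"Education & Guidance": 2, "Defect Management": 1}

if __name__ == "__main__":
    print("\n".join(report([EDUCATION, DEFECT_MGMT], TARGETS)))
```

Running it prints one line per practice with its current score and, beneath it, the specific stream/level answers that stand between you and the target; that list is the raw material for the quarterly plan described above. Re-running the script after each quarter with updated answers gives the before/after comparison the post recommends.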

As I said at the very beginning, the most common question when you are about to implement S-SDL or S-SDLC in a company is: "Where to start?". The important thing is that whenever you do this, you have the option of not struggling with implementing SAST first, writing guides yourself or running training from scratch: just take a formalized framework, build your strategy on it, and as a result build up the security of your application development. OWASP SAMM will help you with this.

Questions:


- Can you tell us about your experience implementing OWASP SAMM?

- I learned about OWASP SAMM just a couple of years ago. Everything we did in previous projects was done by intuition, based on experience. In SAMM everything is written down and, most importantly, measurable. Finally you can understand how effectively you are implementing change. At Ozon we took the section on training and security culture and, based on it, prepared a number of processes: organized training, started putting new employees through security questionnaires and tests, and ran various activities raising the level of security awareness in people's heads. In the future we will go through the other modules.

- Is it necessary to train project managers so that they understand what S-SDLC is for?

- In OWASP SAMM, the development of training is expected at the different maturity levels. At the first level, for example, you create an internal portal where you post links to useful resources. At the next level you create specialized training and guides. On our internal portal there are separate guides for target groups: developers, managers, QA. At the third level there is a need to measure quality and understand how well everyone has studied the materials and gone through the guides; perhaps someone should not be allowed into a particularly critical project without a certain score on a security test. We went through all these levels and moved to the third almost immediately.

- Is the need for training easier to prove to management than the effectiveness of SAST?

- I can't say that the need for training is easier to prove than the effectiveness of SAST. The effectiveness of security is a topic for a separate large talk with numbers, metrics and graphs. At the first level it may well be enough that you have statistics, for example the average test score of your developers. For particularly critical services this bar can be raised. And proving it, it seems to me, will be easier, because you can show management that developers' security knowledge is growing, since there is a metric: the number of correct answers. Many large companies have the practice of running internal CTFs; if you see that many people take part, everyone is interested and the number of participants grows from year to year, that means the level of knowledge is rising. As everywhere in security, there is no single metric; it is always a set of indicators by which you can show the dynamics in particular areas.

- Isn't this system too complicated? Won't the eyes of someone who starts working with it glaze over? Perhaps you should first try to come up with something yourself, and only then turn to OWASP?

- Doing it yourself will take significantly longer. With the more formalized (already broken down) OWASP SAMM approach, you can free up time for other tasks and not have to figure out what to do first and with what numbers to prove to yourself and to management that the work is effective. In this case we take OWASP SAMM and build our own program on it. It lets you accelerate significantly, at least at the start, and not waste time gaining experience and stepping on rakes.
