This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Security Integration System"

From OWASP
Jump to: navigation, search
(OWASP Tool Project Template)
(What is the Secure code assurance tool (SCAT))
 
(495 intermediate revisions by the same user not shown)
Line 2: Line 2:
  
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
+
| valign="top"  style="border-right: 1px dotted ;padding-right:25px;" |
  
<span style="color:#ff0000">
+
==What is the Secure code assurance tool (SCAT)==
Instructions are in RED text and should be removed from your document by deleting the text with the span tags. This document is intended to serve as an example of what is required of an OWASP project wiki page. The text in red serves as instructions, while the text in black serves as an example. Text in black is expected to be replaced entirely with information specific to your OWASP project.
+
<h1><b>What is the SCAT</b></h1>
</span>
 
==Project About==
 
<span style="color:#ff0000">
 
{{Template:Project_About
 
  | project_name=Software Integration System
 
  | leader_name1=Michael Bergman
 
 
}}
 
  
 +
[https://www.linkedin.com/pulse/secure-code-assurance-tool-scat-version-20-michael-bergman/ For more information on the <b>why</b> behind the SCAT, read my linkedIn Article here]
  
==OWASP Tool Project Template==
+
==What is the SCAT==
<span style="color:#ff0000">
 
This section should include an overview of what the project is, why the project was started, and what security issue is being addressed by the project deliverable. Some readers may be discouraged from looking further at the project if they do not understand the significance of the security concern that is being addressed, so provide enough context so the average reader will continue on with reading the description. You shouldn't assume the reader will understand the objective by providing security terminology, e.g. this project builds cryptographic algorithms, but should also endeavor to explain what they are used for.
 
</span>
 
  
The OWASP Tool Template Project is a template designed to help Project Leaders create suitable project pages for OWASP Projects.  By following the instructional text in red (and then deleting it) it should be easier to understand what information OWASP and the project users are looking for.  And it's easy to get started by simply creating a new project from the appropriate project template.
+
<ul>
  
 +
<li>SCAT is a <span style="text-decoration:underline;">process integrity tool</span>, implementing a consistent, authorized and auditable software development process
  
Introduction
+
<li>SCAT is used by development teams to build, verify and assure secure software
 +
<ul>
 +
 +
<li><strong>Build</strong>: uses a combination of code level guidance, on demand training and DAST tools to train, guide and verify correct implementation
 +
 +
<li><strong>Verify</strong>: uses a combination of manual test plans and SATS tools to guide and verify correct implementation
 +
 +
<li><strong>Assure</strong>: centrally stores and publishes evidence of secure development and testing as an audit trail. Providing traceability through requirements and proving that security <span style="text-decoration:underline;">controls operate efficiently over a period of time</span>
 +
</li>
 +
</ul>
  
Secure coding is an umbrella term that covers the requirements of IT risk, assurance, Information security and compliance. 
+
<li>SCAT is <span style="text-decoration:underline;">not a point in time security verification tool </span>for detecting vulnerabilities after development</li>
 +
</ul>
  
This means that when a developer codes a functional requirement he/she must not only consider the functional requirement and getting it to market before competitors but also the risks that functionality exposes the organisation too.
+
==Process integrity and point in time tools: How they work in the SDLC==
So when we develop a functionality that requires a ASW RDS developers firstly need to understand how to technically code it
 
Then needs to read and understand all 99 articles of the GDPR to make sure data is categorised and consent is stored
 
Then comply to the 114 ISO 27002 security control (if the use ISO) 
 
Then ensure that the software they write can be safely integrated into the organisations information security management system and application logs are in a format that can be consumed and reported to the SEIM
 
  
There are 2 ways to make sure development teams meet these varied requirements.
+
[[File:Process integrity VS point in time without check.png|800px|center|Process integrity VS point in time without check]]
1.  They read and understand the GDPR, ISO 27002, familiarise themselves with the organisation ISMS requirements and also, keep up to date with the development language they use.
 
2. We write a very simple tool that picks the appropriate security requirements and gives them to development teams when they need it and in a format they need it.
 
  
The secure coding tool is an attempt to follow the second way.  Before we summerise what the tool does its important to know that the tool is part of a system of components to secure software development. Other components of the system include governance and vulnerability management. I've detailed these components in a different article that will be published in the Nov/Dec issue of the ISC2 magazine.
+
<h1><b>Technical Description</b></h1>
  
After reading this short article, please take a look at the video link below to see the tool in action.
+
==Without further complicating development environment==
 +
<ul>
  
Summary of the tool functionality:
+
<li>SCAT is a simple 5 screen MVC, C# web application with a small footprint that can be deployed without further complicating development environment
Developers
 
Testers
 
Approvers \Assurance
 
IT risk
 
  
==Description==
+
<li>Integrates with Jira and runs ZAP and SonarQube in docker containers
<span style="color:#ff0000">
 
This is where you need to add your more robust project description. A project description should outline the purpose of the project, how it is used, and the value it provides to application security. Ideally, project descriptions should be written in such a way that there is no question what value the project provides to the software security community. This section will be seen and used in various places within the Projects Portal. Poorly written project descriptions therefore detract from a project’s visibility, so project leaders should ensure that the description is meaningful. 
 
</span>
 
  
The Tool Project Template is simply a sample project that was developed for instructional purposes that can be used to create default project pages for a Tool projectAfter copying this template to your new project, all you have to do is follow the instructions in red, replace the sample text with text suited for your project, and then delete the sections in red.  Doing so should make it clearer to both consumers of this project, as well as OWASP reviewers who are trying to determine if the project can be promoted to the next category.  The information requested is also intended to help Project Leaders think about the roadmap and feature priorities, and give guidance to the reviews as a result of that effort.
+
<li>SCAT is part of three domains to consider when securing software development<em>I've detailed the other domains in an article that will be published in the Nov/Dec issue of the ISC2 magazine, I will add a link here after publication.</em>
  
Creating a new set of project pages from scratch can be a challenging task.  By providing a sample layout, with instructional text and examples, the OWASP Tool Project Template makes it easier for Project Leaders to create effective security projects and hence helps promote security.
 
  
Contextual custom dictionary builder with character substitution and word variations for pen-testers
 
  
==Licensing==
+
<h1><b>See how developers use SCAT</b></h1>
<span style="color:#ff0000">
+
See below how the Secure code assurance tool integrates security into software development phases
A project must be licensed under a community friendly or open source license.  For more information on OWASP recommended licenses, please see [https://www.owasp.org/index.php/OWASP_Licenses OWASP Licenses]. While OWASP does not promote any particular license over another, the vast majority of projects have chosen a Creative Commons license variant for documentation projects, or a GNU General Public License variant for tools and code projects. This example assumes that you want to use the AGPL 3.0 license.
+
 
</span>
+
==Sprint planning phase ==
 +
<b>Objective</b>: Ensures security requirements are understood <br>
 +
 
 +
    <ul>
 +
        <li><b>Developers</b> use the <b>Identify risks</b> screen to<br>
 +
            <ol>
 +
                <li>Select the critical function to developing/changing</li>
 +
                <li>Identify the technologies used</li>
 +
                <li>Automatically generate the security requirements and tests</li>
 +
                [https://youtu.be/Gpk4K5keLyw See how to use the tools and its internal mapping to generate security requirements]
 +
            </ol>
 +
        <li><b>Product owners</b> use the <b>Secure code requirements</b> screen to<br>
 +
            <ol>
 +
              <li>Create an audit trail to store evidence of secure development</li>
 +
                <li>Create Jira tickets for requirements and tests to manage work</li>
 +
            </ol>
 +
      </li>
 +
    </ul>
 +
 
 +
== Development phase ==
 +
 
 +
<b>Objective</b>: Ensure correct implementation of security requirements<br>
 +
    <ul>
 +
        <li><b>Developers</b> use the <b>Secure development</b> screen to<br>
 +
            <ol>
 +
                <li>View and understand how to attack and prevent the risk</li>
 +
                <li>View the secure code requirements</li>
 +
                <li>View the secure code block to implement the security requirement</li>
 +
                <li>Manage development effort in Jira</li>
 +
                <li>After development run a ZAP basic scan to verify security requirements have been correctly implemented</li>
 +
                [https://youtu.be/1pSatE_7mEs See how the tool helps developers understand security requirements and write secure code]
 +
            </ol>
 +
      </li>
 +
  </ul>
 +
 
 +
== Secure code review phase ==
 +
 
 +
<b>Objective</b>: Ensure correct implementation of security requirements<br>
 +
 
 +
    <ul>
 +
        <li><b>Code reviewers</b> use the <b>Secure code review </b> screen to<br>
 +
            <ol>
 +
                <li>Guide manually secure code review</li>
 +
                <li>After manual secure code review run a Sonarqube scan to verify security requirements have been correctly implemented</li>
 +
                [https://youtu.be/ygre0SrWxD4 See how the tool verifies correct security requirements implementation]
 +
            </ol>
 +
      </li>
 +
    </ul>
  
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.  OWASP XXX and any contributions are Copyright &copy; by {the Project Leader(s) or OWASP} {Year(s)}. 
+
== Testing phase==
  
==Roadmap==
+
<b>Objective</b>: Ensure valid security testing<br>
<span style="color:#ff0000">
+
    <ul>
As of <strong>November, 2013, the highest priorities for the next 6 months</strong> are:
+
        <li><b>Testers</b> use the <b>Secure testing</b> screen to<br>
<strong>
+
            <ol>
* Complete the first draft of the Tool Project Template
+
                <li>View the test plans required to test the risk</li>
* Get other people to review the Tool Project Template and provide feedback
+
                <li>Manage testing effort in Jira</li>
* Incorporate feedback into changes in the Tool Project Template
+
                [https://youtu.be/QdbCzheceUw See how the tool helps testers test risk mitigation efforts]
* Finalize the Tool Project template and have it reviewed to be promoted from an Incubator Project to a Lab Project
+
            </ol>
</strong>
+
      </li>
 +
    </ul>
 +
== Approval phase ==
  
Subsequent Releases will add
+
<b>Objective</b>: Streamline the approval and audit process<br>
<strong>
 
* Internationalization Support
 
* Additional Unit Tests
 
* Automated Regression tests
 
</strong>
 
  
==Getting Involved==
+
<ul>
<span style="color:#ff0000">
+
        <li><b>Approvers</b> use the <b>Assurance evidence </b> screen to<br>
Involvement in the development and promotion of <strong>Tool Project Template</strong> is actively encouraged!
+
            <ol>
You do not have to be a security expert or a programmer to contribute.
+
                <li>View relevant testing evidence alongside the risk, reducing the time assurance teams need to examine and approve releases</li>
Some of the ways you can help are as follows:
+
                <li>View verified development effort and whether it falls within risk tolerance levels</li>
 +
                [https://youtu.be/oyKK3Mq13B4 See how the tool streamlines the approval process with centrally stored testing evidence]
 +
            </ol>
 +
      </li>
 +
    </ul>
 +
== Risk management ==
 +
<b>Objective</b>: Enable risk managers to prioritise, plan and monitor mitigation efforts<br>
  
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
+
    <ul>
 +
        <li><b>Risk managers</b> use the <b>Application risk exposure</b> screen to<br>
 +
            <ol>
 +
                <li>View each application critical function and the associated risks</li>
 +
                <li>Identify where mitigation effort is required by viewing which risks require security requirements</li>
 +
                <li>Identify where development effort is required by viewing which security requirements need secure code blocks</li>
 +
                <li>Identify where extra testing effort is required by viewing which risks require security test plans</li>
 +
                [https://youtu.be/8pKxorPSq_M See how the Application landscape overview screen informs risk based decision making]
 +
            </ol>
 +
      </li>
 +
    </ul>
 +
<br>
 +
<br>
  
== Project Resources ==
+
<h1> <b>Preparation phase</b></h1>
<span style="color:#ff0000">
+
When developing secure software we need to consider both standard secure code and client specific architectural requirements
This is where you can link to the key locations for project files, including setup programs, the source code repository, online documentation, a Wiki Home Page, threaded discussions about the project, and Issue Tracking system, etc.
 
</span>
 
  
[https://github.com/SamanthaGroves Installation Package]
+
== Standard secure code requirements==
  
[https://github.com/SamanthaGroves Source Code]
+
<ul>
 +
        <li>SCAT comes out the box with a standard OWASP secure code requirements map. This mapping need to be modified to the specific organisation requirements</li>
 +
<br>
 +
        <li><b>Information security and development team</b> use the <b>Internal mapping </b> screen to
 +
            <ol>
 +
                <li>Map the security requirements to OWASP risks</li>
 +
                <li>Map organisation approved secure code blocks to security requirements</li>
 +
                <li>Map security test plans to OWASP risks</li>
 +
                [https://youtu.be/EkWdAC1sbkE See how to setup the SCAT's internal mapping]
 +
            </ol>
 +
      </li>
 +
</ul>
  
[https://github.com/SamanthaGroves What's New (Revision History)]
+
== Client specific architectural requirements==
  
[https://github.com/SamanthaGroves Documentation]
+
<ul>
 +
    <li>To generate these requirements we perform a risk assessment on client application landscape and identify</li>
 +
<ol>
 +
    <li>Critical applications and functions</li>
 +
    <li>Risk associated with each critical application function</li>
 +
    <li>Architectural security requirements to secure each critical application functions</li>
 +
    <li>Client specific secure code blocks to implement security requirements</li>
 +
    <li>Secure test plans to verify risk has been mitigated</li>
 +
</ol>
 +
<br>
 +
    <li><b>Tool administrators</b> use the <b>Internal mapping </b> screen to
 +
<ol>
 +
    <li>Create json files of the organisation specific risks, security requirements, secure code blocks and tests</li>
 +
    <li>Import these into the SCAT</li>
 +
    [https://youtu.be/FD3O2ObYBQs See how to import organisations specific risks, security requirements, secure code blocks and tests]
 +
</ol>
 +
</ul>
  
[https://github.com/SamanthaGroves Wiki Home Page]
+
<br>
 +
<br>
  
[https://github.com/SamanthaGroves Issue Tracker]
+
<h1>Project information</h1>
  
[https://github.com/SamanthaGroves Slide Presentation]
+
==Licensing==
 +
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
  
[https://github.com/SamanthaGroves Video]
+
== Interested in contributing==
 +
[https://www.linkedin.com/in/michael-bergman-99826212a/ Please send a connect request with subject SCAT]
  
== Project Leader ==
+
== Project Resources ==
<span style="color:#ff0000">
+
 
A project leader is the individual who decides to lead the project throughout its lifecycle. The project leader is responsible for communicating the project’s progress to the OWASP Foundation, and he/she is ultimately responsible for the project’s deliverables. The project leader must provide OWASP with his/her real name and contact e-mail address for his/her project application to be accepted, as OWASP prides itself on the openness of its products, operations, and members.
+
[Installation Package]
</span>
 
  
[mailto://[email protected] Michael Bergman]
+
[Source Code]
  
== Related Projects ==
+
== Project Leader ==
<span style="color:#ff0000">
+
[https://www.linkedin.com/in/michael-bergman-99826212a/ Michael Bergman LinkedIn]
This is where you can link to other OWASP Projects that are similar to yours.  
 
</span>
 
* [[OWASP_Code_Project_Template]]
 
* [[OWASP_Documentation_Project_Template]]
 
  
 
==Classifications==
 
==Classifications==

Latest revision as of 18:33, 14 October 2019

OWASP Project Header.jpg

What is the Secure code assurance tool (SCAT)

For more information on the why behind the SCAT, read my linkedIn Article here

What is the SCAT

  • SCAT is a process integrity tool, implementing a consistent, authorized and auditable software development process
  • SCAT is used by development teams to build, verify and assure secure software
    • Build: uses a combination of code level guidance, on demand training and DAST tools to train, guide and verify correct implementation
    • Verify: uses a combination of manual test plans and SATS tools to guide and verify correct implementation
    • Assure: centrally stores and publishes evidence of secure development and testing as an audit trail. Providing traceability through requirements and proving that security controls operate efficiently over a period of time
  • SCAT is not a point in time security verification tool for detecting vulnerabilities after development

Process integrity and point in time tools: How they work in the SDLC

Process integrity VS point in time without check

Without further complicating development environment

  • SCAT is a simple 5 screen MVC, C# web application with a small footprint that can be deployed without further complicating development environment
  • Integrates with Jira and runs ZAP and SonarQube in docker containers
  • SCAT is part of three domains to consider when securing software development. I've detailed the other domains in an article that will be published in the Nov/Dec issue of the ISC2 magazine, I will add a link here after publication.

See below how the Secure code assurance tool integrates security into software development phases

Sprint planning phase

Objective: Ensures security requirements are understood

  • Developers use the Identify risks screen to
    1. Select the critical function to developing/changing
    2. Identify the technologies used
    3. Automatically generate the security requirements and tests
      4.                See how to use the tools and its internal mapping to generate security requirements
  • Product owners use the Secure code requirements screen to
    1. Create an audit trail to store evidence of secure development
    2. Create Jira tickets for requirements and tests to manage work

Development phase

Objective: Ensure correct implementation of security requirements

Secure code review phase

Objective: Ensure correct implementation of security requirements

Testing phase

Objective: Ensure valid security testing

Approval phase

Objective: Streamline the approval and audit process

Risk management

Objective: Enable risk managers to prioritise, plan and monitor mitigation efforts

  • Risk managers use the Application risk exposure screen to
    1. View each application critical function and the associated risks
    2. Identify where mitigation effort is required by viewing which risks require security requirements
    3. Identify where development effort is required by viewing which security requirements need secure code blocks
    4. Identify where extra testing effort is required by viewing which risks require security test plans
      5.                See how the Application landscape overview screen informs risk based decision making



When developing secure software we need to consider both standard secure code and client specific architectural requirements

Standard secure code requirements

  • SCAT comes out the box with a standard OWASP secure code requirements map. This mapping need to be modified to the specific organisation requirements


  • Information security and development team use the Internal mapping screen to
    1. Map the security requirements to OWASP risks
    2. Map organisation approved secure code blocks to security requirements
    3. Map security test plans to OWASP risks
      4.                See how to setup the SCAT's internal mapping

Client specific architectural requirements

  • To generate these requirements we perform a risk assessment on client application landscape and identify
    1. Critical applications and functions
    2. Risk associated with each critical application function
    3. Architectural security requirements to secure each critical application functions
    4. Client specific secure code blocks to implement security requirements
    5. Secure test plans to verify risk has been mitigated


  • Tool administrators use the Internal mapping screen to
    1. Create json files of the organisation specific risks, security requirements, secure code blocks and tests
    2. Import these into the SCAT
      3.     See how to import organisations specific risks, security requirements, secure code blocks and tests



Licensing

This program is free software: you can redistribute it and/or modify it under the terms of the link GNU Affero General Public License 3.0 as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

Interested in contributing

Please send a connect request with subject SCAT

Project Resources

[Installation Package]

[Source Code]

Project Leader

Michael Bergman LinkedIn

Classifications

Project Type Files TOOL.jpg
Incubator Project
Owasp-defenders-small.png
Affero General Public License 3.0