Difference between revisions of "OWASP Security Integration System"
From OWASP
MB netblue4 (talk | contribs) (→Description) |
MB netblue4 (talk | contribs) (→What is the Secure code assurance tool (SCAT)) |
(97 intermediate revisions by the same user not shown) | |||
Line 2: | Line 2: | ||
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |- | {| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |- | ||
− | | valign="top" style="border-right: 1px dotted | + | | valign="top" style="border-right: 1px dotted ;padding-right:25px;" | |
− | == | + | ==What is the Secure code assurance tool (SCAT)== |
− | < | + | <h1><b>What is the SCAT</b></h1> |
− | < | + | |
− | < | + | [https://www.linkedin.com/pulse/secure-code-assurance-tool-scat-version-20-michael-bergman/ For more information on the <b>why</b> behind the SCAT, read my linkedIn Article here] |
− | + | ==What is the SCAT== | |
<ul> | <ul> | ||
− | <li>SCAT is | + | |
− | + | <li>SCAT is a <span style="text-decoration:underline;">process integrity tool</span>, implementing a consistent, authorized and auditable software development process | |
− | < | + | |
+ | <li>SCAT is used by development teams to build, verify and assure secure software | ||
<ul> | <ul> | ||
− | <li> | + | |
− | <li> | + | <li><strong>Build</strong>: uses a combination of code level guidance, on demand training and DAST tools to train, guide and verify correct implementation |
+ | <li><strong>Verify</strong>: uses a combination of manual test plans and SATS tools to guide and verify correct implementation | ||
+ | <li><strong>Assure</strong>: centrally stores and publishes evidence of secure development and testing as an audit trail. Providing traceability through requirements and proving that security <span style="text-decoration:underline;">controls operate efficiently over a period of time</span> | ||
+ | </li> | ||
</ul> | </ul> | ||
− | < | + | |
− | + | <li>SCAT is <span style="text-decoration:underline;">not a point in time security verification tool </span>for detecting vulnerabilities after development</li> | |
</ul> | </ul> | ||
− | ==<b>Description</b> | + | ==Process integrity and point in time tools: How they work in the SDLC== |
+ | [[File:Process integrity VS point in time without check.png|800px|center|Process integrity VS point in time without check]] | ||
+ | <h1><b>Technical Description</b></h1> | ||
+ | ==Without further complicating development environment== | ||
<ul> | <ul> | ||
<li>SCAT is a simple 5 screen MVC, C# web application with a small footprint that can be deployed without further complicating development environment | <li>SCAT is a simple 5 screen MVC, C# web application with a small footprint that can be deployed without further complicating development environment | ||
+ | <li>Integrates with Jira and runs ZAP and SonarQube in docker containers | ||
<li>SCAT is part of three domains to consider when securing software development. <em>I've detailed the other domains in an article that will be published in the Nov/Dec issue of the ISC2 magazine, I will add a link here after publication.</em> | <li>SCAT is part of three domains to consider when securing software development. <em>I've detailed the other domains in an article that will be published in the Nov/Dec issue of the ISC2 magazine, I will add a link here after publication.</em> | ||
+ | <h1><b>See how developers use SCAT</b></h1> | ||
See below how the Secure code assurance tool integrates security into software development phases | See below how the Secure code assurance tool integrates security into software development phases | ||
+ | ==Sprint planning phase == | ||
<b>Objective</b>: Ensures security requirements are understood <br> | <b>Objective</b>: Ensures security requirements are understood <br> | ||
<ul> | <ul> | ||
<li><b>Developers</b> use the <b>Identify risks</b> screen to<br> | <li><b>Developers</b> use the <b>Identify risks</b> screen to<br> | ||
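Review bot: in the Verify bullet, "SATS tools" reads as a typo for SAST (static application security testing), the counterpart of the DAST tools named in the Build bullet; suggest "SAST tools". The same hunk introduces three headings for one section ("==What is the Secure code assurance tool (SCAT)==", then "<h1><b>What is the SCAT</b></h1>", then a second "==What is the SCAT=="), and the new <li> items for "process integrity tool", "Build" and "Verify" have no closing </li>; one heading and explicit closing tags would keep the wikitext well-formed. In the Assure bullet, "controls operate efficiently over a period of time" likely means "effectively", since operating effectiveness is the property an audit trail is meant to evidence.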
Line 76: | Line 67: | ||
</li> | </li> | ||
</ul> | </ul> | ||
− | == | + | == Development phase == |
<b>Objective</b>: Ensure correct implementation of security requirements<br> | <b>Objective</b>: Ensure correct implementation of security requirements<br> | ||
<ul> | <ul> | ||
<li><b>Developers</b> use the <b>Secure development</b> screen to<br> | <li><b>Developers</b> use the <b>Secure development</b> screen to<br> | ||
Line 94: | Line 83: | ||
</li> | </li> | ||
</ul> | </ul> | ||
− | == | + | == Secure code review phase == |
<b>Objective</b>: Ensure correct implementation of security requirements<br> | <b>Objective</b>: Ensure correct implementation of security requirements<br> | ||
<ul> | <ul> | ||
<li><b>Code reviewers</b> use the <b>Secure code review </b> screen to<br> | <li><b>Code reviewers</b> use the <b>Secure code review </b> screen to<br> | ||
Line 109: | Line 97: | ||
</li> | </li> | ||
</ul> | </ul> | ||
− | == | + | == Testing phase== |
<b>Objective</b>: Ensure valid security testing<br> | <b>Objective</b>: Ensure valid security testing<br> | ||
<ul> | <ul> | ||
<li><b>Testers</b> use the <b>Secure testing</b> screen to<br> | <li><b>Testers</b> use the <b>Secure testing</b> screen to<br> | ||
Line 124: | Line 110: | ||
</li> | </li> | ||
</ul> | </ul> | ||
− | + | == Approval phase == | |
− | + | <b>Objective</b>: Streamline the approval and audit process<br> | |
<ul> | <ul> | ||
<li><b>Approvers</b> use the <b>Assurance evidence </b> screen to<br> | <li><b>Approvers</b> use the <b>Assurance evidence </b> screen to<br> | ||
Line 139: | Line 123: | ||
</li> | </li> | ||
</ul> | </ul> | ||
− | + | == Risk management == | |
− | + | <b>Objective</b>: Enable risk managers to prioritise, plan and monitor mitigation efforts<br> | |
− | === < | ||
<ul> | <ul> | ||
<li><b>Risk managers</b> use the <b>Application risk exposure</b> screen to<br> | <li><b>Risk managers</b> use the <b>Application risk exposure</b> screen to<br> | ||
Line 160: | Line 140: | ||
<br> | <br> | ||
− | + | <h1> <b>Preparation phase</b></h1> | |
When developing secure software we need to consider both standard secure code and client specific architectural requirements | When developing secure software we need to consider both standard secure code and client specific architectural requirements | ||
− | + | == Standard secure code requirements== | |
<ul> | <ul> | ||
<li>SCAT comes out the box with a standard OWASP secure code requirements map. This mapping need to be modified to the specific organisation requirements</li> | <li>SCAT comes out the box with a standard OWASP secure code requirements map. This mapping need to be modified to the specific organisation requirements</li> | ||
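Review bot: in the standard requirements bullet, "comes out the box" should read "comes out of the box" and "This mapping need to be modified" should read "This mapping needs to be modified". Since this bullet is the only guidance on tailoring the OWASP requirements map, it would help to say where the mapping is edited (which SCAT screen or configuration) so a team can actually carry out the modification it asks for.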
Line 178: | Line 157: | ||
</li> | </li> | ||
</ul> | </ul> | ||
− | == | + | == Client specific architectural requirements== |
<ul> | <ul> | ||
<li>To generate these requirements we perform a risk assessment on client application landscape and identify</li> | <li>To generate these requirements we perform a risk assessment on client application landscape and identify</li> | ||
Line 203: | Line 181: | ||
<br> | <br> | ||
− | + | <h1>Project information</h1> | |
==Licensing== | ==Licensing== | ||
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. | This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. | ||
+ | == Interested in contributing== | ||
+ | [https://www.linkedin.com/in/michael-bergman-99826212a/ Please send a connect request with subject SCAT] | ||
== Project Resources == | == Project Resources == | ||
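Review bot: the licensing link text carries a stray word "link" ("[http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0]"), which renders as "link GNU Affero General Public License 3.0"; drop it. The hunk also mixes an HTML heading ("<h1>Project information</h1>") with the "==Licensing==" and "== Interested in contributing==" wiki headings around it; using == headings throughout keeps the table of contents and section editing consistent.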
Line 288: | Line 196: | ||
== Project Leader == | == Project Leader == | ||
− | [ | + | [https://www.linkedin.com/in/michael-bergman-99826212a/ Michael Bergman LinkedIn] |
==Classifications== | ==Classifications== |
Latest revision as of 18:33, 14 October 2019