This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Security Integration System"
MB netblue4 (talk | contribs) (→What is the SCAT) |
MB netblue4 (talk | contribs) (→Process integrity VS point in time) |
||
Line 28: | Line 28: | ||
==Process integrity VS point in time== | ==Process integrity VS point in time== | ||
+ | |||
+ | <p> | ||
+ | <strong>Process integrity</strong> | ||
+ | </p> | ||
+ | <p> | ||
+ | Answers the questions: When a vulnerability is detected | ||
+ | </p> | ||
+ | <ul> | ||
+ | |||
+ | <li>Do developers <span style="text-decoration:underline;">consistently</span> uses and approved fixes? | ||
+ | |||
+ | <li>Do testers <span style="text-decoration:underline;">consistently</span> write valid test? | ||
+ | |||
+ | <li>Can dev teams <span style="text-decoration:underline;">consistently</span> produce evidence they have done it securely? | ||
+ | </li> | ||
+ | </ul> | ||
+ | <p> | ||
+ | <span style="text-decoration:underline;">Consistency is important</span>: It means that when a vulnerability is detected it is fixed and <span style="text-decoration:underline;">will not reoccur</span> in the next sprint or when a new developer joins the team. Only when consistency is in place can organisations begin improving and <span style="text-decoration:underline;">maturing the process</span> | ||
+ | </p> | ||
+ | <p> | ||
+ | Process integrity tools<strong> </strong> | ||
+ | </p> | ||
+ | <ul> | ||
+ | |||
+ | <li>Vulnerability fixes are translated into security controls and built into the process of developing software. These are verified and each phase and evidence collected proving they was implemented correctly | ||
+ | |||
+ | <li>What do we mean by “translated into security controls”?: Detected vulnerabilities are enriched with organisational specifice secure code blocks, trained, verified, evidence collected and monitored for compliance. Translating vulnerabilities into security controls has a <span style="text-decoration:underline;">higher upfront setup cost</span> | ||
+ | </li> | ||
+ | </ul> | ||
+ | <p> | ||
+ | <strong>Point in time security verification</strong> | ||
+ | </p> | ||
+ | <p> | ||
+ | Answers the question: How many vulnerabilities do we have in production at this moment in time? | ||
+ | </p> | ||
+ | <p> | ||
+ | Point in time tools | ||
+ | </p> | ||
+ | <ul> | ||
+ | |||
+ | <li>Very good at periodically checking if vulnerabilities have been fixed with a low upfront setup cost | ||
+ | |||
+ | <li>Clearly instructs as to what needs to be fixed, but gives little guidance on <span style="text-decoration:underline;">how to</span> fix vulnerabilities | ||
+ | |||
+ | <li>Without guidance and only periodic checking, dev teams <span style="text-decoration:underline;">learn to fix vulnerabilities through trial and error</span> and rely on individual knowledge and experience | ||
+ | |||
Revision as of 08:15, 7 October 2019
What is the Secure code assurance tool (SCAT)
What is the SCAT
Process integrity VS point in timeProcess integrity Answers the questions: When a vulnerability is detected
Consistency is important: It means that when a vulnerability is detected it is fixed and will not reoccur in the next sprint or when a new developer joins the team. Only when consistency is in place can organisations begin improving and maturing the process Process integrity tools
Point in time security verification Answers the question: How many vulnerabilities do we have in production at this moment in time? Point in time tools
Low levels of compliance
Compliance and assurance seen as blockers
Duplication of effort and inconsistent implementation
See below how the Secure code assurance tool integrates security into software development phases Sprint planning phaseObjective: Ensures security requirements are understood
Development phaseObjective: Ensure correct implementation of security requirements
Secure code review phaseObjective: Ensure correct implementation of security requirements
Testing phaseObjective: Ensure valid security testing
Approval phaseObjective: Streamline the approval and audit process
Risk managementObjective: Enable risk managers to prioritise, plan and monitor mitigation efforts
When developing secure software we need to consider both standard secure code and client specific architectural requirements Standard secure code requirements
Client specific architectural requirements
SCAT has the following governance objectives implemented by the following “first line of defense” functions Benefits realisation: Enabling development teams to deliver at speedRisk optimisation: Minimise the negative and maximise the positive consequencesResource optimisation: Predictable, repeatable and consistent level of security across all teams
Promoting compliance to security requirements
Minimising the impact of audit and assurance
Informing risk based decision making
Integrating security into the software development process
LicensingThis program is free software: you can redistribute it and/or modify it under the terms of the link GNU Affero General Public License 3.0 as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. Project Resources[Installation Package] [Source Code] Project LeaderClassifications |