This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Security Integration System"

From OWASP
Jump to: navigation, search
(Description)
(What is the Secure code assurance tool (SCAT))
 
(464 intermediate revisions by the same user not shown)
Line 2: Line 2:
  
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
+
| valign="top"  style="border-right: 1px dotted ;padding-right:25px;" |
  
<span style="color:#ff0000">
+
==What is the Secure code assurance tool (SCAT)==
Instructions are in RED text and should be removed from your document by deleting the text with the span tags. This document is intended to serve as an example of what is required of an OWASP project wiki page. The text in red serves as instructions, while the text in black serves as an example. Text in black is expected to be replaced entirely with information specific to your OWASP project.
+
<h1><b>What is the SCAT</b></h1>
</span>
 
==Project About==
 
<span style="color:#ff0000">
 
{{Template:Project_About
 
  | project_name=Software Integration System
 
  | leader_name1=Michael Bergman
 
 
}}
 
  
 +
[https://www.linkedin.com/pulse/secure-code-assurance-tool-scat-version-20-michael-bergman/ For more information on the <b>why</b> behind the SCAT, read my linkedIn Article here]
  
==OWASP Tool Project Template==
+
==What is the SCAT==
<span style="color:#ff0000">
 
This section should include an overview of what the project is, why the project was started, and what security issue is being addressed by the project deliverable.
 
</span>
 
  
 +
<ul>
  
<p>
+
<li>SCAT is a <span style="text-decoration:underline;">process integrity tool</span>, implementing a consistent, authorized and auditable software development process
<b>Introduction</b><br>
 
Secure software development has a number of stakeholders.
 
<ol>
 
<li><b>IT risk</b>: I need to know where my highest risks are, so I can focus on mitigating these</li>
 
<li><b>Information security</b>: I need to generate a list f security requirements to protect against vulnerabilities</li>
 
<li><b>Compliance and Assurance</b>: I need to ensure the code meets security requirements and we have evidence proving that</li>
 
<li><b>Business</b>:  I need to get the functionality to the market before our competitors </li>
 
<li><b>Development teams</b>: I need to do all of the above and within a two week sprint cycle :-)</li>
 
</ol>
 
  
 +
<li>SCAT is used by development teams to build, verify and assure secure software
 +
<ul>
 +
 +
<li><strong>Build</strong>: uses a combination of code level guidance, on demand training and DAST tools to train, guide and verify correct implementation
 +
 +
<li><strong>Verify</strong>: uses a combination of manual test plans and SATS tools to guide and verify correct implementation
 +
 +
<li><strong>Assure</strong>: centrally stores and publishes evidence of secure development and testing as an audit trail. Providing traceability through requirements and proving that security <span style="text-decoration:underline;">controls operate efficiently over a period of time</span>
 +
</li>
 +
</ul>
  
<br>
+
<li>SCAT is <span style="text-decoration:underline;">not a point in time security verification tool </span>for detecting vulnerabilities after development</li>  
<b>How these stakeholder requirements are often met?</b><br>
+
</ul>
For every development cycle
 
<ol>
 
<li><b>Development teams</b>: Need to read and understand all 99 articles of the GDPR:  to make sure, for example, the data is categorised and user consent is stored</li>
 
<li><b>Development teams</b>: Need to read and understand the 114 controls listed in ISO 27002 (if the use ISO):  To make sure the solution can be safely integrated into the organisations information security management system (ISMS) and for example, application logs are in a format that can be consumed and reported to the SEIM</li>
 
<li><b>Development teams</b>: Need to select from the 99 GDPR articles and the 114 ISO controls those that apply to the solution, perform a risk assessment on the selected controls, write security test plans to test selected controls</li>
 
<li><b>Development teams</b>: Need to technically implementation and test security requirements</li>
 
<li><b>Approvers</b>:  Need to hunt through hundreds of automated test results to find the testing evidence proving that the security requirements were tested</li>
 
<li><b>Business</b>:  Need Scream and shout about not meeting the two week sprint cycle deadline</li>
 
</ol>
 
<i>Development teams cannot perform these security tasks within a reasonable time frame, let alone a two week sprint cycle By this time the 2 week sprint cycle has elapsed and </i>
 
</p>
 
  
<br>
+
==Process integrity and point in time tools: How they work in the SDLC==
<b>How should these stakeholder requirements be met</b><br>
 
For every development cycle
 
<ol>
 
<li><b>Information security</b>: Needs to understand the technical implementation and generate a list of security requirements to protect against vulnerabilities</li>
 
<li><b>Information security</b>: Make sure development teams understand the security requirements</li>
 
<li><b>Development teams</b>: Need to implement, test and record evidence proving the security requirements are met</li>
 
<li><b>Approvers</b>:  Need to review testing evidence, accept the risk and approve the release</li>
 
<li><b>Compliance and Assurance</b>: Need to review collect evidence for consistency and traceability</li>
 
</ol>
 
  
 +
[[File:Process integrity VS point in time without check.png|800px|center|Process integrity VS point in time without check]]
  
 +
<h1><b>Technical Description</b></h1>
  
<br>
+
==Without further complicating development environment==
<p>
 
<b>Why is it so hard to meet these stakeholder requirements?</b><br>
 
 
<ul>
 
<ul>
<li>Each stakeholder represents a separate domain, each domain contains a huge body of knowledge.</li>
 
<li>This huge body of security, risk, compliance and assurance knowledge needs to be filtered, made applicable and applied to every critical function in the application landscape</li>
 
<li>Adding to the complexity is that every critical function in the application landscape could be coded in a different language and implemented in a different environment</li>
 
<li>Further compounding the problem is the fact that most other organisational processes have a <b>first line of defence that integrates these security controls into the process</b> but, unless your organisation is gifted with budget and resources the software development process does not have a first line of defence</li>
 
</ul>
 
<b>The lack of a dedicated fist line of defence or a planned security control implementation usually results in a a 50 page security policy being dumped on the developers desk with the comment "Implement this please"</b>
 
  
<br>
+
<li>SCAT is a simple 5 screen MVC, C# web application with a small footprint that can be deployed without further complicating development environment
<b>What will the role of a first line of defence be in the software development process</b>:
+
 
<ol>
+
<li>Integrates with Jira and runs ZAP and SonarQube in docker containers
<li>Generates security requirements before coding begins</li>
 
<li>Guiding developers towards correctly implementing security requirements</li>
 
<li>Guiding testers towards correctly verifying security requirements are met</li>
 
<li>Speeding up the approval process to minimise its impact on responsiveness to market</li>
 
<li>Inform risk based decision making and prioritising</li>
 
</ol>
 
<b>To combat the limited budget and resources the Secure coding tool attempts to fill the shoes of the first line of defence</b>
 
  
 +
<li>SCAT is part of three domains to consider when securing software development.  <em>I've detailed the other domains in an article that will be published in the Nov/Dec issue of the ISC2 magazine, I will add a link here after publication.</em>
  
<br>
 
<p>
 
<b>Please note</b><br>
 
It's important to note that the secure coding tool is part of a system of components to secure software development. <br>
 
Other components of the system include <b>governance</b>, <b>human support</b> and <b>vulnerability management<b>. <br>
 
I've detailed these components in a different article that will be published in the Nov/Dec issue of the ISC2 magazine, I will add a link here after publication.
 
</p>
 
  
  
==Description==
+
<h1><b>See how developers use SCAT</b></h1>
<span style="color:#ff0000">
+
See below how the Secure code assurance tool integrates security into software development phases
This is where you need to add your more robust project description. A project description should outline the purpose of the project, how it is used, and the value it provides to application security. Ideally, project descriptions should be written in such a way that there is no question what value the project provides to the software security community. This section will be seen and used in various places within the Projects Portal. Poorly written project descriptions therefore detract from a project’s visibility, so project leaders should ensure that the description is meaningful. 
 
</span>
 
  
<br>
+
==Sprint planning phase ==
<b>What does the Secure coding tool do?</b><br>
+
<b>Objective</b>: Ensures security requirements are understood <br>
The secure coding tool, goes beyond theory and procedure and attempts to implement a planned control integration effort.<br>
 
The Secure coding tool is written in MVC \ MySQL and consists of 5 screens each serving a specific stakeholder
 
  
[[File:OWASP data flow.png|thumb]]
+
    <ul>
<ol>
+
        <li><b>Developers</b> use the <b>Identify risks</b> screen to<br>
<li><b>Information security stakeholder</b>: Filters the security requirements according to the functional requirement:  Streamlining security requirements generation </li>
+
            <ol>
<li><b>Dev team stakeholder</b>: Provides secure code blocks to implement the security requirement:  Providing code level guidance for developers towards correctly implementing security requirements</li>
+
                <li>Select the critical function to developing/changing</li>
<li><b>Dev team stakeholder</b>: Provides security test plans to testing the security requirements: Guiding testers towards correctly verifying security requirements are met</li>
+
                <li>Identify the technologies used</li>
<li><b>Compliance and assurance stakeholder</b>: Provides a central store for testing results: Promoting traceability through requirements and serving as a quick reference screen for assurance to view control assurance evidence, speeding up the approval process and minimising its impact on responsiveness to market</li>
+
                <li>Automatically generate the security requirements and tests</li>
<li><b>IT risk stakeholder</b>: Provides IT risk with an overview of each applications exposure to OWASP TOP 10 risks:  Informing risk based decision making and prioritising</li>
+
                [https://youtu.be/Gpk4K5keLyw See how to use the tools and its internal mapping to generate security requirements]
</ol>
+
            </ol>
 +
        <li><b>Product owners</b> use the <b>Secure code requirements</b> screen to<br>
 +
            <ol>
 +
              <li>Create an audit trail to store evidence of secure development</li>
 +
                <li>Create Jira tickets for requirements and tests to manage work</li>
 +
            </ol>
 +
      </li>
 +
    </ul>
  
 +
== Development phase ==
  
[[File:Internal mapping.png|thumb]]
+
<b>Objective</b>: Ensure correct implementation of security requirements<br>
 +
    <ul>
 +
        <li><b>Developers</b> use the <b>Secure development</b> screen to<br>
 +
            <ol>
 +
                <li>View and understand how to attack and prevent the risk</li>
 +
                <li>View the secure code requirements</li>
 +
                <li>View the secure code block to implement the security requirement</li>
 +
                <li>Manage development effort in Jira</li>
 +
                <li>After development run a ZAP basic scan to verify security requirements have been correctly implemented</li>
 +
                [https://youtu.be/1pSatE_7mEs See how the tool helps developers understand security requirements and write secure code]
 +
            </ol>
 +
      </li>
 +
  </ul>
  
 +
== Secure code review phase ==
  
 +
<b>Objective</b>: Ensure correct implementation of security requirements<br>
  
<br>
+
    <ul>
<p>
+
        <li><b>Code reviewers</b> use the <b>Secure code review </b> screen to<br>
<b>How does the secure coding tool do it?</b><br>
+
            <ol>
The secure coding tool, goes beyond theory and procedure and attempts to implement a planned control integration effort.<br>
+
                <li>Guide manually secure code review</li>
The Secure coding tool is written in MVC \ MySQL and consists of 5 screens each serving a specific stakeholder
+
                <li>After manual secure code review run a Sonarqube scan to verify security requirements have been correctly implemented</li>
<ol>
+
                [https://youtu.be/ygre0SrWxD4 See how the tool verifies correct security requirements implementation]
<li><b>Information security stakeholder</b>: Filters the security requirements according to the functional requirement:  Streamlining security requirements generation </li>
+
            </ol>
<li><b>Dev team stakeholder</b>: Provides secure code blocks to implement the security requirement:  Providing code level guidance for developers towards correctly implementing security requirements</li>
+
      </li>
<li><b>Dev team stakeholder</b>: Provides security test plans to testing the security requirements: Guiding testers towards correctly verifying security requirements are met</li>
+
    </ul>
<li><b>Compliance and assurance stakeholder</b>: Provides a central store for testing results: Promoting traceability through requirements and serving as a quick reference screen for assurance to view control assurance evidence, speeding up the approval process and minimising its impact on responsiveness to market</li>
 
<li><b>IT risk stakeholder</b>: Provides IT risk with an overview of each applications exposure to OWASP TOP 10 risks:  Informing risk based decision making and prioritising</li>
 
</ol>
 
  
<br>
+
== Testing phase==
<p>
 
<b>Implementation instructions</b><br>
 
Not a silver bullet ready to go
 
<ol>
 
<li>Filter the list of OWASP risks</li>
 
<li>Filter the list of OWASP ASVS requirements</li>
 
<li>Add additional architectural security requirements</li>
 
<li>Filter the list of OWASP security tests</li>
 
</ol>
 
</p>
 
  
For a more detailed look at the inner workings of the tool and a brief instructional video please take a look at my linkedIn article
+
<b>Objective</b>: Ensure valid security testing<br>
<a href="https://www.linkedin.com/pulse/secure-coding-tool-michael-bergman/">Secure coding tool</a>
+
    <ul>
 +
        <li><b>Testers</b> use the <b>Secure testing</b> screen to<br>
 +
            <ol>
 +
                <li>View the test plans required to test the risk</li>
 +
                <li>Manage testing effort in Jira</li>
 +
                [https://youtu.be/QdbCzheceUw See how the tool helps testers test risk mitigation efforts]
 +
            </ol>
 +
      </li>
 +
    </ul>
 +
== Approval phase ==
  
==Licensing==
+
<b>Objective</b>: Streamline the approval and audit process<br>
<span style="color:#ff0000">
 
A project must be licensed under a community friendly or open source license.  For more information on OWASP recommended licenses, please see [https://www.owasp.org/index.php/OWASP_Licenses OWASP Licenses]. While OWASP does not promote any particular license over another, the vast majority of projects have chosen a Creative Commons license variant for documentation projects, or a GNU General Public License variant for tools and code projects.  This example assumes that you want to use the AGPL 3.0 license.
 
</span>
 
  
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.  OWASP XXX and any contributions are Copyright &copy; by {the Project Leader(s) or OWASP} {Year(s)}. 
+
<ul>
 +
        <li><b>Approvers</b> use the <b>Assurance evidence </b> screen to<br>
 +
            <ol>
 +
                <li>View relevant testing evidence alongside the risk, reducing the time assurance teams need to examine and approve releases</li>
 +
                <li>View verified development effort and whether it falls within risk tolerance levels</li>
 +
                [https://youtu.be/oyKK3Mq13B4 See how the tool streamlines the approval process with centrally stored testing evidence]
 +
            </ol>
 +
      </li>
 +
    </ul>
 +
== Risk management ==
 +
<b>Objective</b>: Enable risk managers to prioritise, plan and monitor mitigation efforts<br>
  
==Roadmap==
+
    <ul>
<span style="color:#ff0000">
+
        <li><b>Risk managers</b> use the <b>Application risk exposure</b> screen to<br>
As of <strong>November, 2013, the highest priorities for the next 6 months</strong> are:
+
            <ol>
<strong>
+
                <li>View each application critical function and the associated risks</li>
* Complete the first draft of the Tool Project Template
+
                <li>Identify where mitigation effort is required by viewing which risks require security requirements</li>
* Get other people to review the Tool Project Template and provide feedback
+
                <li>Identify where development effort is required by viewing which security requirements need secure code blocks</li>
* Incorporate feedback into changes in the Tool Project Template
+
                <li>Identify where extra testing effort is required by viewing which risks require security test plans</li>
* Finalize the Tool Project template and have it reviewed to be promoted from an Incubator Project to a Lab Project
+
                [https://youtu.be/8pKxorPSq_M See how the Application landscape overview screen informs risk based decision making]
</strong>
+
            </ol>
 +
      </li>
 +
    </ul>
 +
<br>
 +
<br>
  
Subsequent Releases will add
+
<h1> <b>Preparation phase</b></h1>
<strong>
+
When developing secure software we need to consider both standard secure code and client specific architectural requirements
* Internationalization Support
 
* Additional Unit Tests
 
* Automated Regression tests
 
</strong>
 
  
==Getting Involved==
+
== Standard secure code requirements==
<span style="color:#ff0000">
 
Involvement in the development and promotion of <strong>Tool Project Template</strong> is actively encouraged!
 
You do not have to be a security expert or a programmer to contribute.
 
Some of the ways you can help are as follows:
 
  
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
+
<ul>
 +
        <li>SCAT comes out the box with a standard OWASP secure code requirements map. This mapping need to be modified to the specific organisation requirements</li>
 +
<br>
 +
        <li><b>Information security and development team</b> use the <b>Internal mapping </b> screen to
 +
            <ol>
 +
                <li>Map the security requirements to OWASP risks</li>
 +
                <li>Map organisation approved secure code blocks to security requirements</li>
 +
                <li>Map security test plans to OWASP risks</li>
 +
                [https://youtu.be/EkWdAC1sbkE See how to setup the SCAT's internal mapping]
 +
            </ol>
 +
      </li>
 +
  </ul>
  
== Project Resources ==
+
== Client specific architectural requirements==
<span style="color:#ff0000">
 
This is where you can link to the key locations for project files, including setup programs, the source code repository, online documentation, a Wiki Home Page, threaded discussions about the project, and Issue Tracking system, etc.
 
</span>
 
  
[https://github.com/SamanthaGroves Installation Package]
+
<ul>
 +
    <li>To generate these requirements we perform a risk assessment on client application landscape and identify</li>
 +
<ol>
 +
    <li>Critical applications and functions</li>
 +
    <li>Risk associated with each critical application function</li>
 +
    <li>Architectural security requirements to secure each critical application functions</li>
 +
    <li>Client specific secure code blocks to implement security requirements</li>
 +
    <li>Secure test plans to verify risk has been mitigated</li>
 +
</ol>
 +
<br>
 +
    <li><b>Tool administrators</b> use the <b>Internal mapping </b> screen to
 +
<ol>
 +
    <li>Create json files of the organisation specific risks, security requirements, secure code blocks and tests</li>
 +
    <li>Import these into the SCAT</li>
 +
    [https://youtu.be/FD3O2ObYBQs See how to import organisations specific risks, security requirements, secure code blocks and tests]
 +
</ol>
 +
</ul>
  
[https://github.com/SamanthaGroves Source Code]
+
<br>
 +
<br>
  
[https://github.com/SamanthaGroves What's New (Revision History)]
+
<h1>Project information</h1>
  
[https://github.com/SamanthaGroves Documentation]
+
==Licensing==
 +
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
  
[https://github.com/SamanthaGroves Wiki Home Page]
+
== Interested in contributing==
 +
[https://www.linkedin.com/in/michael-bergman-99826212a/ Please send a connect request with subject SCAT]
  
[https://github.com/SamanthaGroves Issue Tracker]
+
== Project Resources ==
  
[https://github.com/SamanthaGroves Slide Presentation]
+
[Installation Package]
  
[https://github.com/SamanthaGroves Video]
+
[Source Code]
  
 
== Project Leader ==
 
== Project Leader ==
<span style="color:#ff0000">
+
[https://www.linkedin.com/in/michael-bergman-99826212a/ Michael Bergman LinkedIn]
A project leader is the individual who decides to lead the project throughout its lifecycle. The project leader is responsible for communicating the project’s progress to the OWASP Foundation, and he/she is ultimately responsible for the project’s deliverables. The project leader must provide OWASP with his/her real name and contact e-mail address for his/her project application to be accepted, as OWASP prides itself on the openness of its products, operations, and members.
 
</span>
 
 
 
[mailto://[email protected] Michael Bergman]
 
 
 
== Related Projects ==
 
<span style="color:#ff0000">
 
This is where you can link to other OWASP Projects that are similar to yours.
 
</span>
 
* [[OWASP_Code_Project_Template]]
 
* [[OWASP_Documentation_Project_Template]]
 
  
 
==Classifications==
 
==Classifications==

Latest revision as of 18:33, 14 October 2019

OWASP Project Header.jpg

What is the Secure code assurance tool (SCAT)

For more information on the why behind the SCAT, read my linkedIn Article here

What is the SCAT

  • SCAT is a process integrity tool, implementing a consistent, authorized and auditable software development process
  • SCAT is used by development teams to build, verify and assure secure software
    • Build: uses a combination of code level guidance, on demand training and DAST tools to train, guide and verify correct implementation
    • Verify: uses a combination of manual test plans and SATS tools to guide and verify correct implementation
    • Assure: centrally stores and publishes evidence of secure development and testing as an audit trail. Providing traceability through requirements and proving that security controls operate efficiently over a period of time
  • SCAT is not a point in time security verification tool for detecting vulnerabilities after development

Process integrity and point in time tools: How they work in the SDLC

Process integrity VS point in time without check

Without further complicating development environment

  • SCAT is a simple 5 screen MVC, C# web application with a small footprint that can be deployed without further complicating development environment
  • Integrates with Jira and runs ZAP and SonarQube in docker containers
  • SCAT is part of three domains to consider when securing software development. I've detailed the other domains in an article that will be published in the Nov/Dec issue of the ISC2 magazine, I will add a link here after publication.

See below how the Secure code assurance tool integrates security into software development phases

Sprint planning phase

Objective: Ensures security requirements are understood

  • Developers use the Identify risks screen to
    1. Select the critical function to developing/changing
    2. Identify the technologies used
    3. Automatically generate the security requirements and tests
      4.                See how to use the tools and its internal mapping to generate security requirements
  • Product owners use the Secure code requirements screen to
    1. Create an audit trail to store evidence of secure development
    2. Create Jira tickets for requirements and tests to manage work

Development phase

Objective: Ensure correct implementation of security requirements

Secure code review phase

Objective: Ensure correct implementation of security requirements

Testing phase

Objective: Ensure valid security testing

Approval phase

Objective: Streamline the approval and audit process

Risk management

Objective: Enable risk managers to prioritise, plan and monitor mitigation efforts

  • Risk managers use the Application risk exposure screen to
    1. View each application critical function and the associated risks
    2. Identify where mitigation effort is required by viewing which risks require security requirements
    3. Identify where development effort is required by viewing which security requirements need secure code blocks
    4. Identify where extra testing effort is required by viewing which risks require security test plans
      5.                See how the Application landscape overview screen informs risk based decision making



When developing secure software we need to consider both standard secure code and client specific architectural requirements

Standard secure code requirements

  • SCAT comes out the box with a standard OWASP secure code requirements map. This mapping need to be modified to the specific organisation requirements


  • Information security and development team use the Internal mapping screen to
    1. Map the security requirements to OWASP risks
    2. Map organisation approved secure code blocks to security requirements
    3. Map security test plans to OWASP risks
      4.                See how to setup the SCAT's internal mapping

Client specific architectural requirements

  • To generate these requirements we perform a risk assessment on client application landscape and identify
    1. Critical applications and functions
    2. Risk associated with each critical application function
    3. Architectural security requirements to secure each critical application functions
    4. Client specific secure code blocks to implement security requirements
    5. Secure test plans to verify risk has been mitigated


  • Tool administrators use the Internal mapping screen to
    1. Create json files of the organisation specific risks, security requirements, secure code blocks and tests
    2. Import these into the SCAT
      3.     See how to import organisations specific risks, security requirements, secure code blocks and tests



Licensing

This program is free software: you can redistribute it and/or modify it under the terms of the link GNU Affero General Public License 3.0 as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

Interested in contributing

Please send a connect request with subject SCAT

Project Resources

[Installation Package]

[Source Code]

Project Leader

Michael Bergman LinkedIn

Classifications

Project Type Files TOOL.jpg
Incubator Project
Owasp-defenders-small.png
Affero General Public License 3.0