Revision as of 18:00, 2 November 2015

1 DRAFT CHEAT SHEET - WORK IN PROGRESS
2 Background
3 How to Apply
4 Final Notes

DRAFT CHEAT SHEET - WORK IN PROGRESS

Background

This cheat sheet provides a quick reference on the most important initiatives to build security into multiple parts of software development processes. This cheat sheet is based on the OWASP Software Assurance Maturity Model (SAMM) which can be integrated into any existing SDLC.

SAMM is based around a set of 12 security practices, which are grouped into 4 business functions. Every security practice contains a set of activities, structured into 3 maturity levels. The activities on a lower maturity level are typically easier to execute and require less formalization than the ones on a higher maturity level.

The structure and setup of the SAMM maturity model are made to support (i) the assessment of the current software assurance posture, (ii) the definition of the strategy (i.e. the target) that the organization should take, (iii) the formulation of an implementation roadmap of how to get there and (iv) prescriptive advice on how to implement particular activities.

In that sense, the value of SAMM lies in providing a means to know where your organization is on its journey towards software assurance, and to understand what is recommended to move to a next level of maturity. Note that SAMM does not insist that all organizations achieve maturity level 3 in every category. Indeed, you determine the target maturity level for each Security Practice that is the best fit for your organization and its needs. SAMM provides a number of templates for typical organizations to this end, but you can adapt these as you see fit.

How to Apply

A typical approach of using SAMM in an organization is as follows:

Step	Purpose	Activities	Resources	Best Practices
Step 1 - Assess	Ensure a proper start of the project	Define the scope Set the target of the effort (The entire enterprise, a particular application or project or team etc.) Identify Stakeholders Ensure that important stakeholders supposed to support and execute the project are identified and well aligned Spread the word Inform people about the initiative and provide them with information to understand what you will be doing	Consider involving at least: Executive Sponsor Security Team Developers Architects Business Owners QA Testers Managers The OpenSAMM main site: http://www.opensamm.org/ The model in .pdf: http://www.opensamm.org/	Pre-screen software development maturity to have realistic expectations The smaller the scope, the easier the exercise
Step 2 - Assess	Identify and understand the maturity of your chosen scope in each of the 12 software security practices	Evaluate current practices Organize interviews with relevant stakeholders to understand the current state of practice within your organization. You could evaluate this yourself if you understand the organization sufficiently well. SAMM provides lightweight and detailed assessments (where the latter is an evidence-based evaluation) – use the detailed one only if you want to have absolute certainty about the scores. Determine maturity level Based on the outcome of the previous activity, determine for each security practice the maturity level according to the SAMM maturity scoring system. In a nutshell, when all activities below and within a maturity level have been implemented, this level can be used for the overall score. When extra higher-level activities have been implemented without reaching a full next level, add a “+” to the rating.	The OpenSAMM toolbox http://LINK Online Self Assessment Tool https://ssa.asteriskinfosec.com.au Both of these resources provide you with: Assessment questions Maturity level calculation	Ensure consistent assessment for different stakeholders and teams by using the same questions and interviewer Consider using different formats to gather data (e.g., workshops vs. interviews. Ensure interviewees understand the particularities of activities. Understand which activities are not applicable to the organization and take this into account in the overall scoring. Anticipate/document whether you plan to award partial credit, or just document various judgement calls. Repeat questions to several people to improve the assessment quality Consider making interviews anonymous to ensure honesty Don’t take questions too literally)
Step 3 - Set the target	Develop a target score that you can use as a measuring stick to guide you to act on the “most important” activities for your situation	Define the target Set or update the target by identifying which activities your organization should implement ideally. Typically this will include more lower-level than higher-level activities. Predefined roadmap templates can be used as a source for inspiration. Ensure that the total set of selected activities makes sense and take into account dependencies between activities. Estimate overall impact Estimate the impact of the chosen target on the organization. Try to express in budgetary arguments.	See the How-To-Guide for predefined templates Software Assurance Maturity Model (SAMM) Roadmap Chart Worksheet (part of the OpenSAMM Benchmarking as a comparative source)	Take into account the organisation’s risk profile Respect dependencies between activities As a rough measure, the overall impact of a software assurance effort is estimated at 5 to 10% of the total development cost.
Step 4 - Define the plan	Develop or update your plan to take your organization to the next level	Determine change schedule Choose a realistic change strategy in terms of number and duration of phases. A typical roadmap consists of 4-6 phases of 3 to 12 months. Develop / Update the roadmap plan Distribute the implementation of additional activities over the different roadmap phases, taking into account the effort required to implement them.. Try to balance the implementation effort over the different periods, and take dependencies between activities into account	Software Assurance Maturity Model : A guide to building security into software development page 33: http://www.opensamm.org/ Project Plan http://www.opensamm.org/downloads/	Identify quick wins and plan them early on Start with awareness/training Adapt to coming release cycles / key projects
Step 5 - Implement	Work the plan	Implement activities Implement all activities that are part of this period. Consider their impact on processes, people, knowledge and tools. The SAMM model contains prescriptive advice on how to do this. OWASP projects may help to facilitate this.	Useful OWASP resources per activity are described at https://www.owasp.org	Treat legacy software separately. Do not mandate migration unless really important. Avoid operational bottle-necks (in particular for the security team)
Step 6 - Roll out	Ensure that improvements are available and effectively used within the organization	Evangelize Improvements Make the steps and improvements visible for everyone involved by organizing training and communicating. Measure effectiveness Measure the adoption and effectiveness of implemented improvements by analyzing usage and impact.		Categorize applications according to their impact on the organization. Focus on high-impact applications. Use team champions to spread new activities throughout the organization

As part of a quick start effort, the first four phases (preparation, assess, setting the target and defining the plan) can be executed by a single person in a limited amount of time (1 to 2 days). Making sure that this is supported in the organization, as well as the implementation and roll-out phases typically require much more time to execute.

Final Notes

The best way to grasp SAMM is to start using it. This document has presented a number of concrete steps and supportive material to execute these. Now it’s your turn. We warmly invite you to spend a day or two on following the first steps, and you will quickly understand and appreciate the added value of the model. Enjoy! Suggestions for improvements are very welcome. And if you’re interested, consider to join the mailinglist or become part of the OpenSAMM community

OWASP Cheat Sheets Project Homepage

OWASP Cheat Sheet Series

V - T - E Cheat Sheets
Developer / Builder	3rd Party Javascript Management Access Control AJAX Security Cheat Sheet Authentication (ES) Bean Validation Cheat Sheet Choosing and Using Security Questions Clickjacking Defense Credential Stuffing Prevention Cheat Sheet Cross-Site Request Forgery (CSRF) Prevention Cryptographic Storage C-Based Toolchain Hardening CSS Security Deserialization DOM based XSS Prevention Forgot Password HTML5 Security HTTP Strict Transport Security Injection Prevention Cheat Sheet Injection Prevention Cheat Sheet in Java JSON Web Token (JWT) Cheat Sheet for Java Input Validation Insecure Direct Object Reference Prevention JAAS Key Management LDAP Injection Prevention Logging Mass Assignment Cheat Sheet .NET Security OS Command Injection Defense Cheat Sheet OWASP Top Ten Password Storage Pinning Query Parameterization REST Security Ruby on Rails Session Management SAML Security SQL Injection Prevention Transaction Authorization Transport Layer Protection TLS Cipher String Configuration Unvalidated Redirects and Forwards User Privacy Protection Web Service Security XSS (Cross Site Scripting) Prevention XML External Entity (XXE) Prevention Cheat Sheet
Assessment / Breaker	Attack Surface Analysis REST Assessment Web Application Security Testing XML Security Cheat Sheet XSS Filter Evasion
Mobile	Android Testing IOS Developer Mobile Jailbreaking
OpSec / Defender	Virtual Patching Vulnerability Disclosure
Draft and Beta	Application Security Architecture Business Logic Security Content Security Policy Denial of Service Cheat Sheet Grails Secure Code Review IOS Application Security Testing PHP Security Regular Expression Security Cheatsheet Secure Coding Secure SDLC Threat Modeling
All Pages In This Category

Difference between revisions of "Secure SDLC Cheat Sheet"

Revision as of 18:00, 2 November 2015

DRAFT CHEAT SHEET - WORK IN PROGRESS

Background

How to Apply

Final Notes

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools

@@ Line 1: / Line 1: @@
 = DRAFT CHEAT SHEET - WORK IN PROGRESS =
-= Introduction =
+= Background =
 This cheat sheet provides a quick reference on the most important initiatives to build security into multiple parts of software development processes. This cheat sheet is based on the OWASP Software Assurance Maturity Model (SAMM) which can be integrated into any existing SDLC.
 SAMM is based around a set of 12 security practices, which are grouped into 4 business functions. Every security practice contains a set of activities, structured into 3 maturity levels. The activities on a lower maturity level are typically easier to execute and require less formalization than the ones on a higher maturity level.
-= Purpose =
+The structure and setup of the '''SAMM maturity model''' are made to support (i) the '''assessment''' of the current software assurance posture, (ii) the definition of the '''strategy''' (i.e. the target) that the organization should take, (iii) the formulation of an implementation '''roadmap''' of how to get there and (iv) prescriptive advice on how to '''implement''' particular activities.
-More mature organisations undertake software assurance activities across a wider spectrum of steps, and generally earlier, than less mature organisations. This has been shown to identify more vulnerabilities sooner, have then corrected at less cost, prevent them being re-introduced more effectively, reduce the number of vulnerabilities in production environments, and reduce the number of security incidents including data breaches.
+In that sense, the value of SAMM lies in providing a means to know where your organization is on its journey towards software assurance, and to understand what is recommended to move to a next level of maturity. Note that SAMM does not insist that all organizations achieve maturity level 3 in every category. Indeed, you determine the target maturity level for each Security Practice that is the best fit for your organization and its needs. SAMM provides a number of templates for typical organizations to this end, but you can adapt these as you see fit.
-...???
-= Implementing a secure software development life cycle (S-SDLC) =
+= How to Apply =
-== Development methodology ==
+A typical approach of using SAMM in an organization is as follows:
-Waterfall, iterative, agile...???
+{| class="wikitable"
+! scope="col" | Step
+! scope="col" | Purpose
+! scope="col" | Activities
+! scope="col" | Resources
+! scope="col" | Best Practices
+|-
+| Step 1 - '''Assess'''
+| Ensure a proper start of the project
+| '''Define the scope'''
+Set the target of the effort (The entire enterprise, a particular application or project or team etc.)
-Whatever your development methodology, organizational culture, types of application and risk profile, this document provides a technology agnostic summary of recommendations to include within your own S-SDLC.
+'''Identify Stakeholders'''
+Ensure that important stakeholders supposed to support and execute the project are identified and well aligned
-== Do these first ==
+'''Spread the word'''
+Inform people about the initiative and provide them with information to understand what you will be doing
+| '''Consider involving at least:'''
+* Executive Sponsor
+* Security Team
+* Developers
+* Architects
+* Business Owners
+* QA Testers
+* Managers
-The items summarize the activities detailed in Open SAMM to meet level 1 maturity. It may not be appropriate to aim for level 1 across all these business practices and each organization should review the specific objectives, activities and expected results to determine how and what items to include in their own programmes. The presentation ordering is not significant.
+The OpenSAMM main site: http://www.opensamm.org/
-=== Education & guidance ===
+The model in .pdf: http://www.opensamm.org/
+| Pre-screen software development maturity to have realistic expectations The smaller the scope, the easier the exercise
+|-
+| Step 2 - '''Assess'''
+| Identify and understand the maturity of your chosen scope in each of the 12 software security practices
+| '''Evaluate current practices'''
+Organize interviews with relevant stakeholders to understand the current state of practice within your organization. You could evaluate this yourself if you understand the organization sufficiently well. SAMM provides   lightweight and detailed assessments (where the latter is an evidence-based evaluation) – use the detailed one only if you want to have absolute certainty about the scores.
-???
+'''Determine maturity level'''
-=== Security requirements ===
+Based on the outcome of the previous activity, determine for each security practice the maturity level according to the SAMM maturity scoring system. In a nutshell, when all activities below and within a maturity level have
+been implemented, this level can be used for the overall score. When extra higher-level activities have been implemented without reaching a full next level, add a “+” to the rating.
+| The OpenSAMM toolbox http://LINK
-???
+Online Self Assessment Tool
-=== Code review ===
+https://ssa.asteriskinfosec.com.au
-???
+Both of these resources provide you with:
+* Assessment questions
+* Maturity level calculation
+| Ensure consistent assessment for different stakeholders and teams by using the same questions and interviewer
+Consider using different formats to gather data (e.g., workshops vs. interviews.
+Ensure interviewees understand  the particularities of activities.
+Understand which activities are not applicable to the organization and take this into account in the overall scoring.
+Anticipate/document  whether you plan to award partial credit, or just  document various judgement calls.
+Repeat questions to several people to improve the assessment quality Consider making interviews anonymous to ensure honesty Don’t take questions too literally)
+|-
+| Step 3 - '''Set the target'''
+| Develop a target score that you can use as a measuring stick to guide you to act on the “most important” activities for your situation
+| '''Define the target'''
+Set or update the target by identifying which activities your organization should implement ideally. Typically this will include more lower-level than higher-level activities. Predefined roadmap templates can be used as a source for inspiration. Ensure that the total set of selected activities makes sense and take into account dependencies between activities.
+'''Estimate overall impact'''
-== A Plan to Achieve Level 1 Maturity ==
+Estimate the impact of the chosen target on the organization. Try to express in budgetary arguments.
+| See the How-To-Guide for  predefined templates Software Assurance Maturity Model (SAMM) Roadmap Chart Worksheet (part of the OpenSAMM Benchmarking as a comparative source)
+| Take into account the organisation’s risk profile Respect dependencies between activities As a rough measure, the overall impact of a software assurance effort is estimated at 5 to 10% of the total development cost.
+|-
+| Step 4 - '''Define the plan'''
+| Develop or update your plan to take your organization to the next level
+| '''Determine change schedule'''
+Choose a realistic change strategy in terms of number and duration of phases. A typical roadmap consists of 4-6 phases of 3 to 12 months.
-To have a well-rounded S-SDLC that builds security into many stages of the development lifecycle, consider whether these SAMM Level 1 practices can all be covered.
+'''Develop / Update the roadmap plan'''
-=== Strategy & metrics ===
+Distribute the implementation of additional activities over the different roadmap phases, taking into account the effort required to implement them.. Try to balance the implementation effort over the different periods, and take dependencies between activities into account
+| Software Assurance Maturity Model : A guide to building security into software development page 33:
+http://www.opensamm.org/
-* Assess and rank how applications add risk
+Project Plan
-* Implement a software assurance programme and build a roadmap for future improvement
+http://www.opensamm.org/downloads/
-* Promote understanding of the programme
+| Identify quick wins and plan them early on Start with awareness/training Adapt to coming release cycles / key projects
+|-
+| Step 5 - '''Implement'''
+| Work the plan
+| '''Implement activities'''
+Implement all activities that are part of this period. Consider their  impact on processes, people, knowledge and tools. The SAMM model contains prescriptive advice on how to do this. OWASP projects may help to facilitate
+this.
+| Useful OWASP resources per activity are described at https://www.owasp.org
+| Treat legacy software separately. Do not mandate migration unless really important. Avoid operational bottle-necks (in particular for the security team)
+|-
+| Step 6 - '''Roll out'''
+| Ensure that improvements are available and effectively used within the organization
+| '''Evangelize Improvements'''
+Make the steps and improvements visible for everyone involved by organizing training and communicating.
-=== Policy & compliance ===
+'''Measure effectiveness'''
-* Research and identify software & data compliance requirements
+Measure the adoption and effectiveness of implemented improvements by analyzing usage and impact.
-* Create guidance on how to meet the mandatory compliance requirements
+|
-* Ensure the guidance is used by project teams
+| Categorize applications according to their impact on the organization. Focus on high-impact applications. Use team champions to spread new activities throughout the organization
-* Review projects against the compliance requirements
+|}
-* Regularly review and update the requirements and guidance
-=== Education & guidance ===
+As part of a quick start effort, the first four phases (preparation, assess, setting the target and defining the plan) can be executed by a single person in a limited amount of time (1 to 2 days). Making sure that this is  supported in the organization, as well as the implementation and roll-out phases typically require much more time to execute.
-* Provide developers high-level technical security awareness training
+= Final Notes =
-* Create technology-specific best-practice secure development guidance
+The best way to grasp SAMM is to start using it. This document has presented a number of concrete steps and supportive material to execute these. Now it’s your turn. We warmly invite you to spend a day or two on following  the first steps, and you will quickly understand and appreciate the added value of the model. Enjoy! Suggestions for improvements are very welcome. And if you’re interested, consider to join the mailinglist or become part of the OpenSAMM community
-* Brief existing staff and new starters about the guidance and its expected usage
-* Undertake qualitative testing of security guidance knowledge
-=== Threat assessment ===
-* Examine and document the likely threats to the organisation and each application type
-* Build threat models
-* Develop attacker profiles defining their type and motivations
-=== Security requirements ===
-* Review projects and specify security requirements based on functionality
-* Analyze the compliance and best-practice security guidance documents to derive additional requirements
-* Ensure requirements are specific, measurable and reasonable
-=== Secure architecture ===
-* Create and maintain a list of recommended software frameworks, services and other software components
-* Develop a list of guiding security principles as a checklist against detailed designs
-* Distribute, promote and apply the design principles to new projects
-=== Design review ===
-* Identify the entry points (attack surface/defense perimeter) in software designs
-* Analyze software designs against the known security risks
-=== Code review ===
-* Create code review checklists based on common problems
-* Encourage the use of the checklists by each team member
-* Review selected high-risk code more formally
-* Consider utilizing automated code analysis tools for some checks
-=== Security testing ===
-* Specify security test cases based on known requirements and common vulnerabilities
-* Perform application penetration testing before each major release
-* Review test results and correct, or formally accept the risks of releasing with failed checks
-=== Vulnerability management ===
-* Define an application security point of contact for each project
-* Create an informal security response team
-* Develop an initial incident response process
-=== Environment hardening ===
-* Create and maintain specifications for application host environments
-* Monitor sources for information about security upgrades and patches for all software supporting or within the applications
-* Implement processes to test and apply critical security fixes
-=== Operational enablement ===
-* Record important software-specific knowledge that affects the deployed application's security
-* Inform operators/users as appropriate of this understandable/actionable information
-* Provide guidance on handling expected security-related alerts and error conditions
-== Do more ==
-Is level 1 the correct goal? Perhaps your organization is already doing more than these? Perhaps it should do more, or less. Read SAMM, and benchmark existing activities using the scorecard. Use the information resources listed below to help develop your own programme, guidance and tools.
-= Related articles =
-OWASP [http://www.opensamm.org/ Open Software Assurance Maturity Model (SAMM)] and [http://www.opensamm.org/download/ Downloads (Model, mappings, assessment templates, worksheet, project plan, tracking software, charts and graphics)]
-OWASP [https://www.owasp.org/index.php/Category:OWASP_CLASP_Project Comprehensive, Lightweight Application Security Process (CLASP)]
-OWASP [https://www.owasp.org/ Open Web Application Security Project (OWASP)], [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide Security requirements], [https://www.owasp.org/index.php/Cheat_Sheets Cheat sheets], [https://www.owasp.org/index.php/OWASP_Guide_Project Development Guide], [https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project Code Review Guide], [https://www.owasp.org/index.php/OWASP_Testing_Project Testing Guide] , [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project Application Security Verification Standard (ASVS)] and [https://www.owasp.org/index.php/Category:OWASP_Tool Tools]
-OWASP [https://www.owasp.org/index.php/OWASP_Podcast Application security podcast] and [https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series AppSec Tutorial Series]
-BITS [http://www.bits.org/publications/security/BITSSoftwareAssurance0112.pdf Financial Services Roundtable BITS Software Assurance Framework]
-CMU [http://www.cert.org/secure-coding/secure.html Team Software Process for Secure Systems Development (TSP Secure)]
-DACS/IATAC [http://iac.dtic.mil/iatac/download/security.pdf Software Security Assurance State of the Art Report]
-ENISA [http://www.enisa.europa.eu/act/application-security/secure-software-engineering/secure-software-engineering-initiatives Secure Software Engineering Initiatives]
-ISO/IEC [http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=44378 ISO/IEC 27034 Application Security]
-NIST [http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf SP 800-64 Rev2 Security Considerations in the Information System Development Life Cycle]
-SAFECode [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf Practical Security Stories and Security Tasks for Agile Development Environments]
-US DoHS [https://buildsecurityin.us-cert.gov/bsi/home.html Building Security In] and [https://buildsecurityin.us-cert.gov/swa/resources.html Software Assurance Resources]
-Other [http://www.sdlc.ws/ sdlc] and [http://www.sdlc.ws/software-testing-life-cycle-stlc-complete-tutorial/ Software Testing Life Cycle], [http://www.sdlc.ws/category/models/ sdlc models]
-Other [http://bsimm.com/ Building Security In Maturity Model (BSIMM)]
-Other [http://www.microsoft.com/security/sdl/default.aspx Microsoft Security Development Lifecycle (SDL)] and [http://go.microsoft.com/?linkid=9767361 Process guidance v5.1], [http://go.microsoft.com/?linkid=9708425 Simplified implementation]
-Other [http://www.oracle.com/us/support/assurance/index.html Oracle Software Security Assurance (OSSA)]
-= Authors and primary contributors =
-This cheat sheet is largely based on infortmation from OWASP SAMM v1.0 originally written by Pravir Chandra - chandra[at]owasp.org
-The cheat sheet was created by:
-Colin Watson - colin.watson[at]owasp.org