Measuring Security Best Practices with OpenSAMM
Alan Jex, SnowFROC 2013
Introductions
Alan Jex: Chief Security Architect at HP PPS, [email protected]
Outline
• Security Concerns and Goals
• OpenSAMM Framework
– Business Functions
– Security Practices
– Assessments
– Scorecards
– Roadmaps
Security Concerns
• What is your biggest security risk?
• What compliance requirements drive your business?
• How do you handle security incidents?
• Does your development team produce secure code?
Security Goals
• Avoiding the “big one” (data breach)
• Protecting the company brand
• Managing real security risks
• Developing a secure software development lifecycle (SDLC)
• Enabling new business
Enter OpenSAMM
• SAMM is:
– A Software Assurance Maturity Model
– An open framework for
• Measuring security practices
• Finding vulnerabilities earlier
– Lightweight, Flexible, Simple-to-understand, and Complete
– An OWASP project
4 Business Functions
12 Security Practices
Policy and Compliance
Security Requirements
Security Testing
Vulnerability Management
SAMM Assessments
• A SAMM assessment can be lightweight or detailed, according to your security process
SAMM Assessments
• SAMM provides assessment worksheets for every Security Practice
SAMM Scorecard
Levels are from 0 to 3:
0 Starting point
1 Ad hoc (manual)
2 Increased effectiveness (automated)
3 Comprehensive mastery (audited)
SAMM Roadmap
• Build your Security Program in phases
• Implement levels based on security risk
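As an added illustration of the scorecard levels and phased roadmap above (not code from the deck or from the OpenSAMM project): the 12 practice names follow OpenSAMM 1.0, while the assessment scores, phase targets and risk weights are constructed sample data.

```python
"""OpenSAMM scorecard and roadmap gap calculator (added example, not from the deck).
Practice and business-function names follow OpenSAMM 1.0; scores, phase targets and
risk weights below are constructed sample data, not any real assessment."""

LEVELS = {0: "Starting point", 1: "Ad hoc (manual)",
          2: "Increased effectiveness (automated)", 3: "Comprehensive mastery (audited)"}

# The 4 business functions and their 12 security practices (OpenSAMM 1.0 names).
FUNCTIONS = {
    "Governance":   ["Strategy & Metrics", "Policy & Compliance", "Education & Guidance"],
    "Construction": ["Threat Assessment", "Security Requirements", "Secure Architecture"],
    "Verification": ["Design Review", "Code Review", "Security Testing"],
    "Deployment":   ["Vulnerability Management", "Environment Hardening", "Operational Enablement"],
}
ALL_PRACTICES = [p for ps in FUNCTIONS.values() for p in ps]

def validate(assessment):
    """Every one of the 12 practices must be scored, nothing else, with a level 0-3."""
    if set(assessment) != set(ALL_PRACTICES):
        raise ValueError("assessment must score all 12 practices, no others")
    bad = {p: lvl for p, lvl in assessment.items() if lvl not in LEVELS}
    if bad:
        raise ValueError("levels must be 0-3: %r" % bad)

def scorecard(assessment):
    """Per business function: weakest practice level and average level."""
    validate(assessment)
    card = {}
    for func, practices in FUNCTIONS.items():
        levels = [assessment[p] for p in practices]
        card[func] = {"min": min(levels), "avg": round(sum(levels) / len(levels), 2)}
    return card

def roadmap_phase(assessment, targets, risk):
    """Practices still below their phase target, highest risk weight first
    (the 'implement levels based on security risk' ordering); risk maps practice -> weight."""
    validate(assessment)
    gaps = [(p, assessment[p], t) for p, t in targets.items() if assessment[p] < t]
    return sorted(gaps, key=lambda g: (-risk.get(g[0], 0), g[0]))

# Constructed sample: some automated testing in place, little governance yet.
SAMPLE = dict.fromkeys(ALL_PRACTICES, 0)
SAMPLE.update({"Security Testing": 2, "Code Review": 1, "Vulnerability Management": 1,
               "Security Requirements": 1, "Policy & Compliance": 1})
PHASE1 = {"Policy & Compliance": 2, "Security Requirements": 2, "Security Testing": 2,
          "Vulnerability Management": 2, "Threat Assessment": 1}
RISK = {"Vulnerability Management": 3, "Threat Assessment": 2, "Policy & Compliance": 2}
```

`scorecard(SAMPLE)` gives the per-function picture for the scorecard slide; `roadmap_phase(SAMPLE, PHASE1, RISK)` lists what phase 1 still has to raise, highest-risk practice first.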
Roadmap Templates
Government Online Service Provider
Summary
• SAMM allows you to:
– Measure and improve security best practices
– Focus on security risk to make effective use of security resources
– Find vulnerabilities earlier in the development process
– Prevent rather than react to security incidents
References
Security Maturity Models