Secure SDLC Flashcards
SAMM
OWASP Software Assurance Maturity Model (SAMM)
The structure and setup of the SAMM maturity model are made to support:
The assessment of the current software assurance posture
The definition of the strategy (i.e. the target) that the organization should take
The formulation of an implementation roadmap of how to get there and
Prescriptive advice on how to implement particular activities.
Secure SDLC:
A Software Development Life Cycle (SDLC) is a framework that defines the process used by organizations to build an application from its inception to its decommission. Over the years, multiple standard SDLC models have been proposed (Waterfall, Iterative, Agile, etc.) and used in various ways to fit individual circumstances. It is however safe to say that in general, SDLCs include the following phases:
Planning and requirements
Architecture and design
Test planning
Coding
Testing and results
Release and maintenance
Governance (SAMM)
Governance is centered on the processes and activities related to how an organization manages overall software development activities. More specifically, this includes concerns that cross-cut groups involved in development as well as business processes that are established at the organization level.
Construction (SAMM)
Construction concerns the processes and activities related to how an organization defines goals and creates software within development projects. In general, this will include product management, requirements gathering, high-level architecture specification, detailed design, and implementation.
Verification (SAMM)
Verification is focused on the processes and activities related to how an organization checks and tests artifacts produced throughout software development. This typically includes quality assurance work such as testing, but it can also include other review and evaluation activities.
Deployment (SAMM)
Deployment entails the processes and activities related to how an organization manages release of software that has been created. This can involve shipping products to end users, deploying products to internal or external hosts, and normal operations of software in the runtime environment.
Governance Security Practices
Strategy & Metrics involves the overall strategic direction of the software assurance program and instrumentation of processes and activities to collect metrics about an organization’s security posture.
Policy & Compliance involves setting up a security and compliance control and audit framework throughout an organization to achieve increased assurance in software under construction and in operation.
Education & Guidance involves increasing security knowledge amongst personnel in software development through training and guidance on security topics relevant to individual job functions.
Construction Security Practices
Threat Assessment involves accurately identifying and characterizing potential attacks upon an organization’s software in order to better understand the risks and facilitate risk management.
Security Requirements involves promoting the inclusion of security-related requirements during the software development process in order to specify correct functionality from inception.
Secure Architecture involves bolstering the design process with activities to promote secure-by-default designs and control over technologies and frameworks upon which software is built.
Verification Security Practices
Design Review involves inspection of the artifacts created from the design process to ensure provision of adequate security mechanisms and adherence to an organization’s expectations for security.
Code Review involves assessment of an organization’s source code to aid vulnerability discovery and related mitigation activities as well as establish a baseline for secure coding expectations.
Security Testing involves testing the organization’s software in its runtime environment in order to both discover vulnerabilities and establish a minimum standard for software releases.
Deployment Security Practices
Vulnerability Management involves establishing consistent processes for managing internal and external vulnerability reports to limit exposure and gather data to enhance the security assurance program.
Environment Hardening involves implementing controls for the operating environment surrounding an organization’s software to bolster the security posture of applications that have been deployed.
Operational Enablement involves identifying and capturing security-relevant information needed by an operator to properly configure, deploy, and run an organization’s software.
SAMM Step 1
Assess:
Ensure a proper start of the project
Define the scope
Set the target of the effort (the entire enterprise, a particular application, project, team, etc.)
Identify Stakeholders
Ensure that important stakeholders supposed to support and execute the project are identified and well aligned
Spread the word
Inform people about the initiative and provide them with information to understand what you will be doing
SAMM Step 2 - Assess
Identify and understand the maturity of your chosen scope in each of the 12 software security practices.
Evaluate current practices
Organize interviews with relevant stakeholders to understand the current state of practice within your organization. You could evaluate this yourself if you understand the organization sufficiently well. SAMM provides lightweight and detailed assessments (where the latter is an evidence-based evaluation) – use the detailed one only if you want to have absolute certainty about the scores.
Determine maturity level
Based on the outcome of the previous activity, determine for each security practice the maturity level according to the SAMM maturity scoring system. In a nutshell, when all activities below and within a maturity level have been implemented, this level can be used for the overall score. When extra higher-level activities have been implemented without reaching a full next level, add a “+” to the rating.
SAMM Step 3 - Set the target
Define the target
Set or update the target by identifying which activities your organization should implement ideally. Typically this will include more lower-level than higher-level activities. Predefined roadmap templates can be used as a source for inspiration. Ensure that the total set of selected activities makes sense and take into account dependencies between activities.
Estimate overall impact
Estimate the impact of the chosen target on the organization. Try to express in budgetary arguments.
SAMM Step 4 - Define the plan
Determine change schedule
Choose a realistic change strategy in terms of number and duration of phases. A typical roadmap consists of 4-6 phases of 3 to 12 months.
Develop / Update the roadmap plan
Distribute the implementation of additional activities over the different roadmap phases, taking into account the effort required to implement them. Try to balance the implementation effort over the different periods, and take dependencies between activities into account.