Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Chapter 10: Software Assurance Maturity Model
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
2© Cengage Learning 2015
Objectives
• Appreciate the importance of using an open framework for implementing a security strategy
• Use the Software Assurance Maturity Model as a basis for software assurance
• Use a scorecard approach to measure the maturity of an organization’s software assurance program
Overview of the Software Assurance Maturity Model
• Software assurance is the level of confidence that software functions in the intended manner
– And is free from vulnerabilities
• Once an organization decides to meet software assurance goals:
– The next step is to assess its current development and procurement activities and practices
• Requires two things:
– A repeatable and objective assessment process
– A clear benchmark or target that represents a suitable level of risk management
Understanding the SAMM Framework
• SAMM was originally developed, designed, and written by Pravir Chandra
– First draft was created in August 2008
– First official release was in March 2009
• The document is currently maintained and updated through the OpenSAMM Project
• The project has become part of the Open Web Application Security Project (OWASP)
– SAMM is an open model intended to help organizations formulate and implement a software security strategy
Understanding the SAMM Framework
• Resources provided by SAMM help an organization do the following:
– Evaluate its existing software security practices
– Build a balanced software security assurance program in well-defined iterations
– Demonstrate concrete improvements to a security assurance program
– Define and measure security activities
Understanding the SAMM Framework
• SAMM can be used by any organization
– Regardless of size or software development methods
• The model can be used to support an entire business or just the needs of an individual project
• The framework of SAMM maps all activities under four business functions
– Three security practices are mapped to each business function
• Thus, 12 security practices serve as the basis for assurance improvement
Understanding the SAMM Framework
• The four business functions:
– Governance - includes concerns for all groups in development as well as business processes
– Construction - encompasses processes and activities related to how an organization defines goals and creates software within development projects
– Verification - contains processes and activities related to how an organization checks and tests errors produced during the development phase
– Deployment - contains the processes and activities related to how an organization manages software releases
Understanding the SAMM Framework
• SAMM resembles CoBIT (Control Objectives for Information and Related Technology)
• In the CoBIT model, security operation maturity levels take a value from 0 to 3:
– Level 0 - the operation is not applied
– Level 1 - an organization does not have a systematic approach to security but has a basic-level application
– Level 2 - the operation is applied at the appropriate maturity level
– Level 3 - the operation is applied perfectly
Governance Business Function
• Governance - the process that enables people to make decisions through chains of responsibility, authority, and communications
• Governance also provides the ability to perform roles using mechanisms such as policy, control, and measurement
• Governance is not the same as management
– Although managers do make governance decisions
Governance Business Function
• Governance increases the likelihood of delivering a successful product by asking:
– What is the scope being governed?
– Who has the governing authority and what format is followed?
– What are the governance goals?
– What decision-making rights and communication structure are needed?
– What policies, procedures, guidelines, controls, and measurements should be used to attain those goals?
Governance Business Function
• The outcome of the governance business function provides the basis for:
– Mandating an organization’s software assurance strategy
– Establishing metrics to measure the success of that strategy
• Policies are developed to complement the strategy
• Audits are performed to ensure compliance with the policies
• Education is provided to teach employees about relevant security topics
Strategy & Metrics Practice
• Strategy and metrics practice - defines an underlying framework for an organization’s software security assurance program
– Establishing this practice should be an organization’s first step in defining security goals
• Protection strategies include:
– Principles enacted by policies and procedures that state the requirements and risk tolerances for the database
– Clear assignment of roles and responsibilities, periodic training and financial incentives for staff
Strategy & Metrics Practice
• Protection strategies include (cont’d):
– An infrastructure architecture that fulfills security requirements, meets risk tolerances, and implements effective controls
– Periodic review of all new and upgraded technologies
– Regular review and monitoring of relevant processes, performance indicators, and performance measures
– Regular review of new and emerging threats
– Regular audits of relevant controls
Strategy & Metrics Practice
• Effectively achieving and sustaining security is a continuous process
• Processes to plan, monitor, review, document, and update an organization’s security state must be ongoing
• SAMM suggests that organizations begin by implementing “lightweight” risk profiles
• More advanced security measures may later be applied that gradually lead to road maps toward greater efficiency in the security program
Policy & Compliance Practice
• Policy and compliance process has two purposes:
– To understand and meet external legal and regulatory requirements
– To develop and implement internal security policies to ensure alignment with the organization’s overall mission and vision
• Requirements of this practice include audits
– To gather information about project-level activities to ensure policy compliance
Education & Guidance Practice
• This practice ensures that the appropriate staff receive the knowledge and resources needed to design, develop, and deploy secure software
• Participants on project teams are better prepared to identify and reduce or eliminate security risks
• This practice defines activities for preparing a formal set of security guidelines as a reference for project teams
Construction Business Function
• Construction: a business function that encompasses more than just the activities of software coding and testing
• Construction also includes:
– Project management, requirements gathering, high-level architecture specification, detailed design, and implementation
Construction Business Function
• Security practices applied at this level include:
– Threat assessment - identifies potential attacks against the organization’s software
• To help identify risks and improve the ability to manage them
– Security requirements - enforces the practice of including security requirements during the software development process
– Secure architecture - improves the software design process by promoting secure-by-default designs and greater control over the technologies and processes from which software is built
Threat Assessment Practice
• This practice contains activities that help an organization identify and understand project-level risks
– Based on the functionality of the software being designed and developed
– Also based on the characteristics of the software’s operating environment
• Should start with simple threat models and gradually develop more detailed methods of threat analysis and measurement
Security Requirements Practice
• This practice focuses on identifying and documenting software security requirements
• Security requirements are initially gathered based on the high-level business purpose of the software
• As the organization progresses, it can use more advanced techniques to discover new security requirements
– Such as access control specifications
• An organization should map its security requirements into its relationships with suppliers
Secure Architecture Practice
• This practice defines the roles of an organization that strives to design and build secure software as part of its standard development process
• Some security risks can be reduced by integrating reusable components and services into the software design process
• By beginning with simple implementations of software frameworks and secure design principles
– An organization naturally evolves toward consistent use of design patterns for its security functions
Verification Business Function
• The purpose of verification is to determine whether the products of a software activity fulfill the requirements or conditions imposed on them in a previous activity of the lifecycle model
• Security practices defined at this level are:
– Design review
– Code review
– Security testing
Design Review Practice
• Design review defines activities that aim to identify and assess software design and architecture for security problems
• Activities for this practice allow an organization to detect architecture-level issues early in software development
– Avoiding potentially large costs from revisiting earlier lifecycle processes as a result of security concerns
Code Review Practice
• Code review focuses on activities that are normally performed by the programmer of a project team
• This practice emphasizes software inspection at the source-code level
– To find security vulnerabilities
– Typically found through unit testing
• An organization uses checklists that correspond to previously developed and documented test cases
Security Testing Practice
• Security testing focuses on inspecting software in the runtime environment to find security problems
– Performed through penetration testing and high-level test cases
• These activities strengthen the assurance case for software
– By checking it under real-world conditions
• Doing so draws attention to mistakes in business logic that are difficult to find otherwise
Deployment Business Function
• Software deployment is a large and complex task
– Creates new challenges in the areas of release, installation, activation, deactivation, updates, and removal of components
• Security practices defined by SAMM’s deployment business function:
– Vulnerability management
– Environment hardening
– Operational enablement
Vulnerability Management Practice
• This practice focuses on the activities of an organization with respect to handling vulnerability reports and security incidents
• By having this framework in place
– Organizations can run projects more consistently and handle security events with increased efficiency
• A key to successful vulnerability management is to understand the roles each person plays in a security incident
– And effectively identify and handle vulnerabilities through reporting procedures
Environment Hardening Practice
• This practice helps an organization build assurance for its software’s operating environment
• There is a new obstacle in building assurance into “as-a-service” architectures
– These architectures have become popular with the emergence of cloud computing solutions
• The best starting point for hardening the environment is to track and distribute information to keep development teams informed
– Use scalable methods for deploying security patches and early-warning detectors
Operational Enablement Practice
• The focus of this practice is to keep software users and operators informed
• It is suggested to avoid overwritten documentation with a lot of technical jargon
• Start with simple documentation to capture the most important details for users and operators
Applying SAMM - Getting the Job Done
• IT managers must be able to implement and manage the success of each business function and security practice
• Using scorecards, an organization can demonstrate its improvement through a process of integrating software assurance into existing company policies and procedures
• An organization can use SAMM as a road map to assist in building or improving a security assurance initiative
Understanding the Maturity Levels
• Each level within the 12 security practices has an assigned objective
– Objective is a general statement of goals for achieving that level
• The objectives at each level are attained by successful completion of activities defined by SAMM
• SAMM characterizes capabilities and deliverables as “results” obtained by achieving the given level
• SAMM provides specific example benchmarks that it calls success metrics
Understanding the Maturity Levels
• Choices for data collection and management are left to the organization
– The model does recommend data sources and thresholds
• The model provides information on expenses an organization may incur by attaining a given level
• These costs are not exhaustive
– Additional expenses are possible depending on how the security practice is performed within the organization
Understanding the Maturity Levels
• SAMM identifies seven IT job functions that can affect the success of software assurance:
– Developers
– Architects
– Managers
– QA testers
– Security auditors
– Business owners
– Support operations
SAMM Approach to Assessment
• To perform an assessment, an organization must establish a set of well-defined benchmarks (or metrics)
– And then adopt and perform a measurement process against those benchmarks
• SAMM uses a set of predefined worksheets that serve as a starting point for determining the efficiency of each security practice being performed
SAMM Approach to Assessment
• Each worksheet is evaluated based on one of two recommended approaches:
– Lightweight - the worksheets are evaluated for each practice and scores are assigned based on the answers
– Detailed - the worksheets are evaluated for each practice, followed by additional audits to ensure activities defined for that practice are in place
SAMM Approach to Assessment
• An organization might fall within level 2 of a particular practice but perform other activities that are not substantial enough to achieve level 3
• In those cases, the score should be annotated with a + symbol to indicate that additional assurances are in place beyond the level obtained
• Organizations could end up with a maturity level score of 1, 1+, 2, 2+, 3, or 3+
Using Scorecards to Measure Success
• Using interval scorecards is encouraged in several situations, according to the 2009 version of SAMM:
– Gap analysis - capturing scores from detailed assessments versus expected performance levels
– Demonstrating improvement - capturing scores from before and after an iteration of the assurance program’s roll-out
– Ongoing measurement - capturing scores over consistent time frames for an assurance program that is already in place
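The scoring rules on the assessment slides (a level of 0 to 3 per practice, annotated with a "+" when extra activities are in place but fall short of the next level) and the three scorecard uses on this slide (gap analysis, demonstrating improvement, ongoing measurement), worked through as an added example that is not part of the textbook or of the OpenSAMM project. It assumes the twelve practice names used in this chapter, treats a "+" as half a level when comparing scores (an assumption made for this example, not a SAMM rule), and uses constructed sample assessments rather than real data.

```python
from dataclasses import dataclass

# The four SAMM business functions and the three practices under each, as named in this chapter.
PRACTICES = {
    "Governance": ("Strategy & Metrics", "Policy & Compliance", "Education & Guidance"),
    "Construction": ("Threat Assessment", "Security Requirements", "Secure Architecture"),
    "Verification": ("Design Review", "Code Review", "Security Testing"),
    "Deployment": ("Vulnerability Management", "Environment Hardening", "Operational Enablement"),
}
ALL_PRACTICES = tuple(p for group in PRACTICES.values() for p in group)


@dataclass(frozen=True)
class Score:
    """One practice's maturity: a level 0-3 plus an optional '+' annotation."""
    level: int
    plus: bool = False

    @classmethod
    def parse(cls, text: str) -> "Score":
        # Accepts "0".."3" with an optional trailing "+", e.g. "2+"; rejects anything else.
        text = text.strip()
        plus = text.endswith("+")
        digits = text[:-1] if plus else text
        if not digits.isdigit() or not 0 <= int(digits) <= 3:
            raise ValueError(f"invalid maturity score {text!r}; expected 0-3 with optional '+'")
        return cls(int(digits), plus)

    def value(self) -> float:
        # Assumption for this example: a '+' counts as half a level when scores are compared.
        return self.level + (0.5 if self.plus else 0.0)

    def __str__(self) -> str:
        return f"{self.level}{'+' if self.plus else ''}"


def parse_scorecard(raw: dict) -> dict:
    """Check that every one of the 12 practices is scored exactly once and parse each score."""
    missing = [p for p in ALL_PRACTICES if p not in raw]
    unknown = [p for p in raw if p not in ALL_PRACTICES]
    if missing or unknown:
        raise ValueError(f"scorecard incomplete: missing={missing} unknown={unknown}")
    return {p: Score.parse(raw[p]) for p in ALL_PRACTICES}


def function_averages(card: dict) -> dict:
    """Average numeric score per business function, a per-function summary row for a scorecard."""
    return {fn: round(sum(card[p].value() for p in ps) / len(ps), 2) for fn, ps in PRACTICES.items()}


def gap_analysis(current: dict, target: dict) -> dict:
    """Gap analysis: practices scoring below the expected level, with the shortfall in levels."""
    return {
        p: round(target[p].value() - current[p].value(), 1)
        for p in ALL_PRACTICES
        if current[p].value() < target[p].value()
    }


def improvement(before: dict, after: dict) -> dict:
    """Demonstrating improvement: per-practice change between two assessments (positive = better)."""
    return {p: round(after[p].value() - before[p].value(), 1) for p in ALL_PRACTICES}


# Constructed sample assessments (not real data): the scores before and after one iteration of
# the assurance program's roll-out, and the target level the organization chose for every practice.
BEFORE = parse_scorecard({
    "Strategy & Metrics": "1", "Policy & Compliance": "0", "Education & Guidance": "1",
    "Threat Assessment": "0", "Security Requirements": "1", "Secure Architecture": "1+",
    "Design Review": "0", "Code Review": "1", "Security Testing": "1",
    "Vulnerability Management": "1", "Environment Hardening": "1", "Operational Enablement": "0",
})
AFTER = parse_scorecard({
    "Strategy & Metrics": "2", "Policy & Compliance": "1", "Education & Guidance": "1+",
    "Threat Assessment": "1", "Security Requirements": "2", "Secure Architecture": "2",
    "Design Review": "1", "Code Review": "2+", "Security Testing": "1+",
    "Vulnerability Management": "2", "Environment Hardening": "1+", "Operational Enablement": "1",
})
TARGET = parse_scorecard({p: "2" for p in ALL_PRACTICES})


if __name__ == "__main__":
    print("function averages after roll-out:", function_averages(AFTER))
    print("remaining gaps to target:", gap_analysis(AFTER, TARGET))
    print("improvement per practice:", {p: d for p, d in improvement(BEFORE, AFTER).items() if d})
```

Running the same `parse_scorecard` and `gap_analysis` calls on each periodic assessment gives the ongoing-measurement view; keeping the parsed cards in a list ordered by date is enough to chart a practice's score over time.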
Summary
• The Software Assurance Maturity Model (SAMM) is an open framework for formulating and implementing a software security strategy that is specifically tailored to an organization’s risks
• The resources provided by SAMM help an organization evaluate its existing software security practices, build a balanced software security assurance program in well-defined iterations, demonstrate concrete improvements to a security assurance program, and define and measure security activities throughout the organization
Summary (cont’d)
• SAMM was defined with flexibility in mind so it can be used by any organization, regardless of its size or style of software development
• A software security framework must be flexible and allow organizations to tailor their choices based on risk tolerance and the way they build and use software
• Guidance related to security activities must be prescriptive
• SAMM’s foundation is built on the core business functions of software development and the security practices associated with each