
Page 1: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Chapter 10: Software Assurance Maturity Model

Page 2

© Cengage Learning 2015

Objectives

• Appreciate the importance of using an open framework for implementing a security strategy
• Use the Software Assurance Maturity Model as a basis for software assurance
• Use a scorecard approach to measure the maturity of an organization’s software assurance program

Page 3

Overview of the Software Assurance Maturity Model

• Software assurance is the level of confidence that software functions in the intended manner
  – And is free from vulnerabilities
• Once an organization decides to meet software assurance goals:
  – The next step is to assess its current development and procurement activities and practices
• Requires two things:
  – A repeatable and objective assessment process
  – A clear benchmark or target that represents a suitable level of risk management

Page 4

Understanding the SAMM Framework

• SAMM was originally developed, designed, and written by Pravir Chandra
  – First draft was created in August 2008
  – First official release was in March 2009
• The document is currently maintained and updated through the OpenSAMM Project
• The project has become part of the Open Web Application Security Project (OWASP)
  – SAMM is an open model intended to help organizations formulate and implement a software security strategy

Page 5

Understanding the SAMM Framework

• Resources provided by SAMM help an organization do the following:
  – Evaluate its existing software security practices
  – Build a balanced software security assurance program in well-defined iterations
  – Demonstrate concrete improvements to a security assurance program
  – Define and measure security activities

Page 6

Understanding the SAMM Framework

• SAMM can be used by any organization
  – Regardless of size or software development methods
• The model can be used to support an entire business or just the needs of an individual project
• The framework of SAMM maps all activities under four business functions
  – Three security practices are mapped to each business function
• Thus, 12 security practices serve as the basis for assurance improvement

Page 7

Understanding the SAMM Framework

• The four business functions:
  – Governance - includes concerns for all groups in development as well as business processes
  – Construction - encompasses the processes and activities related to how an organization defines goals and creates software within development projects
  – Verification - contains the processes and activities related to how an organization checks and tests for errors produced during the development phase
  – Deployment - contains the processes and activities related to how an organization manages software releases


Page 9

Understanding the SAMM Framework

• SAMM resembles CoBIT (Control Objectives for Information and Related Technology)
• In the CoBIT model, security operation maturity levels take a value from 0 to 3:
  – Level 0 - the operation is not applied
  – Level 1 - an organization does not have a systematic approach to security but has a basic-level application
  – Level 2 - the operation is applied at the appropriate maturity level
  – Level 3 - the operation is applied perfectly

Page 10

Governance Business Function

• Governance - the process that enables people to make decisions through chains of responsibility, authority, and communications
• Governance also provides the ability to perform roles using mechanisms such as policy, control, and measurement
• Governance is not the same as management
  – Although managers do make governance decisions

Page 11

Governance Business Function

• Governance increases the likelihood of delivering a successful product by asking:
  – What is the scope being governed?
  – Who has the governing authority and what format is followed?
  – What are the governance goals?
  – What decision-making rights and communication structure are needed?
  – What policies, procedures, guidelines, controls, and measurements should be used to attain those goals?

Page 12

Governance Business Function

• The outcome of the governance business function provides the basis for:
  – Mandating an organization’s software assurance strategy
  – Establishing metrics to measure the success of that strategy
• Policies are developed to complement the strategy
• Audits are performed to ensure compliance with the policies
• Education is provided to teach employees about relevant security topics


Page 14

Strategy & Metrics Practice

• Strategy and metrics practice - defines an underlying framework for an organization’s software security assurance program
  – Establishing this practice should be an organization’s first step in defining security goals
• Protection strategies include:
  – Principles enacted by policies and procedures that state the requirements and risk tolerances for the database
  – Clear assignment of roles and responsibilities, periodic training, and financial incentives for staff

Page 15

Strategy & Metrics Practice

• Protection strategies include (cont’d):
  – An infrastructure architecture that fulfills security requirements, meets risk tolerances, and implements effective controls
  – Periodic review of all new and upgraded technologies
  – Regular review and monitoring of relevant processes, performance indicators, and performance measures
  – Regular review of new and emerging threats
  – Regular audits of relevant controls

Page 16

Strategy & Metrics Practice

• Effectively achieving and sustaining security is a continuous process
• Processes to plan, monitor, review, document, and update an organization’s security state must be ongoing
• SAMM suggests that organizations begin by implementing “lightweight” risk profiles
• More advanced security measures may later be applied that gradually lead to road maps toward greater efficiency in the security program

Page 17

Policy & Compliance Practice

• The policy and compliance practice has two purposes:
  – To understand and meet external legal and regulatory requirements
  – To develop and implement internal security policies to ensure alignment with the organization’s overall mission and vision
• Requirements of this practice include audits
  – To gather information about project-level activities to ensure policy compliance

Page 18

Education & Guidance Practice

• This practice ensures that the appropriate staff receive the knowledge and resources needed to design, develop, and deploy secure software
• Participants on project teams are better prepared to identify and reduce or eliminate security risks
• This practice defines activities for preparing a formal set of security guidelines as a reference for project teams

Page 19

Construction Business Function

• Construction: a business function that encompasses more than just the activities of software coding and testing
• Construction also includes:
  – Project management, requirements gathering, high-level architecture specification, detailed design, and implementation

Page 20

Construction Business Function

• Security practices applied at this level include:
  – Threat assessment - identifies potential attacks against the organization’s software
    • To help identify risks and improve the ability to manage them
  – Security requirements - enforces the practice of including security requirements during the software development process
  – Secure architecture - improves the software design process by promoting secure-by-default designs and greater control over the technologies and processes from which software is built


Page 22

Threat Assessment Practice

• This practice contains activities that help an organization identify and understand project-level risks
  – Based on the functionality of the software being designed and developed
  – Also based on the characteristics of the software’s operating environment
• Should start with simple threat models and gradually develop more detailed methods of threat analysis and measurement

Page 23

Security Requirements Practice

• This practice focuses on identifying and documenting software security requirements
• Security requirements are initially gathered based on the high-level business purpose of the software
• As the organization progresses, it can use more advanced techniques to discover new security requirements
  – Such as access control specifications
• An organization should map its security requirements into its relationships with suppliers

Page 24

Secure Architecture Practice

• This practice defines the roles of an organization that strives to design and build secure software as part of its standard development process
• Some security risks can be reduced by integrating reusable components and services into the software design process
• By beginning with simple implementations of software frameworks and secure design principles
  – An organization naturally evolves toward consistent use of design patterns for its security functions

Page 25

Verification Business Function

• The purpose of verification is to determine whether the products of a software activity fulfill the requirements or conditions imposed on them in a previous activity of the lifecycle model
• Security practices defined at this level are:
  – Design review
  – Code review
  – Security testing


Page 27

Design Review Practice

• Design review defines activities that aim to identify and assess software design and architecture for security problems
• Activities for this practice allow an organization to detect architecture-level issues early in software development
  – Avoiding potentially large costs from revisiting earlier lifecycle processes as a result of security concerns

Page 28

Code Review Practice

• Code review focuses on activities that are normally performed by the programmer of a project team
• This practice emphasizes software inspection at the source-code level
  – To find security vulnerabilities
  – Typically found through unit testing
• An organization uses checklists that correspond to previously developed and documented test cases

Page 29

Security Testing Practice

• Security testing focuses on inspecting software in the runtime environment to find security problems
  – Performed through penetration testing and high-level test cases
• These activities strengthen the assurance case for software
  – By checking it under real-world conditions
• Doing so draws attention to mistakes in business logic that are difficult to find otherwise

Page 30

Deployment Business Function

• Software deployment is a large and complex task
  – Creates new challenges in the areas of release, installation, activation, deactivation, updates, and removal of components
• Security practices defined by SAMM’s deployment business function:
  – Vulnerability management
  – Environment hardening
  – Operational enablement


Page 32

Vulnerability Management Practice

• This practice focuses on the activities of an organization with respect to handling vulnerability reports and security incidents
• By having this framework in place
  – Organizations can run projects more consistently and handle security events with increased efficiency
• A key to successful vulnerability management is to understand the roles each person plays in a security incident
  – And effectively identify and handle vulnerabilities through reporting procedures

Page 33

Environment Hardening Practice

• This practice helps an organization build assurance for its software’s operating environment
• There is a new obstacle in building assurance into “as-a-service” architectures
  – These architectures have become popular with the emergence of cloud computing solutions
• The best starting point for hardening the environment is to track and distribute information to keep development teams informed
  – Use scalable methods for deploying security patches and early-warning detectors

Page 34

Operational Enablement Practice

• The focus of this practice is to keep software users and operators informed
• It is suggested to avoid overlong documentation with a lot of technical jargon
• Start with simple documentation to capture the most important details for users and operators

Page 35

Applying SAMM: Getting the Job Done

• IT managers must be able to implement and manage the success of each business function and security practice
• Using scorecards, an organization can demonstrate its improvement through a process of integrating software assurance into existing company policies and procedures
• An organization can use SAMM as a road map to assist in building or improving a security assurance initiative

Page 36

Understanding the Maturity Levels

• Each level within the 12 security practices has an assigned objective
  – Objective is a general statement of goals for achieving that level
• The objectives at each level are attained by successful completion of activities defined by SAMM
• SAMM characterizes capabilities and deliverables as “results” obtained by achieving the given level
• SAMM provides specific example benchmarks that it calls success metrics

Page 37

Understanding the Maturity Levels

• Choices for data collection and management are left to the organization
  – The model does recommend data sources and thresholds
• The model provides information on expenses an organization may incur by attaining a given level
• These costs are not exhaustive
  – Additional expenses are possible depending on how the security practice is performed within the organization

Page 38

Understanding the Maturity Levels

• SAMM identifies seven IT job functions that can affect the success of software assurance:
  – Developers
  – Architects
  – Managers
  – QA testers
  – Security auditors
  – Business owners
  – Support operations

Page 39

SAMM Approach to Assessment

• To perform an assessment, an organization must establish a set of well-defined benchmarks (or metrics)
  – And then adopt and perform a measurement process against those benchmarks
• SAMM uses a set of predefined worksheets that serve as a starting point for determining the efficiency of each security practice being performed


Page 41

SAMM Approach to Assessment

• Each worksheet is evaluated based on one of two recommended approaches:
  – Lightweight - the worksheets are evaluated for each practice and scores are assigned based on the answers
  – Detailed - the worksheets are evaluated for each practice, followed by additional audits to ensure activities defined for that practice are in place

Page 42

SAMM Approach to Assessment

• An organization might fall within level 2 of a particular practice but perform other activities that are not substantial enough to achieve level 3
• In those cases, the score should be annotated with a + symbol to indicate that additional assurances are in place beyond the level obtained
• Organizations could end up with a maturity level score of 1, 1+, 2, 2+, 3, or 3+

Page 43

Using Scorecards to Measure Success

• Using interval scorecards is encouraged in several situations, according to the 2009 version of SAMM:
  – Gap analysis - capturing scores from detailed assessments versus expected performance levels
  – Demonstrating improvement - capturing scores from before and after an iteration of the assurance program’s roll-out
  – Ongoing measurement - capturing scores over consistent time frames for an assurance program that is already in place
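The “+” scoring rule from page 42 and the gap-analysis and before/after scorecards from page 43, worked through in Python as an added example (not code from the textbook or from the OpenSAMM project). It assumes the rule that a level is attained only when every worksheet activity at that level and below is complete, a level 0 for practices with no completed level-1 activity, and constructed worksheet answers for three of the 12 practices.

```python
"""SAMM-style scorecard: score each of the 12 practices from worksheet
answers, annotate partial progress with '+', and compare scores against
a target profile or an earlier assessment. Sample data is constructed."""

# The 12 SAMM security practices, three under each business function
PRACTICES = {
    "Governance": ["Strategy & Metrics", "Policy & Compliance",
                   "Education & Guidance"],
    "Construction": ["Threat Assessment", "Security Requirements",
                     "Secure Architecture"],
    "Verification": ["Design Review", "Code Review", "Security Testing"],
    "Deployment": ["Vulnerability Management", "Environment Hardening",
                   "Operational Enablement"],
}


def score_practice(answers):
    """answers maps a maturity level (1, 2, 3) to the yes/no worksheet
    answers for that level's activities. A level is attained only when
    every activity at it and at all lower levels is complete; any completed
    activity at the next level earns a '+'. Level 0 (an assumption; the
    slides list 1..3+) means no level-1 activity is complete.
    Returns (level, label), e.g. (2, "2+")."""
    level = 0
    for lvl in (1, 2, 3):
        acts = answers.get(lvl, [])
        if acts and all(acts):
            level = lvl
        else:
            break  # the first incomplete level stops the climb
    partial = any(answers.get(level + 1, []))
    return level, f"{level}{'+' if partial else ''}"


def scorecard(assessment):
    """assessment maps practice name -> answers dict. Returns
    {practice: (level, label)} for all 12 practices; a practice with no
    worksheet answers scores 0."""
    return {name: score_practice(assessment.get(name, {}))
            for names in PRACTICES.values() for name in names}


def gap_analysis(card, targets):
    """Gap analysis: attained level versus expected performance level per
    practice. A '+' records extra assurance but does not close a gap.
    Returns {practice: levels short} for every practice below target."""
    return {name: targets[name] - lvl
            for name, (lvl, _) in card.items()
            if targets.get(name, 0) > lvl}


def improvement(before, after):
    """Demonstrating improvement: scorecards captured before and after an
    iteration of the roll-out. Returns {practice: (old label, new label)}
    for every practice whose score changed."""
    return {name: (before[name][1], after[name][1])
            for name in after if before[name][1] != after[name][1]}


# Constructed worksheet answers for three practices; the other nine are
# left unassessed here and therefore score 0.
BEFORE = {
    "Strategy & Metrics": {1: [True, True], 2: [True, True], 3: [True, False]},
    "Code Review": {1: [True, True], 2: [False, True], 3: [False, False]},
    "Security Testing": {1: [True, True], 2: [True, True], 3: [True, True]},
}
# Same organization after one roll-out iteration: Code Review completes level 2
AFTER = dict(BEFORE, **{"Code Review": {1: [True, True], 2: [True, True],
                                         3: [False, False]}})
TARGETS = {"Strategy & Metrics": 3, "Code Review": 2, "Security Testing": 2}

if __name__ == "__main__":
    card = scorecard(BEFORE)
    for name, (_, label) in card.items():
        print(f"{name:26s} {label}")
    print("gaps:", gap_analysis(card, TARGETS))
    print("improved:", improvement(card, scorecard(AFTER)))
```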

Page 44

Summary

• The Software Assurance Maturity Model (SAMM) is an open framework for formulating and implementing a software security strategy that is specifically tailored to an organization’s risks
• The resources provided by SAMM help an organization evaluate its existing software security practices, build a balanced software security assurance program in well-defined iterations, demonstrate concrete improvements to a security assurance program, and define and measure security activities throughout the organization

Page 45

Summary

• SAMM was defined with flexibility in mind so it can be used by any organization, regardless of its size or style of software development
• A software security framework must be flexible and allow organizations to tailor their choices based on risk tolerance and the way they build and use software
• Guidance related to security activities must be prescriptive
• SAMM’s foundation is built on the core business functions of software development and the security practices associated with each