Chapter 10
Software Assurance Maturity Model

Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Cengage Learning 2015

Objectives
  Appreciate the importance of using an open framework for implementing a security strategy
  Use the Software Assurance Maturity Model as a basis for software assurance
  Use a scorecard approach to measure the maturity of an organization's software assurance program

Overview of the Software Assurance Maturity Model
  Software assurance is the level of confidence that software functions in the intended manner and is free from vulnerabilities
  Once an organization decides to meet software assurance goals, the next step is to assess its current development and procurement activities and practices
  This requires two things:
    A repeatable and objective assessment process
    A clear benchmark or target that represents a suitable level of risk management

Understanding the SAMM Framework
  SAMM was originally developed, designed, and written by Pravir Chandra
    The first draft was created in August 2008
    The first official release was in March 2009
  The document is currently maintained and updated through the OpenSAMM Project
    The project has become part of the Open Web Application Security Project (OWASP)
  SAMM is an open model intended to help organizations formulate and implement a software security strategy

Understanding the SAMM Framework
  Resources provided by SAMM help an organization do the following:
    Evaluate its existing software security practices
    Build a balanced software security assurance program in well-defined iterations
    Demonstrate concrete improvements to a security assurance program
    Define and measure security activities

Understanding the SAMM Framework
  SAMM can be used by any organization, regardless of size or software development methods
  The model can be used to support an entire business or just the needs of an individual project
  The framework of SAMM maps all activities under four business functions
  Three security practices are mapped to each business function
  Thus, 12 security practices serve as the basis for assurance improvement

Understanding the SAMM Framework
  The four business functions:
    Governance - includes concerns for all groups in development as well as business processes
    Construction - encompasses the processes and activities related to how an organization defines goals and creates software within development projects
    Verification - contains the processes and activities related to how an organization checks and tests for errors produced during the development phase
    Deployment - contains the processes and activities related to how an organization manages software releases

Understanding the SAMM Framework
  SAMM resembles COBIT (Control Objectives for Information and Related Technology)
  In the COBIT model, security operation maturity levels take a value from 0 to 3:
    Level 0 - the operation is not applied
    Level 1 - an organization does not have a systematic approach to security but has a basic-level application
    Level 2 - the operation is applied at the appropriate maturity level
    Level 3 - the operation is applied perfectly

Governance Business Function
  Governance - the process that enables people to make decisions through chains of responsibility, authority, and communications
  Governance also provides the ability to perform roles using mechanisms such as policy, control, and measurement
  Governance is not the same as management, although managers do make governance decisions

Governance Business Function
  Governance increases the likelihood of delivering a successful product by asking:
    What is the scope being governed?
    Who has the governing authority and what format is followed?
    What are the governance goals?
    What decision-making rights and communication structure are needed?
    What policies, procedures, guidelines, controls, and measurements should be used to attain those goals?

Governance Business Function
  The outcome of the governance business function provides the basis for:
    Mandating an organization's software assurance strategy
    Establishing metrics to measure the success of that strategy
  Policies are developed to complement the strategy
  Audits are performed to ensure compliance with the policies
  Education is provided to teach employees about relevant security topics

Strategy & Metrics Practice
  Strategy and metrics practice - defines an underlying framework for an organization's software security assurance program
  Establishing this practice should be an organization's first step in defining security goals
  Protection strategies include:
    Principles enacted by policies and procedures that state the requirements and risk tolerances for the database
    Clear assignment of roles and responsibilities, periodic training, and financial incentives for staff
    An infrastructure architecture that fulfills security requirements, meets risk tolerances, and implements effective controls
    Periodic review of all new and upgraded technologies
    Regular review and monitoring of relevant processes, performance indicators, and performance measures
    Regular review of new and emerging threats
    Regular audits of relevant controls

Strategy & Metrics Practice
  Effectively achieving and sustaining security is a continuous process
  Processes to plan, monitor, review, document, and update an organization's security state must be ongoing
  SAMM suggests that organizations begin by implementing lightweight risk profiles
  More advanced security measures may later be applied that gradually lead to road maps toward greater efficiency in the security program

Policy & Compliance Practice
  The policy and compliance practice has two purposes:
    To understand and meet external legal and regulatory requirements
    To develop and implement internal security policies that ensure alignment with the organization's overall mission and vision
  Requirements of this practice include audits to gather information about project-level activities and ensure policy compliance

Education & Guidance Practice
  This practice ensures that the appropriate staff receive the knowledge and resources needed to design, develop, and deploy secure software
  Participants on project teams are better prepared to identify and reduce or eliminate security risks
  This practice defines activities for preparing a formal set of security guidelines as a reference for project teams

Construction Business Function
  Construction: a business function that encompasses more than just the activities of software coding and testing
  Construction also includes project management, requirements gathering, high-level architecture specification, detailed design, and implementation

Construction Business Function
  Security practices applied at this level include:
    Threat assessment - identifies potential attacks against the organization's software, to help identify risks and improve the ability to manage them
    Security requirements - enforces the practice of including security requirements during the software development process
    Secure architecture - improves the software design process by promoting secure-by-default designs and greater control over the technologies and processes from which software is built

Threat Assessment Practice
  This practice contains activities that help an organization identify and understand project-level risks
    Based on the functionality of the software being designed and developed
    Also based on the characteristics of the software's operating environment
  It should start with simple threat models and gradually develop more detailed methods of threat analysis and measurement

Security Requirements Practice
  This practice focuses on identifying and documenting software security requirements
  Security requirements are initially gathered based on the high-level business purpose of the software
  As the organization progresses, it can use more advanced techniques to discover new security requirements, such as access control specifications
  An organization should map its security requirements into its relationships with suppliers

Secure Architecture Practice
  This practice defines the roles of an organization that strives to design and build secure software as part of its standard development process
  Some security risks can be reduced by integrating reusable components and services into the software design process
  By beginning with simple implementations of software frameworks and secure design principles, an organization naturally evolves toward consistent use of design patterns for its security functions

Verification Business Function
  The purpose of verification is to determine whether the products of a software activity fulfill the requirements or conditions imposed on them in a previous activity of the lifecycle model
  Security practices defined at this level are:
    Design review
    Code review
    Security testing

Design Review Practice
  Design review defines activities that aim to identify and assess software design and architecture for security problems
  Activities for this practice allow an organization to detect architecture-level issues early in software development, avoiding potentially large costs from revisiting earlier lifecycle processes as a result of security concerns

Code Review Practice
  Code review focuses on activities that are normally performed by the programmers on a project team
  This practice emphasizes software inspection at the source-code level to find security vulnerabilities
    Typically found through unit testing
  An organization uses checklists that correspond to previously developed and documented test cases

Security Testing Practice
  Security testing focuses on inspecting software in the runtime environment to find security problems
    Performed through penetration testing and high-level test cases
  These activities strengthen the assurance case for software by checking it under real-world conditions
  Doing so draws attention to mistakes in business logic that are difficult to find otherwise

Deployment Business Function
  Software deployment is a large and complex task
  It creates new challenges in the areas of release, installation, activation, deactivation, updates, and removal of components
  Security practices defined by SAMM's deployment business function:
    Vulnerability management
    Environment hardening
    Operational enablement

Vulnerability Management Practice
  This practice focuses on the activities of an organization with respect to handling vulnerability reports and security incidents
  By having this framework in place, organizations can run projects more consistently and handle security events with increased efficiency
  A key to successful vulnerability management is to understand the roles each person plays in a security incident and to effectively identify and handle vulnerabilities through reporting procedures

Environment Hardening Practice
  This practice helps an organization build assurance for its software's operating environment
  There is a new obstacle in building assurance into as-a-service architectures
    These architectures have become popular with the emergence of cloud computing solutions
  The best starting point for hardening the environment is to track and distribute information to keep development teams informed
  Use scalable methods for deploying security patches and early-warning detectors

Operational Enablement Practice
  The focus of this practice is to keep software users and operators informed
  Avoid overly detailed documentation with a lot of technical jargon
  Start with simple documentation to capture the most important details for users and operators

Applying SAMM - Getting the Job Done
  IT managers must be able to implement and manage the success of each business function and security practice
  Using scorecards, an organization can demonstrate its improvement through a process of integrating software assurance into existing company policies and procedures
  An organization can use SAMM as a road map to assist in building or improving a security assurance initiative

Understanding the Maturity Levels
  Each level within the 12 security practices has an assigned objective
    The objective is a general statement of goals for achieving that level
  The objectives at each level are attained by successful completion of activities defined by SAMM
  SAMM characterizes capabilities and deliverables as results obtained by achieving the given level
  SAMM provides specific example benchmarks that it calls success metrics

Understanding the Maturity Levels
  Choices for data collection and management are left to the organization
    The model does recommend data sources and thresholds
  The model provides information on expenses an organization may incur by attaining a given level
    These costs are not exhaustive
    Additional expenses are possible depending on how the security practice is performed within the organization

Understanding the Maturity Levels
  SAMM identifies seven IT job functions that can affect the success of software assurance:
    Developers
    Architects
    Managers
    QA testers
    Security auditors
    Business owners
    Support operations

SAMM Approach to Assessment
  To perform an assessment, an organization must establish a set of well-defined benchmarks (or metrics) and then adopt and perform a measurement process against those benchmarks
  SAMM uses a set of predefined worksheets that serve as a starting point for determining the efficiency of each security practice being performed

SAMM Approach to Assessment
  Each worksheet is evaluated based on one of two recommended approaches:
    Lightweight - the worksheets are evaluated for each practice and scores are assigned based on the answers
    Detailed - the worksheets are evaluated for each practice, followed by additional audits to ensure activities defined for that practice are in place

SAMM Approach to Assessment
  An organization might fall within level 2 of a particular practice but perform other activities that are not substantial enough to achieve level 3
  In those cases, the score should be annotated with a + symbol to indicate that additional assurances are in place beyond the level obtained
  Organizations could end up with a maturity level score of 1, 1+, 2, 2+, 3, or 3+

Using Scorecards to Measure Success
  Using interval scorecards is encouraged in several situations, according to the 2009 version of SAMM:
    Gap analysis - capturing scores from detailed assessments versus expected performance levels
    Demonstrating improvement - capturing scores from before and after an iteration of the assurance program's roll-out
    Ongoing measurement - capturing scores over consistent time frames for an assurance program that is already in place

Summary
  The Software Assurance Maturity Model (SAMM) is an open framework for formulating and implementing a software security strategy that is specifically tailored to an organization's risks
  The resources provided by SAMM help an organization evaluate its existing software security practices, build a balanced software security assurance program in well-defined iterations, demonstrate concrete improvements to a security assurance program, and define and measure security activities throughout the organization

Summary
  SAMM was defined with flexibility in mind so it can be used by any organization, regardless of its size or style of software development
  A software security framework must be flexible and allow organizations to tailor their choices based on risk tolerance and the way they build and use software
  Guidance related to security activities must be prescriptive
  SAMM's foundation is built on the core business functions of software development and the security practices associated with each
