The OWASP® Foundation released Software Assurance Maturity Model (SAMM) 2.0 last week. The framework aims to build a better security posture for every organization that develops software; it is a model for baking security deep into the SDLC, regardless of which flavor of SDLC you follow.
Using a single GitHub source, the SAMM team now automatically generates the Maturity Model that includes PDF documents, a website, along with the companion toolbox and applications. Model content has been converted to YAML files, improving automation while also allowing tools or other SAMM consumers to automatically use the model.
SAMM 2.0 Press Release
As you can see, SAMM is not intended to replace either your existing SDLC practice or your current maturity model, such as the Capability Maturity Model (CMM). Instead, SAMM should be interwoven into your existing process and become part of the fabric of your team’s day-to-day activities.
For those of us who produce the capabilities (developers and engineers), being chased by project managers on financials and timelines, by testers on defects, and by security professionals on findings and compliance is usually the least motivating part of the day. A maturity model and process aim to bake that seeming overhead into routines: streamline it, standardize it, quantify it, and showcase its benefits the same way the development team showcases features. What you get is an organic integration of security practices into the software assurance lifecycle.
OWASP has a list of exciting projects (https://owasp.org/projects/). The most famous one is the OWASP Top 10; see my earlier post on it. Its website has a wealth of information security information and practices you will benefit from.
The Open Web Application Security Project (OWASP) Top 10 2021 is now in draft for peer review. OWASP is an online community that provides articles, best practices, tools, and communications; it is a nonprofit foundation you should follow. I recreated a one-pager of the 2021 Top 10 side by side with the lists from 2017 and 2013, where you can see how the categories moved.
OWASP Top 10 2021 Draft. 2017 is the current official list.
I added an additional icon to each category. A bug icon indicates a state of failure; a fire icon indicates an attack; and a minus icon indicates insufficient action. Here is more explanation:
Failure: a scenario of “I forgot to lock my door, and I do not check, monitor, or alarm it.” It is a state, and it can go unnoticed, or even unharmed, until someone breaks in, which is known as an incident.
Fire: a scenario of “My lock is not strong enough” when someone attacks. This requires a purposeful action from outside to start. Note that there is a constant race between locksmiths and lock breakers; this is an area where you might do enough and your attacker still gets ahead of the game.
Insufficient action: a scenario of “I never upgrade my locks, or I installed the wrong lock.” It is a root cause, and it leads to the state of failure.
From 2017 to 2021: XSS is now part of Injection. XXE is part of Security Misconfiguration. Insecure Deserialization is now part of Software and Data Integrity Failures.
OWASP
You can find plenty of OWASP videos on YouTube. They are a good starting place to learn the basics. In this post, I will comment on a few items I feel strongly about.
New category – Insecure design: In my career, I have been an advocate of moving security from right to left, and from operational reactiveness to proactive design, development, and testing. My current design norm requires the security architect to be at the core of the herd (along with the software and infrastructure architects). They are not three architects in different disciplines, but three full-stack architects with assigned focuses and accountabilities, so they can fully collaborate. In addition, in my personal view, this is still not far enough left. Security needs to go all the way to the start: requirements. We should build security in as a mandatory and essential feature of every product or service. If you don’t have the requirement, you can’t design for it. If you don’t have a design, you cannot start developing.
New category – Server-side request forgery: OWASP states that this category has a relatively low incidence rate with above-average testing coverage, along with above-average ratings for exploit and impact potential. This new category is a perfect example of OWASP listening to the industry and adding an emerging problem powered by advanced techniques.
Cryptographic failures: Previously known as Sensitive Data Exposure. An organization can have this problem unnoticed, and sometimes unhurt. It can come from anywhere: a bad design, a rushed release, someone’s neglect, corner cutting, work fatigue, or a process deviation. Consider encryption the last line of defense. Usually multiple control failures lead to data exposure; when it does happen, meaning everything else has failed and your data ends up with the wrong party, at least it is not readable. What I mean is: do not rely on encryption alone, but do work on it diligently, to the maximum degree.
Known vulnerabilities (now Vulnerable and Outdated Components): People tend to ignore technical debt, which includes known vulnerabilities. Known vulnerabilities are not self-exploding bombs, but they are flammables, weakened links, and worn pipes, making your systems easy targets. They could be the center of the next disaster when bad actors and a situation have a rendezvous. They are not as obvious as a bug, a misconfiguration, or an operational failure. Most of the time, it feels just like another day. I created a special minus icon for that reason: a call for action. Don’t let technical debt bankrupt an organization.
A few trending down: Bad actors do not give anyone a break. Injection and broken authentication are moving down the list not because we live in a world with less attack activity, but because better tools and solutions are in place to detect and fend off those issues. From software as a service and platform as a service to modern frameworks, rigorous reviews and testing, plus a wider and deeper understanding of those problems, development teams are taking care of business. It is also an indicator that OWASP is effective and contributing to society by alerting the community year after year, and that the industry is making progress on resolution.