How to start a software security initiative within your organization: a maturity based and metrics driven approach
OWASP Italy Day 2, 2008
March 31st, 2008
Marco.Morana@OWASP.ORG

OWASP
Copyright © 2008 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License.

The OWASP Foundation
http://www.owasp.org
Agenda
1. Software Security Awareness
2. Tactical Responses
3. Software Security Strategy
4. Software Security Initiative
5. Questions & Answers

Software Security Awareness: Threats

On-line fraud overtakes viruses as the greatest source of financial loss (Symantec)
93.8% of all phishing attacks in 2007 are targeting financial institutions (Anti-Phishing Group)
Phishing attacks soar in 2007 (Gartner)
3.6 Million victims, $3.2 Billion loss (2007)
2.3 Million victims, $0.5 Billion loss (2006)
Software Security Awareness: Threats
Software Security Awareness: Software Security Vs. Application Security

Software Security:
- Security built into each phase of the SDLC
- Look at root problem causes
- Proactive, Threat Analysis, Risk Management

Application Security:
- Security applied by catch and patches
- Look at external symptoms
- Reactive, Incident Response, Compliance
Agenda Update
1. Security Awareness
2. Tactical Responses
3. Software Security Strategy
4. Software Security Initiative
5. Questions & Answers

Tactical Responses: Initial Security Assessment

The symptoms are the clues that lead to potential vulnerabilities and exploits
The root causes: security design flaws, security bugs (coding errors), insecure configuration
The risk factors: how much damage can be done, how easy it is to reproduce the exploits, how many users are exposed and how easy it is to discover the vulnerabilities
Tactical Responses: Finding Vulnerabilities

- Manual Penetration Testing
- Manual Code Review
- Automated Vulnerability Scanning
- Automated Static Code Analysis
Tactical Responses: Risk Analysis
Risk terminology:
- Threat (e.g. the cause)
- Vulnerability (e.g. the application weakness)
- Impact (e.g. the loss of data)
- Risk (e.g. the rating, likelihood x exposure)
Risk models:
- STRIDE/DREAD
- Threat x Vulnerability x Impact (OWASP)
- ALE = SLE x ARO
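A worked rating using the three risk models on this slide, added here as an example that is not part of the original deck. The DREAD rating thresholds, the price-tampering scenario (borrowed from the deck's shopping cart appendix) and the dollar figures are assumptions made for the example.

```python
# Risk rating helpers for the models the slide names (DREAD, OWASP Threat x
# Vulnerability x Impact, ALE = SLE x ARO). Added example; values constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Dread:
    """Each factor scored 1-10 as in the DREAD model."""
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def score(self) -> float:
        """Average of the five factors: 1.0 (negligible) to 10.0 (critical)."""
        factors = (self.damage, self.reproducibility, self.exploitability,
                   self.affected_users, self.discoverability)
        if any(not 1 <= f <= 10 for f in factors):
            raise ValueError("DREAD factors must be integers from 1 to 10")
        return sum(factors) / len(factors)


def dread_rating(score: float) -> str:
    """Bucket a DREAD average into High/Medium/Low (thresholds assumed here)."""
    if score >= 7:
        return "High"
    return "Medium" if score >= 4 else "Low"


def owasp_risk(threat: float, vulnerability: float, impact: float) -> float:
    """Threat x Vulnerability x Impact with each factor on a 0..1 scale."""
    if any(not 0 <= f <= 1 for f in (threat, vulnerability, impact)):
        raise ValueError("factors must be between 0 and 1")
    return threat * vulnerability * impact


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: dollars lost per incident times incidents per year."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO cannot be negative")
    return sle * aro


# Constructed scenario, modelled on the deck's appendix: a shopping cart that
# trusts a client-supplied price, so a ring can be bought for 99 cents.
PRICE_TAMPERING = Dread(damage=6, reproducibility=10, exploitability=9,
                        affected_users=8, discoverability=9)
# Assumed loss figures: $400 per tampered order, 50 such orders a year.
PRICE_TAMPERING_ALE = annualized_loss_expectancy(sle=400, aro=50)
```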
Agenda Update
1. Security Awareness
2. Tactical Responses
3. Software Security Strategy
4. Software Security Initiative
5. Questions & Answers

Software Security Strategy: First Approaches
Be realistic:
- Organization is not yet ready (e.g. mature)
- Engineers are not trained in software security
- There are no tools available
Make up a strategy:
- Based upon your company strengths
- With stakeholders' buy-in (CIOs, ISOs, PMs, Developers, Architects)
- With achievable goals: reduce 30% of vulnerabilities found through ethical hacking via source code analysis
Software Security Strategy: Initial Business Cases
Not fixing security bugs early is expensive:
- $9,000 per defect after system tests (90X factor @ 100 dollars / hour x 1 hour = 9000 dollars) (NIST, Economic Impact of Insecure Testing)
- $100,000 per security bulletin (M. Howard and D. LeBlanc in Writing Secure Software book)
Software Security Strategy: Create a Roadmap
1. Assess software maturity of the organization: software security development processes, people and tools
2. Document the software security process: security enhanced SDLCs and checkpoints
3. Implement a framework: software engineering and risk management processes
4. Create business cases and set objectives
5. Collect metrics and measurements
6. Gain stakeholders' commitments
Agenda Update
1. Security Awareness
2. Tactical Responses
3. Software Security Strategy
4. Software Security Initiative
5. Questions & Answers

Software Security Initiative: People, Process, Technology
People: who manages software security risks
Process: what, where and how security can be built into the SDLC
Tools: how processes can be automated
Security = Commitment * (People + Tools + Process^2)
Software Security Initiative :Maturity Levels

Software Security Initiative: Maturity Levels
Maturity Innocence (CMM 0-1):
- No formal security requirements
- Issues addressed with penetration testing and incidents
- Penetrate and patch, reactive approach
Maturity Awareness (CMM 2-3):
- All applications have penetration tests done before going into production
- Secure coding standards are adopted as well as source code reviews
Maturity Enlightenment (CMM 4-5):
- Threat analysis in each phase of the SDLC
- Risk metrics and vulnerability measurements are used for security activity decision making (money for the bang)
Software Security Initiative: Maturity Adoption
Curve (OWASP-CLASP)

Software Security Initiative: People
What not to look for:
- Ethical hackers that cannot tell how to build applications securely
- Security engineers with no experience in software engineering, design, coding
- Information security professionals that only know security auditing
What to look for:
- Security professionals that understand both coding and security
- Software security consultants
Software Security Initiative: Frameworks

Software Security Initiative: SDLC Metrics

Software Security Initiative: Trailing Metrics

Software Security Initiative: Defending the Case
Fight common misconceptions that software security impacts:
- performance
- costs/budget
- development
Make the case for each role:
- Developers that are tired of rebuilding software
- Project managers that worry about missing deadlines
- Information Security Officers worry about compliance
- CIOs worry about budget and ROSI
Software Security Initiative: Commitment
Top down:
- Two months freeze on development
- Every developer on training
- SDL delivered across projects
Bottom up:
- Project Managers commit resources to training and demand secure code reviews
- Architects and engineering leads test and address security issues as early as they are found in the source code and the application
- CISOs address compliance with information security policies as well as secure coding standards
Concluding Remarks

Remember, Rome was not built in a day!

You need time to mature your processes, train your employees and implement the right process, tools and technologies
Agenda Update
1. Security Awareness
2. Tactical Responses
3. Software Security Strategy
4. Software Security Initiative
5. Questions & Answers?
Thanks for listening, further references

Symantec threat report:
http://www.symantec.com/business/theme.jsp?themeid=threatreport
Gartner study on phishing:
http://www.gartner.com/it/page.jsp?id=565125
UC Berkeley Center for Law and Technology on identity theft:
http://repositories.cdlib.org/cgi/viewcontent.cgi?article=1045&context=bclt
Appendix: Cost of Defects, NIST Study

Appendix: Location of Defects

Appendix: Location of Defects

Appendix: Insecure Shopping Cart
http://www.coolcart.com/jewelrystore.html

The price charged for the “Two Stone Feather Ring” is now 99 cents
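The price-tampering defect behind this appendix slide, shown as an added example that is not code from the deck or from the site it cites: the vulnerable checkout trusts the price the browser posts, while the hardened one prices every line from the server-side catalogue and validates the rest of the input. The catalogue, item names, prices and request body are constructed for the example.

```python
# Added example (not from the deck or the coolcart.com site it cites): the
# appendix's price-tampering cart, first as the vulnerable pattern, then fixed.
from decimal import Decimal

# Constructed catalogue; in a real shop this lookup would hit the database.
CATALOGUE = {
    "two-stone-feather-ring": Decimal("129.00"),
    "plain-band": Decimal("49.00"),
}


def vulnerable_total(form: dict) -> Decimal:
    """Trusts the unit price posted by the browser (hidden field or URL
    parameter), so anyone editing the request sets their own price."""
    qty = int(form["qty"])
    return Decimal(form["price"]) * qty


def hardened_total(form: dict) -> Decimal:
    """Takes only item id and quantity from the client; the price is looked
    up server-side, so a posted 'price' field cannot change what is charged."""
    item = form.get("item")
    if item not in CATALOGUE:
        raise ValueError(f"unknown item {item!r}")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity is not an integer") from None
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOGUE[item] * qty


def tampering_suspected(form: dict) -> bool:
    """Detection hook: a client that posts a price field at all is sending
    something the hardened checkout never asked for; worth logging."""
    return "price" in form


# Constructed request: an edited POST body for the ring with a 99 cent price.
TAMPERED_FORM = {"item": "two-stone-feather-ring", "qty": "1", "price": "0.99"}
```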
Appendix: XFS Vulnerabilities

Appendix: Reactive Approach

Go Fix Security Bugs!
Appendix: Tie Attacks To Vulnerabilities
- Phishing: A1, A4, A7, A10
- Privacy violations: A2, A4, A6, A7, A10
- Identity theft: A3, A7, A8, A9, A10
- System compromise, data alteration or data destruction: A2, A3
- Financial loss: A4, A5, A7, A10
- Reputation loss: A1, A2, A3, A4, A5, A6, A7, A8, A9, A10
Appendix: The Motto

“If your software security practices are not yet mature be pragmatic and start making software security a responsibility for who builds software in your organization”
Appendix: About Me
- Graduated from University of Padua, Italy in 1987 (Dr. Ing, Laurea Ingegneria Meccanica)
- Worked as Aerospace engineer in Italy between 1990-1994
- Got a Master in Computer System Engineering from Northwestern Polytechnic University in 1996
- Worked as Software Eng. in Silicon Valley between 1996-1998
- While working at NASA as Sterling Software contractor, developed the first e-mail S/MIME and got a patent in 1997
- Founded CerbTech LLC in 2003 and worked on a security project for VISA
- Developed commercial security tools/products for ISS (Safesuite Decisions) and Sybase (Security Manager) (1998-2004)
- As Sr. Security Consultant with Foundstone/McAfee (2004-2006), consulted for major banks and telcos in the USA
- Joined Citigroup in 2006 as Technology Information Security Officer (Sr. Director/VP)
- Founded the OWASP Cincinnati USA chapter in 2007
