Chapter 9 - 02 - Understand Software Security Standards, Models, and Frameworks


Certified Cybersecurity Technician Exam 212-82 Application Security

Module Flow

- Understand Secure Application Design and Architecture
- Understand Secure Application Development, Deployment, and Automation
- Understand Software Security Standards, Models, and Frameworks
- Understand Application Security Testing Techniques and Tools

Understand Software Security Standards, Models, and Frameworks

Many organizations struggle to keep their information security program coherent as their infrastructure grows rapidly. Established software security standards, models, and frameworks address this problem: they collect the strategies and techniques for selecting and implementing information security controls in an organization, so that an application security program does not have to be designed from scratch. This section provides an overview of several such standards, models, and frameworks.

Module 09 Page 1175 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

The Open Web Application Security Project (OWASP)

Source: https://owasp.org

The Open Web Application Security Project (OWASP) is a nonprofit foundation focused on improving the security of software. Its mission is to make software security visible so that individuals and organizations can make informed decisions. OWASP is a community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. Through community-led open source software projects, hundreds of local chapters worldwide, tens of thousands of members, and industry-leading educational and training conferences, the OWASP Foundation has become an important resource for developers and technologists securing the web.

Figure 9.7: Screenshot of OWASP (the "About the OWASP Foundation" page at https://owasp.org/about/). The page states that the OWASP Foundation works to improve the security of software through its community-led open source software projects, hundreds of chapters worldwide, tens of thousands of members, and by hosting local and global conferences, and lists its programming as:

- Community-led open source software projects
- Over 200+ local chapters worldwide
- Tens of thousands of members
- Industry-leading educational and training conferences

Software Security Framework: Software Assurance Maturity Model (SAMM)

Source: https://www.opensamm.org

The Software Assurance Maturity Model (SAMM) is an open framework that helps organizations formulate and implement a software security strategy tailored to the specific risks they face. SAMM helps with the following tasks:

- Evaluate an organization's existing software security practices.
- Build a balanced software security assurance program in well-defined iterations.
- Demonstrate concrete improvements in the security assurance program.
- Define and measure security-related activities throughout an organization.

The maturity model consists of four business functions, and each function has three security practices. Each practice is assessed at a maturity level from 0 (no activity) to 3 (comprehensive, measured activity); scoring every practice this way is what turns the "well-defined iterations" above into a concrete roadmap, because the next iteration targets the practices with the lowest scores.

- Governance: Assess the management of application security in an organization (goal definition and management of software development processes and business processes organization-wide).
- Construction: Assess the software creation processes and development artifacts in an organization.
- Verification: Assess the checking, evaluation, and testing of software artifacts.
- Deployment: Assess the deployment of the application (software release management) and its normal operational management in production.

Figure 9.8: Software Assurance Maturity Model (SAMM). The figure arranges the four business functions as columns, each with a one-line description and its three security practices:

Governance | Construction | Verification | Deployment
Goal definition and management of software development processes and business processes organization-wide | Software creation processes and development artifacts | Checking, evaluation, and testing of software artifacts | Software release management and normal operational management
Strategy and Metrics | Threat Assessment | Design Review | Vulnerability Management
Policy and Compliance | Security Requirements | Code Review | Environment Hardening
Education and Guidance | Secure Architecture | Security Testing | Operational Enablement

Note that this four-function, twelve-practice layout is that of OpenSAMM version 1, which is what https://www.opensamm.org documents and what this exam material uses. The current OWASP SAMM (version 2, published at https://owaspsamm.org) reorganizes the model into five business functions (Governance, Design, Implementation, Verification, Operations) with fifteen practices, so an assessment performed against one version cannot be compared score-for-score with one performed against the other.

Software Security Framework: Building Security In Maturity Model (BSIMM)

Source: https://www.bsimm.com

The main objective of BSIMM is to help an organization decide which software security activities it needs by comparing itself against the activities most frequently observed in other companies' software security initiatives. BSIMM consists of a software security framework (SSF) used to organize the 113 activities used to assess an initiative; the activity count changes with each annual BSIMM release as activities are added or retired, so the number depends on the edition in use. The framework consists of 12 practices organized into four domains.

BSIMM is designed to help an organization understand, measure, and plan a software security initiative. It was created by observing and analyzing real-world data from leading software security initiatives, which makes it a descriptive model rather than a prescriptive one like SAMM: it records what participating firms actually do, and an organization scores itself by which of the observed activities it performs. BSIMM data also reflect how many organizations are adapting their approaches to the dynamics of modern development and deployment, such as shorter release cycles, increased use of automation, and software-defined infrastructure.

Table 9.1: The Software Security Framework (SSF)

Governance | Intelligence | SSDL Touchpoints | Deployment
Strategy and Metrics | Attack Models | Architecture Analysis | Penetration Testing
Compliance and Policy | Security Features and Design | Code Review | Software Environment
Training | Standards and Requirements | Security Testing | Configuration Management and Vulnerability Management
