Chapter 9 - 02 - Understand Software Security Standards, Models, and Frameworks_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Application Security Exam 212-82 Module Understand Secure Application Design and Flow o o Understand Secure Application, Development, Deployment, and Automation o Application Security Testing Techniques and Tools Architecture - i Understand Software Security Standards, Models, and Frameworks o @ Understand Software Security Standards, Models, and Frameworks Numerous organizations face several impediments in their information security platforms due to tremendous increases in infrastructure. Hence, it is necessary to follow basic software security standards, models, and frameworks, which consist of strategies and techniques for implementing information security controls in an organization. This section provides an overview of various software security standards, models, and frameworks. Module 09 Page 1175 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Application Security Exam 212-82 The Open Web Application Security Project (OWASP) O The Open Web Application Security Project (OWASP) is an « improving the security of = organization focused on @ About Us | The OWASS C x 4+ @ owasporg/sbout @ownsp, software 0 OWech The mission of this organization is to make software security visible so that individuals and organizations can make informed decisions Qox W The OWASP® Foundation works o improve the security of software through its community-led open B )\ (7 source sofltwate projects > hundreds of chapters The Open Web Application Security Project (OWASP) Is a nonprofit foundation that works to improve the security of software. Our programming includes: - 70 + » « + Community-led open source software projects Over 200+ local chapters worldwide Tens of thousands of members Industry-leading educational and training conferences worldwide, tens of thousands of members, and by hosting local and global conferences Upcoming Global Events https//owasp.org All Rights Reserved. Reproduction is Strictly Prohibited The Open Web Application Security Project (OWASP) Source: https://owasp.org The Open Web Application Security Project (OWASP) is an organization focused on improving the security of software. The mission of this organization is to make software security visible so that individuals and organizations are able to make informed decisions. OWASP is a community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. Through community-led software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP foundation has become an important source for developers and technologists to secure the web. Module 09 Page 1176 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Application Security @ About Us | The OWASP Foundat pe C @ Exam 212-82 X + o ¥ owasp.org/about/ & = ownsp : About the OWASP Foundation ®Watch 70 s 191 The OWASP® Foundation works to improve the security of software through its community-led open source software projects, hundreds of chapters The Open Web Application Security Project (OWASP) is a nonprofit - oundation kS that works 10| to improve th — the security of software. o. Our programming includes: e i f thousands of members, and by hosting local end global conferences. « Community-led open source software projects « Over 200+ local chapters worldwide « Tens of thousands of members ) « Industry-leading educational and training conferences Upcoming Global Events v Figure 9.7: Screenshot of OWASP Module 09 Page 1177 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Application Security Exam 212-82 Software Security Framework: Software Assurance Maturity Model (SAIMIM) Q The Software Assurance Maturity Model (SAMM) is an open framework that helps organizations formulate and implement strategies for software security that Governance | Construction |"Werifieation| Deployment Software development management activities and organization-wide Goal definition and software creation processes Checking, evaluation and testing of software development artifacts Software release management and normal operational management Threat Design Review Management are tailored for the specific risks faced by them |f ". in the 2 fOllOWlllg SAIVIM helps Evaluate R an orgamzatlon _ S emstmg tasks: software security practices business process Build a balanced software security assurance F " " 3 program in well-defined iterations e 03 ~/ ¢. Demqnstrate concrete improvements in the security assurance program.. e Define and measure security-related activities throughout an organization Strategy and Vulnerability Metrics Assessment Policy and Requirements Security Code Review Environment Source Security Operational Compliance Education and Guidance Architecture Testing Hardening Enablement https.//www.opensamm.org Copyright © by I Al Rights Reserved. Reproductionis Strictly Prohibited Software Security Framework: Software Assurance Maturity Model (SAIMIM) Source: https://www.opensamm.org The Software Assurance Maturity Model (SAMM) is an open framework that helps organizations formulate and implement strategies for software security that are tailored for the specific risks faced by them. SAMM helps in the following tasks: * Evaluate an organization’s existing software security practices. = Build a balanced software security assurance program in well-defined iterations. = Demonstrate concrete improvements in the security assurance program. = Define and measure security-related activities throughout an organization. The maturity model consists of four business functions and each function possess three security practices. = Governance: Assess the management of application security in an organization = Construction: Assess the software creation process in an organization = Verification: Assess the software testing of the application = Deployment: Assess the deployment (Software release management) and production of the application Module 09 Page 1178 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Application Security Exam 212-82 Governance Construction Verification Deployment Software Goal definition and software creation Checking, evaluation and processes testing of software Software release management and normal operational management development management activities and development artifacts organization-wide business process Strategy and Metrics Vulnerability Management Policy and Compliance Requirements Education Source and Guidance Environment Hardening Operational Enablement Architecture Figure 9.8: Software Assurance Maturity Model (SAMM) Module 09 Page 1179 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Application Security Exam 212-82 Software Security Framework: Building Security In Maturity Model (BSIMM) O The main objective of BSIMM is to enable an organization to analyze and implement the security features it requires by O BSIMM consists of a software security framework used to organize the 113 activities used to assess initiative O The framework consists of 12 practices organized into four domains evaluating the most frequently implemented security features in other companies The Software Security Framework (SSF) Governance ‘ Intelligence ’ SSDL Touchpoints Deployment Strategy and Metrics Attack Models Architecture Analysis Penetration Testing Compliance and Policy Security Features and Design Code Review Software Environment Configuration Standards and Training Security Testing Requirements Management and Vulnerability Management https./fwww.bsimm.com Copyright © by EC. Al Rights Reserved. Reproductions Strictly Prohibited Software Security Framework: Building Security In Maturity Model (BSIMM) Source: https://www.bsimm.com The main objective of BSIMM is to enable an organization to analyze and implement the security features it requires by evaluating the most frequently implemented security features in other companies. BSIMM consists of a software security framework used to organize the 113 activities used to assess initiatives. The framework consists of 12 practices organized into four domains. The BSIMM is designed to help the organization understand, measure, and plan a software security initiative. It was created by observing and analyzing real-world data from leading software security initiatives. BSIMM data reflect how many organizations are adapting their approaches to address the new dynamics of modern development and deployment practices, such as shorter release cycles, increased infrastructure. use of automation, and software-defined The Software Security Framework (SSF) Governance Intelligence SSDL Touchpoints Strategy and. Metrics Attack Models Architecture Analysis Compluance #ihd Securlty'Features Code Review Trainin Standards and Requirements Security Policy & and Design.... | Penetration Testing Software Environment Testin Y Deployment g Configuration Management and Vulnerability Management Table 9.1: The Software Security Framework (SSF) Module 09 Page 1180 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited.