You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
@@ -78,50 +81,53 @@ The first steps for deploying DSOMM are then the following:
78
81
79
82
Identify the security policies of your organization and adhere to them.
80
83
81
-
82
84
Share with the Security Champion Guild how you perform the required activities
83
85
from the policies, so others can benefit from your experience.
86
+
84
87
In addition, provide feedback to the policy owner.
85
-
Whenever you find yourself not adhering to the policies,
86
-
communicate this to the person responsible for judging "risks vs.
87
-
revenue"
88
-
on your product (e.g., your Product Owner, manager),
89
-
so they are aware of being out of policy.
88
+
89
+
Communicate discrepancies with the defined security policies
90
+
to the "Risk Manager"
91
+
so that he can take proper measures.
90
92
91
93
### Benefits
92
94
93
-
- Building and operating software securely is hard; utilizing standards
94
-
(as described in the security policies) makes it at least a bit easier.
95
-
- Basic security risks, which are covered by security policies, are handled.
95
+
- Adopting security policies addressing threats
96
+
simplifies building secure software.
97
+
- Basic security risks are handled.
96
98
97
99
## Continuously Improve your Security Belt Rank
98
100
99
101
Security is like a big pizza.
100
102
You cannot eat it as a whole,
101
103
but you can slice it and continuously eat small slices.
102
-
To make this happen, ensure that the Product Owner continuously prioritizes
104
+
105
+
Ensure that the "Risk Manager" continuously prioritizes
103
106
the security belt activities for the next belt highly
104
107
within the product backlog.
105
-
Security belt activities make good slices because they are of reasonable
108
+
109
+
Security belt activities make "good slices" because they are of reasonable
106
110
size and have a defined output.
107
-
Celebrate all your implemented security belt activities.
108
111
109
-
## Benefits
112
+
Celebrate all your implemented security belt activities!
113
+
114
+
### Benefits
110
115
111
116
- The team has time to improve its software security.
112
117
- The team's initially high motivation and momentum can be used.
113
-
- The Product Owner has transparency of the investment
114
-
and benefit of security belts.
118
+
- The Risk Manager has visibility on the investment
119
+
and the benefits of security belts.
115
120
- The team is improving its software security.
116
121
117
122
## Review Security Belt Activities
123
+
118
124
Let the Security Champion Guild review your implementations of security belt
119
125
activities (or concepts of these implementations) as soon as possible.
120
126
This helps to eradicate misunderstandings of security belt activities early.
121
127
122
128
### Benefits
123
129
124
-
- The quality of the implementation is increased.
130
+
- The quality of the implementation increases.
125
131
- Successes can be celebrated intermediately.
126
132
- Early feedback before the belt assessment.
127
133
@@ -139,13 +145,15 @@ from the Security Champion Guild to get you started.
139
145
140
146
# Dimensions
141
147
142
-
In the following the dimensions and corresponding sub dimension are described.
148
+
This section describes the various dimensions
149
+
and the corresponding sub dimension.
150
+
143
151
The descriptions are highly based (mostly copied)
144
152
on the [OWASP Project Integration Project Writeup](https://github.com/OWASP/www-project-integration-standards/blob/master/writeups/owasp_in_sdlc/index.md).
145
153
146
154
## Implementation
147
155
148
-
The dimension Implementation covers topic of "traditional"
156
+
This dimension covers topic of "traditional"
149
157
hardening of software and infrastructure components.
150
158
151
159
There is an abundance of libraries and frameworks implementing
@@ -188,42 +196,57 @@ uses FTP to copy latest master to the development server which will become produ
188
196
189
197
**Example High Maturity Scenario:**
190
198
191
-
Team members have access to comprehensive documentation and a library of code snippets they can use to accelerate development.
199
+
Team members have access to comprehensive documentation
200
+
and a library of code snippets they can use to accelerate development.
192
201
193
-
Linters are bundled with pre-commit hooks and no code reaches master without peer review.
202
+
Linters are bundled with pre-commit hooks
203
+
and no code reaches master without peer review.
194
204
195
205
Pre-merge tests are executed before merging code into master.
196
-
Tests run a comprehensive suite of tests covering unit tests, service acceptance tests,
206
+
Tests run a comprehensive suite of tests covering unit tests,
207
+
service acceptance tests,
197
208
unit tests as well as regression tests.
198
209
199
-
Once a day a pipeline of specially configured static code analysis tools runs against
200
-
the features merged that day, the results are triaged by a trained security team and fed to engineering.
210
+
Once a day a pipeline of specially configured
211
+
static code analysis tools runs against
212
+
the features merged that day, the results are
213
+
triaged by a trained security team and fed to engineering.
201
214
202
215
There is a cronjob executing Dynamic Analysis tools against Staging
203
216
with a similar process.
204
217
205
-
Pentests are conducted against features released on every release and also periodically against the whole software stack.
218
+
Pentests are conducted against features released on every release
219
+
and also periodically against the whole software stack.
206
220
207
221
# Culture and Organization
208
222
209
-
Culture and Organization covers topics related to culture and organization like processes, education and the design phase.
223
+
This section covers topics related to culture and organization like
224
+
processes, education and the design phase.
210
225
211
-
Once requirements are gathered and analysis is performed, implementation specifics need to be defined.
212
-
The outcome of this stage is usually a diagram outlining data flows and a general system architecture.
213
-
This presents an opportunity for both threat modeling and attaching security considerations
214
-
to every ticket and epic that is the outcome of this stage.
226
+
Once requirements are gathered and analysis is performed,
227
+
implementation specifics need to be defined.
228
+
The outcome of this stage is usually a diagram outlining data flows
229
+
and a general system architecture.
230
+
This presents an opportunity for both threat modeling
231
+
and attaching security considerations
232
+
to every ticket and epic that is the outcome of this stage.
215
233
216
234
### Design
217
235
218
236
There is some great advice on threat modeling out there
219
-
*e.g.* [this](https://arstechnica.com/information-technology/2017/07/how-i-learned-to-stop-worrying-mostly-and-love-my-threat-model/) article or [this](https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling) one.
OWASP includes a short [article](https://wiki.owasp.org/index.php/Category:Threat_Modeling) on Threat Modeling along with a relevant [Cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html).
243
+
OWASP includes a short [article](https://wiki.owasp.org/index.php/Category:Threat_Modeling)
244
+
on Threat Modeling along with a relevant [Cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html).
224
245
Moreover, if you're following OWASP SAMM, it has a short section on [Threat Assessment](https://owaspsamm.org/model/design/threat-assessment/).
225
246
226
-
There's a few projects that can help with creating Threat Models at this stage, [PyTM](https://github.com/izar/pytm) is one, [ThreatSpec](https://github.com/threatspec/threatspec) is another.
247
+
There's a few projects that can help with creating Threat Models
248
+
at this stage, [PyTM](https://github.com/izar/pytm) is one,
249
+
[ThreatSpec](https://github.com/threatspec/threatspec) is another.
227
250
228
251
> Note: _A threat model can be as simple as a data flow diagram with attack vectors on every flow and asset and equivalent remediations.
0 commit comments