8/14/2019 Nick Coblentz ([email protected]) http://nickcoblentz.blogspot.com
1/24

OWASP CLASP
Overview
Nick Coblentz ([email protected]) http://nickcoblentz.blogspot.com
OWASP CLASP Presentation Outline
What is CLASP?
CLASP best practices
CLASP Organization
Birds-Eye view of CLASP Process
Concepts View
Security Services
Vulnerability View
Role-Based View
Introduction to each role
Activity-Assessment View
Examples
Activity-Implementation View
Examples
CLASP Roadmap
What Is CLASP?
Comprehensive, Lightweight, Application Security Process
OWASP project
Activity driven, role-based set of process components whose core contains formalized best practices for building security into your existing or new-start software development life cycles in a structured, repeatable, and measurable way
What is CLASP?
Method for applying security to an organization's application development process
Adaptable to any organization or development process
OWASP CLASP is intended to be a complete solution that organizations can read and then implement iteratively
Focuses on leveraging a database of knowledge (CLASP vulnerability lexicon, security services, security principles, etc.) and automated tools/processes
CLASP Best Practices
Institute security awareness programs
Provide security training to stakeholders
Present organization's security policies, standards, and secure coding guidelines
Perform application assessments
Is a central component in overall strategy
Find issues missed by implemented Security Activities
Leverage to build a business case for implementing CLASP
Capture security requirements
Specify security requirements alongside business/application requirements
Implement secure development process
Include Security Activities, guidelines, resources, and continuous reinforcement
CLASP Best Practices
Build vulnerability remediation procedures
Define steps to identify, assess, prioritize, and remediate vulnerabilities
Define and monitor metrics
Determine overall security posture
Assess CLASP implementation progress
Publish operational security guidelines
Monitor and manage security of running systems
Provide advice and guidance regarding security requirements to end-users and operational staff
CLASP Organization
Concepts View
Role-Based View
Activity-Assessment
Implementation costs
Activity applicability
Risk of inaction
Activity-Implementation
24 Security Activities
Vulnerability Lexicon
Consequences, problem types, exposure periods, avoidance & mitigation techniques
Additional Resources
Birds-Eye View of CLASP Process
Stakeholders
Read & understand Concepts View
Read & understand Role-Based View
Project manager
Reads and understands Activity-Assessment View
Determines applicable and feasible Security Activities to implement
Ties stakeholder roles to Security Activities
Facilitates Roles to learn and execute Security Activities
Measures progress and holds Roles accountable (Metrics)
Roles (PM, Architect, Designer, Implementer, ...)
Execute Security Activities leveraging automated tools and the CLASP & Organization knowledge base (Vulnerability Lexicon and other Resources)
Concepts View - CLASP Security Services
Fundamental security goals that must be satisfied for each resource:
Authorization (access control)
Authentication
Confidentiality
Data Integrity
Availability
Accountability
Non-Repudiation
Concepts View - Overview of Vulnerability View
Vulnerability
Problem types: 104 types
Example: Buffer Overflow
Categories:
Range and Type Errors
Environmental Problems
Synchronization & Timing Errors
Protocol Errors
General Logic Errors
Exposure periods
Development artifact
Consequences
Violated Security Service
Vulnerability (Continued)
Platforms
Language, OS, DB, etc.
Resources
Risk assessment
Severity
Likelihood
Avoidance and mitigation periods
Additional Info
Overview, description, examples, related problems
Knowledge Base Provided!
Role-Based View - Introduction
CLASP ties Security Activities to roles rather than development process steps
Roles:
Project Manager
Drives the CLASP initiative
Requirements Specifier
Architect
Designer
Implementer
Test Analyst
Security Auditor
Role-Based View - Project Manager
Drives CLASP initiative
Management buy-in mandatory
Security rarely shows up as a feature
Responsibilities:
Promote security awareness within team
Promote security awareness outside team
Manage metrics
Hold team accountable
Assess overall security posture (application and organization)
Possibly map this to a Security Manager and Project Manager because:
PM may not have expertise
SM may want to apply over the entire organization
PM would still be responsible for day-to-day tasks
Role-Based View - Requirements Specifier
Generally maps customer features to business requirements
Customers often don't specify security as a requirement
Responsibilities:
Detail security relevant business requirements
Determine protection requirements for resources (following an architecture design)
Attempt to reuse security requirements across organization
Specify misuse cases demonstrating major security concerns
Role-Based View - Architect
Creates a network and application architecture
Specify network security requirements such as firewalls, VPNs, etc.
Responsibilities:
Understand security implications of implemented technologies
Enumerate all resources in use by the system
Identify roles in the system that will use each resource
Identify basic operations on each resource
Help others understand how resources will interact with each other
Explicitly document trust assumptions and boundaries
Provide these items in a written format and include diagrams (for example network component model, applic
Role-Based View - Designer
Keep security risks out of the application
Have the most security-relevant work
Responsibilities:
Choose and research the technologies that will satisfy security requirements
Assess the consequences and determine how to address identified vulnerabilities
Support measuring the quality of application security efforts
Document the attack surface of an application
Designers should:
Push back on requirements with unrecognized security risks
Give implementers a roadmap to minimize the risk of errors requiring an expensive fix
Understand security risks of integrating 3rd party software
Respond to security risks
Role-Based View - Implementer
Application developers
Traditionally carries the bulk of security expertise
Instead this requirement is pushed upward to other roles
Responsibilities:
Follow established secure coding requirements, policies, standards
Identify and notify designer if new risks are identified
Attend security awareness training
Document security concerns related to deployment, implementation, and end-user responsibilities
Bulk of security expertise is shifted to designer, architect, and project manager
Pros and Cons?
Role-Based View - Test Analyst
Quality assurance
Tests can be created for security requirements in addition to business requirements/features
Security testing may be limited due to limited knowledge
May be able to run automated assessment tools
May only have a general understanding of security issues
Role-Based View - Security Auditor
Examines and assures current state of a project
Responsibilities:
Determine whether security requirements are adequate and complete
Analyze design for any assumptions or symptoms of risk that could lead to vulnerabilities
Find vulnerabilities within an implementation based on deviations from a specification or requirement
Activity-Assessment View - Overview
There are 24 CLASP Security Activities
Added iteratively
Activity-Assessment View allows a project manager to determine appropriateness of CLASP activities
Guide provides:
Activity applicability
Risks due to omission of activity
Estimation of implementation cost
Roles that will execute activity
Activity-Assessment and Roles
Activity-Assessment Example Item
Activity-Implementation View - Introduction
Defines the purpose or goals for the Security Activity
Provides details regarding:
Sub goals such as:
Provide security training to all team members
Appoint a project security officer
Describes in detail how to carry out tasks or accomplish goals
Details which CLASP resources support these tasks
ex: vulnerability lexicon to examine secure coding practices
ex: Security Services to examine threats to a resource (threat modeling)
**Show Example Here**, Perform security analysis of system requirements and design (threat modeling)
CLASP Roadmaps
Legacy application roadmap:
Minimal impact on ongoing development projects
Introduce only highest relative impact on security
Key steps (12 total):
1 Security awareness program
6 Security assessment
8 Source-level security review
Green-field roadmap:
Holistic approach
Ideal for new software development
Especially Spiral and Iterative models
Key steps (20 total):
1 Security awareness program
2 Metrics
3-8 Security related planning and design
9 Security principles
12 Threat modeling
16 Source-level review
17 Security assessment
Questions?
More information:
http://www.owasp.org/index.php/Category:OWASP_CLASP_Project
Downloadable Book
http://www.list.org/~chandra/clasp/OWASP-CLASP.zip