Tuesday, June 1, 2010

The OWASP ASVS and SAMM Standards

By: Shay Zalalichin, CTO


Catch Shay's presentation on June 7th at InfoSec Israel 2010 - where he will be discussing "Privacy in the Modern Age - On Regulations, Challenges and Technology"!

Both ASVS and SAMM are still relatively rarely adopted initiatives in the information security industry, and both have now received official OWASP project status.

ASVS stands for Application Security Verification Standard. It was created to define standard terminology for measuring the security level of applications and products. Once everyone shares that terminology, an organization can buy software knowing that it complies with a specific, pre-defined security level, and can be confident in that claim because the software was verified against common, standard requirements. Where the verification is performed by an external vendor, the well-defined standard also makes it easy to benchmark different vendors' performance.

As can be seen in the picture below, the verification levels range from a very basic level that uses only an automated tool (e.g. a WebInspect scan) to higher levels that require manual Design Review and Security Code Review (such as CODEFEND™).

SAMM stands for Software Assurance Maturity Model and is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks the organization faces. The resources provided by SAMM can aid in:

• Evaluating an organization’s existing software security practices
• Building a balanced software security program in well-defined iterations
• Demonstrating concrete improvements for a security assurance program
• Defining and measuring security-related activities within an organization

SAMM was defined with flexibility in mind such that it can be utilized by small, medium, and large organizations using any style of development. Additionally, this model can be applied organization-wide, for a single line-of-business, or even for an individual project.

The picture below shows the different activities within SAMM. Each activity can be performed at a different maturity level, giving organizations with different security requirements, budgets and maturity the flexibility to adapt the model.

ASVS is still a new initiative, as most organizations have not yet started implementing it, but it can be an excellent business driver: it aims to set a higher security level across the whole organization, which helps organizations communicate in a uniform manner (across departments and divisions) and with external bodies.

In addition, ASVS requires Security Code Review, ranging from fully automated review (basic level) to a combination of automated and manual review, which helps ensure the security posture of software - an important initiative, and one Comsec has been tackling with CODEFEND™.

As for SAMM, from our initial review it seems to be an excellent model that can assist organizations in integrating security within their development lifecycle; in essence, it is very similar to the model Comsec developed in-house. This is especially relevant for SMEs or organizations that lack the maturity to adopt a large-scale, comprehensive model such as the MS-SDL.

It's important to understand that several similar initiatives and standards exist (e.g. MS-SDL, OWASP CLASP), but none of them has acquired enough industry adoption - something these two standards will hopefully begin to change, as the OWASP Top 10 has done.

Ask us about our services towards compliance with these initiatives:
CODEFEND™ Security Code Review • ASVS Gap Analyses • ASVS Product/System Reviews and Security Assessments (ASVS Certification) • ASVS Integration within SDL Policy • SAMM SDL Strategic Planning/Roadmaps • SDL SAMM Assessments • SDL SAMM Compliance