[WEB SECURITY] When all you have is a hammer...
Dinis Cruz
dinis at ddplus.net
Tue Feb 10 23:12:45 EST 2009
Have you guys seen the Software Assurance Maturity Model that Pravir has
been working on for the past months?
I think you will find that it already answers a lot of these questions:
- main website: http://www.opensamm.org
- latest version of this document:
http://www.opensamm.org/downloads/SAMM-BETA-0.8.1.pdf
- PPT presentation https://www.owasp.org/images/2/2e/OWASP_CLASP_SAMM.ppt
- video of Pravir talking about it at the OWASP Conference in NYC 08:
http://video.google.com/videoplay?docid=-7453282550277559385&hl=en
- project mailing list:
https://lists.owasp.org/mailman/listinfo/owasp-cmm
I showed this to a client a couple of weeks ago and they completely bought into
certain parts of it, and although this is not complete, it is already a massive
step in the right direction.
I've CCed Pravir on this reply (and he is now on this list), so over to you
Pravir :)
Dinis Cruz
On Wed, Feb 11, 2009 at 2:42 AM, Rafal @ IsHackingYou.com <
rafal at ishackingyou.com> wrote:
> Actually, Arian... I've been writing this up for an OWASP proposal-project.
> This would encompass more than just incorporating the Capability Maturity
> Model into a practice-oriented step-by-step program... and I think if we
> build a blueprint for such a program people will not only follow it - but
> actually have a consistent platform for discussion.
>
> Stay tuned, I'm on it, I've had a conversation with Tom Brennan about it
> back at CSI/DC and I think I'm finally going to pull that trigger.
>
> :)
>
> __
> Rafal M. Los
> Security & IT Risk Strategist
>
> - Blog: http://preachsecurity.blogspot.com
> - LinkedIn: http://www.linkedin.com/in/rmlos
>
> --------------------------------------------------
> From: "Arian J. Evans" <arian.evans at anachronic.com>
> Sent: Tuesday, February 10, 2009 8:31 PM
> To: "Rafal @ IsHackingYou.com" <rafal at ishackingyou.com>
> Cc: <websecurity at webappsec.org>
> Subject: Re: [WEB SECURITY] When all you have is a hammer...
>
> One of our biggest problems in webappsec-land right now is that no one
> has clearly defined:
>
> - What an Enterprise Web Application Risk Management Program is.
>
> - What all (or most) of the possible components of that program could be.
>
> - How to measure the success of various components in the program to
> decide what they should be going forward.
>
> - Shortcuts to decide what components of that program are "more
> probably" right for you based upon known strengths/weaknesses and
> business realities of your organization.
>
> We need to define the starting line.
>
> We need to define the multiple, possible finish lines.
>
> We need a blueprint that helps folks see how to get from here to
> there. (start to target finish)
>
> I humbly suggest webappsec needs its own standards and blueprints,
> since the business case, development model, and threat landscape for
> web software is often different enough from non-web software to
> require its own approach subtleties. IMO.
>
> Certainly could be wrapped in an "Enterprise Software Security Risk
> Management Program" though.
>
> ciao
>
> --
> Arian Evans
>
> "From the hour the Pilgrims landed,
> to the present day, events, occurrences,
> and tendencies prove that to ensure
> peace, security, and happiness, the
> rifle and pistol are equally indispensable"
> -- George Washington
>
>
>
> On Tue, Feb 10, 2009 at 2:58 PM, Rafal @ IsHackingYou.com
> <rafal at ishackingyou.com> wrote:
> > Friends, Countrymen, fellow security nerds... lend me your {ears |
> > eyeballs},
> >
> > As a security practitioner, and vendor-employed security "expert", I feel
> > like I'm often unfairly labeled with a bias towards tools as a means of
> > vulnerability detection, analysis, and mitigation. While I will readily
> > debate the merits of security tools such as white-box and black-box scanners, I
> > have always believed the correct answer to a sustainable web application
> > security program involves a good mix of people, tools and processes. With
> > that in mind I have written a blog post that explains my point further and
> > why I feel like any enterprise security program based on tools or services
> > alone is doomed to fail. There is an element of false security that I feel
> > creeps up and hurts more than it helps.
> >
> > To expand further on Vinnie Liu's[1] point from his presentation at
> > Blue Hat this past year... "When all you have is a hammer, everything looks
> > like a nail"... as always I appreciate community feedback and constructive
> > debate.
> >
> >
> http://www.communities.hp.com/securitysoftware/blogs/rafal/archive/2009/02/10/an-unfortunate-case-of-learned-behavior.aspx
> >
> > [1] http://technet.microsoft.com/en-us/security/dd285265.aspx
> >
> > Cheers!
> > __
> > Rafal M. Los
> > Security & IT Risk Strategist
> > - Blog: http://preachsecurity.blogspot.com
> > - LinkedIn: http://www.linkedin.com/in/rmlos
>
>