The OWASP CLASP Project

Pravir Chandra
OWASP CLASP Project Lead
Principal Consultant, Cigital, Inc.
chandra@cigital.com

6th OWASP AppSec Conference
Milan, May 2007

Permission is granted to copy, distribute and/or modify this document under the
terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this
license, visit http://creativecommons.org/licenses/by-sa/2.5/

The OWASP Foundation
http://www.owasp.org/
Agenda

- What is CLASP anyway?
- The CLASP philosophy and contents
- Comparison to other security processes
- Details on the OWASP CLASP Project

6th OWASP AppSec Conference – Milan – May 2007 2


CLASP 2007

- Comprehensive, Lightweight Application Security Playbook
- CLASP is a prescriptive guide for organizations to address software security iteratively
  - Covers the entire organization (not just development)
  - Adaptable to any type of organization or development process
  - New material to reflect software security’s inexorable tie to the specifics of a business


Origins of CLASP

- Original version was developed by Secure Software (acquired by Fortify Software)
- Collection of ‘stuff’: vulns, roles, activities, etc.
- Heavily modified for CLASP 2007
  - This is the version we’ll discuss today
  - To be released by June 2007


Top-level organization of CLASP 2007

- Think
  - How to think about software security
  - Setting long-term goals and strategy based on your business
- Plan
  - Setting near-term goals to execute against
  - Planning iterations and getting immediate value
- Do
  - The nitty-gritty details of performing activities that provide assurance
  - Executing and measuring success


Think


Philosophical Stuff

- It’s about balancing risk, not being 100% secure
- Even if you don’t have a well-defined process, you can make an impact
- Monitor and measure to make sure you’re on track for efficiency and efficacy
- Use the CLASP Best Practices as a ‘north star’


The CLASP Best Practices

1. Institute awareness programs
2. Perform application assessments
3. Capture security requirements
4. Implement secure development practices
5. Build vulnerability remediation procedures
6. Define and monitor metrics
7. Publish operational security guidelines


Key decision points

- What kind of business are you in?
  - Regulatory requirements
  - Rough cut at ‘risk appetite’
- How does your business rely upon software?
  - Do you sell boxed applications? … platforms?
  - Do you build and operate your own software?
  - Do you outsource and consume?
- What top-management support is available?
  - How much cost can you tolerate short-term? … long-term?


Plan


Creating an action plan

- CLASP 2007 introduces the concept of ‘Competencies’
  - High-level areas of the SDLC
  - Each has pre-determined maturity levels (not quite CMM-style)
- Based on your drivers, pick the next Competency (or maturity level) you’ll target
  - A Competency level has assigned Activities (more on this later)
  - Provides some ready-made milestones
  - Grow the organization’s skill and efficiency over time
- A few example roadmaps for common types of businesses are provided to get started


The CLASP Competencies

1. Security Management & Governance
2. Hardened Requirements & Design
3. Secure Implementation
4. Software Assessment & Testing
5. Safe Deployment & Operations


Do


Putting rubber on the road

- Based on the target Competency level, implement the assigned Activities
  - Plan appropriate resources for the activity
  - Ensure the correct Roles are filled
  - Instrument with prescribed monitors for metrics
- In total, there are ~24 Activities
  - They’re spread across the Competency levels for bite-size consumption
  - Some you may never need to implement


The CLASP Activities

1. Institute Security Awareness Program
2. Perform Security Analysis of System Requirements and Design (Threat Modeling)
3. Perform Source Level Security Review
4. Identify, Implement, and Perform Security Tests
5. Verify Security Attributes of Resources
6. Research and Assess Security Posture of Technology Solutions
7. Identify Global Security Policy
8. Identify Resources and Trust Boundaries
9. Identify User Roles and Resource Capabilities
10. Specify Operational Environment
11. Detail Misuse Cases
12. Identify Attack Surface
13. Document Security Relevant Requirements
14. Apply Security Principles to Design
15. Annotate Class Designs with Security Properties
16. Implement and Elaborate Resource Policies and Security Technologies
17. Implement Interface Contracts
18. Integrate Security Analysis into Source Management Process
19. Perform Code Signing
20. Manage Security Issue Disclosure Process
21. Address Reported Security Issues
22. Monitor Security Metrics
23. Specify Database Security Configuration
24. Build Operational Security Guide


Lots of details

- Each Activity is well-specified
  - Roles involved
  - Applicability and impacts
  - Frequency and approximate level of effort
  - How-to steps for executing the activity
  - Measurement criteria
- CLASP specifies Roles as well
  - High-level, so one person may hold more than one Role
  - Skills requirements for filling the Role


The CLASP Roles

1. Architect
2. Designer
3. Implementer
4. Project Manager
5. Requirements Specifier
6. Security Auditor
7. Test Analyst


Summary of CLASP 2007

- Think
  - Philosophy of software security
  - Best Practices to guide decisions
  - Key decision points that affect logistics
- Plan
  - Competencies and maturity levels
  - Sample, goal-based roadmaps
- Do
  - Activity definitions and details
  - Role definitions and supporting information


On SDLCs


CLASP and other SDLC models

- There are two other secure SDLC models that you may have heard of
  - Microsoft’s SDL (The Security Development Lifecycle. Howard, Lipner)
  - The Security Touchpoints (Software Security. McGraw)
- These both map to CLASP in a fairly straightforward way, with a few exceptions


The Stages of Microsoft’s SDL

- 0: Education & Awareness
- 1: Project Inception
- 2: Define and Follow Design Best Practices
- 3: Product Risk Assessment
- 4: Risk Analysis
- 5: Creating Security Documents, Tools, and Best Practices for Customers
- 6: Secure Coding Policies
- 7: Secure Testing Policies
- 8: The Security Push
- 9: The Final Security Review
- 10: Security Response Planning
- 11: Product Release
- 12: Security Response Execution

Source: The Security Development Lifecycle, by Michael Howard and Steve Lipner


CLASP and SDL

- Direct mapping is tricky since SDL isn’t specified the same way as CLASP
  - Some Stages of SDL are activities, some are artifacts, and some are processes
- SDL contains lots more tactical advice from the MS trenches
  - CLASP is specified more prescriptively, with fewer open-ended ideas
- Timelines or impacts for SDL stages aren’t clearly defined
  - Makes it harder to plan for cost-effectiveness (SDL is expensive)
- Following the CLASP Competency roadmap for an ISV gives a roadmap that’s darn close to SDL


The Security Touchpoints

[Figure: diagram of the Security Touchpoints. Source: Software Security, by Gary McGraw]


CLASP and the Touchpoints

- The Touchpoints map almost exactly to CLASP
  - Several CLASP activities map to a single Touchpoint in some cases
- Touchpoints focus on the core of software development
  - CLASP aims to be a bit broader across an organization (including things like policy and awareness training)
- Touchpoints have a prescribed adoption order
  - CLASP varies this a bit in the Competency roadmaps according to the kind of business


The bottom line

- Whether it’s SDL, the Touchpoints, or CLASP, it’s all good
  - There’s really nothing that the three fundamentally disagree on
- The real question is what applies to your organization best and what you’re most comfortable with
- CLASP 2007 will contain a more detailed analysis and mapping of each


Additional Info


The OWASP CLASP Project

- Mission
  - Reinforce application security through prescriptive guidance that enables iterative improvement to any development model.
- Tactical Goals
  1. Getting a draft of CLASP 2007 out for review
  2. Updating the OWASP Wiki with the latest information and downloads
  3. Beefing up CLASP materials with more practical advice/suggestions
Get involved

- We need volunteers as reviewers and contributors
- Start by browsing the wiki pages for CLASP
  - The Roles and most of the Activities are the same
  - The Competency information will be up as soon as it’s ready for review
- Mailing list for discussions
  - owasp-clasp@lists.owasp.org


Pravir Chandra
chandra@cigital.com