April 5, 2023

Last Updated on January 12, 2024

If you’re ready to start planning web application security (DevSecOps) processes, what open standards and frameworks can help?


André Keartland, Solutions Architect at Netsurit, recommends starting with the Open Web Application Security Project (OWASP). Their publications include the famous OWASP Top 10 web application security vulnerabilities, the Software Assurance Maturity Model (SAMM), the Application Security Verification Standard (ASVS), and many others.

OWASP SAMM is particularly good for assessing current processes and charting a path to improvement while measuring progress. It gives you a framework of practices to compare against, as well as goals to aim for.


Helping with compliance

Because they often include mappings to established cybersecurity standards like NIST 800-218 (the Secure Software Development Framework) or ISO 27001, SAMM and other OWASP guidance can simplify meeting compliance requirements. This is especially valuable for the many organizations that now need to attest to compliance with NIST 800-218 in order to sell software to the US government.


Benefits of a maturity model

The idea behind a maturity model is that it supports continuous improvement. For example, OWASP SAMM’s organization and structure reflect the reality that most teams advance application security in stages over time. DevSecOps doesn’t usually happen overnight.


André explains: “With a classic maturity model [like SAMM], you start off by asking, ‘Where am I? What do I have? What is the state of my security?’ Then set a target. ‘Where do I want to be?’ And then build a program to get from where you are to where you want to be. And measure your progress along the way.”

“You’ll never build a security culture in an organization in a year. You need to start breaking it down and saying, ‘What do I do this quarter? Next quarter? Quarter after that? What do I do next year, and the year after that?’ Then you follow that program and you need to measure as you go along. OWASP SAMM is one of the models that’s useful for that,” summarizes André.


What’s next?

For more guidance on this topic, listen to Episode 114 of The Virtual CISO Podcast with guest André Keartland from Netsurit.