February 18, 2023

Last Updated on January 15, 2024

The cybersecurity industry has transformed enormously in the past 10 to 20 years, as has software engineering. But the point of intersection among these two hyper-innovative disciplines—web application security—has been a comparative laggard. Many Dev teams still perform little to no AppSec. And many apps still ship with significant undetected vulnerabilities. No wonder demands by customers and regulators for better security are escalating.

How mature are most orgs’ AppSec programs today? And how might your business compare?

To address that question and discuss a path to improve the situation leveraging OWASP SAMM (for Software Assurance Maturity Model), a recent episode of The Virtual CISO Podcast features Sebastien Deleersnyder, Co-founder and CTO at Toreon and a long-time SAMM contributor. The show’s host is John Verry, Pivot Point Security CISO and Managing Partner.

Where are AppSec leaders today

Through OWASP and at Toreon, Sebastien has helped many Dev teams assess their current security practices and develop roadmaps for improvement. According to Sebastien, among the security-conscious subset of companies that seek his services, he generally sees “as-found” maturity levels between 1 and 2 on the OWASP SAMM scale, which goes from 0 (doing nothing) to 3 (successful and continuously improving). A 1-to-2 rating means

Similarly, as part of OWASP’s SAMM Benchmark project over 160 organizations have taken a survey on their software security practices. Among this presumably more advanced/aware group, the self-reported average maturity based on the SAMM model was between 1 and 2. At that level, teams are measuring and monitoring security practices in the SDLC, with varying degrees of consistency/efficiency.

But what about orgs that never heard of OWASP? John connects with many such companies. “Sub-1 is not an unusual circumstance,” John relates.

AppSec maturity can also fluctuate among the five SAMM domains: design, implementation, verification, operations, and governance. For example, startups and SMBs are more likely to have greater maturity in their implementation and verification areas, such as secure build. Whereas enterprises, having stronger process maturity overall, do better on governance (e.g., having KPIs to measure AppSec results) than on DevOps functions.


What’s next?

To hear this podcast episode with application security expert Sebastien Deleersnyder in its entirety, click here.

Want more reasons why your company needs an AppSec strategy?: It’s Hard to Spell Security with API (Translation: You Need an AppSec Strategy)

OWASP ASVS Controls Checklist

Download Pivot Point Security OWASP ASVS Controls Checklist.