February 15, 2023

Last Updated on January 15, 2024

Cybersecurity tools and techniques constantly evolve at a rapid pace in response to relentlessly escalating attacks. Yet web application security practices still lag—and hackers continue to exploit longstanding vulnerabilities. How can web application security catch up with the pace of modern software development and claim its rightful place in the software development lifecycle (SDLC or SDL)?

Sebastien Deleersnyder, Co-founder and CTO at Toreon, explains how the OWASP Software Assurance Maturity Model (OWASP SAMM) can help Dev teams build an effective AppSec process that moves at the speed of DevOps.

Join us as we discuss:

  • The biggest challenge Dev teams face when trying to launch an AppSec program
  • Using OWASP SAMM to assess your current application security process and identify “quick wins” to move forward
  • Leveraging OWASP SAMM alongside other cybersecurity frameworks like ISO 27001 and NIST 800-218

 

Getting to “Secure by Design”

The philosophy behind web application security centers on building security into the software development lifecycle, starting with the design process. But how does that look in today’s highly complex and fast-paced DevOps scenarios?

“That’s really our biggest challenge—how can we keep up with the speed of software development?” asks Sebastien. “The only way … is to align your [AppSec] activities with the development activities themselves. There is no magical dust that we can sprinkle over the software or an on/off button at the end to say, ‘Let’s switch on the security aspect.’ There is no silver bullet for that.”

Instead, teams need to think about how they’re creating software, and which phases of the development process are most amenable to integrating security.

Starting with OWASP SAMM for assessment

OWASP SAMM is designed to help teams assess their current application security posture and make a best-practice plan to move ahead.

“[SAMM] is a maturity model because it allows organizations to understand where they are and how they can improve in terms of maturity,” Sebastien explains.

For most orgs, improving AppSec maturity is an iterative process that won’t happen overnight. AppSec activities also need to align with an application’s risk profile and with business needs (e.g. customer demands or compliance drivers).

“Most importantly, SAMM helps you to measure those security activities that are part of your SDL,” notes Sebastien. “And once you can measure them, you can manage them. That’s the whole philosophy of the model.”

Where are most orgs today with application security maturity?

Both at Toreon and through OWASP, Sebastien has broad experience helping Dev teams with assessments and roadmaps. Among forward-looking orgs that are seeking these services, he usually sees maturity levels between 1 and 2 on the OWASP SAMM scale, which goes from 0 to 3. Likewise, in a recent OWASP survey of over 160 organizations, the self-reported average was between 1 and 2.

But what about orgs that have never heard of OWASP, such as many of the companies John connects with? “Sub-1 is not an unusual circumstance,” John relates.

AppSec maturity can also vary across the five SAMM domains: governance, design, implementation, verification, and operations. Sebastien finds that SMBs are more likely to have greater maturity in their implementation and verification areas, while enterprises are stronger on governance.

Don’t dump security on the developers

A point Sebastien emphasizes is that the target audience for OWASP SAMM is generally not developers, but whoever is responsible for driving the AppSec program.

“The worst way that you could do an assessment is send the spreadsheets towards your development teams and say, ‘Hey, can you do this self-assessment?’” advises Sebastien. “That’s not really going to work.”

The right way to proceed is with workshops and interviews, so you can get a solid understanding of what teams are actually doing. This will help you identify “quick wins” where you can make rapid progress based on current practices.

Using OWASP SAMM with other cybersecurity standards

As directed by President Biden’s “cybersecurity executive order” 14028 from May 2021, the US federal government has begun taking steps to mandate compliance with the NIST Secure Software Development Framework (SSDF), SP 800-218. In September 2022, the Office of Management and Budget (OMB) issued a memorandum requiring agencies to obtain a self-attestation or conformance statement from software producers before using any third-party software.

For software vendors looking to validate and attest to NIST 800-218 conformance, OWASP SAMM can help significantly as it cross-references heavily with the SSDF.

“The great thing about SAMM is it’s a maturity model,” Sebastien states. “That’s where we can help an organization that’s already doing SAMM to map that onto not only the SSDF, but also onto other frameworks as well.”

For example, SAMM also maps onto ISO 27001, which is increasingly important for SaaS vendors in many industries. In its most recent (2022) version, ISO 27001 is also more focused on AppSec. According to Sebastien, more firms seeking ISO 27001 certification are slotting in SAMM as the application security component of their ISMS.

What’s next?

To listen to the full podcast episode with Sebastien Deleersnyder, click here.

Learn more about OWASP SAMM in: OWASP SAMM’s 5 Business Functions Unpacked
