
Your Guide to OWASP SAMM: Insights and Best Practices

The OWASP Software Assurance Maturity Model (SAMM) is a powerful tool for improving software security practices. It provides clear steps and a structured approach, enabling teams to assess their current security posture and build better strategies. Our OWASP SAMM Guidance page is here to help you make the most of this framework. It includes practical tips, expert advice, and useful resources to guide you through implementing OWASP SAMM in your organization.

NIST CSF vs OWASP SAMM

26 Sep | Categories: NIST, OWASP, Security

A comparison of NIST CSF 2.0 and OWASP SAMM

Updated: 13 December, 2024 (originally published 26 September, 2023). NIST has finalized the Cybersecurity Framework (CSF) 2.0. CSF 2.0 focuses on understanding, assessing, prioritising, communicating and, above all, reducing cybersecurity risks in organisations. CSF can be used to describe an organisation’s current as well as its target security posture. Organisations can also (in theory) compare their CSF scores with each other… wait a minute. I’ve heard that before! I bet you have as well, especially if you’ve read my blogs on OWASP SAMM. So, I’ve decided to dive deep and provide a comparison of the NIST CSF 2.0 and OWASP SAMM frameworks. Key takeaways: Security is a relative concept. Both CSF 2.0 and SAMM are risk-based approaches. Security is everyone’s job and communication is key in both frameworks. CSF and SAMM are focused on security, not compliance. CSF is broad and covers all types of cybersecurity risk an organisation may face. SAMM is […]

26 Apr | Categories: OWASP, Security

OWASP SAMM: Policy and Compliance

Updated: 1 November, 2024 (originally published 26 April, 2023). OWASP is the Open Worldwide Application Security Project. It is a non-profit foundation that works to improve the security of software. One of its most recognized contributions to the field of application security (AppSec) is the Software Assurance Maturity Model (SAMM). SAMM is an AppSec programme that provides organizations with an effective and measurable way to analyze and improve their secure software development lifecycle (SSDLC). The model is divided into five business functions, each of which is subdivided into three security practices. In this blog post we focus on the OWASP SAMM Policy and Compliance practice of the Governance business function: what it is, and how you can evaluate and improve your security posture in this practice using our management tool, SAMMY. Most importantly, we include insights from the OWASP SAMM Fundamentals Course, which is taught by Aram Hovsepyan. He is the[…]

23 Mar | Categories: AppSec, OWASP, Security

Enhancing SSDLC with OWASP SAMM: A Comprehensive Guide

Updated: 1 November, 2024 (originally published 23 March, 2023). In the dynamic digital realm, security is not a luxury; it’s an imperative. As software development evolves and applications grow more intricate, the risk of vulnerabilities and cyberattacks escalates. The Secure Software Development Lifecycle (SSDLC) is a systematic approach to embedding security into every stage of software development, safeguarding applications and protecting valuable data. This blog aims to shed light on the SSDLC, its importance, and how it can be implemented using the Open Worldwide Application Security Project (OWASP) Software Assurance Maturity Model (SAMM) application security (AppSec) programme. It also discusses how SAMMY can be used to manage the entire process, ensuring a secure and reliable software development lifecycle. Key Takeaways: Integration of security into software development through the SSDLC is crucial in the digital era, dramatically reducing vulnerabilities. OWASP SAMM’s structured framework significantly enhances SSDLC security,[…]


14 Jan | Categories: AppSec, OWASP, Security

How to Pick the Security Tools for your DevSecOps

Updated: 1 November, 2024 (originally published 14 January, 2023). Introduction to the security tool frenzy. “Invest in Outcomes, not Tools and Capabilities” – Paul Proctor, Gartner. Security tools are overrated. They are even starting to become part of the problem. Companies are looking to improve their security posture by introducing security tools. Typical DevSecOps security tools (e.g., SCA, SAST, DAST) are great at finding vulnerabilities. One can immediately “see” the added value of these tools by simply taking a free demo version for a spin. Hence, by bringing them in, companies can demonstrate measurable improvements to their security posture. Or can they? In my experience, security posture improvements driven by tools have really shaky foundations. It’s like ensuring personal health by relying solely on advanced medical equipment (MRI, heart rate monitors, blood test analyzers, etc.). First of all, the tools often have quality issues and high false positive rates. Thus we end[…]


05 Sep | Categories: AppSec, OWASP, Security

Security verification and stress testing with JMeter

Updated: 18 January, 2024 (originally published 5 September, 2022). Security verification is about validating that a system or application adheres to predefined security requirements or standards. There are many types of security verification activity, ranging from penetration testing to vulnerability scans by automated tools. One of the lesser-known types of security verification is stress testing. Stress testing is part of what the Software Assurance Maturity Model (SAMM) calls Misuse/Abuse testing. Misuse/Abuse testing aims to detect unexpected design flaws and implementation bugs by focusing on so-called negative tests that try to “break” something in the system. Wait, but isn’t stress testing mainly about testing the scalability of the system? Well, it is! However, availability is one of the core security qualities, alongside confidentiality and integrity. Hence, stress testing is an inherent part of security verification testing. In this blog we present our insights from implementing stress testing at Codific. We also[…]


09 Jun | Categories: OWASP, Security

OWASP SAMM: Education and Guidance

Updated: 1 November, 2024 (originally published 9 June, 2022). Ever heard the saying “our team is our greatest asset”? I’d dare to say that this is rule number 1 through 10 if you are running a company. Any company! Well, except for a one-man show (where this is self-explanatory and you don’t really need a rule)! Thus security training and organizational culture are the pillars of your SDLC programme. Unless you are just trying to check the boxes, this security practice should get the highest priority in your SAMM implementation roadmap. In this blog series, we present how Codific implements OWASP SAMM. In each blog we focus on a specific security practice and highlight the processes and tools we use to achieve a certain maturity level. If you would like to learn more about OWASP SAMM, take our free SAMM training. My journey in application security (AppSec) started almost 20 years ago[…]


24 May | Categories: OWASP, Security

OWASP SAMM: Secure Architecture

Updated: 18 January, 2024 (originally published 24 May, 2022). Secure architecture in a nutshell: the Secure Architecture practice focuses on security during the architectural design of the software system. The essence of this practice is to leverage proven patterns and principles, both for the architectural solution and for its technological implementation. On top of that, you should ideally revisit the reference solutions, update them, and propagate the changes back to your software systems in production. This practice is an essential step towards being able to claim security by design. In this blog series, we present how Codific implements OWASP SAMM. Obviously, describing all the details is out of scope, especially for this practice. We will, however, present a high-level overview and describe some of the tools we leverage to achieve a specific maturity level. If you would like to learn more about OWASP SAMM, check out our free SAMM training. My journey[…]


26 Apr | Categories: OWASP, Security

OWASP SAMM: Pragmatic Threat Modeling Best Practices

Updated: 22 May, 2024 (originally published 26 April, 2022). Threat modeling yields the highest return on investment of anything in your application security program. Even if your current security posture is close to a zero OWASP SAMM score, you should start with threat modeling. Contrary to what many might think, threat modeling is neither difficult nor time-consuming. It is by far the most underrated security practice out there. Intro: In this blog series, we present how Codific implements OWASP SAMM. We focus on a specific security practice in each blog and highlight the processes and tools we use to achieve a certain maturity level. If you want to learn more about OWASP SAMM, consider taking the free SAMM training. Extract from the OWASP SAMM Fundamentals training. My journey in application security (AppSec) started almost 20 years ago at the DistriNet research lab of the University of Leuven. Back[…]


11 Apr | Categories: OWASP, Security

OWASP SAMM: Secure Build

Updated: 18 January, 2024 (originally published 11 April, 2022). The secure deployment of your software is a central piece of your secure software development life cycle. In this blog series, we present how Codific implements OWASP SAMM. In each blog we focus on a specific security practice and highlight the processes and tools we use to achieve a certain maturity level. If you want to learn more about OWASP SAMM, consider taking the free SAMM training. Extract from the OWASP SAMM Training. Find out more about all the things the Codific team does at OWASP. My journey in application security (AppSec) started almost 20 years ago at the DistriNet research lab of the University of Leuven. Back in the day, secure software development was more of a hobby driven by a handful of experts. AppSec took its place under the spotlight with the release of the Microsoft Security Development Lifecycle. However, it was[…]

Why Choose OWASP SAMM?

Using OWASP SAMM can help you pinpoint weak spots in your software development process and uncover actionable ways to improve. The framework is structured to assess your current practices, provide clear benchmarks, and guide you toward a more secure development lifecycle. Whether you’re just starting with OWASP SAMM or aiming to refine an existing approach, our OWASP SAMM Guidance delivers the tools and insights you need.

Unlock Additional Resources

Our guidance connects you to a wealth of additional resources, including best practices for secure design, development, and deployment. Internal links throughout this page direct you to case studies, practical tips, and related articles. By exploring these, you can expand your knowledge and implement improvements step by step.

How SAMMY Supports OWASP SAMM

By following OWASP SAMM guidance, your team can build stronger, more secure software. The framework is also supported by SAMMY, our SAMM management tool. SAMMY implements the OWASP SAMM model to simplify security assessments and streamline the improvement process, making it a practical choice for organizations that want to raise their security posture quickly and measurably.

Take the Next Step

Start your journey today and discover how OWASP SAMM and SAMMY can transform your development processes. With the right tools and guidance, you can ensure your software meets high security standards. Dive into our related content to explore practical steps for integrating SAMMY into your OWASP SAMM journey. Together, the framework and the tool help you protect your software and strengthen your security posture.
