Secure software development with SAMM: Secure Build

The secure build of your software is a central piece of your secure software development life cycle.

In this blog series, we will present how Codific implements OWASP SAMM. In each blog we focus on a specific security practice and highlight the processes and tools we use to achieve a certain maturity level.

My journey in application security (AppSec) started almost 20 years ago at the DistriNet research lab of the University of Leuven. Back then secure software development was more of a hobby driven by a handful of experts. AppSec took its place under the spotlight with the release of the Microsoft Security Development Lifecycle. However, it was the Open Web Application Security Project (OWASP) that pushed secure software development into the mainstream. Two decades later there are over 100 active OWASP projects that include code, software, reference material, documentation, tools and community, all working to secure the world’s software. One of these projects is the Software Assurance Maturity Model (SAMM). SAMM is an open framework that helps organizations formulate and implement a software security strategy tailored to the specific risks facing the organization. SAMM is both the map and the itinerary in your security journey.

OWASP SAMM (OWASP Software Assurance Maturity Model)

Implementing SAMM Secure Build

In this blog I will discuss how Codific implements the low-hanging fruit in SAMM, namely the Secure Build practice. The Secure Build (SB) practice emphasises the importance of building software in a standardised, repeatable manner, and of doing so using secure components, including third-party software dependencies. SB consists of two streams:

  • The Build Process stream advocates fully automating the build process and adding automated security checks such as SAST and DAST to gain further assurance and to flag security regressions early, for example by failing the build.
  • The Software Dependencies stream acknowledges the prevalence of software dependencies in modern applications. It aims to identify them and track their security status in order to contain the impact of an insecure dependency on an otherwise secure application.

Implementing both streams is largely supported by tools that are relatively easy to integrate into our secure software development process. The tools we leverage are GitLab CI/CD, SonarCloud, Debricked and SAMMY.

Secure Build -> Build Process

Our build process is fully automated using GitLab CI/CD. When a merge request in our code repository is approved, GitLab CI/CD is triggered automatically and starts by running the SonarCloud SAST tool and a set of regression unit tests in parallel. SonarCloud analyses the source code and detects a very broad spectrum of code quality and security issues. Depending on the severity of these issues and the configured quality gate, SonarCloud issues warnings or fails the build pipeline. The regression unit tests include various security tests, typically covering the OWASP Top 10 categories Broken Access Control, Injection, and Identification and Authentication Failures.

Our GitLab CI/CD pipeline with security checks

Secure Build -> Software Dependencies

Debricked is an SBOM/SCA tool that creates a list of the dependencies used by the web application we are developing and tracks their known vulnerabilities. We have integrated Debricked in our CI/CD pipeline as well: vulnerabilities with a high severity score fail the build pipeline. In addition to security vulnerabilities, Debricked also analyses the dependencies for license risks.
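To make the two streams concrete, here is an added example of a GitLab `.gitlab-ci.yml` that wires them together the way the two sections above describe: SAST and regression tests in parallel, with a SonarCloud quality gate that fails the pipeline, followed by an SCA stage that fails on high-severity dependency vulnerabilities. This is illustrative code written for this post, not Codific's actual pipeline configuration (which the post does not show). The variable names (`SONAR_ORG`, `SONAR_PROJECT_KEY`, `DEBRICKED_TOKEN`), the `make test` target, the JUnit report path and the Debricked CLI image tag and exit behaviour are assumptions; the `sonar-scanner` properties and the `GIT_DEPTH`/`entrypoint` settings are the ones SonarCloud documents for GitLab.

```yaml
# .gitlab-ci.yml -- illustrative example for this post, not Codific's pipeline.
# Assumed CI/CD variables (set as masked variables in the GitLab project):
#   SONAR_TOKEN, SONAR_ORG, SONAR_PROJECT_KEY   -> SonarCloud
#   DEBRICKED_TOKEN                             -> Debricked

stages:
  - verify        # SAST and regression tests run in parallel
  - dependencies  # SCA / SBOM, only reached if every verify job passed

# Run the pipeline for merge requests and for the default branch.
workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

sast:sonarcloud:
  stage: verify
  image:
    name: sonarsource/sonar-scanner-cli:latest
    entrypoint: [""]
  variables:
    GIT_DEPTH: "0"      # full clone so SonarCloud can attribute new code
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"
  cache:
    key: "${CI_JOB_NAME}"
    paths: [.sonar/cache]
  script:
    # sonar.qualitygate.wait=true makes the scanner wait for the quality gate
    # result and exit non-zero when the gate fails, which fails this job and
    # therefore the whole pipeline (blocker/critical findings never get merged).
    - sonar-scanner
        -Dsonar.host.url=https://sonarcloud.io
        -Dsonar.organization="${SONAR_ORG}"
        -Dsonar.projectKey="${SONAR_PROJECT_KEY}"
        -Dsonar.qualitygate.wait=true
  allow_failure: false

test:regression:
  stage: verify
  # Use your language's toolchain image here (omitted: assumption-free).
  script:
    # Assumed target: runs the unit tests, including the security regression
    # tests for access control, injection and authentication.
    - make test
  artifacts:
    when: always
    reports:
      junit: reports/junit.xml   # assumed path written by the test runner

sca:debricked:
  stage: dependencies
  image:
    name: debricked/cli:latest   # assumption: image tag and entrypoint
    entrypoint: [""]
  script:
    # Uploads the manifest and lock files so the dependency tree and its
    # vulnerabilities are resolved server-side; DEBRICKED_TOKEN is read from
    # the environment. The "fail the pipeline when a dependency has a
    # high-severity vulnerability" threshold is not a CLI flag here: it is an
    # automation rule configured in Debricked, and the scan is assumed to exit
    # non-zero when such a rule fires (check your CLI version's documentation).
    - debricked scan
  allow_failure: false
```

Two design points matter more than the exact syntax. First, both `verify` jobs keep `allow_failure: false`, so a failed quality gate or a failing security regression test blocks the merge rather than merely decorating it with a warning. Second, the SCA stage comes after `verify`, so a pipeline only ever reports "green" when the code, its tests and its dependencies all passed; if you would rather get dependency findings even when a unit test fails, give `sca:debricked` a `needs: []` clause so it runs independently.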

SCA with Debricked

Manage your SAMM using the SAMMY tool

SAMMY is a SAMM management tool developed by Codific. We use SAMMY to manage our SAMM posture and to plan our improvements in terms of application security.

SAMMY tool dashboard

Summary

In this blog we have presented how Codific implements the Secure Build practice. Secure Build is relatively easy to implement if you are developing web applications: it largely boils down to using the right set of tools. We leverage GitLab CI/CD, SonarCloud and Debricked to tackle both Secure Build streams. We also leverage SAMMY, our own SAMM management tool, to track each security practice in a systematic way.

What are the things we build with SAMM and SAMMY?

Codific is a team of security software engineers that leverage privacy-by-design principles to build secure cloud solutions. We build applications in different verticals such as HR-tech, Ed-tech and Med-tech. Secure collaboration and secure sharing are at the core of our solutions.

Videolab is used by top universities, academies and hospitals to put the care in healthcare. Communication skills, empathy and other soft skills are trained by sharing recordings of patient interviews for feedback.

SARA is used by top HR-Consultants to deliver team assessments, psychometric tests, 360 degree feedback, cultural analysis and other analytical HR tools.

SAMMY is a Software Assurance Maturity Model management tool. It helps your organization assess and improve its security posture. That way, other companies can help us build a simple and safe digital future. And we of course use it ourselves for all our applications, including SAMMY.

We believe in collaboration and open innovation, and we would love to hear about your projects and see how we can contribute to developing secure software and privacy-by-design architectures. Contact us.

April 2022