Implementing SAMM - Zebra Technologies uses SAMMY to implement OWASP SAMM

09 Dec

This is the success story of how Zebra Technologies works with SAMMY and Codific to implement OWASP SAMM.

“Spreadsheets are not the way to manage large organizations, you need a solid tool,”

Dr. Jasyn Voshell, director of product security at Zebra Technologies

From logistics to robotics to healthcare, across 8 major industries and in 128 countries, Zebra Technologies is the best in class. Cutting edge technology and smart analytics are core to their business of keeping everything and everyone visible, connected and optimized.

What is OWASP SAMM?

As the readers of this blog now know, OWASP SAMM is the best model to manage your security posture. SAMM covers 5 business functions split over 15 security practices containing a total of 90 security activities. It is an exhaustive and prescriptive list of things you need to do as an organization to measure and improve your application security programme, spread over three maturity levels. Tangible management of your security posture will lay the groundwork for certifications such as ISO27001 and compliance with standards such as NIST SSDF. Under SAMM, the output of the efforts is an improved security posture, the byproduct is compliance. It is the ideal model for executives who want to systematically manage security risk across their organization, rather than the “check boxes and pray” driven compliance approach.

OWASP SAMM: Software Assurance Maturity Model

The executives at Zebra Technologies immediately realized the power of the model. They started implementing it, but soon realized that at a large scale they needed a dedicated tool to manage the process.

What is Codific’s role in OWASP SAMM?

In the OWASP community, the CEO of Codific, Dr. Aram Hovsepyan, is a core member of the intellectual team behind the SAMM model. Meanwhile, Codific is working on a free-to-use OWASP SAMM management tool called SAMMY. Our vision is to leverage the model and turn it into an iterative improvement process with different roles and responsibilities allocated per activity. Zebra was the first major organization to see the power of the SAMMY tool and to provide Codific with suggestions and user stories guiding the product roadmap. Thus the newest dedicated version of the tool became well fitted for the complex environment of large multinational organizations.

We are now a few months down that road; the relationship between Zebra and Codific is blossoming, and other large organizations are starting to notice SAMM and SAMMY.


“Codific’s team goes above and beyond expectations and its intricate expert knowledge of SAMM helps us better understand and implement it.” – Dr. Voshell

What are the challenges in implementing OWASP SAMM?

OWASP SAMM is a prescriptive model that is technology, process, and organization agnostic. The model fits any software development process, industry or environment. However, because of that, the prescriptive guidance is very high-level by design. Thus there are two major considerations per activity that the model users need to address in order to set up an efficient application security programme:

  1. How can we practically implement this activity for our environment (by environment we refer to the tech stack, development process, tooling, etc.)?
  2. How should we prioritize the different activities and improvements? There are 90 activities in SAMM, and trying to boil the ocean is not sensible.

Practical Implementation Guidance for OWASP SAMM

The OWASP SAMM core team has been discussing the best way to provide practical guidance per activity and per industry. As the possibilities are broad, providing up-to-date guidance for any specific setup is challenging and not even realistic. However, there are some relatively high-level guidelines in the works. The guidance is expected to be largely community driven, but curated by the core team. Many of the guidance elements per activity are readily available in other OWASP projects, and those will be mapped to SAMM activities.

On the other hand, for many organization-specific details the expertise comes from within the organization. Hence, for large organizations the sweet spot is to combine the internal and the external experts. The internal experts know everything about the environments; the external experts are SAMM experts and will help mold the process. Together they can define the practical implementation and the improvement roadmap. The OWASP SAMM project provides a list of practitioners that can assist with SAMM assessments and the implementation of SAMMY. Codific is that external expert for Zebra.

Dr. Voshell: “From a company perspective, Codific is able to pivot quickly to work to our needs at our speed. They do not feel like a vendor but an extension of our team.”

Figure: the SAMMY workflow diagram.

Prioritization in OWASP SAMM

Prioritization is the second key aspect of a successful implementation of SAMM. No organization should aspire to have the maximum maturity level in all activities; this would be prohibitively expensive. Instead, activities are weighted and prioritized based on factors such as risk, impact and cost. To this end, SAMMY has developed weighted prioritization metrics that support the structured and consistent prioritization of activities across large and small organizations. This is a core feature of SAMMY that will be further built upon in the future SAMMY roadmap. The experience with Zebra has helped to define the prioritization mechanisms.
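To make weighted prioritization concrete, here is an added example (not SAMMY's own code; the activity subset, the risk/impact/cost ratings and the factor weights are assumptions) that scores activities by weighted risk and impact per unit of effort and builds a roadmap under an effort budget. It goes one step beyond the text by also enforcing that SAMM maturity levels within a stream are reached in order, so a level 2 activity only becomes a candidate once level 1 is achieved.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Activity:
    practice: str   # SAMM security practice, e.g. "Security Testing"
    stream: str     # stream within the practice ("A" or "B")
    level: int      # SAMM maturity level: 1, 2 or 3
    risk: float     # assumed 1-5 rating: residual risk while the activity is missing
    impact: float   # assumed 1-5 rating: posture improvement once it is done
    cost: float     # assumed effort in person-days


# Constructed sample slice of an assessment; not real Zebra data.
ACTIVITIES = [
    Activity("Security Testing", "A", 1, risk=5, impact=4, cost=10),
    Activity("Security Testing", "A", 2, risk=4, impact=4, cost=30),
    Activity("Security Testing", "A", 3, risk=2, impact=3, cost=60),
    Activity("Secure Build", "A", 1, risk=4, impact=3, cost=5),
    Activity("Secure Build", "A", 2, risk=3, impact=3, cost=40),
    Activity("Threat Assessment", "A", 1, risk=5, impact=5, cost=20),
    Activity("Incident Management", "A", 1, risk=3, impact=2, cost=15),
]

WEIGHTS = {"risk": 0.6, "impact": 0.4}  # assumed weighting of the factors


def priority_score(activity, weights=WEIGHTS):
    """Benefit per unit of effort: weighted risk and impact divided by cost."""
    benefit = weights["risk"] * activity.risk + weights["impact"] * activity.impact
    return benefit / activity.cost


def eligible(activities, current):
    """Only the next level of each stream is a candidate: SAMM levels build on each other.

    `current` maps (practice, stream) to the maturity level already achieved (0 if absent).
    """
    return [a for a in activities if a.level == current.get((a.practice, a.stream), 0) + 1]


def plan_roadmap(activities, current, budget):
    """Greedy roadmap: repeatedly pick the best-scoring eligible activity that still fits the budget.

    Returns the ordered list of chosen activities and the unspent effort.
    """
    current = dict(current)  # do not mutate the caller's assessment state
    plan, remaining = [], budget
    while True:
        candidates = [a for a in eligible(activities, current) if a.cost <= remaining]
        if not candidates:
            return plan, remaining
        best = max(candidates, key=priority_score)
        plan.append(best)
        remaining -= best.cost
        current[(best.practice, best.stream)] = best.level  # unlocks the next level in that stream
```

With `plan_roadmap(ACTIVITIES, {("Secure Build", "A"): 1}, 60)` the roadmap picks Security Testing level 1, Threat Assessment level 1 and Incident Management level 1, leaving 15 person-days: Secure Build level 2 never fits the remaining budget and Security Testing level 3 is never unlocked.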

SAMM is the conceptual map on which to draw your risk management strategy. It can visualize where you are and where you want to be. SAMMY is the easiest and most powerful way to implement SAMM.

Dr. Voshell: “SAMMY allows us to have an accurate consistent source of truth.”

Codific and the other experts in the OWASP community are here to help at every step of the way.

Dr. Voshell: “Codific is a great company to partner with.”

The Future of Appsec

What will the future of security management bring?

Zebra is an early adopter in the new world where security management complexity is managed with adequate models and tools. We actually know the future. Not the nitty-gritty details, but we do know that the future will bring at least these three things: more threats, more complexity, and more regulations. Excel sheets and compliance checklists will crumble under the increased complexity. There is a shift from compliance-driven security management to risk-driven security management. The answers to the complex challenges of tomorrow lie in integration with ecosystems of experts, such as OWASP, who continuously update us and our systems with the answers to the latest threats. Those who position themselves early will triumph; those who are late to adapt will scramble putting out fires day after day. Which one do you want to be?

How can we get started with SAMM and SAMMY?


If you are entirely new to SAMM, you should start by studying the model. Once you feel ready for your first SAMM assessment, you can use the free SAMMY tool to help you in the process. From there you can start using the other process-oriented features of SAMMY, such as role assignment, prioritization and roadmaps.

If you are a large organization and you would like a dedicated system with a service level agreement (SLA), or you want assistance with an assessment or audit, please reach out to us. We are super excited to help more organizations on this journey to build a simple and safe digital future.

Do you have questions?

Check out more success stories!

14 Sep

Improving medical education with Videolab - RadboudUMC

Following a successful pilot in 2019, Radboud University Medical Center, the teaching hospital affiliated with the Radboud University Nijmegen, has chosen Codific’s Videolab within their Health Academy programme. They believe this will help in improving medical education.

RadboudUMC Health Academy is the education and training institute for everyone who works in healthcare. Videolab is a platform for developing soft skills and empathy in healthcare providers during and after their medical education and specialisation education.

“We aim to be pioneers in shaping the health care of the future. We do this in a person-centered and innovative way. Clinical communication skills training is an important part of the curriculum in medical school. To give interns and residents in practice the opportunity to receive feedback on their clinical communication skills, we have purchased Videolab.” – C. Lommen, Policy Advisor of the Educational Program at RadboudUMC

E. Rasenberg, Communication Coordinator of the Educational Program, added that “The system is GDPR compliant from recording to asking and receiving feedback and is very easy to use. This makes the system very suitable for use with large groups of interns and residents”.


E. Rasenberg
Communication Coordinator of the Educational Program

Videolab has proven added value as an effective tool for training, among other things, empathy and communication skills for students and trainees. Our product is an end-to-end secured tool designed and developed with privacy and security by design. On top of that, Codific has a talented team that is ready to assist our customers with additional customisations, integrations, and above all premium customer support. Videolab provides the following benefits to RadboudUMC Health Academy, helping to improve their medical education:

  • Simple and safe multimedia recording.
  • Selective multimedia sharing with peers and supervisors.
  • Time-specific fragment feedback.
  • Systematic feedback based on dynamic evaluation forms.
  • Integrations with the Dutch identity provider SURFConext and the e-portfolio platform Scorion.
  • Military-grade security with end-to-end transport and storage security.
  • Digital Rights Management for the multimedia content enforced by Codific’s Secure Vault.

RadboudUMC in numbers: 2224 medicine (bachelor and master) students; 11143 employees.

About Radboud University Medical Center

Radboud University Medical Center specializes in patient care, scientific research, teaching and training in Nijmegen. Its mission is to have a significant impact on health care. They aim to be pioneers in shaping the health care of the future and do this in a person-centered and innovative way. RadboudUMC combines patient care, research, and scientific training. It is one of the largest and leading hospitals in the Netherlands, providing supraregional tertiary care for residents of a large part of the eastern section of the Netherlands, and it is rated among Europe’s top 30 research institutes. There are about 18,000 universities worldwide, with Radboud University ranking among the best of them. According to ARWU (Academic Ranking of World Universities), Radboud University was positioned 104th worldwide in 2019.

Do you need secure video sharing for your organization?

Check out the success stories of other universities using Videolab to improve their medical education!

14 Sep

Maastricht University’s General Practitioner (GP) training program is the stepping stone for any doctor who has completed their fundamental medical training. Within the program they focus heavily on digitalized student learning processes, through coaching and evaluation using video observation and feedback.

The problem

Due to the sensitive information recorded in the training videos Maastricht University was looking for a safe, robust and closed system. Additionally, this system should allow them to upload, share, and comment upon the uploaded videos.

Before implementing Videolab, the university was using physical data carriers, which made the process expensive, slow, prone to human error and, most importantly, insecure. Moreover, the process in place required a certified courier to transport the USB sticks from the GP to the lecturer and back. This made the process not only slow but also hard to scale. Therefore, this procedure hampered the university’s ability to use digitalized student learning processes.

Maastricht University was looking for a solution that is highly automated, reliable, fast in its upload speed, easy to use for students and lecturers, and available across the whole university.


“We were looking for a safe way to digitally exchange material between lecturers and GPs without requiring active intervention from our organization at each step.”

The solution

Maastricht University worked along with Codific to integrate Videolab and digitize the process. This lowered overall operating costs by eliminating the need for physical data carriers and couriers, and allowed the university to run more affordable and efficient digitalized student learning processes.

Ramona G., professor at the Faculty of Health, Medicine and Life Sciences, is working on streamlining the processes of secure and easy video sharing in Maastricht’s GP training. She was quite excited to share with us that the system is intuitive enough that no training is required to use it.

“Exchanging recordings is fast and safe, requiring the minimal amount of steps. There is also a very practical feature to tag a moment in the recording and annotate feedback.”

Ramona G., teacher at the Faculty of Health, Medicine and Life Sciences at Maastricht University

Update!

Recently, the University of Maastricht chose Codific in a public tender to increase the use of Videolab and Cloudcontrol in its organisation. This new deployment will be used much more widely across the organization for different training and simulation purposes, as well as being deeply embedded in the skills lab, eliminating the need for expensive recording and debriefing hardware. Once again, Codific is helping Maastricht to improve its digitalized student learning.

Do you need secure video sharing for your organization?

Check out the success stories of other universities that use digitalized student learning through Videolab!

14 Sep

Amsterdam UMC is an academic medical centre that is part of the Universiteit van Amsterdam. The general practitioner (GP) training of Amsterdam UMC trains nearly 100 new GPs every year. The GPs in training (GPITs) learn and work in a local medical center and attend one day of training at AMC per week. Performing patient consultations is a key competence for GPs, which is why GPITs receive intensive training on these skills. Practice and feedback are a powerful learning method to ensure that GPITs are trained to the highest standard. To do this, GPITs need to be able to share recordings of their consultations with each other, with their mentors and with their evaluators. For this, secure video sharing is essential due to the strong privacy concerns that exist when dealing with medical patients.

Amsterdam UMC in numbers: over 7000 people work here to provide integrated patient care, fundamental and clinical scientific research, and teaching; 2300 medical students, 120 medical informatics students, and hundreds of trainee nurses, paramedics, and other students.

Why is secure video sharing necessary?

“Obviously we want to handle recordings where patients can be seen with impeccable care. That is why we were looking for a system where these recordings can be shared whilst guaranteeing the safety.”

When it comes to file and data management in universities, security is perhaps one of the most important factors to consider when integrating any software system. In the case of Amsterdam UMC, security is an even higher priority, since the university relies heavily on video content for their medical students to learn and practice. These videos often contain sensitive information that must be well protected. This is where Videolab comes in to ensure secure video sharing.

Adoption process

“What is the one critical success factor of VideoLab for your organisation?”
– “Mainly the trust in the security of the system. And it just has to work.”

The adoption started with the lecturers that were willing to try it and has gradually spread across the organization to ultimately become an integral part of the education plan. The management team of Amsterdam UMC worked with the Codific team to fine-tune the solution in full alignment with the educational program.

“Videolab has become an integral part of the education”


Videolab’s success

Judith G. is an education advisor on ICT at Amsterdam UMC. She highlights that Videolab, together with the learning management system, has become core digital infrastructure for the organization. The clear added value of Videolab has convinced everyone, from the early adopters to those most sceptical of change.

Judith G., Amsterdam UMC
Advisor education and ICT

“I notice that, now that the system is an integral part of our education, the slow adaptors have also gotten used to it. Videolab is a secure system, but nonetheless users still have a responsibility to act with diligence. I recommend that, additional to the technical implementation, respect for privacy be an integral part of organizational culture.”

Do you need secure video sharing for your organization?

Check out the success stories of other universities that use Videolab for secure video sharing!