
Securing the Software Development Lifecycle with OWASP SAMM

Inge Mationschek

Over the last few years, energy companies have become a prime target for both cyber criminals and cyberwarfare operations. In 2022, in response to this ramp-up in attention on the energy sector’s digital infrastructure, the International Energy Forum urged new energy projects to consider cyber resilience from the start.

Here at Essent, one of our core values is continuous improvement, and we apply it to our cyber resilience as well. A large part of our security posture is determined by our ability to securely develop, deploy and maintain our software. The first step we took towards increasing this resilience was therefore to measure how mature the security practices in our software development lifecycle (SDLC) are.

MEASURING MATURITY

To help us measure the maturity of our current security practices, and identify the less mature ones, we used the assessment of the OWASP Software Assurance Maturity Model (OWASP SAMM). SAMM is a flagship project of the OWASP Foundation with a strong community that supports and improves the model.

The model is composed of 15 security practices grouped into five business functions that occur in most larger organizations developing software. Each business function comprises three security practices (pictured below). For example, the Governance business function is made up of the security practices Strategy & Metrics, Policy & Compliance, and Education & Guidance.


SAMM version 2.0 – Source OWASP SAMM

Each security practice is organized into two streams, each a set of activities divided into three maturity levels. Typically, activities at the lower maturity level (maturity level 1) are easier to execute than the more formalized activities at the higher maturity levels (maturity levels 2 and 3).

Maturity Score Overview


ASSESSMENT RESULTS

Using SAMM’s assessment tools we interviewed 33 people with knowledge of different areas of the SDLC and used their answers to complete several assessments of different technology communities. A technology community provides guidance to its members on best practices for the use of its specific technology, for example, SAP. A more granular and resource-intensive approach would be to interview each team.

In the assessments, the 30 streams across the 15 security practices each received a maturity score from 0-3, and we averaged the score across the assessments to determine what our overall security strengths and areas of improvement are. This allowed us to compare the different technology communities to each other, as well as understand in general where more attention is needed.

These assessments gave us a lot of insight into how security is practiced across our complex technology landscape, and into what our strengths and potential improvement points are. An added bonus was the set of insights not directly related to SAMM that we gathered from the many organic conversations about security that developed with the interviewees.

We grouped all these insights according to their maturity level, added an extra group for non-SAMM findings, and the security team gave each one a priority rating of critical, high, medium, or low based on current experience.

The workflow for conducting the assessments & planning next steps


PLOTTING THE PATH TO OUR GOAL MATURITY LEVEL

Now that we have an idea of which security practices are mature and which might need some attention, the security team is building a secure SDLC roadmap with realistic intermediate goal maturity levels that all the development teams can work towards achieving. We are taking a hybrid approach – prioritizing the security practices important for Essent now, as well as building a strong software assurance foundation according to SAMM. After this, an important step is getting buy-in from stakeholders on the roadmap’s actions and timeline.
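As an added illustration of the scoring described in the assessment results (30 stream scores from 0-3, averaged across assessments and compared between technology communities) and of measuring the distance to a roadmap goal maturity level, the following Python script rolls up constructed stream scores for two hypothetical technology communities. This is example code, not Essent's tooling or the OWASP SAMM toolbox; the practice and business-function names are those of SAMM 2.0, the scores and community names are invented.

```python
"""Roll up SAMM 2.0 assessment scores. Constructed example, not Essent's tooling."""
from statistics import mean

# SAMM 2.0: five business functions, three security practices each.
SAMM_MODEL = {
    "Governance": ["Strategy & Metrics", "Policy & Compliance", "Education & Guidance"],
    "Design": ["Threat Assessment", "Security Requirements", "Security Architecture"],
    "Implementation": ["Secure Build", "Secure Deployment", "Defect Management"],
    "Verification": ["Architecture Assessment", "Requirements-driven Testing", "Security Testing"],
    "Operations": ["Incident Management", "Environment Management", "Operational Management"],
}
STREAMS = ("A", "B")  # two streams per practice, each scored 0-3 -> 30 streams in total
PRACTICES = [p for ps in SAMM_MODEL.values() for p in ps]

def assessment(default, overrides=None):
    """One assessment (e.g. a technology community): every stream starts at
    `default`; selected (practice, stream) keys are overridden. Constructed data."""
    scores = {(p, s): default for p in PRACTICES for s in STREAMS}
    scores.update(overrides or {})
    return scores

def average_streams(assessments):
    """Average each of the 30 stream scores across all assessments."""
    return {k: mean(a[k] for a in assessments) for k in assessments[0]}

def practice_scores(stream_avg):
    """Practice score = mean of its two stream averages."""
    return {p: mean(stream_avg[(p, s)] for s in STREAMS) for p in PRACTICES}

def function_scores(practice_avg):
    """Business-function score = mean of its three practice scores."""
    return {bf: mean(practice_avg[p] for p in ps) for bf, ps in SAMM_MODEL.items()}

def gaps_to_goal(practice_avg, goal):
    """Practices still below the roadmap's goal maturity level, largest gap first."""
    gaps = [(p, round(goal - v, 2)) for p, v in practice_avg.items() if v < goal]
    return sorted(gaps, key=lambda pg: pg[1], reverse=True)

# Two constructed communities: "SAP" mostly at level 1, "Java" mostly at level 2.
SAP = assessment(1, {("Secure Build", "A"): 3, ("Secure Build", "B"): 2,
                     ("Threat Assessment", "A"): 0})
JAVA = assessment(2, {("Threat Assessment", "A"): 0, ("Threat Assessment", "B"): 1})

if __name__ == "__main__":
    overall = practice_scores(average_streams([SAP, JAVA]))
    for bf, score in function_scores(overall).items():
        print(f"{bf:15s} {score:.2f}")
    print("below goal level 2:", gaps_to_goal(overall, 2)[:3])
```

Running `practice_scores(average_streams([SAP]))` alone gives the per-community view used to compare communities with each other.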

At the end of each phase on the roadmap, the SAMM assessment is ideally conducted again to verify that teams have reached the set goals and to spot any roadblocks that hindered their efforts to improve security practices.

With OWASP SAMM we can take a systematic approach to measuring security practices in our SDLC and helping teams to become more secure over time.

How do you assess the security practices of your team or your organization’s secure SDLC? Is there another framework that you use to help you improve your security practices, or do you have experience working with OWASP SAMM? Let us know via the comment section below!

Inge Mationschek

Security Engineer

Comments on this article
Maarten 03-11-2023 | 10:17 Hi Inge, great stuff!