Over the last few years, energy companies have become a prime target for both cyber criminals and cyberwarfare operations. In 2022, in response to this increased attention on the energy sector’s digital infrastructure, the International Energy Forum urged new energy projects to consider cyber resilience from the start.
Here at Essent, one of our core values is continuous improvement, and we apply this value to our cyber resilience as well. A large part of our security posture is determined by our ability to securely develop, deploy and maintain our software. The first step we took toward increasing this resilience was therefore to measure how mature the security practices in our software development lifecycle (SDLC) are.
MEASURING MATURITY
To help us measure the maturity of our current security practices, and identify the less mature ones, we used the assessment from the Open Web Application Security Project’s Software Assurance Maturity Model (OWASP SAMM). SAMM is an OWASP Foundation flagship project with a strong community that supports and improves the model.
SAMM is composed of 15 security practices grouped into five business functions that occur in most larger organizations developing software. Each business function comprises three security practices (pictured below). For example, the Governance business function is made up of three security practices – Strategy & Metrics; Policy & Compliance; Education & Guidance.
[Figure: SAMM version 2.0. Source: OWASP SAMM]
Each security practice is organized into two streams. Each stream is based on sets of activities that are divided into three maturity levels. Typically, lower maturity level activities (maturity level 1) are easier to execute than the more formalized higher maturity level activities (maturity levels 2 and 3).
[Figure: Maturity Score Overview]
ASSESSMENT RESULTS
Using SAMM’s assessment tools, we interviewed 33 people with knowledge of different areas of the SDLC and used their answers to complete several assessments of different technology communities. A technology community provides guidance to its members on best practices for the use of its specific technology, for example, SAP. A more granular and resource-intensive approach would be to interview each team.
In the assessments, the 30 streams across the 15 security practices each received a maturity score from 0 to 3, and we averaged the scores across the assessments to determine our overall security strengths and areas for improvement. This allowed us to compare the different technology communities to each other, as well as understand in general where more attention is needed.
These assessments gave us a lot of insight into how security is being practiced across the complex technology landscape, and what our strengths and potential improvement points are. An additional bonus was the insights not directly related to SAMM that we gathered from the many organic conversations that developed on security when talking to the interviewees.
We grouped all these insights according to their maturity level, added an extra group for non-SAMM findings, and the security team gave each one a priority rating of critical, high, medium, or low according to current experiences.
[Figure: The workflow for conducting the assessments & planning next steps]
PLOTTING THE PATH TO OUR GOAL MATURITY LEVEL
Now that we have an idea of which security practices are mature and which might need some attention, the security team is building a secure SDLC roadmap with realistic intermediate goal maturity levels that all the development teams can work towards achieving. We are taking a hybrid approach – prioritizing the security practices important for Essent now, as well as building a strong software assurance foundation according to SAMM. After this, an important step is getting buy-in from stakeholders on the roadmap’s actions and timeline.
At the end of each phase on the roadmap, the SAMM assessment is ideally conducted again to make sure teams have reached the set goals and to spot any potential roadblocks they may have encountered hindering their efforts to improve security practices.
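The score averaging described under the assessment results, combined with the goal check at the end of a roadmap phase, can be sketched as follows. This is an added example, not Essent's or OWASP's tooling. It assumes a practice scores the mean of its two streams and that one goal level applies to every practice; the "Cloud" community and all scores are constructed.

```python
from statistics import fmean

# SAMM 2.0: five business functions, three security practices each.
SAMM = {
    "Governance": ["Strategy & Metrics", "Policy & Compliance", "Education & Guidance"],
    "Design": ["Threat Assessment", "Security Requirements", "Security Architecture"],
    "Implementation": ["Secure Build", "Secure Deployment", "Defect Management"],
    "Verification": ["Architecture Assessment", "Requirements-driven Testing", "Security Testing"],
    "Operations": ["Incident Management", "Environment Management", "Operational Management"],
}
# Two streams (A, B) per practice gives the 30 scored streams.
STREAMS = [(p, s) for practices in SAMM.values() for p in practices for s in "AB"]

def validate(name, assessment):
    """Reject an assessment with a missing stream or a score outside 0-3."""
    for key in STREAMS:
        score = assessment.get(key)
        if score is None or not 0 <= score <= 3:
            raise ValueError(f"{name}: bad score {score!r} for {key}")

def roll_up(assessments):
    """Average each stream across assessments, then roll up to practice and function."""
    for name, assessment in assessments.items():
        validate(name, assessment)
    stream = {k: fmean(a[k] for a in assessments.values()) for k in STREAMS}
    # Assumption: a practice scores the mean of its two streams.
    practice = {p: fmean(stream[p, s] for s in "AB") for ps in SAMM.values() for p in ps}
    function = {f: fmean(practice[p] for p in ps) for f, ps in SAMM.items()}
    return stream, practice, function

def gaps(practice, goal):
    """Practices below the goal maturity level, largest gap first."""
    below = {p: goal - score for p, score in practice.items() if score < goal}
    return sorted(below.items(), key=lambda item: -item[1])

def sample(default, overrides):
    """Build a constructed assessment: one default score plus a few overrides."""
    return {**dict.fromkeys(STREAMS, default), **overrides}

# Constructed scores for two technology communities (not real assessment data).
ASSESSMENTS = {
    "SAP": sample(1, {("Secure Build", "A"): 2, ("Security Testing", "B"): 0}),
    "Cloud": sample(2, {("Secure Build", "A"): 3, ("Incident Management", "A"): 1}),
}

if __name__ == "__main__":
    _, practice, function = roll_up(ASSESSMENTS)
    for name, score in function.items():
        print(f"{name:15} {score:.2f}")
    for name, gap in gaps(practice, goal=1.5):
        print(f"below goal: {name} (gap {gap:.2f})")
```

Validating before averaging matters because a stream skipped in one interview would otherwise silently drop out of the comparison between communities.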
With OWASP SAMM we can take a systematic approach to measuring the security practices in our SDLC and help teams become more secure over time.
How do you assess the security practices of your team or your organization’s secure SDLC? Is there another framework that you use to help you improve your security practices, or do you have experience working with OWASP SAMM? Let us know via the comment section below!