First and foremost, Application Security (AppSec) must be integrated into every step of the development process, including build, release, and operation, not bolted on as a final design step. Suppose your company is maturing its idea of AppSec and understands the need to spread this culture through concrete actions and practices. In that case, it is time to implement an application security program.
Understanding the application security program
Based on the practices of the OWASP SAMM (Software Assurance Maturity Model), we executed the project with highly qualified professionals to structure a complete AppSec program in the organization. Within the phases of this project, it is necessary to understand the teams’ maturity in relation to security, which actions are already taken, and how the teams deal with failures, corrections, and prevention. In addition, actions are needed so that the AppSec culture is disseminated within the teams themselves and not only through processes, requirements, and tools.
However, few understand that adopting application security practices in a company depends on a culture, and that this culture must be encouraged daily. Cultural change may be one of the biggest challenges you will face without a Security Champions program – the final step of that project.
When discussing secure development, we need to unite the Security and Development teams to show that security within the development cycle is everyone’s responsibility.
Oriented by OWASP SAMM
Throughout the process of mapping and implementing this program, we are guided by the good practices of OWASP SAMM. The model proposes a set of security practices that cover the entire software lifecycle, including development and acquisition. Its 2.0 version, released in January 2020, brings five domains with their respective practices: Governance, Design, Implementation, Verification, and Operation.
From Gap Analysis to building an S-SDLC
Likewise, using the OWASP SAMM model, a Gap Analysis is carried out, and an action plan is developed to build an S-SDLC (Secure Software Development Lifecycle) that adheres to the organization’s development practices.
This method involves analyzing and understanding the current state of the development processes maintained by the organization, comparing them against best practices, and, with this, diagnosing the deficiencies that need to be addressed. The result of the study is therefore an action plan to correct the identified gaps.
The Gap Analysis is based on data collection and interviews with the development teams. From that data, analyses are carried out that result in a report showing the current maturity level and what must be done to reach the maturity level the organization desires.
As a result, an S-SDLC (Secure Software Development Lifecycle) is built that, through a set of structured security activities, allows applications to be developed according to the best practices of secure development and, at the end of the process, delivers a more secure application.
Another AppSec Journey deliverable is documentation for structuring the Security Champions program. In this program, a member, preferably from the development team, acts as the focal point for communication with the security team. Part of their time is dedicated to application security: participating in actions with the security team and bringing the resulting knowledge and practices back to the development team.
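As an added example (not Conviso’s or OWASP’s code), the following Python script turns a SAMM-style assessment into the kind of maturity scores and prioritized gap list that the Gap Analysis report and action plan described above are built from. It uses the real OWASP SAMM 2.0 business-function and practice names, but its scoring is a labelled simplification (one integer maturity level per practice, instead of SAMM’s per-stream question scores), and the current and target assessment data are constructed for illustration.

```python
from statistics import mean

# Real OWASP SAMM 2.0 business functions and their fifteen security practices.
SAMM_MODEL = {
    "Governance": ["Strategy & Metrics", "Policy & Compliance", "Education & Guidance"],
    "Design": ["Threat Assessment", "Security Requirements", "Security Architecture"],
    "Implementation": ["Secure Build", "Secure Deployment", "Defect Management"],
    "Verification": ["Architecture Assessment", "Requirements-driven Testing", "Security Testing"],
    "Operations": ["Incident Management", "Environment Management", "Operational Management"],
}
MAX_LEVEL = 3  # SAMM defines maturity levels 1..3; 0 means the practice is absent

# Simplification (assumption): one integer maturity level per practice, derived
# from the interviews and collected data, rather than SAMM's per-question scores.
def validate(assessment):
    """Ensure every SAMM practice is present with an integer maturity in 0..MAX_LEVEL."""
    for function, practices in SAMM_MODEL.items():
        for practice in practices:
            level = assessment.get(practice)
            if not isinstance(level, int) or not 0 <= level <= MAX_LEVEL:
                raise ValueError(f"{function}/{practice}: invalid maturity {level!r}")
    return True

def function_scores(assessment):
    """Average maturity per business function, rounded to two decimals."""
    validate(assessment)
    return {function: round(mean(assessment[p] for p in practices), 2)
            for function, practices in SAMM_MODEL.items()}

def overall_score(assessment):
    """Average maturity across all fifteen practices."""
    validate(assessment)
    return round(mean(assessment[p] for ps in SAMM_MODEL.values() for p in ps), 2)

def gap_report(current, target):
    """Practices where the target exceeds the current level, widest gap first.

    Ties keep SAMM's own order (Governance first, Operations last) because
    list.sort is stable.
    """
    validate(current)
    validate(target)
    rows = []
    for function, practices in SAMM_MODEL.items():
        for practice in practices:
            gap = target[practice] - current[practice]
            if gap < 0:
                raise ValueError(f"{practice}: target {target[practice]} below current {current[practice]}")
            if gap > 0:
                rows.append({"function": function, "practice": practice,
                             "current": current[practice], "target": target[practice], "gap": gap})
    rows.sort(key=lambda row: -row["gap"])
    return rows

def next_iteration_plan(current, target, capacity=3):
    """Action plan for one iteration: raise the `capacity` widest gaps by one level each.

    Returns (practice, from_level, to_level) tuples; levels are climbed one at a
    time because each SAMM level builds on the previous one.
    """
    return [(row["practice"], row["current"], row["current"] + 1)
            for row in gap_report(current, target)[:capacity]]

# Constructed sample assessment (not real data): current state from interviews.
CURRENT = {
    "Strategy & Metrics": 1, "Policy & Compliance": 1, "Education & Guidance": 0,
    "Threat Assessment": 0, "Security Requirements": 1, "Security Architecture": 1,
    "Secure Build": 2, "Secure Deployment": 2, "Defect Management": 1,
    "Architecture Assessment": 0, "Requirements-driven Testing": 1, "Security Testing": 2,
    "Incident Management": 1, "Environment Management": 2, "Operational Management": 1,
}
# Constructed target: level 2 everywhere, level 3 for Security Testing.
TARGET = {p: 2 for ps in SAMM_MODEL.values() for p in ps}
TARGET["Security Testing"] = 3

if __name__ == "__main__":
    print("Overall maturity:", overall_score(CURRENT))
    for function, score in function_scores(CURRENT).items():
        print(f"  {function:<15} {score}")
    print("Gaps (widest first):")
    for row in gap_report(CURRENT, TARGET):
        print(f"  {row['function']:<15} {row['practice']:<28} L{row['current']} -> L{row['target']}")
    print("Next iteration:", next_iteration_plan(CURRENT, TARGET))
```

The report lists the largest gaps first, which is what a gap-to-target action plan needs, and the per-iteration plan only raises a practice by one level at a time, since each SAMM maturity level assumes the activities of the level below it are already in place.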
Management through the Conviso Platform
Finally, this entire process can be managed in Conviso Platform. In the projects area, you can create a project for each part of this program. Another critical point is that the results obtained in each phase can be attached to their respective projects, so they can be consulted whenever necessary.
In addition, it is possible to create requirements for each project so that the program’s progress can be tracked precisely. As for the program’s outcome, the S-SDLC, Conviso Platform supports it in several ways, such as asset management, vulnerability management, threat modeling, and training for developers, among others.