
Governance According to SAMM: Application Security Education and Guidance

According to SAMM, when we talk about Education and Governance, we refer to the training of everyone involved, which covers the entire development, security, and operations structure throughout the development lifecycle.


For this training, all information about the applications must be properly published and accessible to those involved, so that possible weaknesses and vulnerabilities in this cycle can be identified and their mitigation planned.

Training fosters the growth of security awareness, whether through hands-on training modules, instructors spreading knowledge, publications, or even a shared knowledge base, giving developers and other teams a much better awareness and understanding of existing scenarios and risks.

In addition, the storage of information and documentation related to the applications must be organized in a planned way, using collaborative tools and building a better understanding of the technologies involved.

A starting point

Considering the maturity levels proposed by SAMM, the starting point is to make resources related to development and implementation available, offering awareness training to software development teams. Such awareness levels knowledge across the team and increases the visibility of the risks inherent in the applications. The approach also brings better visibility to the non-technical public, providing a better understanding of secure design principles and privileges, among other topics, as well as the standards and policies related to the company's environment.

Such topics can be addressed at a high level, making them understandable for all areas of the organization. Once this leveling has been carried out, each area would have a structure designed for its specific activities, not delving into related technologies but focusing solely on what is directly related to the development environment.

As these practices become a natural part of the environment, a formal program of mandatory training for the people involved in application development can be introduced, with its completion made a condition of the onboarding process. This is necessary for access to resources to be properly granted.

Within these processes, issues related to standardization must also be addressed in order to reduce the impact on procedures. For such a plan to succeed, its content must also be constantly revised and updated as the environment's technologies and tools evolve.

The Security Champion’s role

With such practices in place, we can add a Security Champions program, in which a member, preferably from the development team itself, acts as the focal point for communication with the security teams. Part of their time is dedicated to application security: taking part in activities with the aforementioned teams, analyzing the structures and architectures planned for development, and bringing the practices defined in these activities to the developers' attention.

It is also suggested that practices of excellence in secure coding be formalized, defining the environment's standards and best practices, such as minimum requirements for the acceptance of architectures, to ensure that all teams follow the same development model. At this stage, resources are again created to transfer knowledge and train teams.

Part of the Security Champion's role is also to create communication channels and publications that build a knowledge base. This promotes the evolution of the program and the training of new Security Champions, increasing the awareness needed for an environment that is less susceptible to weaknesses.

This article is part of a series by Conviso that covers all the practices of the OWASP SAMM Framework. Check out all the content in the series published so far.

About author


Graduated in Information Security Technology from FIAP. Works as an Information Security Analyst, providing consulting in several different environments, with a long track record across different segments of the IT area.