Governance According to SAMM: Application Security Education and Guidance

According to SAMM, when we talk about Education and Governance, we refer to the training of the team involved, which comprehends the entire development, security, and operations structure throughout the development lifecycle.

You can also listen to this article:

For this training, it is necessary that all information regarding the applications is properly published and accessible to the ones involved, in order to identify and plan the mitigation of possible weaknesses and vulnerabilities present in this cycle.

Through training, we can foster the growth and development of security awareness, whether with practical training modules, instructors spreading knowledge, publications, and even creating a shared knowledge base, offering both developers and other teams much-improved awareness and understanding of existing scenarios and risks.

In addition, there must also be a planned organization for the storage of information and documentation related to applications through the use of collaborative tools and a better understanding of the technologies involved.

A starting point

Considering the maturity levels proposed by SAMM, we have as a starting point the availability of resources related to development and implementation, offering awareness training to software development teams. Such awareness would promote a leveling of knowledge across the team, increasing the visibility of the inherent risks of the applications. The approach would bring better visibility even to the non-technical public, providing a better understanding of secure design principles, and privileges, among others, including again, standards and policies related to the company’s environment. 

Such topics can be addressed at a high level, thus becoming understandable for all areas of the organization. Once this leveling has been carried out, each area would have a structure designed for its specific activities, not delving into related technologies, but solely and exclusively on what is directly related to the development environment. 

As the evolution of these practices becomes natural to the environment, the creation of a formal program of mandatory training for people involved in the development of applications can be applied, conditioning its execution to an onboarding process. This is necessary for proper access to resources to be granted. 

Within the processes, issues related to standardization must also be addressed, in order to reduce impacts on procedures. For the success of such a plan, its content must also undergo constant revisions and updates, as the technologies and tools of the environment are updated.

The Security Champion’s role

With such practices applied, we can add a Security Champions program, in which a member, preferably from the development team itself, would act as a focal point in communication with the security teams. Part of their activities would be dedicated to the security of applications, participating in actions with the aforementioned teams, for proper analysis of structures and architectures planned for development, and bringing the practices defined in these actions to the knowledge of the developer’s team.

It is also suggested the formalization of practices of excellence in secure coding, in which the standards and best practices of the environment would be defined, such as minimum requirements for acceptance of architectures, ensuring that all teams follow the same development model. Still at this stage, resources are again created to transfer knowledge and train teams.

Part of the role of a Security Champion is also to create communication channels and publications to build a knowledge base. This would promote the evolution of the program and the training of new Security Champions, increasing the awareness needed for an environment that is less susceptible to fragility.

This article is part of a series by Conviso that covers all the practices of the OWASP SAMM Framework. Check out all the content in the series published so far.

SAMM article series

1. Governance according to SAMM: Strategy and Metrics in Application Security
2. Governance according to SAMM: Policies and Conformities in Application Security
3. Governance According to SAMM: Application Security Education and Guidance
4. Design according to SAMM: Threat Modeling in Application Security
5. Design According to SAMM: Security Requirements in AppSec
6. Design according to SAMM – Secure Architecture in Application Security
7. Implementation according to SAMM: Secure Build in Application Security
8. Implementation according to SAMM: Secure Deployment in Application Security
9. Implementation According to SAMM: Defect Management in AppSec
10. Verification according to SAMM: Application Security Architecture Analysis
11. Verification according to SAMM: Requirements-Driven Testing in Application Security
12. Verification according to SAMM: Security Tests in Application Security
13. Operations according to SAMM: Application Security Incident Management
14. Operations according to SAMM: Environment Management and Application Security
15. Operations according to SAMM: Operational Management in Application Security