
Implementing an Application Security program based on OWASP SAMM


Application security is a very broad topic that is usually reduced to testing. To present the subject in a more complete and structured way, I will write a series of articles covering every practice of the OWASP SAMM framework. One article detailing a single practice will be released every Monday; in total there will be 16 articles, this introduction included.


OWASP SAMM

Initially developed by Pravir Chandra in 2009, the model proposes a set of security practices that cover the entire software lifecycle, including both development and acquisition, and is independent of technology and process. It is intentionally built to be evolutionary and establishes a 3-level maturity model for each practice, with each practice oriented toward risk.

Version 2.0, released in January 2020, organizes the practices into 5 domains (Governance, Design, Implementation, Validation and Operations), each with its respective practices.

Objectives of this series

This series of articles aims to detail and discuss each of the practices, serving as a reference for students and professionals who want to broaden their view of application security practices well beyond penetration testing of web applications.

It is not the purpose of this series to detail the Assessment process proposed by SAMM.

Upcoming articles of this series

  1. Governance according to SAMM: Strategies and Metrics in Application Security
  2. Governance according to SAMM: Policies and Compliance in Application Security
  3. Governance according to SAMM: Education and Guidance in Application Security
  4. Design according to SAMM: Threat Modeling in Application Security
  5. Design according to SAMM: Secure Requirements in Application Security
  6. Design according to SAMM: Secure Architecture in Application Security
  7. Implementation according to SAMM: Secure Build in Application Security
  8. Implementation according to SAMM: Secure Deploy in Application Security
  9. Implementation according to SAMM: Defect Management in Application Security
  10. Validation according to SAMM: Architecture Assessment in Application Security
  11. Validation according to SAMM: Requirements-Oriented Testing in Application Security
  12. Validation according to SAMM: Security Testing in Application Security
  13. Operations according to SAMM: Incident Management in Application Security
  14. Operations according to SAMM: Environment Management in Application Security
  15. Operations according to SAMM: Operational Management in Application Security
