DevOps Assurance with OWASP SAMM

Today we’re going to discuss OWASP. More specifically, we’ll focus on SAMM and how it pairs with DevOps.

If you’re not familiar with OWASP or SAMM v2 (software assurance maturity model), everything can be found at https://owasp.org, along with some of the flagship projects.

There are several DevOps maturity models; however, they cover DevOps alone. SAMM v2 aims to add security to the development lifecycle; in other words, it adds a security layer to development operations.

Useful for organizations small or big, SAMM adds assurance to the DevOps process.

In this All Day DevOps talk, Seba Deleersnyder (@sebadele) introduces SAMM v2 and walks us through the new features added in this version of the model, how it integrates into the DevOps workflow, and how it differentiates itself from other maturity models.

Why Do I Need a Maturity Model?

Before we get ahead of ourselves, you might be wondering why you need a maturity model.

Adding a security layer to the development lifecycle isn’t easy. A maturity model like SAMM helps you with this by adding security levels in an iterative way, rather than in a “big bang” approach. SAMM is something you need to adapt to your development process. It’s not a silver bullet for your day-to-day operation processes, and it must be adapted to your unique development target.

A good maturity model provides enough details to the users while being simple, well-defined, and measurable.

What’s SAMM All About?

SAMM is, fundamentally, a set of security practices organized in five main business functions:

  1. Governance
  2. Design
  3. Implementation
  4. Verification
  5. Operations

Users familiar with the previous version will notice a new item: the Implementation business function, which groups three security practices:

  • Secure build
  • Secure deployment
  • Defect management

The new version adds these practices because they have grown in importance over the past few years.

Defect

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Guillermo Salazar. Read the original post at: https://blog.sonatype.com/devops-assurance-with-owasp-samm