Mathias Tausig

Maturity assessment for technicians or how I learned to love OWASP SAMM

Secure coding isn't enough to build secure products. Learn how OWASP SAMM provides a measurable roadmap to mature your entire development process.

#1 (about 5 minutes)

The difference between secure coding and secure development

Secure coding skills alone cannot prevent insecure products; a robust development lifecycle is essential to address systemic risks.

#2 (about 3 minutes)

Common security failures beyond individual coding errors

Vulnerabilities in third-party libraries and architectural flaws found late in the process highlight critical gaps in the development lifecycle.

#3 (about 4 minutes)

Introducing the OWASP SAMM framework for maturity assessment

OWASP SAMM provides a structured way to measure the security of your software development process through interviews and granular scoring.

#4 (about 3 minutes)

Understanding the structure of the OWASP SAMM model

The model is organized into five business functions (Governance, Design, Implementation, Verification, Operations). Each contains three security practices, each practice is split into two streams, and every stream is scored on three distinct maturity levels.

#5 (about 3 minutes)

How SAMM maps security issues across the lifecycle

A single issue like a vulnerable dependency or a missing threat model will be reflected across multiple interconnected areas in the SAMM assessment.

#6 (about 3 minutes)

Using SAMM scores to build an improvement roadmap

The granular scores from a SAMM assessment are used to identify blind spots and create a phased roadmap for improvement, not for an overall grade.

#7 (about 4 minutes)

Conducting an effective SAMM assessment interview

An assessment can be conducted by an external expert or as a self-assessment, typically involving a small team over a full day to ensure thoroughness.

#8 (about 5 minutes)

A practical guide to the OWASP SAMM toolbox spreadsheet

The official spreadsheet provides a structured questionnaire for grading, note-taking, and defining a multi-phase improvement roadmap with visual progress charts.
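The hierarchy from chapter 4, the granular scoring from chapter 6 and the phased roadmap from chapter 8, modelled in code. This is an added example and not the SAMM toolbox itself: the answer weights (0, 0.25, 0.5, 1 per level), summing the three levels of a stream and averaging a practice's two streams are assumed to follow the SAMM v2 toolbox spreadsheet and should be checked against it; the interview answers, targets and the "largest gap first" phase rule are constructed.

```javascript
// Added example: a minimal model of the OWASP SAMM v2 hierarchy
// (business function -> security practice -> stream -> three maturity levels)
// with constructed interview answers, used to compute per-practice scores and
// a phased improvement roadmap. Scoring rules are assumed to mirror the SAMM
// toolbox; answers, targets and phase cut-offs are constructed.

// SAMM v2 answer options and their weights (assumed to match the toolbox).
const ANSWER_WEIGHT = { no: 0, some: 0.25, half: 0.5, most: 1 };

// The five business functions and their three practices each (SAMM v2 names).
// Every practice has two streams (A and B); every stream has three levels.
const MODEL = {
  Governance:     ["Strategy & Metrics", "Policy & Compliance", "Education & Guidance"],
  Design:         ["Threat Assessment", "Security Requirements", "Security Architecture"],
  Implementation: ["Secure Build", "Secure Deployment", "Defect Management"],
  Verification:   ["Architecture Assessment", "Requirements-driven Testing", "Security Testing"],
  Operations:     ["Incident Management", "Environment Management", "Operational Management"],
};

// Constructed interview answers for one team: practice -> stream -> [L1, L2, L3].
// Practices not listed are treated as "no" on every level.
const ANSWERS = {
  "Threat Assessment":    { A: ["some", "no", "no"],     B: ["no", "no", "no"] },
  "Secure Build":         { A: ["most", "half", "no"],   B: ["most", "some", "no"] },
  "Security Testing":     { A: ["most", "most", "half"], B: ["half", "no", "no"] },
  "Education & Guidance": { A: ["half", "no", "no"],     B: ["some", "no", "no"] },
};

const NONE = { A: ["no", "no", "no"], B: ["no", "no", "no"] };

// Stream score: sum of the three level answers, range 0..3 (assumed toolbox rule).
function streamScore(levels) {
  return levels.reduce((sum, answer) => sum + ANSWER_WEIGHT[answer], 0);
}

// Practice score: average of its two streams, range 0..3 (assumed toolbox rule).
function practiceScore(practice) {
  const answers = ANSWERS[practice] || NONE;
  return (streamScore(answers.A) + streamScore(answers.B)) / 2;
}

// Score every practice, grouped by business function: the "granular" view
// chapter 6 talks about, not an overall grade.
function assess() {
  const result = {};
  for (const [fn, practices] of Object.entries(MODEL)) {
    result[fn] = {};
    for (const practice of practices) result[fn][practice] = practiceScore(practice);
  }
  return result;
}

// Roadmap: compare each practice against a target score (constructed, default 1.0),
// put the largest gaps into phase 1 and the rest into phase 2.
function roadmap(targets, phase1Size = 3) {
  const scores = assess();
  const gaps = [];
  for (const [fn, practices] of Object.entries(scores)) {
    for (const [practice, score] of Object.entries(practices)) {
      const target = targets[practice] ?? 1.0;
      if (score < target) gaps.push({ fn, practice, score, target, gap: target - score });
    }
  }
  gaps.sort((x, y) => y.gap - x.gap || x.practice.localeCompare(y.practice));
  return { phase1: gaps.slice(0, phase1Size), phase2: gaps.slice(phase1Size) };
}
```

The point of keeping scores per practice rather than collapsing them into one number is that the roadmap falls out of the gaps directly; a single grade would hide that, for instance, Secure Build is in reasonable shape while Threat Assessment has barely started.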

#9 (about 3 minutes)

Common mistakes to avoid when implementing SAMM

Avoid using scores to compare teams or setting rigid, context-free requirements, as this undermines the goal of tailored, meaningful improvement.

#10 (about 7 minutes)

Key steps for getting started with your first assessment

In summary, the process involves selecting a small team, using the official toolbox, taking detailed notes during the interview, and defining a realistic, attainable roadmap.

#11 (about 4 minutes)

The modern DevSecOps approach to application security

Shifting left requires integrating security tooling such as software composition analysis (SCA) and static application security testing (SAST) directly into the agile development lifecycle to catch vulnerabilities early and reduce the cost of fixing them.

#12 (about 6 minutes)

The risks of open source and indirect dependencies

Software Composition Analysis (SCA) addresses the large risk surface of open source libraries, where, by the figure the talk cites, roughly 80% of vulnerabilities sit in indirect (transitive) dependencies that the application never imports directly.

#13 (about 15 minutes)

Live demo of exploiting a cross-site scripting vulnerability

A practical demonstration shows how a cross-site scripting (XSS) vulnerability in a third-party library can be exploited and then fixed by upgrading the dependency.
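The shape of the demo above, as an added example that is neither the library nor the code shown in the talk: an application renders user comments through a third-party template helper. A constructed release 1.0.3 interpolates untrusted text straight into HTML; a constructed release 1.0.4 escapes every interpolated value. The application code stays the same and only the dependency changes, which is the kind of fix the chapter describes. The attacker payload is constructed.

```javascript
// Added example, not the library or the demo from the talk. htmlRender_1_0_3
// and htmlRender_1_0_4 are constructed stand-ins for a vulnerable and a fixed
// release of a rendering dependency; PAYLOAD is constructed attacker input.

// Constructed attacker input: an image tag whose error handler runs script.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

// Encode the characters that can open or close a tag or break out of a quoted
// attribute. Correct for HTML text and quoted-attribute contexts only; values
// placed inside <script>, inline event handlers or URLs need context-specific encoding.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Minimal mustache-like helper: replaces {{name}} with data[name].
// Vulnerable release: raw interpolation.
const htmlRender_1_0_3 = {
  version: "1.0.3",
  render: (template, data) =>
    template.replace(/\{\{(\w+)\}\}/g, (_, key) => String(data[key] ?? "")),
};

// Fixed release: same API, every value is HTML-escaped before insertion.
const htmlRender_1_0_4 = {
  version: "1.0.4",
  render: (template, data) =>
    template.replace(/\{\{(\w+)\}\}/g, (_, key) => escapeHtml(data[key] ?? "")),
};

// Application code, identical for both library versions: the fix is a dependency bump.
const COMMENT_TEMPLATE = '<div class="comment"><b>{{author}}</b>: {{text}}</div>';
function showComment(lib, author, text) {
  return lib.render(COMMENT_TEMPLATE, { author, text });
}

// Count real element starts in the output: a raw "<" followed by a letter.
// Escaped input contributes "&lt;", which does not count, so the template's
// own <div> and <b> give 2 and an injected <img> raises it to 3.
function countElements(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Exploit check: does the attacker's markup survive verbatim in the page?
function payloadSurvives(html) {
  return html.includes(PAYLOAD);
}
```

In the vulnerable build the injected element count goes from 2 to 3 and the payload appears verbatim; after the upgrade the same application code emits `&lt;img ...&gt;`, which the browser displays as text. Because the fix lives in the dependency, every template in the application is covered by the one version bump, which is why the SCA-driven upgrade in the next chapter matters more than patching call sites one by one.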

#14 (about 5 minutes)

Automating dependency fixes with SCA tooling

Modern SCA tools can automate vulnerability remediation by creating pull requests to update packages, including support for transitive dependencies.
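What an SCA step in the pipeline (chapter 11) has to work out before it can open the fix pull request this chapter describes, and why the transitive share from chapter 12 is the figure to watch: an added example, not the tool from the talk. It walks an npm `package-lock.json` (lockfile version 3 layout), records the path by which every package is pulled in, matches installed versions against an advisory list, and reports the direct dependency to bump or the npm `overrides` entry to pin. The lockfile, package names, versions and advisory IDs are all constructed.

```javascript
// Added example, not the SCA tool from the talk: resolve the dependency graph
// from an npm lockfile, classify packages as direct or transitive, match them
// against advisories and explain the fix. Lockfile and advisories are constructed.

const LOCKFILE = {
  name: "webshop",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "ui-kit": "^2.1.0", "acme-server": "^3.9.0" } },
    "node_modules/ui-kit": { version: "2.1.0", dependencies: { "html-render": "^1.0.0" } },
    "node_modules/html-render": { version: "1.0.3", dependencies: { "dom-sanitize": "^0.3.0" } },
    "node_modules/dom-sanitize": { version: "0.3.1" },
    "node_modules/acme-server": { version: "3.9.1", dependencies: { "query-parse": "^6.0.0" } },
    "node_modules/query-parse": { version: "6.2.0" },
  },
};

// Constructed advisories: "below" is the first fixed version.
const ADVISORIES = [
  { id: "CONSTRUCTED-0001", name: "dom-sanitize", below: "0.3.2", severity: "high" },
  { id: "CONSTRUCTED-0002", name: "acme-server", below: "4.0.0", severity: "medium" },
  { id: "CONSTRUCTED-0003", name: "query-parse", below: "6.0.0", severity: "high" }, // fixed version installed
];

const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 };

// Numeric dotted-version comparison; no pre-release handling (enough for the example).
function versionLess(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Breadth-first walk from the root package, recording the shortest chain of
// package names by which each package is reached. Chain length 1 means direct.
function resolveGraph(lock) {
  const pkgs = lock.packages;
  const paths = {};
  const queue = Object.keys(pkgs[""].dependencies || {}).map((name) => [name]);
  while (queue.length) {
    const path = queue.shift();
    const name = path[path.length - 1];
    if (paths[name]) continue; // already reached by a path at least as short
    paths[name] = path;
    const entry = pkgs["node_modules/" + name];
    if (!entry) continue; // lockfile inconsistency: required but not installed
    for (const child of Object.keys(entry.dependencies || {})) queue.push([...path, child]);
  }
  return paths;
}

// Match installed versions against advisories and say how each hit gets fixed.
function scan(lock, advisories) {
  const paths = resolveGraph(lock);
  const findings = [];
  for (const adv of advisories) {
    const entry = lock.packages["node_modules/" + adv.name];
    const path = paths[adv.name];
    if (!entry || !path) continue; // not installed, or not reachable from the root
    if (!versionLess(entry.version, adv.below)) continue; // already on a fixed version
    findings.push({
      id: adv.id, severity: adv.severity, name: adv.name,
      version: entry.version, fixed: adv.below,
      transitive: path.length > 1,
      path: path.join(" > "),
      // The fix PR bumps the direct dependency that pulls the package in. When no
      // release of that dependency drops the bad version yet, an npm "overrides"
      // entry in package.json pins the transitive package instead.
      bumpDirect: path[0],
      override: { [adv.name]: adv.below },
    });
  }
  return findings;
}

// Share of findings that sit in transitive dependencies (the figure chapter 12 quotes).
function transitiveShare(findings) {
  return findings.length ? findings.filter((f) => f.transitive).length / findings.length : 0;
}

// Pipeline gate for the shift-left setup in chapter 11: fail the build when any
// finding is at or above the threshold severity.
function shouldFailBuild(findings, threshold = "high") {
  return findings.some((f) => SEVERITY_RANK[f.severity] >= SEVERITY_RANK[threshold]);
}
```

Run against the constructed lockfile this reports two hits: `acme-server` is a direct dependency and gets a plain version bump, while `dom-sanitize` is three levels down (`ui-kit > html-render > dom-sanitize`), so the PR has to either bump `ui-kit` to a release that no longer drags the old version in or add `"overrides": { "dom-sanitize": "0.3.2" }` to `package.json`. The `query-parse` advisory is correctly skipped because the installed version is already fixed.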

#15 (about 8 minutes)

Securing containers and infrastructure as code (IaC)

Beyond application code, security scanning must extend to container base images and Infrastructure as Code (IaC) configurations, where outdated base images carry known vulnerabilities and misconfigurations such as containers running as root go unnoticed until deployment.
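A few of the checks a container or IaC scanner applies to a Dockerfile, as an added example rather than any tool from the talk, run over a constructed weak Dockerfile and its corrected form. It covers only the Dockerfile side of the chapter; the same parse-rules-fail-the-build shape carries over to Terraform or Kubernetes manifests. The image names are examples, and the `sha256` digest in the fixed file is a placeholder, not a real image digest.

```javascript
// Added example, not a scanner from the talk: Dockerfile checks for a floating
// base-image tag, a missing digest pin, a remote ADD and running as root.
// Both Dockerfiles are constructed; the digest is a placeholder.

const DOCKERFILE_WEAK = `
# constructed: floating tag, remote ADD, no USER instruction
FROM node:latest
ADD https://example.invalid/setup.sh /tmp/setup.sh
RUN sh /tmp/setup.sh
COPY . /app
CMD ["node", "/app/server.js"]
`;

const DOCKERFILE_FIXED = `
# constructed: explicit tag plus digest (placeholder), no remote ADD, non-root user
FROM node:20-alpine@sha256:${"0".repeat(64)}
RUN addgroup -S app && adduser -S -G app app
COPY --chown=app:app . /app
USER app
CMD ["node", "/app/server.js"]
`;

// Split a Dockerfile into {instr, args}, joining backslash line continuations
// and dropping comments and blank lines.
function parseDockerfile(text) {
  return text
    .replace(/\\\n/g, " ")
    .split("\n")
    .map((line) => line.trim())
    .filter((line) => line && !line.startsWith("#"))
    .map((line) => {
      const [instr, ...args] = line.split(/\s+/);
      return { instr: instr.toUpperCase(), args };
    });
}

// Tag of an image reference, ignoring a registry port ("host:5000/img:1.2" -> "1.2").
function imageTag(ref) {
  const last = ref.split("/").pop();
  return last.includes(":") ? last.split(":")[1] : null;
}

function checkDockerfile(text) {
  const findings = [];
  const stages = new Set(); // names declared with "FROM ... AS name"
  let user = "root";        // Docker's default when a stage has no USER instruction
  for (const { instr, args } of parseDockerfile(text)) {
    if (instr === "FROM") {
      user = "root"; // every stage starts as root again
      const image = args.find((a) => !a.startsWith("--")); // skip flags such as --platform
      const asIdx = args.findIndex((a) => a.toUpperCase() === "AS");
      const isStageRef = image && stages.has(image);
      if (asIdx >= 0 && args[asIdx + 1]) stages.add(args[asIdx + 1]);
      if (!image || image === "scratch" || isStageRef) continue;
      const [ref, digest] = image.split("@");
      const tag = imageTag(ref);
      if (!tag || tag === "latest") {
        findings.push({ rule: "unpinned-tag", severity: "medium", detail: image,
          fix: "pin an explicit version tag so rebuilds do not silently pull a new image" });
      }
      if (!digest) {
        findings.push({ rule: "no-digest", severity: "low", detail: image,
          fix: "pin the base image by sha256 digest; tags can be moved" });
      }
    } else if (instr === "USER") {
      user = args[0].split(":")[0];
    } else if (instr === "ADD" && /^(https?|ftp):\/\//i.test(args[0])) {
      findings.push({ rule: "add-remote-url", severity: "medium", detail: args[0],
        fix: "fetch in RUN and verify a checksum, or vendor the file and COPY it" });
    }
  }
  if (user === "root" || user === "0") {
    findings.push({ rule: "runs-as-root", severity: "high",
      fix: "create a non-root user and switch to it with USER before CMD" });
  }
  return findings;
}
```

Checking the last stage's effective user rather than the presence of any `USER` line matters in multi-stage builds: a `USER` in the build stage says nothing about the image that actually ships. Digest pinning is reported at low severity because it is about reproducibility, whereas an unpinned `latest` tag means the image that passed the scan is not the image that gets deployed.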

#16 (about 7 minutes)

How to advocate for DevSecOps in your organization

Justify investment in security automation by showing how steeply the cost of fixing a vulnerability rises the later in the development cycle it is found.

#17 (about 13 minutes)

Building a security culture with champions and training

Foster a proactive security mindset by establishing a security champions program, running internal training sessions, and demonstrating practical exploits to raise awareness.
