
Mathias Tausig
Feb 1, 2022
Maturity assessment for technicians or how I learned to love OWASP SAMM

#1 (about 5 minutes)
The difference between secure coding and secure development
Secure coding skills alone cannot prevent insecure products; a robust development lifecycle is essential to address systemic risks.

#2 (about 3 minutes)
Common security failures beyond individual coding errors
Vulnerabilities in third-party libraries and architectural flaws found late in the process highlight critical gaps in the development lifecycle.

#3 (about 4 minutes)
Introducing the OWASP SAMM framework for maturity assessment
OWASP SAMM provides a structured way to measure the security of your software development process through interviews and granular scoring.

#4 (about 3 minutes)
Understanding the structure of the OWASP SAMM model
The model is organized into five business functions, each containing security practices, streams, and three distinct maturity levels.

#5 (about 3 minutes)
How SAMM maps security issues across the lifecycle
A single issue like a vulnerable dependency or a missing threat model will be reflected across multiple interconnected areas in the SAMM assessment.

#6 (about 3 minutes)
Using SAMM scores to build an improvement roadmap
The granular scores from a SAMM assessment are used to identify blind spots and create a phased roadmap for improvement, not for an overall grade.

#7 (about 4 minutes)
Conducting an effective SAMM assessment interview
An assessment can be conducted by an external expert or as a self-assessment, typically involving a small team over a full day to ensure thoroughness.

#8 (about 5 minutes)
A practical guide to the OWASP SAMM toolbox spreadsheet
The official spreadsheet provides a structured questionnaire for grading, note-taking, and defining a multi-phase improvement roadmap with visual progress charts.

#9 (about 3 minutes)
Common mistakes to avoid when implementing SAMM
Avoid using scores to compare teams or setting rigid, context-free requirements, as this undermines the goal of tailored, meaningful improvement.

#10 (about 7 minutes)
Key steps for getting started with your first assessment
A summary of the process involves selecting a team, using the official toolbox, taking detailed notes, and defining a realistic, obtainable roadmap.

#11 (about 4 minutes)
The modern DevSecOps approach to application security
Shifting left requires integrating security tooling like SCA and SAST directly into the agile development lifecycle to catch vulnerabilities early and reduce costs.

#12 (about 6 minutes)
The risks of open source and indirect dependencies
Software Composition Analysis (SCA) addresses the massive risk surface of open source libraries, where 80% of vulnerabilities are found in indirect dependencies.

#13 (about 15 minutes)
Live demo of exploiting a cross-site scripting vulnerability
A practical demonstration shows how a cross-site scripting (XSS) vulnerability in a third-party library can be exploited and then fixed by upgrading the dependency.

#14 (about 5 minutes)
Automating dependency fixes with SCA tooling
Modern SCA tools can automate vulnerability remediation by creating pull requests to update packages, including support for transitive dependencies.

#15 (about 8 minutes)
Securing containers and infrastructure as code (IaC)
Beyond application code, security scanning must extend to container base images and Infrastructure as Code (IaC) configurations to prevent vulnerabilities and misconfigurations.

#16 (about 7 minutes)
How to advocate for DevSecOps in your organization
Justify investment in security automation by showing the exponential cost increase of fixing vulnerabilities later in the development cycle.

#17 (about 13 minutes)
Building a security culture with champions and training
Foster a proactive security mindset by establishing a security champions program, running internal training sessions, and demonstrating practical exploits to raise awareness.