First Virtual OWASP Vienna Chapter Meeting: Secure Software Development With OWASP SAMM

news SSDLC

On 2020-04-20, the first virtual meeting of the OWASP Vienna chapter took place. I (Thomas Kerbl – SEC Consult) was invited to talk about my experiences with Secure Software Development based on OWASP SAMM, the Security Assurance Maturity Model.

First Virtual OWASP Vienna Chapter Meeting header image - SEC Consult

Version 2 of this standard was released in January 2020, and is now even better suited to address modern development methodologies like Agile Development and DevOps.

After giving a brief overview of OWASP SAMM itself, I shared with the community what works in practice and which pitfalls to avoid. 

 

These are some of the key take-aways from my talk:

1) Invest in people. Educate your employees regarding security to demystify it. Building a great security culture is hard, but pays off in the end. Getting the buy-in from everyone involved is crucial, and enabling your employees is the right way to do it.

2) Implementing security activities in your development process with a big bang approach often fails. Instead, take it step by step and build your security posture over time. Measure what you have achieved regularly and correct course if necessary.

3) Define clear and specific security requirements and derive misuse and abuse cases for your application during the design phase. Make sure those are addressed by appropriate security measures throughout the development life-cycle. Design a secure architecture, ensure secure implementation, perform security testing and protect your application during operations. Every single security activity must be driven by an overarching plan, defined in the security requirements.

After more than an hour of content, participants were able to ask their most burning questions in the Q&A session, moderated by the OWASP Vienna chapter team. Many took the opportunity and after everyone got their questions answered, the event came to a close around 8pm.

It’s great to see more and more local OWASP initiatives taking root and I’m already looking forward to the next chapter meetings here in Vienna. And while the virtual edition of this meeting was a success, I’m hoping to meet my colleagues and friends from the local security community face to face again soon. If you want to attend future events as well, check out the OWASP Vienna Meetup Group.

Here you can find my slides of the lecture

 

About the author

Thomas Kerbl
Thomas Kerbl
SEC Consult Group
Principal Security Consultant

Thomas has worked as a security consultant at SEC Consult for over 15 years. In his role as principal security consultant and team leader, he does not only lead a team of experts, but is also still involved in customer projects hands-on. Currently he is engaged in projects concerning “Secure Software Development” and “Security Architecture” where he incorporates his experiences as a former penetration tester and security requirements engineer.