- On 23. Apr 2020
On 2020-04-20, the first virtual meeting of the OWASP Vienna chapter took place. I (Thomas Kerbl – SEC Consult) was invited to talk about my experiences with Secure Software Development based on OWASP SAMM, the Security Assurance Maturity Model.
Version 2 of this standard was released in January 2020, and is now even better suited to address modern development methodologies like Agile Development and DevOps.
After giving a brief overview of OWASP SAMM itself, I shared with the community what works in practice and which pitfalls to avoid.
These are some of the key take-aways from my talk:
1) Invest in people. Educate your employees regarding security to demystify it. Building a great security culture is hard, but pays off in the end. Getting the buy-in from everyone involved is crucial, and enabling your employees is the right way to do it.
2) Implementing security activities in your development process with a big bang approach often fails. Instead, take it step by step and build your security posture over time. Measure what you have achieved regularly and correct course if necessary.
3) Define clear and specific security requirements and derive misuse and abuse cases for your application during the design phase. Make sure those are addressed by appropriate security measures throughout the development life-cycle. Design a secure architecture, ensure secure implementation, perform security testing and protect your application during operations. Every single security activity must be driven by an overarching plan, defined in the security requirements.
After more than an hour of content, participants were able to ask their most burning questions in the Q&A session, moderated by the OWASP Vienna chapter team. Many took the opportunity and after everyone got their questions answered, the event came to a close around 8pm.
It’s great to see more and more local OWASP initiatives taking root and I’m already looking forward to the next chapter meetings here in Vienna. And while the virtual edition of this meeting was a success, I’m hoping to meet my colleagues and friends from the local security community face to face again soon. If you want to attend future events as well, check out the OWASP Vienna Meetup Group.
Here you can find my slides of the lecture:
About the author:
DI Thomas Kerbl, MSc
Principal Security Consultant, SEC Consult