Crowdsourcing is a wonderful, powerful tool. After all, isn't it much easier to trust data gathered from large groups of people who don't stand to gain from the information they're sharing? That logic is what makes the OpenSAMM document, which describes a maturity model for secure software development, so valuable. When industry professionals collaborate to share their knowledge on maintaining security throughout the Software Development Lifecycle (SDLC), everybody wins.
SAMM, which stands for "Software Assurance Maturity Model," is described as "an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization." OWASP's OpenSAMM project is dynamic and open source, which means it is constantly growing more robust and useful to firms of all sizes. The project defines four business functions critical to software development and 12 security practices (three per business function) that firms can adopt to improve their software development process. For each security practice, it also provides objectives to which firms can aspire as they work toward mastering security.
Taking time to read through and understand OpenSAMM will help you achieve a new level of software security (or, in the best case, assure you that your security is truly top-notch), but there are a few basic takeaways that are worth calling out. Here's a closer look at what independent research suggests for running a secure cyberenterprise:
OpenSAMM on Policy and Compliance
Running a compliant enterprise is no easy task. Depending on your industry and any potential customers and vendors, regulating bodies and their requirements can vary. When it comes to policy and compliance, OpenSAMM offers a few suggestions. These include identifying and keeping a close eye on "external compliance drivers," developing comprehensive guidelines for compliance, building out standards for security and compliance, establishing auditing practices for projects, developing "compliance gates" for each project, and finding a way to collect and store audit data. All that sounds like a lot of work, but it's crucial for developing software that's up to snuff.
Fortunately, leading security software solutions take the headaches out of remaining compliant while saving IT valuable time. Without the need to rewrite policies or constantly monitor policy updates, employees are able to focus their energies on tasks related to growth and development.
OpenSAMM on Code Review
Whether an app is outsourced or built in-house, it should be subject to the same rigorous review and testing. There is no excuse for untested code allowing malicious attacks to succeed, so having a security solution that provides extensive code review is essential to the software development maturity model. OpenSAMM cites three primary objectives for a firm's successful code review process: finding "basic code-level vulnerabilities and other high-risk security issues," automating in-development code review for increased efficiency and accuracy, and requiring a comprehensive code-review process to pinpoint "language-level and application-specific risks."
It probably comes as no surprise that manual code review is inordinately time-consuming, so finding a software security solution that does this automatically is critical to maintaining a secure and efficient enterprise. Note that only the second of the three objectives above is about automation; the third calls for a comprehensive code-review process to catch language-level and application-specific risks, so automated scanning is a complement to that process rather than a substitute for it.
OpenSAMM on Vulnerability Management
Just because software was built right and tested during and after development does not mean it's safe. New threats are constantly emerging, and even thoroughly tested programs can be exposed after they have been implemented and used successfully. OpenSAMM's clear-cut objectives where vulnerability management is concerned go a long way in helping firms build out their security strategies. They include understanding, at the highest level, the plan for responding to threats or incidents (this includes defining points of contact and organizing emergency response teams); defining expectations for each step in the response procedure in an effort to make all responses clear, effective and consistent; and improving data collection and analysis processes so that more proactive measures can be taken against vulnerabilities in the future.
This is another area that can save IT departments time, money and energy. Remaining apprised of all existing and developing threats is more than a full-time job, but the right software solution will do it without diverting human resources. Dedicated security software is crowdsourced and constantly updating, which means it's better at identifying and preventing new threats than even the best people are.
The Bottom Line
Understanding OpenSAMM is easy enough — a bunch of smart, independently minded people across software security industries made recommendations about the software development maturity model to help every firm work toward decreasing vulnerabilities. And with a great software security solution, enacting OpenSAMM protocol is easy. Can your enterprise afford to ignore the collected wisdom and security suggestions OpenSAMM is offering for free?