How Left Do You Lean? Security Maturity in the SDLC

By Ross Saunders

There’s something distinctly wrong about waiting for things to go wrong and then patching and fixing them after the fact. This happens all the time when it comes to the security of software applications. All too often, security is considered as an afterthought, or only when you roll around to quality assurance, rather than while the actual development is taking place.

Mature security starts at the planning stage. This is the whole “shift left” idea that you hear security professionals speak about: moving security further “left” in the sequential process that takes place to deliver software.

How do you measure this?

It’s all fine and well to say that security needs to be included in the development process, but not many folks know where to start aside from looking at the usual OWASP (Open Web Application Security Project) Top 10 or secure practices that have been “passed down through generations of developers”. We see it all too often that security is done “as and when” and not “part and parcel”.

Enter the OWASP Software Assurance Maturity Model (SAMM for short), a maturity model framework that helps companies assess their current development security, formulate a way forward to improve their maturity, and implement controls to bolster their security posture. SAMM is a set of 15 security practices spread across the business functions of the development space, each broken down into three maturity levels.

The functions covered by SAMM are:

  • Governance - your strategy and metrics, policies, education, and compliance within the development (and organizational) function.

  • Design - threat assessments, security requirements, and the security architecture required for development.

  • Implementation - getting security into the build, deployment, and defect management functions of the life cycle.

  • Verification - assessing the architecture, requirement testing, and security testing post-development.

  • Operations - how you manage incidents, environments, and the operations of the organization.

Assessing the current posture lets you see which maturity level you are at in each area, and lets you develop a strategy for implementing the controls that make sense for your business. Not all businesses need to be at level 3 (the highest) maturity, just as not all processes and functions need to be at the same level. Higher levels of maturity require higher levels of commitment and formalization, and depending on the size and complexity of your business, you may elect to stay at lower levels that align with your risk appetite.

That said, if you do choose to assess your organization using SAMM, you’ll be able to define a clear strategy and roadmap for holistically implementing the controls within your business.

All these controls don’t sound very agile…

Firstly, it’s important to differentiate between actually being Agile, meaning adhering to the Agile manifesto, and just saying you’re agile, which often means there’s “cowboy development” going on with no documentation!

In the former case of actual Agile processes (written with a capital A), it may seem that SAMM conflicts with the concepts of “people over process” or “software over documentation”. Personally, I believe that SAMM complements the Agile approach, as it most certainly harnesses change for the customer’s competitive advantage, supports sustainable development, and provides continuous attention to technical excellence. SAMM provides you with an assessment of how mature your practices are, while the implementation of your roadmap is designed to fit your processes, sprints, and day-to-day development. It’s continuous integration of security and continuous improvement at its best!

In the latter case of lip service towards agile, not only can SAMM assist in identifying your maturity, but it can help you rein in unnecessary development and bloat by identifying your strategy and development practices. Agile does not mean no processes; it means minimal and streamlined processes, and SAMM can help you identify just that for your business.

How can Bamboo help?

There is nothing stopping you from conducting your own SAMM assessment. However, assessing your development environment and lifecycle while you are actively developing under pressure is an incredibly difficult task. It takes valuable time away from management, business analysts, developers, and engineers. As SAMM Practitioners, Bamboo can conduct a SAMM assessment for you with far less disruption to your core teams, culminating in a detailed report and a roadmap going forward.

Not only do we help with the assessment, we also have vast experience in working with software development companies in designing and implementing the controls required to advance your maturity. Bamboo’s consultants have experience in privacy and security, as well as software development, and can offer tremendous value in designing controls that work for YOUR unique development lifecycle.

Give us a shout today to find out more about SAMM and how we can assist you in shifting security earlier in your lifecycle, addressing the cause and not the symptom when it comes to software development assurance.
