Many of us know the OWASP Top 10 well and use it to decide which web application vulnerabilities to prioritize. Too many, though, treat it as the complete list of what to focus on, and train developers only on the coding flaws behind those ten categories, which does not even cover the OWASP Top 10 itself. But this post is not about the OWASP Top 10. Because compliance frameworks mention it, the OWASP Top 10 is widely known, while far fewer people are aware of the other helpful guidance OWASP provides. One of these tools is the OWASP Software Assurance Maturity Model (SAMM). According to OWASP, SAMM offers prescriptive guidance for improving security posture across the complete software lifecycle. It is extensive, but fortunately it can be used in small, digestible chunks to create incremental, measurable improvement. The overall model looks like this:
Figure: The SAMM model (provided by OWASP)
These are all activities that any organization creating and deploying software is involved in, and for each one the model shows you how to measure and improve your security maturity. Since the topic of this post is training, I will focus on the Education & Guidance box in the bottom left corner.
The Education & Guidance area of the model specifies:
"One major theme for improvement across the Objectives is providing training for employees and increasing their security awareness, either through instructor-led sessions or computer-based modules. As an organization progresses, it builds a broad base of training starting with developers and moving to other roles, culminating with the addition of role-based training to ensure applicability and effectiveness."
The key here is that, according to OWASP SAMM, a mature training program includes broad-based training across SDLC functions that is role-based.
If we zoom further into the Training and Awareness box, a subsection of Education & Guidance, there are details for each Maturity Level that describe what it takes to build a mature training program for software assurance. I have excerpted some of the key points below.
Table 1: OWASP SAMM Training and Awareness Maturity Levels

| Maturity Level | Excerpt from Quality Requirement | Excerpt from Activity Required |
|---|---|---|
| Level 1 | “Training includes the latest OWASP Top 10 if appropriate and includes concepts such as Least Privilege, Defense-in-Depth, Fail Secure (Safe), Complete Mediation, Session Management, Open Design, and Psychological Acceptability” | “Conduct security awareness training for all roles currently involved in the management, development, testing, or auditing of the software. The goal is to increase the awareness of application security threats and risks, security best practices, and secure software design principles.” |
| Level 2 | “Training includes all topics from maturity level 1, and adds more specific tools, techniques, and demonstrations.” “Training is mandatory for all employees and contractors.” | Train Product Managers, Developers, Testers, Security Auditors and Security Champions with training “specific to the organization’s roles and technologies.” “The training consists of demonstrations of vulnerability exploitation using intentionally weakened applications…” |
| Level 3 | “A Learning Management System (LMS) is used to track trainings and certifications.” “Training is based on internal standards, policies, and procedures.” | “Implement a formal training program requiring anyone involved with the software development lifecycle to complete appropriate role and technology-specific training as part of the onboarding process.” |
As you can see, training developers only on how to write code that avoids the OWASP Top 10 would not even meet Maturity Level 1. How immature!
If you have, or plan to have, a training program to address software security, I highly recommend looking at OWASP SAMM's Education & Guidance practice. It shows you how to build a mature program for software security training and awareness, and what you can do to improve the maturity of the program you already have.
At Security Innovation, we have a complete set of training modules, labs, and cyber ranges that allow you to go beyond the code and implement a fully mature software security training program. This will enable you to maximize your investment in training and reduce your software security risk. Security Innovation's unique combination of Courses, multiple types of Labs, and Cyber Ranges – all accessed through our Base Camp platform – can help your software security training program meet all the specifications of SAMM Level 3 for training. We have the most extensive set of training for developers in the industry, and our library is equally expansive for roles across the SDLC. Now isn't that mature!
About Fred Pinkett, Senior Director Product Management
Fred Pinkett is the Senior Director of Product Management for Security Innovation. Prior to this role, he was at Absorb, Security Innovation's learning management system partner. In his second stint with the company, he is the first product manager for Security Innovation's computer-based training. Fred has deep experience in security and cloud storage, including time at RSA, Nasuni, Core Security, and several other startups. He holds an MBA from Boston College and a BS in Computer Science from MIT. Working at both Security Innovation and Absorb, Fred clearly can't stay away from the intersection between application security and learning. Connect with him on LinkedIn.