This is part of a series of presentations that i am going to create for explaining an open secure SDLC maturity model, called SAMM aka OpenSAMM. Click here to view the presentation.
Disclaimer — This is NOT an original work. I have taken help from the official presentation and some other articles/presentations available on internet. I regret that because i forgot to keep track of the sources, i cannot credit them properly in the presentation. However, if i get any information about the source, i will update this presentation with the credits. Would request people to get back to me if they have information on the sources.
Although it is generally believed that security should be in-built and not a patch after development, very few companies give it a try for one or more of the reasons:-
- There is little explicit demand (after all, my customers are not saying they want security, why should i bother? If i put some investment and cannot get it back, it’ll be bad for business, won’t it?);
- As a corollary to the above point, clients probably worry that if they demand security, maybe they have to pay for it (in terms of additional efforts and hence cost);
However, with SEC demanding that companies disclose “potential” security breaches (and this usually means that apart from companies to take notice of this fact, us compliance professionals can take little sadistic respite in the fact that we would be in little more demand ;) ), i think companies better start demanding security in their applications (at-least those that come under purview of SEC).
OpenSAMM (or SAMM) is a maturity model that helps gauge the maturity of secure SDLC implementation in an organization. It also provides a benchmark against which similar efforts from different organizations can be judged. In retrospect, isn’t this how ISO propagated (capitalism, anyone?). Business wise, i think it makes perfect sense to demand security from a service provider, and then benchmark it against those of other vendors, makes ROI sense.
I gave this presentation at an OWASP Chapter Meet. Hope to finish the entire series in a couple of months. Watch this space for more!