OWASP SAMM: Assessing and Improving Enterprise Software Security

OWASP SAMM is a model that helps companies assess their software security posture and implement a strategy to optimize it

The Lace Tempest ransomware group, notorious for using Cl0p for extortion, has staged one of the most notorious and damaging cyberattacks in 2023 by exploiting a vulnerability in MOVEit Transfer software. This solution allows automated file transfers for sensitive data and is used by thousands of companies worldwide. As a result, cybercriminals have managed to attack energy companies, pension funds, insurance companies or public administrations in North America and Europe in sensitive areas such as education or health.

This attack highlights the need for companies and institutions to have an effective security strategy to protect business software throughout its lifecycle.

For this reason, the OWASP Foundation created in 2009 a software assurance maturity model known by its acronym SAMM. This model allows organizations to analyze their software security practices and helps them build a security program to optimize them, thus increasing enterprise software’s protection level.

In the following, we will dissect the keys to OWASP SAMM and how advanced cybersecurity services can help companies improve their software security posture according to the model’s functions, practices, activities and levels.

1. What is OWASP SAMM, and how can it be used

OWASP SAMM is a framework available to all enterprises and public administrations to assess, design and implement a software security strategy. The model has been designed openly to ensure that it can be adapted to any context. Thus, OWASP SAMM is intended to be used by companies that develop software and those that contract or acquire it.

Moreover, it is a tool that can be used if the organization has adopted the DevSecOps approach to secure software from design and throughout its lifecycle.

Through SAMM, small, medium and large companies can analyze their security practices, define an improvement plan and evaluate its implementation. Hence, OWASP points out four practical uses of SAMM:

• Assess an organization’s current software security posture.
• Establish the organization’s security strategy based on the objectives being pursued.
• Design an action plan to achieve the objectives, including the activities to be carried out.
• Advise organizations on the implementation of specific activities.

1.1. Getting started

To start working with SAMM, OWASP recommends following six basic steps:

1. Preparation. In this phase, the target must be established, i.e., whether the aim is to improve the security of a specific application, area, or organization. In addition, it is essential to identify all third-party organizations involved, such as software vendors, and ensure that they are aligned with the security strategy.
2. Assessment. OWASP SAMM is used to assess current security practices and determine the level of maturity sought for each security practice in the model.
3. Establishment of objectives. The third step revolves around establishing the goals to be achieved. To do so, the company must set the security activities to be carried out, considering the coherence between them and the available economic resources, specifying how much the budget destined to optimize the software security strategy amounts to.
4. Planning. It is essential to plan the strategy to improve the organization’s security posture, including phases and deadlines and distributing the activities, considering the available resources and the effort required by each activity.
5. Implementation. In the penultimate phase, the activities are implemented according to the schedule drawn up during planning. Considering their impact on the company’s processes, people, and tools is essential.
6. Deployment. Finally, the measures’ effectiveness and impact on the organization must be measured.

Do all the phases have to be executed? No, it will depend on the intended use of the model. For example, if only OWASP SAMM is used to evaluate the company’s security posture, it will be sufficient to implement the first two steps.

2. Structure of OWASP SAMM

It’s essential to address the structure of the model to understand how SAMM works and how it can be used practically to improve enterprise software security. This work revolves around five major elements:

1. Business functions.
2. Security practices.
3. Flows.
4. Maturity levels.
5. Activities.

2.1. Business functions and security practices

The OWASP SAMM is structured in the form of a tree. The trunk of this tree is made up of five business functions:

1. Governance (G). This function encompasses the processes related to the management of software development activities, their impact on the organization and business processes.
2. Design (D). SAMM’s second function focuses on the actions taken within software development projects, security requirements and application architecture.
3. Implementation (I). It encompasses all the processes related to the construction and deployment of software components, paying particular attention to their defects. The activities that are part of this function are aimed at distributing reliable software with minimum flaws.
4. Verification (V). It revolves around the testing and verification of software throughout its life cycle. In this sense, application security testing plays a fundamental role.
5. Operations (O). The activities of this function must guarantee the confidentiality, integrity and availability of data throughout the life of the applications.

These five functions each have three associated security practices. Thus, OWASP SAMM is a model comprising 15 security practices to be considered when securing enterprise software.

• Strategy and metrics (G).
• Policy and compliance (G).
• Training and guidance (G).
• Threat assessment (D).
• Security requirements (D).
• Security architecture (D).
• Secure construction (I).
• Secure implementation (I).
• Fault management (I).
• Architecture evaluation (V).
• Testing based on requirements (V).
• Security testing (V).
• Incident management (O).
• Environment management (O).
• Operational management (O).

2.2. Flows, maturity levels, and activities to be performed

All the security practices listed above are, in turn, divided into two flows that include three different activities depending on the organization’s maturity level.

For example, the security practice called Secure Implementation is divided into two flows containing three different activities, depending on the level of maturity that the organization is seeking to achieve:

1. Implementation process

• Level 1. Formalize the implementation process and securitize the tools and techniques used.
• Level 2. Automate the implementation process in all its phases and introduce security verification tests.
• Level 3. Automatically verify the integrity of all deployed software, regardless of whether it has been developed internally or externally.

2. Management of secrets

• Level 1. Implement basic protection measures to limit access to software production secrets.
• Level 2. Inject secrets during the deployment process from hardened warehouses and auditing all access to them.
• Level 3. Optimize the life cycle of software secrets, ensuring their proper use.

This structure is repeated with the other 14 security practices. Thus, OWASP SAMM proposes up to 90 activities that can be carried out to improve the software security posture of a company or public administration.

2.2.1. The importance of levels

Does this mean every company must implement a strategy for the 90 activities? No. OWASP SAMM includes maturity levels because not all companies are subject to the same level of cyber exposure and do not face the same risks.

After all, it is clear that a multinational operating in a critical sector such as finance or energy and an SME whose economic activity is not essential in the functioning of society and the market have different resources. Still, they are not obliged to meet the exact regulatory requirements nor have similar security needs and objectives.

For this reason, OWASP included the maturity levels to help companies, regardless of their size or economic sector, to evaluate their security practices and draw up strategies to increase the level of maturity in those critical practices for the organization, according to the resources and budget available.

3. How to assess the security posture and the effectiveness of implemented actions

Assessments are a fundamental element of OWASP SAMM, as the model allows an organization to measure the effectiveness of its current security practices and set a phased roadmap for improving present performance.

Using SAMM to conduct assessments is a straightforward practice based on an interview’s completion.

The model asks one question for each of the 90 activities that make up the model. Each question can be answered with one of four predefined answers. OWASP SAMM includes a set of quality criteria for each question to facilitate the answering task.

For example, the first question in the Governance function is, «Do you know the amount of risk the entire company is willing to take regarding its software applications?». The quality criteria offered as a guide are:

• It’s possible to know the level of risk that the company’s management wants to take.
• The company’s management reviews and approves software risks.
• The main business and technical threats to the company’s assets and data can be identified.
• Risks can be documented and stored in an accessible and secure location.

Using these quality criteria, the person completing the interview can answer:

• No. If the requirements still need to be fully met.
• Yes, general risks are covered.
• Yes, organization-specific risks are covered.
• Yes, risks and opportunities are covered.

3.1. Transforming qualitative responses into quantitative ratings

To carry out the assessments and facilitate the design of a security strategy to improve the security posture of the software, OWASP provides companies with tools in Microsoft Excel and Google Spreadsheet format. In addition, companies can design their online assessment tools or use SAMMY, a solution created by Codific.

These tools facilitate the task of transforming the answers to the 90 OWASP SAMM questions into a score that represents the maturity level of an organization in terms of different security practices and business functions.

Thus, the score can range from 0 to 3, representing the highest maturity level. As we pointed out earlier, not all companies should aim to achieve this score for each security practice, but rather, it should be in line with business needs, objectives and resources.

Therefore, from the initial score, organizations can aim to achieve higher scores in the future by planning the optimization process of the software security strategy. Implementing the activities contemplated in the model in different phases is advisable.

How is it verified that the security program is being implemented in a suitable way and that the objectives of each phase are being met? Redoing the evaluation using OWASP SAMM.

4. Cybersecurity services to protect software throughout its lifecycle

The keys to OWASP SAMM that we have been unpacking in this article highlight the need for companies wishing to strengthen enterprise software security to have advanced cybersecurity services in the five primary business functions and the 15 security practices that comprise them.

4.1 Multiple services to optimize all business functions.

• Governance. Comprehensive cybersecurity advice to effectively manage defensive capabilities, comply with regulatory requirements and train an organization’s professionals to carry out best practices is crucial.
• Design. Conduct threat assessments of in-house software and third-party applications and components and code audits, as well as establish effective security practices and requirements when designing software and managing technology assets.
• Implementation. Monitor software and third-party components continuously to detect vulnerabilities before hostile actors exploit them. Both vulnerability management services and emerging vulnerability detection are critical.
• Verification. Conduct application security testing (DAST, SAST, SCA, SCS…) on an ongoing basis to detect flaws and vulnerabilities that may lead to security incidents.
• Operations. Companies must have security mechanisms to detect incidents and respond to and mitigate malicious actions to ensure business continuity and data protection.

In short, OWASP SAMM is an open methodology that adapts to the context of any organization and serves to assess the security posture of the software and to design an action plan and a roadmap for improvement.

Tarlogic Security provides companies with a portfolio of advanced and comprehensive cybersecurity services to help them design and improve their software security strategies. Services such as code security audit help to optimize security practices and strengthen the protection of enterprise software throughout its lifecycle, in order to prevent security incidents such as supply chain attacks.