Every organisation, even a well-established business, faces security challenges from the use of software, whether it is developed in-house or by third parties. There are many such challenges, but adversaries gaining access to sensitive data and establishing a foothold within the infrastructure to target other systems or launch future attacks are common examples. These challenges are caused by software vulnerabilities and can create a significant risk to the business.

Software security is no longer an afterthought but an integral part of Information Security and Risk Management.

At Savanti, we have created a 4-stage process to help organisations build secure software by working with both the organisation and the team to define a mature, repeatable model.

Being proactive about software security can protect against attacks from adversaries as well as ensure compliance with legal, regulatory and internal policy/standards requirements.

Savanti approach – SAMM aligned model

Our model is aligned with the Software Assurance Maturity Model (SAMM), developed by the OWASP (Open Web Application Security Project) Foundation. Our approach is application agnostic and is highly customised to suit any type of organisation or team.

1. Assessment of current maturity

At this stage, we work closely with the organisation to understand “Where is the organisation in terms of software assurance?”. This is done through a series of Q&A sessions tailored to the specific organisation.

2. Set target maturity level

Once we understand the current maturity level, the next step is to answer “Where does the organisation want to be?”. This is achieved by working closely with the organisation, recommending the best approaches and practices, and understanding the organisation’s priorities.

3. Create roadmap

After setting the target, we define “Where will the organisation be at a given point in time?” in order to make sure the software assurance process is working for the organisation. A time-boxed (e.g. 3 months) maturity level is defined so that the organisation can check its progress.

4. Create implementation plan

After defining the roadmap, the final stage is to answer “How will the organisation get there?”. This is done by providing a customised work plan consisting of specific activities that the organisation can carry out in order to achieve the target maturity level.

Example/Diagram – Initial maturity scores based on assessment:


Example/Diagram – Roadmap plan to improve maturity level of 12 security practices over time:

Service benefits also include:

  • Helps build assurance processes that mature the secure software development methodology over time
  • Ensures the software is less vulnerable to the most common attacks used by adversaries
  • Provides traceable requirements that ensure the software development process incorporates legal (e.g. GDPR), regulatory (e.g. PCI-DSS), organisational policy and standards, and contractual requirements for compliance

Optional additional services to supplement include:

  • Developer training platform based on the OWASP Top 10, targeted at mobile and web development teams
  • Software development standards and training guides for the developers
  • A collection of developer resources tailored for your team

If this is right for you or you need further details, please contact info@savanti.co.uk.