Last week I did a talk at the AIEA Turin Chapter on Software Security in Practice.
I started the talk asking some key questions:
- What is Secure Software?
- How can a Company manages the security of the applications today?
- How can OWASP support the Enterprises to develop, maintain and buy Software ever more secure?
- What is a structured approach to the Governance of Software Security?
What we can say today is that Secure Software does not exist: the vulnerabilities in the software development process are expected. The control of the security bugs and flaws in the software should be considered as part of the process of software development.
I do a summary of the basic principles of software security and how OWASP can help to create a structured approach to the Governance of Software Security.
1) If you do not ask for security, no one will develop "secure software".
- Use the OWASP Software Contract Annex to regulate your outsourcer contracts
2) If you do not know the application threats, you will develop unsecure software.
- Use the OWASP Top 10 for General Awareness
- Use the OWASP CISO Guide for Management’s Awareness
3) Vulnerabilities in the software development process are expected.
- Use the OWASP Building Guide and ESAPI to write more secure software
- Use the OWASP Secure Code Review Guide to review the code
- Use the OWASP Testing Guide to review your application
4) The fixing process is the most important step of the process of software security.
- Retest your application after a bug fixing or a new release to be sure that the right implementations are in place
5) Software Security Governance is the key to have a mature SDLC.
- Use the OWASP SAMM to assess your maturity and to build an Application Security Program to manage the SDLC.
At the end of the presentation I show how the Companies are approaching Software Security today in the real world using OWASP SAMM and BSIMM 6.
You can read the presentation here.