Implementing OWASP SAMM at Unico: Towards More Secure Products
In an increasingly digital world exposed to cyber threats, Unico recognized the need to address the security of its solutions seriously and proactively. Integrating security practices into software development became a priority to protect our customers' data and the reliability of our products. The difficulty was measuring whether preventive actions, such as "shifting left", were actually working: a count of vulnerabilities found tells you little about the practices that prevent them. So we adopted the OWASP Software Assurance Maturity Model (SAMM). The framework gives us a structured basis for assessing the maturity of our security practices and for defining concrete actions to raise it. Based on the SAMM assessment, we implemented actions tailored to each product, so that security measures fit the specific needs of each solution. This targeted approach let us address weaknesses where they actually were and improve security on several fronts at once. With SAMM we seek not only to make our products more secure but also to build a culture of collaboration between the application security and engineering teams, turning security into a strategic ally of innovation.
What is OWASP SAMM?
OWASP SAMM is a maturity model that lets an organization assess and improve its software security practices. It is structured into five business functions: Governance, Design, Implementation, Verification, and Operations, each covering a different part of the Software Development Life Cycle (SDLC). Each business function contains three security practices (fifteen in total), and each practice is scored against three maturity levels; a practice that is not yet in place scores 0. This lets an organization advance progressively and in a structured way, practice by practice.
The Five Business Functions of SAMM
- Governance: Strategy & Metrics, Policy & Compliance, and Education & Guidance. Sets the security strategy and metrics, establishes policies and ensures compliance with regulations, and makes sure teams are trained in security best practices.
- Design: Threat Assessment, Security Requirements, and Security Architecture. Integrates security from the earliest phases of development, before code is written.
- Implementation: Secure Build, Secure Deployment, and Defect Management. Builds security into the build and deployment pipelines and manages the security defects that are found.
- Verification: Architecture Assessment, Requirements-driven Testing, and Security Testing. Checks, through reviews and tests, that what was built is actually secure.
- Operations: Incident Management, Environment Management, and Operational Management. Keeps software secure in production, including detecting and responding to security incidents.
Why Implement SAMM?
Until early 2024, the only measure we had of our products' security was the number of vulnerabilities found. That is a lagging indicator: it says how much got through, not whether the practices meant to prevent it are in place and working. To become more proactive, we decided to scale our security efforts and use OWASP SAMM as a guide. With it, we seek to improve our practices and ensure that each product undergoes its own individual assessment.
Expected Benefits
Implementing SAMM brought several benefits to Unico:
- Performance Indicators: Per-practice maturity scores show precisely which areas need improvement, instead of a single vulnerability count.
- Compliance: Confirmed that our practices were aligned with the legislation relevant to us.
- Continuous Improvement: Periodic reassessments let us track progress over time and adjust our security strategy.
Results Achieved
Before implementing OWASP SAMM, the average security maturity of our products was still at an initial stage, which made the need for improvement clear. We benchmarked ourselves against the data published by the OWASP SAMM project, which showed that the average maturity of the organizations in that data set was higher than ours. Based on this, we set challenging goals and developed a concrete action plan in each of the five business functions, aiming to raise our security level and align it with the best market practices.
The actions included:
- Governance: Adjusted processes and published our security policies so that engineering teams know what is expected.
- Design: Established secure development standards to be applied from the design phase.
- Implementation: Added security controls to the build and deployment pipelines.
- Verification: Conducted architecture assessments and penetration (exploitation) tests.
- Operations: Integrated incident management with the development teams, so that incidents feed back into the products that caused them.
The good news? We exceeded our expectations and reached a maturity score that puts us very close to level 2 of SAMM's three maturity levels. Level 1 represents initial, ad hoc practices; level 2 is characterized by consistent and repeatable processes. With this result we are practically at level 2, which also places our maturity above the average in the OWASP benchmark data. This reflects the engagement and commitment of our security and engineering teams, who have advanced significantly since the first assessment and reaffirm our commitment to continuously raising the protection of our products.
Conclusion
Implementing OWASP SAMM was a significant step in Unico's journey toward a robust and effective security culture. The results reflect our commitment to ensuring that each product we develop is aligned with the best market practices. We will keep reassessing and improving, always seeking the strongest protection and the trust of our customers. Here, security is not just a priority; it is the essence of our work.