- You have a list of the most important technologies used in, or in support of, each application
- You identify and track technological risks
- You ensure the risks to these technologies are in line with the organizational baseline
Description
People often take the path of least resistance in developing, deploying or operating a software solution. New technologies are often included when they can facilitate or speed up the effort or enable the solution to scale better. These new technologies might, however, introduce new risks to the organization that you need to manage.
Identify the most important technologies, frameworks, tools and integrations being used for each application. Use the knowledge of the architect to study the development and operating environment as well as artefacts. Then evaluate them for their security quality and raise important findings to be managed.
Endorsed Solutions for Mastering Technology Management
Become a Recommended Vendor for Technology Management! Are you a provider of cutting-edge products, processes, consultancy, or technology that aligns with Technology Management? Showcase your expertise and connect with organizations seeking solutions like yours. Apply now to become an endorsed vendor and help others achieve mastery!
Do you want to recommend a vendor to appear here? Recommend a vendor
OWASP Team guidance
This is the official guidance provided by the OWASP SAMM Team.
Community guidance
This guidance is based on the approved community submissions.
- The list is based on technologies used in the software portfolio
- Lead architects and developers review and approve the list
- You share the list across the organization
- You review and update the list at least yearly
Description
Identify commonly used technologies, frameworks and tools in use across software projects in the organization, whereby you focus on capturing the high-level technologies.
Create a list and share it across the development organization as recommended technologies. When selecting them, consider incident history, track record for responding to vulnerabilities, appropriateness of functionality for the organization, excessive complexity in usage of the third-party component, and sufficient knowledge within the organization.
Senior developers and architects create this list, including input from managers and security auditors. Share this list of recommended components with the development organization. Ultimately, the goal is to provide well-known defaults for project teams. Perform a periodic review of these technologies for security and appropriateness.
Endorsed Solutions for Mastering Technology Management
Become a Recommended Vendor for Technology Management! Are you a provider of cutting-edge products, processes, consultancy, or technology that aligns with Technology Management? Showcase your expertise and connect with organizations seeking solutions like yours. Apply now to become an endorsed vendor and help others achieve mastery!
Do you want to recommend a vendor to appear here? Recommend a vendor
OWASP Team guidance
This is the official guidance provided by the OWASP SAMM Team.
Community guidance
This guidance is based on the approved community submissions.
- You monitor applications regularly for the correct use of the recommended technologies
- You solve violations against the list accoranding to organizational policies
- You take action if the number of violations falls outside the yearly objectives
Description
For all proprietary development (in-house or acquired), impose and monitor the use of standardized technology. Depending on your organization, either implement these restrictions into build or deployment tools, by means of after-the-fact automated analysis of application artefacts (e.g., source code, configuration files or deployment artefacts), or periodically review focusing on the correct use of these frameworks.
Verify several factors with project teams. Identify use of non-recommended technologies to determine if there are gaps in recommendations versus the organization's needs. Examine unused or incorrectly used design patterns and reference platform modules to determine if updates are needed. Additionally, implement functionality in the reference platforms as the organization evolves and project teams request it.
Endorsed Solutions for Mastering Technology Management
Become a Recommended Vendor for Technology Management! Are you a provider of cutting-edge products, processes, consultancy, or technology that aligns with Technology Management? Showcase your expertise and connect with organizations seeking solutions like yours. Apply now to become an endorsed vendor and help others achieve mastery!
Do you want to recommend a vendor to appear here? Recommend a vendor
OWASP Team guidance
This is the official guidance provided by the OWASP SAMM Team.
Community guidance
This guidance is based on the approved community submissions.