SAMMY UI is optimized for resolutions with a width 1024px and higher.
Maturity Level 1
Maturity Level 2
Maturity Level 3
Train all stakeholders for awareness
G-EG-A-1: Do you require employees involved with application development to take SDLC training?
  • Training is repeatable, consistent, and available to anyone involved with software development lifecycle
  • Training includes the latest OWASP Top 10 if appropriate and includes concepts such as Least Privilege, Defense-in-Depth, Fail Secure (Safe), Complete Mediation, Session Management, Open Design, and Psychological Acceptability
  • Training requires a sign-off or an acknowledgement from attendees
  • You have updated the training in the last 12 months
  • Training is required during employees' onboarding process
Coverage
- None: There is no coverage for this activity or not all quality criteria have been fulfilled.
- Some: You perform this activity across some portion of your applications, to a certain extend, or review it on an ad-hoc basis, while making sure that all quality criteria are fulfilled.
- Half: You perform this activity across half of your applications, to a larger extent or review it at regular times (though not very often), while making sure that all quality criteria are fulfilled.
- Most/All: You perform this activity across most / all of your applications, to a full extent or review it at regular times at most once a year, while making sure that all quality criteria are fulfilled.
Description

Conduct security awareness training for all roles currently involved in the management, development, testing, or auditing of the software. The goal is to increase the awareness of application security threats and risks, security best practices, and secure software design principles. Develop training internally or procure it externally. Ideally, deliver training in person so participants can have discussions as a team, but Computer-Based Training (CBT) is also an option.

Course content should include a range of topics relevant to application security and privacy, while remaining accessible to a non-technical audience. Suitable concepts are secure design principles including Least Privilege, Defense-in-Depth, Fail Secure (Safe), Complete Mediation, Session Management, Open Design, and Psychological Acceptability. Additionally, the training should include references to any organization-wide standards, policies, and procedures defined to improve application security. The OWASP Top 10 vulnerabilities should be covered at a high level.

Training is mandatory for all employees and contractors involved with software development and includes an auditable sign-off to demonstrate compliance. Consider incorporating innovative ways of delivery (such as gamification) to maximize its effectiveness and combat desensitization.

Endorsed Solutions for Mastering Training and Awareness
vendor logo Become a Recommended Vendor for Training and Awareness!

Are you a provider of cutting-edge products, processes, consultancy, or technology that aligns with Training and Awareness? Showcase your expertise and connect with organizations seeking solutions like yours. Apply now to become an endorsed vendor and help others achieve mastery!

Do you want to recommend a vendor to appear here? Recommend a vendor
OWASP Team guidance

This is the official guidance provided by the OWASP SAMM Team.

Loading...
Loading, please wait.
Community guidance

This guidance is based on the approved community submissions.

Loading...
Loading, please wait.