- Training is repeatable, consistent, and available to anyone involved with software development lifecycle
- Training includes relevant content from the latest OWASP Top 10 and includes concepts such as Least Privilege, Defense-in-Depth, Fail Secure (Safe), Complete Mediation, Session Management, Open Design, and Psychological Acceptability
- Training requires a sign-off or an acknowledgement from attendees
- You have reviewed the training content within the last 12 months, and have completed any required updates
- All new covered staff are required to complete training during their onboarding process
- Existing covered staff are required to complete training when content is added/revised, or complete refresher training at least every 24 months, whichever comes first
Description
Benefit
Basic security awareness for all relevant employees
Activity
Conduct security awareness training for all roles currently involved in the management, development, testing, or auditing of the software. The goal is to increase the awareness of application security threats and risks, security best practices, and secure software design principles. Develop training internally or procure it externally. Ideally, deliver training in person so participants can have discussions as a team, but Computer-Based Training (CBT) is also an option.
Course content should include a range of topics relevant to application security and privacy, while remaining accessible to a non-technical audience. Suitable concepts are secure design principles including Least Privilege, Defense-in-Depth, Fail Secure (Safe), Complete Mediation, Session Management, Open Design, and Psychological Acceptability. Additionally, the training should include references to any organization-wide standards, policies, and procedures defined to improve application security. The OWASP Top 10 vulnerabilities should be covered at a high level.
Training is mandatory for all employees and contractors involved with software development and includes an auditable sign-off to demonstrate compliance. Consider incorporating innovative ways of delivery (such as gamification) to maximize its effectiveness and combat desensitization.
Recommended vendor for Training and Awareness
Secure Code Warrior’s platform offers interactive, gamified training that makes learning engaging and effective. Developers can participate in hands-on coding challenges, tournaments, and real-time coaching, all tailored to their preferred programming languages and frameworks. This personalized and enjoyable learning experience fosters a culture of security-conscious developers who are empowered to write secure code from the start, reducing vulnerabilities and enhancing overall software quality.
Why we like Secure Code Warrior: We love Secure Code Warrior for its unmatched breadth of content, covering every coding language you can think of and more. What truly sets it apart is its metric-driven approach to learning, featuring benchmark scores that let you compare your organization’s performance to others. Secure Code Warrior not only equips teams with essential secure coding skills but also provides the insights needed to track and improve proficiency over time.
OWASP Team guidance
This is the official guidance provided by the OWASP SAMM Team.
Community guidance
This guidance is based on the approved community submissions.
- Training includes all topics from maturity level 1, and adds more specific tools, techniques, and demonstrations
- Training is mandatory for all employees and contractors
- Training includes input from in-house SMEs and trainees
- Training includes demonstrations of tools and techniques developed in-house
- You use feedback to enhance and make future training more relevant
Description
Benefit
Relevant employee roles trained according to their specific role
Activity
Conduct instructor-led or CBT security training specific to the organization's roles and technologies, starting with the core development team. The organization customizes training for product managers, software developers, testers, and security auditors, based on each group's technical needs.
- Product managers train on topics related to SAMM business functions and security practices, with emphasis on security requirements, threat modeling, and defect tracking.
- Developers train on coding standards and best practices for the technologies they work with to ensure the training directly benefits application security. They have a solid technical understanding of the OWASP Top 10 vulnerabilities, or similar weaknesses relevant to the technologies and frameworks used (e.g. mobile), and the most common remediation strategies for each issue.
- Testers train on the different testing tools and best practices for technologies used in the organization, and in tools that identify security defects.
- Security auditors train on the software development lifecycle, application security mechanisms used in the organization, and the process for submitting security defects for remediation.
- Security Champions train on security topics from various phases of the SDLC. They receive the same training as developers and testers, but also understand threat modeling and secure design, as well as security tools and technologies that can be integrated into the build environment.
Include all training content from the Maturity Level 1 activities of this stream and additional role-specific and technology-specific content. Eliminate unnecessary aspects of the training.
Ideally, identify a subject-matter expert in each technology to assist with procuring or developing the training content and updating it regularly. The training consists of demonstrations of vulnerability exploitation using intentionally weakened applications, such as WebGoat or Juice Shop. Include results of the previous penetration as examples of vulnerabilities and implemented remediation strategies. Ask a penetration tester to assist with developing examples of vulnerability exploitation demonstrations.
Training is mandatory for all employees and contractors involved with software development, and includes an auditable sign-off to demonstrate compliance. Whenever possible, training should also include a test to ensure understanding, not just compliance. Update and deliver training annually to include changes in the organization, technology, and trends. Poll training participants to evaluate the quality and relevance of the training. Gather suggestions of other information relevant to their work or environments.
Recommended vendor for Training and Awareness
Secure Code Warrior’s platform offers interactive, gamified training that makes learning engaging and effective. Developers can participate in hands-on coding challenges, tournaments, and real-time coaching, all tailored to their preferred programming languages and frameworks. This personalized and enjoyable learning experience fosters a culture of security-conscious developers who are empowered to write secure code from the start, reducing vulnerabilities and enhancing overall software quality.
Why we like Secure Code Warrior: We love Secure Code Warrior for its unmatched breadth of content, covering every coding language you can think of and more. What truly sets it apart is its metric-driven approach to learning, featuring benchmark scores that let you compare your organization’s performance to others. Secure Code Warrior not only equips teams with essential secure coding skills but also provides the insights needed to track and improve proficiency over time.
OWASP Team guidance
This is the official guidance provided by the OWASP SAMM Team.
Community guidance
This guidance is based on the approved community submissions.
- A Learning Management System (LMS) is used to track trainings and certifications
- Training is based on internal standards, policies, and procedures
- You use certification programs or attendance records to determine access to development systems and resources
Description
Benefit
Adequate security knowledge of all employees ensured prior to working on critical tasks
Activity
Implement a formal training program requiring anyone involved with the software development lifecycle to complete appropriate role and technology-specific training as part of the onboarding process. Based on the criticality of the application and user's role, consider restricting access until the onboarding training has been completed. While the organization may source some modules externally, the program is facilitated and managed in-house and includes content specific to the organization going beyond general security best practices. The program has a defined curriculum, checks participation, and tests understanding and competence. The training consists of a combination of industry best practices and organization's internal standards, including training on specific systems used by the organization.
In addition to issues directly related to security, the organization includes other standards to the program, such as code complexity, code documentation, naming convention, and other process-related disciplines. This training minimizes issues resulting from employees following practices incorporated outside the organization and ensures continuity in the style and competency of the code.
To facilitate progress monitoring and successful completion of each training module the organization has a learning management platform or another centralized portal with similar functionality. Employees can monitor their progress and have access to all training resources even after they complete initial training.
Review issues resulting from employees not following established standards, policies, procedures, or security best practices at least annually to gauge the effectiveness of the training and ensure it covers all issues relevant to the organization. Update the training periodically and train employees on any changes and most prevalent security deficiencies.
Recommended vendor for Training and Awareness
Secure Code Warrior’s platform offers interactive, gamified training that makes learning engaging and effective. Developers can participate in hands-on coding challenges, tournaments, and real-time coaching, all tailored to their preferred programming languages and frameworks. This personalized and enjoyable learning experience fosters a culture of security-conscious developers who are empowered to write secure code from the start, reducing vulnerabilities and enhancing overall software quality.
Why we like Secure Code Warrior: We love Secure Code Warrior for its unmatched breadth of content, covering every coding language you can think of and more. What truly sets it apart is its metric-driven approach to learning, featuring benchmark scores that let you compare your organization’s performance to others. Secure Code Warrior not only equips teams with essential secure coding skills but also provides the insights needed to track and improve proficiency over time.
OWASP Team guidance
This is the official guidance provided by the OWASP SAMM Team.
Community guidance
This guidance is based on the approved community submissions.