Help Irongeek.com pay for bandwidth and research equipment:
OWASP SAMM - Hardik Parekh (BSides Tampa 2020) (Hacking Illustrated Series InfoSec Tutorial Videos)
BSides Tampa 2020
Abstract: OWASP SAMM (https://owaspsamm.org) is the prime maturity model for software assurance that provides an effective and measurable way for all types of organizations to analyze and improve their software security posture. Building security into the software development and management practices of a company can be a daunting task. There are many elements to the equation: company risk profile, organizational structure, different stakeholders, technology stacks, tools and processes, and so forth. Implementing software assurance will have a significant impact on the organization.
OWASP Software Assurance Maturity Model (SAMM) gives you an effective and measurable way for all types of organizations to analyze and improve their software security posture in 3 levels of maturity - thus creating a step-by-step software assurance navigation plan. It enables you to formulate and implement a strategy for software security that is tailored to the risk profile of your organization. In this talk, we give an overview of the new release of the SAMM model. After 10 years since its first conception, it was important to align it with today?s development practices. We will cover a number of topics in the talk: (i) the core structure of the model, which was redesigned and extended to align with modern development practices, (ii) the measurement model which was setup to cover both coverage and quality and (iii) the new security practice streams where the SAMM activities are grouped in maturity levels. We will demonstrate the new SAMM2 toolbox to measure the maturity of an example DevOps team and how you can create a roadmap of activities.
Hardik Parekh is recognized thought leader and executive in
security/privacy domain with contributions to SANS CWE Top 25,
OWASP SAMM, BSIMM 1.0 to BSIMM 9; and SAFECode. Hardik is part of
the core team which developed OWASP SAMM 2.0.
Hardik has 16+ years of security leadership experience with a track record of developing
and maturing security programs in consumer and enterprise companies
RSA/EMC, Intuit, Amazon, and Splunk. Hardik has built security programs
in dynamic, fast-paced environments while leading highly technical
globally distributed security teams focused on application security,
hardware security, security operations, threat and vulnerability
management, security architecture, AWS security, and tools development.
Hardik has transformed DevOps organization to DevSecOps by integrating
security engineering tools in CICD pipeline and delivered security at
scale and speed in the journey to AWS migration.
Hardik was invited to speak at Global AppSec conference 2019.
Hardik also serves on advisory board of several security start ups and CompTIA.