The end goal of security for any organization is to secure customer digital assets. The goal we are going to discuss here is how to define organization-level phased goals for security assurance programs and DevSecOps.

The Open Web Application Security Project (OWASP) and Software Assurance Maturity Model (SAMM) governance define three key areas when considering an organization security goal:

• Strategy and metrics: Establishes the framework for a software security assurance program
• Policy and compliance: Focused on ensuring external legal or regulatory compliance (such as GDPR or ISO 27001) is met
• Education and guidance: This is for security awareness training and role-specific security capabilities in order to perform DevOps

Here are some typical DevSecOps security practices to be aligned with the business objective. The goal of DevSecOps may be subject to...

The security goal of a development team is to deliver secure design and implementation. Based on OWASP SAMM practices, there are three key aspects to consider during the construction phase:

• Threat assessment
• Security requirements
• Secure architecture

Although design and implementation review is normally also part of the development team's activities, we will take these into consideration in further discussions.

To have an effective threat assessment, the following guideline or templates are suggested for the project team:

In this stage of verification, the role of QA is to assess software security-related issues, code-level vulnerabilities, misconfigurations, or logical errors that lead to critical security risks, and so on. OWASP SAMM-defined key security activities in the verification phases include design review, implementation review, and security testing. As we will discuss software security verification details in later chapters, here we highlight some of the key practices in this phase.

In practice, the security design review can be considered as low-level threat modeling. The following are suggested during design review:

• Security compliance checklist
• Security requirement checklist (OWASP ASVS)
• Top 10 security...

Based on the SAMM, operational goals can be categorized into three functions: are issue management, environmental hardening, and operational enablement. Let's discuss some of the best practices in each function.

Issue management here means how security incidents, vulnerability issues, or security breaches are handled. There should be a vulnerability process in place that involves both the DevOps and Dev team.

In an organization-level security assurance program, it's a must to define security incident and vulnerability response processes and also root cause analysis templates. NIST SP800-61 is a good reference for an organization to establish a security incident response process...

In this chapter, we discussed security practices from different perspectives based on the OWASP SAMM framework. We discussed security activities in different roles such as security management, development, QA, and operation teams.

First, from the security management perspective, there are organization goals, policies, and education. We use GDPR compliance as an example to show what can be planned in security management.

For a development team, key security activities include threat assessment, security requirements, and secure architecture and coding. Although secure coding is also considered critical in the development stage, we moved the discussion to the secure code verification phase. In terms of threat assessment, we introduced some industry tools, best practices, and even card games. We used GDPR privacy assessment as an example to explain how to execute the PIA...

1. Does OWASP SAMM stand for Software Assurance Maturity Model?
2. Which of the following are defined in OWASP security governance?
   1. Strategy and metrics
   2. Policy and compliance
   3. Education and guidance
   4. All of the above
3. According to OWASP SAMM, what should be considered during the construction phase?
   1. Security architecture
   2. Threat assessment
   3. Security requirements
   4. All of the above
4. Which of the following is not a tool or technique for threat modeling?
   1. CAPEC
   2. ATT&CK
   3. OWASP Cornucopia
   4. GDPR
5. In GDPR, what security practices may we apply to do a privacy assessment?
   1. PIA Privacy Impact Analysis
   2. Penetration testing
   3. Issue Management
   4. ISO 27001

• GDPR Privacy Impact Assessment: https://gdpr-info.eu/issues/privacy-impact-assessment/
• Adversarial Tactics, Techniques & Common Knowledge: https://attack.mitre.org/wiki/Main_Page
• SDL Threat Modeling Tool: https://www.microsoft.com/en-us/sdl/adopt/threatmodeling.aspx
• Elevation of Privilege (EoP) Card Game: https://www.microsoft.com/en-us/sdl/adopt/eop.aspx
• SP 800-100 Information Security Handbook: A Guide for Managers https://csrc.nist.gov/publications/detail/sp/800-100/final
• Software assurance marketplace: https://www.mir-swamp.org/
• NIST Resources from the Software Assurance Reference Dataset: https://samate.nist.gov/SARD/around.php
• NIST Test Suites: https://samate.nist.gov/SARD/testsuite.php
• NIST Security Recommendations for Hypervisor Deployment on Servers: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-125A.pdf
• NIST Protecting Controlled...