As a developer, you play a crucial role in the security of your projects. At the same time, it can be difficult to know if what you’re doing is enough. Luckily, you don’t have to be a security expert to contribute to the security of your projects. Instead, you can use industry standards as a guide for your approach to security.
In this talk, I will introduce you to a framework that is especially accessible to developers, the OWASP DevSecOps Maturity Model, and help you get started with a systematic approach to improving the security of your projects.
One of the leading security principles today is that you should embrace security practices throughout your entire Software Development Lifecycle (SDLC), from design to deployment and maintenance. This means that you, as a developer, have a crucial part to play in keeping your projects secure.
In my talk, I will show you how to do that by introducing you to the OWASP DevSecOps Maturity Model (DSOMM). This model, which is very accessible to anyone familiar with DevOps, allows you to evaluate and improve your security practices. As the model describes the entire Software Development Lifecycle, it also serves as a nice reference framework for industry-standard security practices.
I will start by giving you a high-level overview of the model and the principles behind it. I will also compare the DevSecOps Maturity Model with its older sibling, the OWASP Software Assurance Maturity Model (SAMM). Because it matters so much, I will end the first part by discussing the difference between having a good security culture and checkbox compliance.
Next, I will take you through the dimensions of the DevSecOps Maturity Model, with a focus on those dimensions that are especially relevant to developers. I will illustrate each dimension with concrete examples of security practices that you can implement yourself today.
Finally, I will talk about the best way to start implementing these practices. This is crucial: if you suddenly introduce every tool you can find, chances are that the only thing you’ll learn from the resulting flood of alerts is how to ignore those tools. Since some of us also have to deal with corporate policies and a limited sphere of influence within an organization, I will end with some pointers on how to advocate good security practices from the bottom up.
And, if this all feels a bit overwhelming, remember the big friendly letters in the title: Don’t Panic!