Evaluating software security maturity using OWASP SAMM: Different approaches and stakeholders perceptions
This program is tentative and subject to change.
Background: Recent years have seen a surge in cyber-attacks, many of which can be prevented or mitigated through software security activities. OWASP SAMM is a maturity model that gives companies a versatile way to assess their security posture and plan improvements. Objective: We perform an initial SAMM assessment in collaboration with a company in the financial domain. Our objective is to build a holistic inventory of the company's security-related activities, focusing on how different roles perform the assessment and how they perceive the instrument used in the process. Methodology: We perform a case study that collects SAMM data in a lightweight and novel manner: an assessment through an online survey with 17 participants, and a focus group with seven participants. Results: We show that different roles perceive maturity differently, and that the two assessments deviate only for specific practices, which makes the lightweight approach a viable and efficient solution in industrial practice. Our results indicate that the questions in the SAMM assessment tool are answered easily and confidently across most roles. Discussion: Our results suggest that companies can productively use a lightweight SAMM assessment. We provide nine lessons learned to guide industrial practitioners in evaluating their current security posture, and academics wanting to use SAMM as a research tool in industrial settings.
Fri 25 Oct (displayed time zone: Brussels, Copenhagen, Madrid, Paris)

11:00 - 12:30, Room 2: Human aspects and stakeholders (ESEM Emerging Results, Vision and Reflection Papers Track / ESEM Technical Papers / ESEM Journal-First Papers)

11:00 (20m, Full-paper): An Investigation of How Software Developers Read Machine Learning Code. ESEM Technical Papers.

11:20 (20m, Full-paper): What Makes Programmers Laugh? Exploring the Submissions of the Subreddit r/ProgrammerHumor. ESEM Technical Papers. Miikka Kuutila (Dalhousie University), Leevi Rantala (University of Oulu), Junhao Li (University of Oulu), Simo Hosio (University of Oulu), Mika Mäntylä (University of Helsinki and University of Oulu).

11:40 (20m, Full-paper): An Exploratory Study on Soft Skills present in Software Positions in Cyprus: a quasi-Replication Study. ESEM Technical Papers. Georgia Kapitsaki (University of Cyprus), Loukas Chatzivasili (University of Cyprus), Maria Papoutsoglou (University of Cyprus), Matthias Galster (University of Canterbury).

12:00 (15m, Vision and Emerging Results): Effective Inclusion of People with Disabilities in Software Development Teams. ESEM Emerging Results, Vision and Reflection Papers Track. Thayssa Rocha (Zup Innovation & UFPA), Cleidson de Souza (Federal University of Pará, Belém), Luciano Teran (Universidade Federal do Pará), Marcelle Mota (Universidade Federal do Pará).

12:15 (15m, Journal Early-Feedback): Evaluating software security maturity using OWASP SAMM: Different approaches and stakeholders perceptions. ESEM Journal-First Papers. Davide Fucci (Blekinge Institute of Technology), Emil Alégroth (Blekinge Institute of Technology), Michael Felderer (German Aerospace Center (DLR) & University of Cologne), Christoffer Johannesson (Ericsson AB).