The Security Belts maturity model structures the activities of secure software development and thereby gives development teams a practical way to approach the topic and to build up the competencies they need to ensure the security of their products. In particular, the model supports teams that are being asked to take on much more responsibility for security without yet having the necessary skills in the team.
For detailed information on the methodology behind the model, please take a look at our Wiki.
Working on the belts is a continuous effort. Start with the first belt, the white one, and keep working through the belts until your team reaches the one it is aiming for. Activities of later belts often build on activities introduced in earlier belts; where this is the case, the relevant earlier activities are highlighted alongside the later belt activity.
This getting-started guide is primarily aimed at developers.
- Become familiar with the Security Belts concepts so that you can explain them to your colleagues. In the future, we will provide slides to ease this task.
- Identify colleagues (developers, Product Owners, managers) in your company who already want to improve secure software development. They can discuss with you how to implement the Security Belts in your company.
- Convince your Product Owner to spend some time on a rough assessment of the current security of your product (e.g., collecting all security-related incidents and bugs).
- Persuade your PO and team to start working on the belts by showing them the results of this assessment.
- Let your PO take the credit: they should report to top management that you are improving your software security.
Before any team can achieve a specific belt, the Security Champion Guild needs to establish the prerequisites for that belt so that teams can work on it.
The Security Belts are based on the OWASP DevSecOps Maturity Model and partially inspired by OWASP SAMM.
This work is part of the research project "AppSecure.nrw - Security-by-Design of Java-based Applications". The project is funded by the European Regional Development Fund (ERDF-0801379).