The Open Source Foundation for Application Security (OWASP) announced a five-dimensional secure software development maturity reference framework (SwSec 5D) in May 2023. Its function is to provide a roadmap for secure software development, and its use would help improve security in the software supply chain.
The project lead for the OWASP SwSec 5D is Matteo Meucci, CEO at IMQ Minded Security. The company is an SDLC consulting firm, and Meucci has worked with OWASP since 2002. The five-dimensional approach to SDLC was conceived by IMQ Minded Security, donated to OWASP in 2018, and since then refined for release by OWASP.
“What I saw in our customers,” Meucci told SecurityWeek, “is that many companies’ approach to secure software development is testing, testing and more testing – and that is not enough. While there are software development life cycle (SDLC) models like the Waterfall model and Agile methodology, these traditional models lack a clear focus on security, making them inadequate for addressing software development security issues.”
This basic observation led Meucci and OWASP to develop a new five-dimensional secure SDLC framework. Meucci believes there are five separate dimensions in secure development, and that all five must be adequately satisfied.
The five dimensions are processes, testing, team, awareness, and standards. The SwSec 5D model is a framework and tool for meeting and measuring a firm’s maturity in these five dimensions. The framework is described in the OWASP Software Security 5D Framework document (PDF download), and the tool delivering the maturity assessment is an online Google Form. The maturity measurement process can be performed in just a couple of hours, weaknesses highlighted, and improvements implemented.
PROCESSES are those processes used to manage security risks throughout the SDLC, such as risk assessment, security requirements, threat modeling, security design, software acceptance, and security bug fixing.
The TEAM dimension describes the personnel functions required for secure development, such as AppSec managers or CISOs, security champions, AppSec specialists, satellite architects, satellite developers, and satellite auditors.
The AWARENESS dimension focuses on the awareness and training of the team members involved in the software development life cycle.
The TESTING dimension focuses on testing and evaluating the software, including the use of tools such as SAST, DAST, IAST and RASP. Manual testing should be provided through a security code review and penetration testing.
The STANDARDS dimension focuses on the use of existing development standards, such as the OWASP SAMM model.
The maturity assessment is delivered through a simple questionnaire and scored by the responses (example question: “Are most of your applications and resources categorized by risk?”). Each response is given a score ranging from 0 to 3, and a fully mature secure SDLC will return a mean value of three.
In its own model testing process, OWASP used the framework on 12 financial institutions and five independent software vendors. The financial institutions consistently scored higher than the ISVs, although neither group achieved a mean score of 3 anywhere. The financials achieved 2.5 in ‘testing’ (ISVs scored 1.6); but only 1.7 in ‘processes’ (ISVs scored 1.5).
This relatively poor performance from the ISVs could be considered concerning given the US National Cybersecurity Strategy’s intention to realign the burden of cybersecurity, and its insistence on ‘security by design’. The implication is that software vendors may increasingly be held responsible for the security of the software they develop and sell.
Meucci and OWASP believe that an effective secure SDLC requires demonstrable maturity in all five dimensions. The SwSec 5D maturity model will help companies achieve greater security in their own internal developments, but will also aid the software supply chain by quantifying the security maturity of bought-in web applications. Although it is ultimately a check-box exercise, buyers’ insistence on documentary evidence could be an effective solution – and since the process takes only a couple of hours, buying CISOs could sit in on vendors’ use of the OWASP SwSec 5D SDLC evaluation process.
Related: OWASP’s 2023 API Security Top 10 Refines View of API Risks
