Connect with us

Hi, what are you looking for?


Application Security

OWASP SwSec 5D Tool Provides SDLC Maturity Ratings, Aids Software Supply Chain

SwSec 5D framework aims to provide a roadmap for secure software development, and its use would help improve security in the software supply chain.

The Open Source Foundation for Application Security (OWASP) announced a five-dimensional secure software development maturity reference framework (SwSec 5D) in May 2023. Its function is to provide a roadmap for secure software development, and its use would help improve security in the software supply chain.

The project lead for the OWASP SwSec 5D is Matteo Meucci, CEO at IMQ Minded Security. The company is an SDLC consulting firm, and Meucci has worked with OWASP since 2002. The five-dimensional approach to SDLC was conceived by IMQ Minded Security, donated to OWASP in 2018, and since then refined for release by OWASP.

“What I saw in our customers,” Meucci told SecurityWeek, “is that many companies’ approach to secure software development is testing, testing and more testing – and that is not enough. While there are software development life cycle (SDLC) models like the Waterfall model and Agile methodology, these traditional models lack a clear focus on security, making them inadequate for addressing software development security issues.” 

This basic observation led Meucci and OWASP to develop a new five-dimensional secure SDLC framework. Meucci believes there are five separate dimensions in secure development, and that all five must be adequately satisfied. 

The five dimensions are processes, testing, team, awareness, and standards. The SwSec 5D model is a framework and tool for meeting and measuring a firm’s maturity in these five dimensions. The framework is described in the OWASP Software Security 5D Framework document (PDF download), and the tool delivering the maturity assessment is an online Google Form. The maturity measurement process can be performed in just a couple of hours, weaknesses highlighted, and improvements implemented.

PROCESSES are those processes used to manage security risks throughout the SDLC, such as risk assessment, security requirements, threat modeling, security design, software acceptance, and security bug fixing.

The TEAM dimension describes the personnel functions required for secure development, such as AppSec managers or CISOs, security champions, AppSec specialists, satellite architects, satellite developers, and satellite auditors.

Advertisement. Scroll to continue reading.

The AWARENESS dimension focuses on the awareness and training of the team members involved in the software development life cycle.

The TESTING dimension focuses on testing and evaluating the software, including the use of tools such as SAST, DAST, IAST and RASP. Manual testing should be provided through a security code review and penetration testing.

The STANDARDS dimension focuses on the use of existing development standards, such as the OWASP SAMM model.

The maturity assessment is delivered through a simple questionnaire and scored by the responses (example question: “Are most of your applications and resources categorized by risk?”). Each response is given a score ranging from 0 to 3, and a fully mature secure SDLC will return a mean value of three.

In its own model testing process, OWASP used the framework on 12 financial institutions and five independent software vendors. The financial institutions consistently scored higher than the ISVs, although neither group achieved a mean score of 3 anywhere. The financials achieved 2.5 in ‘testing’ (ISVs scored 1.6); but only 1.7 in ‘processes’ (ISVs scored 1.5).

This relatively poor performance from the ISVs could be considered concerning given the US National Cybersecurity Strategy’s intention to realign the burden of cybersecurity, and its insistence on ‘security by design’. The implication is that software vendors may increasingly be held responsible for the security of the software they develop and sell. 

Meucci and OWASP believe that an effective secure SDLC requires demonstrable maturity in all five dimensions. The SwSec 5D maturity model will help companies achieve greater security in their own internal developments, but will also aid the software supply chain by quantifying the security maturity of bought-in web applications. Although it is ultimately a check-box exercise, buyers’ insistence on documentary evidence could be an effective solution – and since the process takes only a couple of hours, buying CISOs could sit in on vendors’ use of the OWASP SwSec 5D SDLC evaluation process.

Related: OWASP’s 2023 API Security Top 10 Refines View of API Risks

Related: OWASP Top 10 Updated With Three New Categories

Related: Final Version of 2017 OWASP Top 10 Released

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.