User day

Maturing SDLC at a Fortune 500 company based on OWASP SAMM: successes and pitfalls


Dr. Jasyn Voshell

Zebra Technologies
Director of product security

Abstract

Application security is a paramount concern for organizations that develop software. However, systematically managing AppSec across diverse development teams in a measurable way remains a challenge. This talk outlines Zebra Technologies’ journey in adopting the OWASP Software Assurance Maturity Model (SAMM) as our guiding framework for measuring and improving application security practices. Zebra is a Fortune 500 company with 35 different product and IT teams developing and maintaining secure software applications and systems. Despite initial scepticism and the inherent challenges of integrating SAMM, particularly with embedded and delivered software teams, the implementation led to significant improvements. The introduction of SAMM facilitated a risk-driven, measurable approach to security. It provided a clear framework for comparison across business units and promoted a shared platform for discussing security concerns. Moreover, the gamification of SAMM scores spurred healthy competition among units, though it raised questions about the focus on risk-based improvements versus score chasing. Ultimately, the correlation between SAMM scores and other quality metrics affirmed the value of a SAMM-driven approach. We have seen a moderate (-0.5) inverse correlation between SAMM scores and risk scores produced by an Application Security Posture Management (ASPM) tool we use internally across all teams. To the best of our knowledge, this is the first indication that SAMM scores could reduce risk. Overall, SAMM demonstrated tangible enhancements in application security and broader software development lifecycle processes at Zebra Technologies.

Speaker bio

Dr. Jasyn Voshell, with a career spanning over two decades in the security industry, currently serves as the Director of Products and Solutions Security with Zebra Technologies. In this role, he spearheads the global Product & Solutions Security Program, managing its strategy, planning, and execution, while ensuring the seamless integration of security in products and solutions through collaboration with engineering teams. His background includes impactful positions such as Manager of Sales Engineers and Internal Audit Supervisor, where he notably led the North America Sales Engineer team for wireless sales and managed Internal Audit Global operations. Dr. Voshell’s academic achievements include holding bachelor’s degrees in mathematics and physics, a master’s in applied mathematics and computer information systems, and a doctorate in civil law, underscoring his well-rounded expertise and leadership in the field.