Maturing SDLC at a Fortune 500 company based on OWASP SAMM: successes and pitfalls
Sunny Sharma
Zebra Technologies, Principal Information Security Engineer for Products and Solutions
Abstract
Application security is a paramount concern for organizations that develop software. However, systematically managing AppSec across diverse development teams in a measurable way remains a challenge. This talk outlines Zebra Technologies’ journey in adopting the OWASP Software Assurance Maturity Model (SAMM) as our guiding framework for measuring and improving application security practices. Zebra is a Fortune 500 company with 35 different product and IT teams developing and maintaining secure software applications and systems. Despite initial scepticism and the inherent challenges of integrating SAMM, particularly with embedded and delivered software teams, the implementation led to significant improvements. The introduction of SAMM facilitated a risk-driven, measurable approach to security. It provided a clear framework for comparison across business units and promoted a shared platform for discussing security concerns. Moreover, the gamification of SAMM scores spurred healthy competition among units, though it raised questions about the focus on risk-based improvements versus score chasing. Ultimately, the correlation between SAMM scores and other quality metrics affirmed the value of a SAMM-driven approach. We have seen a moderate (-0.5) inverse correlation between SAMM scores and risk scores produced by an Application Security Posture Management (ASPM) tool we use internally across all teams. To the best of our knowledge, this is the first indication that SAMM scores could reduce risk. Overall, SAMM demonstrated tangible enhancements in application security and broader software development lifecycle processes at Zebra Technologies.
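The abstract rests on two measurable steps: aggregating per-practice SAMM maturity into a team score, and correlating those scores with an ASPM risk score across teams. The following is an added example illustrating both, not code from the talk or from Zebra; it uses the real OWASP SAMM v2 structure (five business functions, three practices each, maturity 0 to 3), while the team names, practice scores and ASPM risk values are constructed sample data, and `build_team`, `gap_report` and `correlate_samm_with_risk` are hypothetical helper names chosen here. The gap report is included because a practice-level backlog is what a risk-driven programme acts on, whereas the headline score is what gamification tends to chase.

```python
"""Added example (not from the talk or Zebra): aggregate OWASP SAMM practice
maturity scores per team and correlate them with a per-team ASPM risk score.
All team data below is constructed for illustration."""
import math
from statistics import mean

# OWASP SAMM v2: five business functions, three security practices each.
SAMM_PRACTICES = {
    "Governance": ["Strategy & Metrics", "Policy & Compliance", "Education & Guidance"],
    "Design": ["Threat Assessment", "Security Requirements", "Security Architecture"],
    "Implementation": ["Secure Build", "Secure Deployment", "Defect Management"],
    "Verification": ["Architecture Assessment", "Requirements-driven Testing", "Security Testing"],
    "Operations": ["Incident Management", "Environment Management", "Operational Management"],
}
ALL_PRACTICES = [p for practices in SAMM_PRACTICES.values() for p in practices]
MAX_MATURITY = 3.0  # SAMM maturity levels run from 0 to 3


def build_team(base, overrides=None):
    """Constructed helper: every practice starts at `base`, a few are overridden."""
    scores = {p: float(base) for p in ALL_PRACTICES}
    for practice, value in (overrides or {}).items():
        if practice not in scores:
            raise KeyError(f"unknown SAMM practice: {practice}")
        scores[practice] = float(value)
    return scores


def validate(practice_scores):
    """Reject incomplete assessments or out-of-range maturity values."""
    missing = [p for p in ALL_PRACTICES if p not in practice_scores]
    if missing:
        raise ValueError(f"assessment missing practices: {missing}")
    for p, v in practice_scores.items():
        if not 0.0 <= v <= MAX_MATURITY:
            raise ValueError(f"{p}: maturity {v} outside 0..{MAX_MATURITY}")


def function_scores(practice_scores):
    """Average maturity per business function (Governance, Design, ...)."""
    validate(practice_scores)
    return {f: mean(practice_scores[p] for p in ps) for f, ps in SAMM_PRACTICES.items()}


def samm_score(practice_scores):
    """Overall SAMM score: mean maturity over all 15 practices."""
    validate(practice_scores)
    return mean(practice_scores[p] for p in ALL_PRACTICES)


def gap_report(practice_scores, target):
    """Practices below a target maturity, worst first: the improvement backlog
    a risk-driven programme works from, rather than the headline score."""
    validate(practice_scores)
    gaps = [(p, s) for p, s in practice_scores.items() if s < target]
    return sorted(gaps, key=lambda ps: (ps[1], ps[0]))


def pearson(xs, ys):
    """Pearson correlation coefficient; fails loudly on degenerate input."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("need two equal-length series with at least two points")
    mx, my = mean(xs), mean(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        raise ValueError("a series with zero variance has no defined correlation")
    return sxy / math.sqrt(sxx * syy)


# Constructed sample: five teams, each with a SAMM assessment and an ASPM risk
# score (higher = more risk). Values are illustrative, not Zebra's data.
TEAMS = {
    "A": build_team(1.0, {"Security Testing": 2.0, "Threat Assessment": 0.0}),
    "B": build_team(2.0, {"Secure Build": 3.0, "Incident Management": 1.0}),
    "C": build_team(1.5, {"Defect Management": 2.0, "Environment Management": 1.0}),
    "D": build_team(2.5, {"Security Architecture": 3.0, "Operational Management": 2.0}),
    "E": build_team(0.5, {"Education & Guidance": 1.0, "Policy & Compliance": 0.0}),
}
ASPM_RISK = {"A": 50.0, "B": 70.0, "C": 80.0, "D": 50.0, "E": 90.0}


def correlate_samm_with_risk(teams, risk):
    """Correlate overall SAMM score with ASPM risk across teams.
    A negative value means higher maturity goes with lower risk."""
    names = sorted(teams)
    return pearson([samm_score(teams[n]) for n in names], [risk[n] for n in names])


if __name__ == "__main__":
    for name in sorted(TEAMS):
        print(name, f"SAMM={samm_score(TEAMS[name]):.2f}", f"risk={ASPM_RISK[name]}",
              "gaps below 1.0:", gap_report(TEAMS[name], target=1.0))
    print(f"Pearson r = {correlate_samm_with_risk(TEAMS, ASPM_RISK):.2f}")
```

With the constructed data the correlation comes out at about -0.53, a moderate inverse relationship of the kind the abstract reports; with 35 teams rather than five, the same computation is the one to run, and the `gap_report` per team is what separates risk-based improvement from score chasing.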
Speaker bio
Sunny Sharma, with over a decade of experience in the security industry, currently serves as the Principal Information Security Engineer for Product and Solutions Security at Zebra Technologies. In this role, Sunny leads the strategic integration of security measures into Zebra’s products and solutions, managing the overall strategy, planning, and execution of the company’s security initiatives. He works closely with engineering teams to ensure that security protocols are seamlessly embedded throughout the product development lifecycle. Sunny’s extensive background encompasses a wide range of domains, including DevOps, DevSecOps, Product & Solutions Security, Cloud Security, Architecture, and Engineering. His expertise effectively bridges the gap between development and security, ensuring comprehensive security considerations are integrated from the ground up. This collaborative approach has been instrumental in enhancing the robustness and reliability of Zebra’s technological offerings. His diverse experience equips him with a comprehensive view of the complexities and challenges within the industry, making him an asset to any organization committed to maintaining high security standards. Sunny holds a bachelor’s degree in information technologies and informatics, underscoring his technical proficiency and commitment to the field. His leadership and innovative approach continue to drive excellence in product and solutions security, advancing Zebra Technologies’ mission to deliver secure and reliable products to a global clientele.