Thursday, June 27 • 2:15pm - 3:00pm
Maturing SDLC at a Fortune 500 company based on OWASP SAMM: Successes and Pitfalls

Application security is a paramount concern for organizations that develop software. However, systematically managing AppSec across diverse development teams in a measurable way remains a challenge. This talk outlines Zebra Technologies’ journey in adopting the OWASP Software Assurance Maturity Model (SAMM) as our guiding framework for measuring and improving application security practices. Zebra is a Fortune 500 company with 35 different product and IT teams developing and maintaining secure software applications and systems. Despite initial scepticism and the inherent challenges of integrating SAMM, particularly with embedded and delivered software teams, the implementation led to significant improvements. The introduction of SAMM facilitated a risk-driven, measurable approach to security. It provided a clear framework for comparison across business units and promoted a shared platform for discussing security concerns. Moreover, the gamification of SAMM scores spurred healthy competition among units, though it raised questions about the focus on risk-based improvements versus score chasing. Ultimately, the correlation between SAMM scores and other quality metrics affirmed the value of a SAMM-driven approach. We have seen a moderate (-0.5) inverse correlation between SAMM scores and the risk scores produced by an Application Security Posture Management (ASPM) tool we use internally across all teams. To the best of our knowledge, this is the first indication that SAMM scores could reduce risk. Overall, SAMM demonstrated tangible enhancements in application security and broader software development lifecycle processes at Zebra Technologies.

Speakers
Dr. Jasyn Voshell, EJD CISSP, CGEIT, CISA, CISM, CRISC, CHTP, CWTS

Director Product Security, Zebra Technologies
Dr. Jasyn Voshell, with a career spanning over two decades in the security industry, currently serves as the Director of Products and Solutions Security with Zebra Technologies. In this role, he spearheads the global Product & Solutions Security Program, managing its strategy, planning...


Thursday June 27, 2024 2:15pm - 3:00pm WEST