OWASP Developer Guide

Security Culture

8.1 Security Culture

Most organizations have an application development lifecycle in place with security activities built into it, this goes a long way to reducing the security issues present in applications and systems. The OWASP Security Culture project is a guide that considers security at each stage of the application security development lifecycle, with the aim of creating and nurturing secure development practices throughout the lifecycle.

The Security Culture guide is an OWASP incubator project and version 1.0 is available as a web document.

What is the OWASP Security Culture project

The OWASP Security Culture project is a collection of explanations and practical advice arranged under various topic headings.

The OWASP Security Culture project is focused on establishing/persisting a positive security posture within the application development lifecycle and references other OWASP projects in a similar way to the OWASP Developer Guide.

Encouraging a Security Culture

The philosophy of a security culture is as important as the technical aspects; the application development teams need to be onboard to adopt a good security posture. The Security Culture project recognizes this and devotes a section to the importance of building security into the development lifecycle.

As well as onboard development teams there has to be buy-in from the higher management: without this any security champion program is certain to fail and the security culture of the organization will suffer. The Security Culture project provides information on goals, metrics and maturity models that are a necessary prerequisite for management approval of security activities. In addition the Security Culture project highlights the importance of security teams, management and development teams all working together - all are necessary for a good security culture.

Security Champions are an important way of encouraging security within an organization - an organization can have a healthy security culture without security champions but it is a lot easier with a security champion program in place. Selecting and nurturing security champions has to be tailored to the individual organisation, no security champion program will be the same as another one and close reference should be made to the Security Champions Playbook.

Threat modelling is an activity that in itself is important within an organization, and it also has the benefit of helping communication between the security teams and development teams. Security testing (such as SAST, DAST and IAST) is another area where close collaboration is required within the organization: management, security, development and pipeline teams will all be involved. This has the added benefit, as with threat modeling, of promoting a good security culture / awareness within the organization - and can be a good indicator of where the security culture is succeeding.

Metrics are important for a healthy security culture to persist and grow with an organization. Without metrics to show the benefits of the security culture then interest and buy-in from the various teams involved will wane, leading to a decline in the culture and leading in turn to a poor security posture. Metrics will provide the justification for investment and nurturing of a good security culture.

The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.