This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

SAMM - Education & Guidance - 1

Jump to: navigation, search
250px-OpenSAMM_logo.png For the latest project news and information,
join the mailing list and visit the OpenSAMM website.

EG1.png EG2.png EG3.png


Education & Guidance - 1

Objective: Offer development staff access to resources around the topics of secure programming and deployment


  • Increased developer awareness on the most common problems at the code level
  • Maintain software with rudimentary security best-practices in place
  • Set baseline for security know-how among technical staff
  • Enable qualitative security checks for baseline security knowledge

Success Metrics

  • >50% development staff briefed on security issues within past 1 year
  • >75% senior development/architect staff briefed on security issues within past 1 year
  • Launch technical guidance within 3 months of first training


  • Training course buildout or license
  • Ongoing maintenance of technical guidance


  • Developers (1-2 days/yr)
  • Architects (1-2 days/yr)

Related Levels

  • Policy & Compliance - 2
  • Security Requirements - 1
  • Secure Architecture - 1


A. Conduct technical security awareness training

Either internally or externally sourced, conduct security training for technical staff that covers the basic tenets of application security. Generally, this can be accomplished via instructor-led training in 1-2 days or via computer-based training with modules taking about the same amount of time per developer.

Course content should cover both conceptual and technical information. Appropriate topics include high-level best practices surrounding input validation, output encoding, error handling, logging, authentication, authorization. Additional coverage of commonplace software vulnerabilities is also desirable such as a Top 10 list appropriate to the software being developed (web applications, embedded devices, client-server applications, back-end transaction systems, etc.). Wherever possible, use code samples and lab exercises in the specific programming language(s) that applies.

To rollout such training, it is recommended to mandate annual security training and then hold courses (either instructor-led or computer-based) as often as required based on development head-count.

B. Build and maintain technical guidelines

For development staff, assemble a list of approved documents, web pages, and technical notes that provide technology-specific security advice. These references can be assembled from many publicly available resources on the Internet. In cases where very specialized or proprietary technologies permeate the development environment, utilize senior, security-savvy staff to build security notes over time to create such a knowledge base in an ad hoc fashion.

Ensure management is aware of the resources and briefs oncoming staff about their expected usage. Try to keep the guidelines lightweight and up-to-date to avoid clutter and irrelevance. Once a comfort-level has been established, they can be used as a qualitative checklist to ensure that the guidelines have been read, understood, and followed in the development process.

Additional Resources