Security Champions Without Support: Results from a Case Study with OWASP SAMM in a Large-Scale E-Commerce Enterprise

Developer-centered security research has identified a variety of reasons why software developers do not follow recommended security practices: lack of knowledge, outdated information sources, time pressure, and low usability of security mechanisms and tools. Contextual factors play an important role in security, but few studies have investigated security interventions with developers in organizational settings. In this case study, we track the impact of appointing security champions in a large e-commerce company with five software development teams, using the OWASP Security Assurance Maturity Model (OWASP SAMM) to measure the extent to which security practices were adopted. We also elicited the experiences of the security champions and developers in each team in 15 qualitative interviews. The results of the OWASP SAMM assessment show the adoption of secure practices varied widely between the different teams. Results from the interviews revealed different levels of security knowledge and commitment to the role between the security champions - but they agree in their perceived lack of support from company security experts and management. We conclude that secure software development requires more than appointing individuals such as security champions - to transform software development practices requires an organization-wide commitment, including access to resources and support.