The maturity model Security Belts structures activities of the secure software development and, thus, offers development teams a good opportunity to address the topic and to build up necessary competencies to ensure the software security of their products. Thereby, the maturity model supports development teams that are overwhelmed with the duty to take over much more responsibility without having sufficient competencies in the team.

For detailed information on the methodology behind the model, please take a look at our Wiki.

In order to continuously improve the Security Belts model, we appreciate any kind of feedback or content contribution. If you are interested in contributing, please see the document Contributing.

Working on the belts is a continuous effort. Start with the first belt, the white one, and keep working on them, until you achieve the desired belt for your team. Activities of later belts often relate to activities introduced in previous belts. In this case, the previous relevant belt activities will be highlighted for the belt activity.

• White Belt
• Yellow Belt
• Orange Belt
• Green Belt
• Blue Belt
• Purple Belt
• Red Belt
• Brown Belt
• Black Belt

This getting started is primarily aimed at developers.

• Become familiar with our Security Belts concepts such that you can explain them to your colleagues. In the future, we will provide slides to ease this task.
• Identify colleagues (developers, Product Owners, managers) in your company that already want to improve the secure software development. They can discuss with you how to implement security belts in your company. Found the Security Champion Guild with them.
• Persuade your team to start working on the White Belt.

The Security Belts are based on the OWASP DevSecOps Maturity Model and partially inspired by OWASP SAMM

This work is part of the research project "AppSecure.nrw - Security-by-Design of Java-based Applications". The project is funded by the European Regional Development Fund (ERDF-0801379).