Company Profile

Codific

Codific is an independent software vendor (ISV) specialising in products with high security and privacy requirements. Codific develops and maintains multiple products, such as Videolab (Ed-tech), SARA (HR-tech) and SAMMY (AppSec).

Key facts

Headquarters
Leuven
Company type
diversified
Primary delivery
vendor
Security category
AppSec
Independent company
true
Owned by
N/A
Founded
2011
Linkedin headcount
13
Tagline
Building a simple and safe digital future

Main service(s)

In this space, we are interested in the Belgian security ecosystem. We will therefore focus on SAMMY, which is the main security product of Codific.

Implementing application security in a structured and effective way

Implementing application security is a complex and difficult task, which can only be achieved using a structured approach.

The OWASP Software Assurance Maturity Model (SAMM) offers such an approach. It is a maturity model with three maturity levels per activity stream: SAMM v2 organises secure development into five business functions, each with three security practices that are split into two streams. Because every stream is scored against its three levels, it gives a measurable way to assess a secure development lifecycle, so you can score and benchmark. Finally, it is technology- and process-agnostic, which means you can apply it in your pre-existing organisational context.

From personal experience: using OWASP SAMM is a great approach to implement application security in an organisation. The outcome of SAMM is improved security posture, with easy compliance as the byproduct.

Introducing SAMMY

Typically, an OWASP SAMM assessment and implementation starts with tracking in Excel, often using the spreadsheet template provided by the project itself. This template is very comprehensive and certainly works well, but the usual problems of an Excel-based workflow soon appear:

  • There are multiple versions of the file and these are not kept in sync
  • We don’t remember who filled out a certain entry and why.
  • It is difficult to track multiple projects and consolidate metrics across projects

Codific built SAMMY as an internal tool when they ran into these problems in their own appsec programs. Noticing that many organisations were asking about SAMMY, Codific made the tool available for free on its website (the entry version is still free).

In a nutshell, the core use cases for SAMMY are:

  • Evaluate the situation and create a baseline
  • Figure out the improvement roadmap
  • Work the improvement plan
  • Reassess and repeat
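
The four use cases above are easiest to see as a scoring roll-up. The following is an added illustration, not SAMMY's or Codific's code: it models a SAMM-style assessment as streams with three maturity-level answers, rolls the answers up into stream, practice and business-function scores, computes the gap to a roadmap target, diffs a baseline against a later reassessment, and keeps who answered what, when and why (the attribution a shared spreadsheet tends to lose). It assumes the answer values of the OWASP SAMM v2 toolbox (0, 0.25, 0.5, 1 per question, streams summed, practices and business functions averaged); the people, dates and answers in the sample are invented.

```python
"""Roll-up of OWASP SAMM-style answers into stream, practice and business-function
scores, keeping who/when/why per answer. Added illustration, not SAMMY's code."""
from dataclasses import dataclass
from datetime import date

# The four answer options per maturity-level question and the values the OWASP
# SAMM v2 toolbox assigns to them. Assumption for this illustration; a real
# assessment would take the options from the model definition.
ANSWER_VALUES = {"no": 0.0, "some": 0.25, "half": 0.5, "most": 1.0}


@dataclass(frozen=True)
class Answer:
    """One answered question plus the attribution a shared spreadsheet tends to lose."""
    option: str          # one of ANSWER_VALUES
    who: str
    when: date
    rationale: str = ""

    def __post_init__(self):
        if self.option not in ANSWER_VALUES:
            raise ValueError(f"unknown answer option: {self.option!r}")

    @property
    def value(self) -> float:
        return ANSWER_VALUES[self.option]


# Assessment shape: {business function: {practice: {stream: [answer L1, L2, L3]}}}
Assessment = dict[str, dict[str, dict[str, list[Answer]]]]


def stream_score(answers: list[Answer]) -> float:
    """Sum of the three maturity-level answers of one stream (0.0 to 3.0)."""
    if len(answers) != 3:
        raise ValueError("a SAMM stream has exactly three maturity-level questions")
    return sum(a.value for a in answers)


def practice_score(streams: dict[str, list[Answer]]) -> float:
    """Mean of the practice's stream scores."""
    return sum(stream_score(a) for a in streams.values()) / len(streams)


def function_score(practices: dict[str, dict[str, list[Answer]]]) -> float:
    """Mean of the business function's practice scores."""
    return sum(practice_score(s) for s in practices.values()) / len(practices)


def scorecard(assessment: Assessment) -> dict[str, dict[str, float]]:
    """Evaluate / baseline: practice scores grouped per business function."""
    return {fn: {pr: practice_score(st) for pr, st in prs.items()}
            for fn, prs in assessment.items()}


def roadmap_gaps(assessment: Assessment, targets: dict[str, float]) -> dict[str, float]:
    """Roadmap: distance of each targeted practice from its target score."""
    current = {pr: sc for prs in scorecard(assessment).values() for pr, sc in prs.items()}
    return {pr: target - current[pr] for pr, target in targets.items()}


def reassess(baseline: Assessment, later: Assessment) -> dict[str, float]:
    """Reassess and repeat: change per business function between two assessments."""
    return {fn: function_score(later[fn]) - function_score(baseline[fn]) for fn in baseline}


def audit_trail(assessment: Assessment) -> list[tuple]:
    """Who filled out which entry, when and why: one row per answered question."""
    return [(fn, pr, st, level, a.who, a.when.isoformat(), a.rationale)
            for fn, prs in assessment.items()
            for pr, sts in prs.items()
            for st, answers in sts.items()
            for level, a in enumerate(answers, start=1)]


# Constructed sample: one SAMM business function (Governance) with its three
# practices and two streams each; people, dates and answers are invented.
T0, T1 = date(2024, 1, 15), date(2024, 7, 15)
ans = Answer
BASELINE: Assessment = {"Governance": {
    "Strategy & Metrics": {
        "A": [ans("most", "alice", T0, "strategy published on the wiki"),
              ans("half", "alice", T0), ans("no", "alice", T0)],
        "B": [ans("some", "bob", T0, "only test coverage is tracked"),
              ans("no", "bob", T0), ans("no", "bob", T0)],
    },
    "Policy & Compliance": {
        "A": [ans("most", "carol", T0), ans("most", "carol", T0), ans("half", "carol", T0)],
        "B": [ans("most", "carol", T0), ans("half", "carol", T0), ans("no", "carol", T0)],
    },
    "Education & Guidance": {
        "A": [ans("half", "dave", T0), ans("no", "dave", T0), ans("no", "dave", T0)],
        "B": [ans("some", "dave", T0), ans("no", "dave", T0), ans("no", "dave", T0)],
    },
}}

# Six months later only Education & Guidance stream A changed (training rolled out).
REASSESSMENT: Assessment = {"Governance": {
    **BASELINE["Governance"],
    "Education & Guidance": {
        "A": [ans("most", "dave", T1, "all developers completed the secure coding course"),
              ans("half", "dave", T1, "security champions named in two of four teams"),
              ans("no", "dave", T1)],
        "B": BASELINE["Governance"]["Education & Guidance"]["B"],
    },
}}

if __name__ == "__main__":
    print(scorecard(BASELINE))
    print(roadmap_gaps(BASELINE, {"Strategy & Metrics": 2.0, "Education & Guidance": 1.0}))
    print(reassess(BASELINE, REASSESSMENT))
    for row in audit_trail(REASSESSMENT):
        print(row)
```

The point of keeping `Answer` immutable and carrying `who`, `when` and `rationale` on every entry is that the three spreadsheet problems listed above (diverging copies, lost attribution, no cross-project consolidation) disappear once the assessment is a single structured record rather than cells in a file; consolidating several projects is then just running `scorecard` over each and comparing.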

Over time, SAMMY adoption kept growing and Codific kept adding features to make it more complete and enterprise-ready. As a result, several large organisations now use SAMMY to manage their appsec program.

Beyond application security

While SAMMY obviously started out as a tool to manage SAMM projects, it has since evolved into a platform that can manage an organisation's complete quality management program.

Codific kept the basic use cases (evaluate, roadmap, improvement, repeat), but added multiple models and frameworks, as well as a mapping between the different frameworks. Currently supported models and frameworks are:

  • OWASP SAMM
  • NIST SP 800-34
  • NIST Secure Software Development Framework (NIST SSDF)
  • NIST Cybersecurity Framework (NIST CSF)
  • CCB CyberFundamentals framework
  • NIST SP 800-53
  • DevSecOps Maturity Model (DSOMM)
  • ISO 27001:2022
  • IEC 62443-4-1

Typical Codific customers are software builders (including companies in the industrial and IoT sectors), ranging from small ISVs to enterprises. Customers usually start with the free tier and become paying customers only when they need more advanced features. A reference customer for SAMMY is Zebra Technologies, a technology company with 10,000 employees active in 128 countries.

Key Differentiators

Security first solution

There are many compliance-driven approaches in which security is hoped to be the byproduct of compliance. OWASP SAMM does the opposite: it is a security-driven approach in which easy compliance is the byproduct of good security.

SAMMY of course follows this philosophy and was built from the start to improve security (and quality) as a continuous process.

Deep subject matter expertise

Codific was founded by researchers from imec-DistriNet (a research group in the Department of Computer Science of KU Leuven, the Catholic University of Leuven). Additionally, Aram (the current Codific CEO) is a core contributor to OWASP SAMM.

Codific also has a partnership with Toreon, a consultancy with multiple core OWASP SAMM members.

Future plans and direction

Codific is focusing on further building out its solutions and adding additional customers.

Company history

Codific publishes a great company history on its website.
