Owasp SAMM v1.5


Presentation from SAMM Webinar on March 1, 2017
Needing to build more secure software, but not sure how to get started or what to focus on? The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing an organization.


  1. OWASP SAMM v1.5
  2. What is SAMM?
     • The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.
     • The resources provided by SAMM will aid in:
       – Evaluating an organization’s existing software security practices.
       – Building a balanced software security assurance program in well-defined iterations.
       – Demonstrating concrete improvements to a security assurance program.
       – Defining and measuring security-related activities throughout an organization.
  3. Using a Maturity Model
     • Changes must be iterative while working toward long-term goals: an organization’s behavior changes slowly over time.
     • A solution must enable risk-based choices tailored to the organization: there is no single recipe that works for all organizations.
     • A solution must provide enough details for non-security people: guidance related to security activities must be prescriptive.
     • OWASP Software Assurance Maturity Model (SAMM): overall, it must be simple, well-defined, and measurable.
  4. Why SAMM?
     “The most that can be expected from any model is that it can supply a useful approximation to reality: All models are wrong; some models are useful.” – George E. P. Box
  5. Project History
     • OpenSAMM 1.0 – March 2009
     • OWASP SAMM 1.1 – March 2016
     • OWASP SAMM 1.5 – February 2017
     • OWASP SAMM 2.0 – 2018-2019
  6. SAMM Framework
     • For each of the four Business Functions, three Security Practices are defined.
     • The security practices cover areas relevant to software security assurance.
  7. Example: Education & Guidance
  8. Level definitions...
     • Objective
     • Activities
     • Assessment
     • Results
     • Success Metrics
     • Costs
     • Personnel
     • Related Levels
  9. Maturity Levels & Assessment Scores
     Maturity levels, from highest to lowest: Comprehensive mastery at scale; Increased efficiency/effectiveness; Ad-hoc provision; Practice unfulfilled.
     • Transparent view over different levels
     • Fine-grained improvements are visible
     Assessment answer scale: No; Few/Some; At Least Half; Many/Most.
  10. SAMM Quick Start
     • Continuous Improvement
     • Iterative
     • Small Steps
     ASSESS – questionnaire
     GOAL – gap analysis
     PLAN – roadmap
     IMPLEMENT – OWASP resources
  11. Assess via Worksheet
  12. Assess via Toolbox
  13. Goal
     • Gap analysis
     • Demonstrating improvement
     • Ongoing measurement
  14. Plan
     • Roadmaps: use the “building blocks”
     • Templates for typical kinds of organizations
     • Tune these to your own targets / speed
  15. Implement: 150+ OWASP resources
     Development Guide, Cheat Sheets, Quick Reference Guide, WebGoat, iGoat, GoatDroid, AppSec Tutorials, Top Ten Education, Testing Guide, Hackademic Challenges, Red Book
  16. SAMM Toolbox – Interview
  17. SAMM Toolbox – Scorecard
  18. SAMM Toolbox – Roadmap
  19. SAMM Toolbox – Roadmap Chart
  20. SAMM Project Roadmap
     v2.0 (In Progress):
     • Model revision
     • More Metrics!
     • Application to agile
     • Roadmap effort planning
     • Benchmarking
     Build the community:
     • Grow list of SAMM adopters
     • Workshops at conferences
     • Dedicated SAMM Summit
     • Contribute Anon Results
  21. Get involved
     • Project mailing list / work packages
     • Use and donate (feed)back!
     • Donate resources
     • Sponsor SAMM
  22. Follow OWASP SAMM
  23. Thank you! Questions?
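The assessment scale and maturity levels on slide 9, and the ASSESS → GOAL (gap analysis) → PLAN cycle on slides 10 and 13, can be worked through in code. The following is an added example, not code from the OWASP SAMM project or its toolbox; the numeric weights for the four answers, the rule that a practice score is the sum of the per-level answer averages, the practice names and the sample answers are all assumptions made for this illustration.

```python
"""SAMM-style assessment scoring and gap analysis (added example, not the SAMM toolbox)."""
from statistics import mean

# Answer scale from slide 9; the numeric weights are an assumption for this example.
ANSWER_WEIGHT = {"No": 0.0, "Few/Some": 0.25, "At Least Half": 0.5, "Many/Most": 1.0}

# Maturity level names from slide 9, indexed 0..3 (lowest to highest).
LEVEL_NAMES = ["Practice unfulfilled", "Ad-hoc provision",
               "Increased efficiency/effectiveness", "Comprehensive mastery at scale"]


def level_score(answers):
    """Average weight of the questionnaire answers belonging to one maturity level."""
    return mean(ANSWER_WEIGHT[a] for a in answers)


def practice_score(answers_by_level):
    """Practice score = sum of the three per-level averages, so it ranges 0.0..3.0.
    Partial credit at a level is what makes fine-grained improvements visible (assumed rule)."""
    return sum(level_score(a) for a in answers_by_level)


def maturity_level(score):
    """Whole maturity level reached; a level counts only once fully achieved (assumption)."""
    return int(score)


def gap_analysis(assessment, roadmap):
    """GOAL step: return {practice: (current, target, gap)} for every practice whose
    roadmap target level is above the current assessed score."""
    gaps = {}
    for practice, answers_by_level in assessment.items():
        current = practice_score(answers_by_level)
        target = roadmap.get(practice, 0)
        if target > current:
            gaps[practice] = (current, target, target - current)
    return gaps


# Constructed sample: two questionnaire answers per level for two hypothetical practices.
SAMPLE_ASSESSMENT = {
    "Education & Guidance": [["Many/Most", "Many/Most"], ["At Least Half", "Few/Some"], ["No", "No"]],
    "Security Testing": [["Many/Most", "At Least Half"], ["No", "No"], ["No", "No"]],
}
# Constructed roadmap targets (PLAN step): desired maturity level per practice.
SAMPLE_ROADMAP = {"Education & Guidance": 2, "Security Testing": 1}

if __name__ == "__main__":
    for name, (cur, tgt, gap) in gap_analysis(SAMPLE_ASSESSMENT, SAMPLE_ROADMAP).items():
        print(f"{name}: score {cur} (level '{LEVEL_NAMES[maturity_level(cur)]}'), "
              f"target {tgt}, gap {gap}")
```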