1. OWASP SAMM:
Understanding Agile in Security

2. Software development is…

3. Agile

4. Security methodologies for Agile

5. MS SDL for Agile
MS Security Development Lifecycle (SDL) is a software
development process that helps developers build more
secure software and address security compliance
requirements while reducing development cost

6. MS SDL for Agile

7. MS SDL for Agile

8. MS SDL for Agile

9. MS SDL is it THAT Agile?
• Needs to be fully implemented
• All functions are necessary
• Doesn’t deal with business restrictions

10. OWASP SAMM
The Software Assurance
Maturity Model (SAMM) is
an open framework to help
organizations formulate and
implement a strategy for
software security that is
tailored to the specific risks
facing the organization

11. OWASP SAMM Framework

12. SAMM. Business function

13. SAMM. Business function
• Objective
• Activities
• Assessment
• Results
• Success Metrics
• Costs
• Personnel
• Related Levels

14. SAMM. Business function assessment

15. SAMM. Assessment via toolbox

16. SAMM. Defining goals

17. SAMM. Defining goals

18. SAMM. Reaching global goals

19. OWASP SAMM:
What is next?

21. Agile to devops toolbox

22. SAMM 2.0. Adjusting to devops
SAMM
Overview
Business
Function
Security
Practices
Software Assurance
Lifecycle
Governance Construction Build & Deploy Verification Operations
Threat
Assessment
Security
Requirements
Secure
Architecture
Strategy
& Metrics
Policy &
Compliance
Education &
Guidance
Issue
Management
Environment
Hardening
Operational
Enablement
Design
Analysis
Implementation
Review
Security
Testing
Secure
Build
Secure
Deployment
Defect
Management

23. SAMM 2.0
SAMM 2.0 is planned to be presented on OWASP 2018
Summer Summit
OWASP SAMM repository:
https://github.com/OWASP/samm/tree/master/v2.0

24. SAMM. Get involved
Special thanks to Yan Kravchenko – one of the SAMM
developers
If you want to contribute to the project or you just have
some interesting opinions – contact OWASP members

25. Q&A