Embed Size (px)
Citation preview
OWASPSAMMv1.5
WhatisSAMM?• TheSoftwareAssuranceMaturityModel(SAMM)isanopenframework
tohelporganizationsformulateandimplementastrategyforsoftwaresecuritythatistailoredtothespecificrisksfacingtheorganization.
• TheresourcesprovidedbySAMMwillaidin:– Evaluatinganorganization’sexistingsoftwaresecuritypractices.– Buildingabalancedsoftwaresecurityassuranceprograminwell-defined
iterations.– Demonstratingconcreteimprovementstoasecurityassuranceprogram.– Definingandmeasuringsecurity-relatedactivitiesthroughoutan
organization.
UsingaMaturityModel• Changesmustbeiterative whileworkingtowardlong-termgoals
Anorganization’sbehaviorchangesslowlyovertime
• Asolutionmustenablerisk-basedchoicestailoredtotheorganization
Thereisnosinglerecipethatworksforallorganizations
• Asolutionmustprovideenoughdetails fornon-security-people
Guidancerelatedtosecurityactivitiesmust
beprescriptive
• OWASPSoftwareAssuranceMaturityModel(SAMM)
Overall,mustbesimple,well-defined,andmeasurable
WhySAMM?”Themostthatcanbeexpectedfromanymodelisthatitcansupplyausefulapproximationtoreality:Allmodelsarewrong;somemodelsareuseful.”– GeorgeE.P.Box
ProjectHistory
OpenSAMM1.0
OWASPSAMM1.1
OWASPSAMM1.5
OWASPSAMM2.0
OpenSAMMMarch2009
March2016 February2017 2018-2019
SAMMFramework• ForeachofthefourBusinessFunctions,threeSecurityPracticesaredefined• Thesecuritypracticescoverareasrelevanttosoftwaresecurityassurance
Example:Education&Guidance
7
Leveldefinitions...• Objective• Activities• Assessment• Results• SuccessMetrics• Costs• Personnel• RelatedLevels
MaturityLevels& AssessmentScoresComprehensivemastery
atscale
Increasedefficiency/effectiveness
Ad-hocprovision
Practiceunfulfilled • Transparentviewoverdifferentlevels• Fine-grainedimprovementsarevisible
No
Few/Some
AtLeastHalfMany/Most
• ContinuousImprovement
• Iterative
• SmallSteps
ASSESSquestionnaire
GOALgapanalysis
PLANroadmap
IMPLEMENTOWASPresources
SAMMQuickStart
AssessviaWorksheet
AssessviaToolbox
Goal• Gapanalysis• Demonstratingimprovement• Ongoingmeasurement
Plan• Roadmaps:usethe“buildingblocks”
• Templatesfortypicalkindsoforganizations
• Tunethesetoyourowntargets/speed
Implement:150+OWASPresources
DevelopmentGuideCheatSheetsQuickReferenceGuide
WebGoat,iGoat,GoatDroid,AppSecTutorials,TopTen Education TestingGuide
HackademicChallengesRedBook
SAMMToolbox– Interview
SAMMToolbox– Scorecard
SAMMToolbox– Roadmap
SAMMToolbox– RoadmapChart
SAMMProjectRoadmapv2.0(InProgress):• Modelrevision• MoreMetrics!• Applicationtoagile• Roadmapeffortplanning• Benchmarking
Buildthecommunity:• GrowlistofSAMMadopters• Workshopsatconferences• DedicatedSAMMSummit• ContributeAnonResults
21
Getinvolved• Projectmailinglist/workpackages• Useanddonate(feed)back!• Donateresources• SponsorSAMM
FollowOWASPSAMM
twitter.com/OwaspSAMM
