OWASP - User contributions [en]

OWASP SAMM Project

2018-01-24T04:17:05Z

Brianglas: Removed myself as one of the project leads

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''OWASP SAMM v1.5 available in the downloads section!''' (Announcement Coming)

'''2017 OWASP SAMM Summit (12-16 JUNE 2017, London)'''
* Join our 2017 OWASP SAMM Summit near London as part of the [http://owaspsummit.org/ OWASP DevOps Security Summit].<br>
* We organize working sessions in a 5-day sprint to draft SAMM v2.0. Check out the working session details [http://owaspsummit.org/Working-Sessions/SAMM.html online]
* Register online [http://owaspsummit.org/new/buy-ticket.html here]
* Sponsor the SAMM Summit as Platinum or Gold [http://owaspsummit.org/new/sponsors.html sponsor]

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:
* '''Evaluate an organization’s existing software security practices'''
* '''Build a balanced software security assurance program in well-defined iterations'''
* '''Demonstrate concrete improvements to a security assurance program'''
* '''Define and measure security-related activities throughout an organization'''

''Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize.'', ('''Michael J. Craigue, Information Security & Compliance, Dell, Inc.''')

Follow OWASP SAMM on twitter: [https://twitter.com/owaspsamm @owaspsamm]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download v1.5 ==
[https://github.com/OWASP/samm/blob/master/v1.5/Final/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Quick_Start_V1-5_FINAL.pdf Quick Start Guide] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Toolbox Example] <br>
[https://github.com/OWASP/samm/ OWASP SAMM on GitHub]

== Quick Download v1.1.1 ==

[https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Core_V1-1-Final-1page.pdf SAMM Core Model]<br>
[https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_How_To_V1-1-Final-1page.pdf How-To Guide] <br>
[https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Quick_Start_V1-1-Final-1page.pdf Quick-Start Guide] <br>
[https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box]<br>
[https://github.com/OWASP/samm OWASP SAMM on GitHub]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_SAMM_Project#News News] and [https://www.owasp.org/index.php/OWASP_SAMM_Project#Talks Talks] tabs

== Change Log ==
* OWASP SAMM v1.5 Released! ([http://www.prnewswire.com/news-releases/owasp-samm-v15-helps-organizations-improve-their-security-posture-300439237.html Press Release])
* OWASP SAMM v1.1 Released! ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

== Email List ==

Questions? Please ask on the [https://lists.owasp.org/mailman/listinfo/samm SAMM Mailing List]

== Project Leaders ==

[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] <br /> [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win]

== Related Projects ==

*

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%" | [[File:Owasp-defenders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%" | [[File:Owasp-builders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Browse Online =
[[Image:OwaspSAMM.png|right]]

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

[[Image:SAMM-Overview.png|720px]]

===== Click on any badge to learn more =====

{| cellpadding="1"
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]
|-
| align="center" |'''Strategy & Metrics'''
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
|-
| align="center" |'''Policy & Compliance'''
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
|-
| align="center" |'''Education & Guidance'''
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]
|-
| align="center" |'''Threat Assessment'''
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
|-
| align="center" |'''Security Requirements'''
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
|-
| align="center" |'''Secure Architecture'''
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]
|-
| align="center" |'''Design Review'''
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
|-
| align="center" |'''Code Review'''
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
|-
| align="center" |'''Security Testing'''
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]
|-
| align="center" |'''Vulnerability Management'''
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
|-
| align="center" |'''Environment Hardening'''
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
|-
| align="center" |'''Operational Enablement'''
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
|-
|}

= Downloads =

The latest work in progress can be found on Github: https://github.com/OWASP/samm

Download SAMM v1.5
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] Zip file containing all the v1.5 files below;
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] document, explaining the maturity model;
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] with implementation guidance;
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Quick_Start_V1-5_FINAL.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] to perform SAMM assessments and create SAMM roadmaps;
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Tool Box Example] to provide an example SAMM assessment;

Download SAMM v1.1
* [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Core_V1-1-Final.pdf SAMM Core Model] document, explaining the maturity model;
* [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_How_To_V1-1-Final.pdf How-To Guide] with implementation guidance;
* [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Quick_Start_V1-1-Final.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;

Download OpenSAMM v1.0:
* in [https://www.owasp.org/images/c/c0/SAMM-1.0.pdf English - PDF], [https://www.owasp.org/images/2/25/SAMM-1.0-en_US-0.3.xml.zip English - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-es_MX.pdf Spanish - PDF], [https://www.owasp.org/images/a/a1/SAMM-1.0-es_MX-0.3.xml.zip Spanish - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-ja_JP.pdf Japanese - PDF], not available as XML
* in [https://www.owasp.org/images/f/fd/SAMM-1.0-cn.pdf Chinese - PDF], not available as XML

Available resources to apply SAMM:
* Browse OWASP and other resources for SAMM Security practices: [[:Category:SAMM-Resources]]

Trainings:
* Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
** Slide deck download [https://www.owasp.org/images/d/df/OpenSAMM_Training_vFINAL.pptx here]
** Training description download [https://www.owasp.org/images/7/7c/Training_-_Bootstrap_and_improve_your_SDLC_with_OpenSAMM.docx here]

Assessments:
* SAMM v1.5 Toolbox
** Download the new v1.5 Toolbox with the updated scoring model [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM v1.5 Toolbox]
* SAMM v1.1 Toolbox
** download the v1.1 toolbox, including the updated questions [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Assessment_Toolbox_v1-1-Final.xlsx here]
* Assessment Interview Template by Nick Coblentz for SAMM V1.0
** This [https://www.owasp.org/images/c/cf/20090607-SAMMAssessmentInterviewTemplate-1.0.xls spreadsheet] breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.
* Roadmap Chart Template by Colin Watson for SAMM V1.0
** This [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.
* Assessment Worksheet by Christian Frichot for SAMM V1.0
** This is an easy-to-use [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.
* Project Plan Template by Jim Weiler for SAMM V1.0
** This is a [https://www.owasp.org/images/3/33/SAMMProject.zip project plan template] (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.

Mappings:
* BSIMM-6 mapping to SAMM activities:
** Spreadsheet download [https://github.com/OWASP/opensamm/tree/master/v1.1/mapping here]
** Presentation with start of analysis download [https://www.owasp.org/images/6/66/OpenSAMM_-_BSIMM-V_mapping.pptx here]
* BSIMM mapping to SAMM during the 2011 Summit:
** This [https://www.owasp.org/images/2/2e/20110301-OpenSAMM-BSIMM-Mapping.xlsx spreadsheet] contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).

Tools:
*Javascript visualization framework for SAMM on [https://github.com/qudosoft-labs/SAMMCharts github]

= Community =

[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Community | Community}}

</div>

= Summit =

[[Image:OwaspSAMM.png|right]]

In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016 >here<] !!

Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015 >here<] !!

Summit Notes:
* 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
* Summit outcome is described [http://www.opensamm.org/2015/04/opensamm-summit-dublin-outcome/ here]
''"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers."'' Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company

Previous workshop Notes:

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.

This is also an excellent opportunity to exchange experiences with your peers.

If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).
* The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available [https://docs.google.com/document/d/1tXqIovpSuFqycVYetdGSC2PiPygySymiLUhHT5yHR2M/edit here].

Previous workshop notes:
* The notes for the SAMM Workshop in New York on 21-Nov-2013 are available [https://docs.google.com/document/d/1PwoDVsWyhoWksBiLIRh8UOh-QCs8H7QMqrSUsS13WzU/edit here].
* The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available [https://docs.google.com/document/d/12mB7FkmhcI04YDZle_VD90n1xcENgNhAGqZkCAb6EkM/edit here].

= Talks =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
Upcoming talks featuring SAMM are listed here:

* OWASP DC - Software Assurance Maturity Model (SAMM) with Brian Glas! (2017-03-15)
* OWASP NoVA - SAMM 1.5, what's changed and how it impacts you (2017-03-16)
* InfoSec World - Software Assurance Maturity Model Evolutions (2017-04-03)

past talks:

* OWASP SAMM v1.5 Webinar - Brian Glas discussing the SAMM model and changes in v1.5 (watch - [https://www.youtube.com/watch?v=4pKdwRb8fTI youtube]) - 2017
* OWASP 24/7 - Seba Deleersnyder discussing the upcoming SAMM Summit (listen - [https://soundcloud.com/owasp-podcast/seba-deleersnyder-discusses-samm-software-assurance-maturity-model-summit-in-dublin-ireland here]) - 2015
* OWASP Germany Day 2014: Seba Deleersnyder: OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/f/fa/OpenSAMM_Best_Practices_Lessons_from_the_Trenches_-_Seba_Deleersnyder.pdf presentation]) - 2014
* AppSecEU14: Seba Deleersnyder & Bart De Win: OpenSAMM Best Practices: Lessons from the Trenches OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/6/6f/OpenSAMM_-_AppSecEU_2014_-_Seba-Bart_v20140528.pptx presentation], see [https://www.youtube.com/watch?v=qcCgeBeBLUg video]) - 2014
* AppSecEU13 - Hamburg: Seba Deleersnyder presenting a project update (download [https://www.owasp.org/images/3/32/OpenSAMM_-_Project_Status_-_Hamburg_2013.pdf presentation]) - 2013
* OWASP Europe Tour 2013 - Geneva: Seba Deleersnyder presenting OpenSAMM and the renewed project (download [https://www.owasp.org/images/c/cd/OpenSAMM_-_OWASP_Tour_13_Talk_-_Seba.pptx presentation]) - 2013
* AppSecEU11 - Athens: Colin Watson presenting SAMM Training (download [https://www.owasp.org/images/1/18/Owasp-training-samm-greece.pdf presentation]) - 2011
* AppSecEU09: Pravir Chandra presenting OpenSAMM v1.0 (download [https://www.owasp.org/images/4/49/AppSecEU09_OpenSAMM-1.0.ppt presentation]) - 2009
* Matt Bartoldus presentation on new SAMM project during OWASP London chapter (download [https://www.owasp.org/images/d/df/OpenSAMM.pdf presentation]) - 2009
* Pravir Chandra - first presentation discussing the next generation to the CLASP Project- a complete working of the details into a Software Assurance Maturity Model (SAMM). (download [https://www.owasp.org/images/2/2e/OWASP_CLASP_SAMM.ppt presentation]) - 2009

</div>

= News =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Latest News on SAMM
* OWASP SAMM v2.0 workshop at the OWASP Project Summit June 2017
* OWASP SAMM v1.5 Released!
* SAMM Summit 2016 read the [https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit wrap-up here]
* OWASP SAMM v1.1 Released! See the [http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release].
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

</div>

= Languages =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SAMM v1.0 is available in the following languages:'''

* English
* Spanish
* Japanese
* Chinese

Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the [https://www.owasp.org/images/c/cf/05_OWASP_LatamTur2011_OpenSAMM.pdf presentation].
Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download [https://www.owasp.org/images/f/fd/OpenSAMM-1.0-fr_FR.ppt here].

You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Updated roadmap:
Next 1.5 release, updated scoring:
* Clarification of maturity levels (syntactic changes to keep the text consistent)
* Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal.
* Show improvements with every activity introduced
* Adapt for the new scoring method
* Update questions for 4-tiers
* Review and where necessary clarify current questions
* Consider v1.1 remarks that were not withheld for the previous release
Targeted completion date: February 28, 2017

SAMM version 2.0
* Core model changed
* Visualisations + flavours for a few development methodologies
* Update quickstart guide, TB, HTG.
* Success metrics: How well does the model work: Linked to the benchmarking project.
Timing: Workshops as part of OWASP Project Summit June 2017

</div>
= Get Involved =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feedback==

Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:
* What do like?
* What don't you like?
* How can we make SAMM easier to use?
* How could SAMM be improved?

==Localization==

Are you fluent in another language? Can you help translate SAMM into that language?

You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!

</div>

= Project Sponsors =
[[Image:OwaspSAMM.png|right]]

<div style="font-size:120%;border:none;margin: 0;color:#000">

==SAMM Adopters==
Current list of [https://www.owasp.org/index.php/OpenSAMM_Adopters SAMM adopters]

SAMM is developed and maintained by a worldwide team of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM:

==== Acknowledgements ====
We would like to thank the following sponsors who donated funds to our project:

[[File:Belgium_Chapter.PNG|250px|link=https://www.owasp.org/index.php/Belgium]]
[[File:London_Chapter.PNG|250px|link=https://www.owasp.org/index.php/London]]

[[File:Aspectsecurity.png|250px|link=http://www.aspectsecurity.com]]
[[File:Astech_Consulting_logo.png|250px|link=http://www.astechconsulting.com/]]
[[File:Denim_Group_logo.jpg|250px|link=http://www.denimgroup.com/]]
[[File:Gotham_Digital_Science_logo.jpg|250px|link=http://www.gdssecurity.com/]]

{{MemberLinksv2|link=http://www.hpenterprisesecurity.com|logo=HP_Blue_RGB_150_SM.png|size=300px90px}}
[[File:NetSPI_logo.png|250px|link=http://www.netspi.com/]]
[[Image:PwC_logo_4colourprint_(2)_Resized_good_one.jpg|150px|link=http://www.pwc.com]]
[[File:SI_Logo_Stacked_Application_Security.jpg|250px|link=http://www.securityinnovation.com/]]
[[File:LogoToreon.jpg|250px|link=http://www.toreon.com]]
[[File:Veracode-samm.png|250px|link=http://www.veracode.com]]

__NOTOC__ <headertabs></headertabs>

<br />
{{OWASP Book|6888083}}
<br />

[[Category:OWASP Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP Release Quality Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]

Category:OWASP Top Ten Project

2018-01-24T04:15:22Z

Brianglas: Removed myself as one of the project leads

Category:OWASP Top Ten Project

2017-11-06T00:14:00Z

Brianglas: /* News and Events */

=Main=
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div>
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Top 10 2017 RC2 Released==
RC2 is now [https://github.com/OWASP/Top10/blob/master/2017/OWASP%20Top%2010%202017%20RC2%20Final.pdf available for download]. In an ongoing effort to be transparent, we are asking for all comments to be made on the project's [https://github.com/OWASP/Top10/issues GitHub issues list].

== OWASP Top 10 2017 - Industry survey open and data call completed==

* A big thank you to all industry professionals who completed this [https://goo.gl/forms/ltbKrdYrp4Qdl7Df2 <u>survey for new vulnerability categories</u>] to help determine up to two items in the 2017 Top 10. The deadline for the survey was <span style="background:yellow;"><b>18 September, 2017</b></span>.
* The data call for the 2017 Top 10 had been reopened, a bit thank you to all the contributors. The [https://goo.gl/forms/tLgyvK9O74r7wMkt2 <u>call for data</u>] is now closed. The deadline for the extended data call was <span style="background:yellow;"><b>18 September, 2017</b></span>.
This [https://owasp.blogspot.com/2017/08/owasp-top-10-2017-project-update.html <u>OWASP blog posting</u>] describes the process in detail.

==OWASP Top 10 2017 – RC1 rejected==

During the [https://owaspsummit.org/website/ <u>OWASP Summit 2017</u>], several sessions took place discussing many different aspects of the OWASP Top 10, for example, governance and validation, the data collection process, data assessment and review of the new suggested A7 and A10.
Main [https://owaspsummit.org/Outcomes/Owasp-Top-10-2017/Owasp-Top-10-2017.html <u>outcomes of the OWASP Summit</u>] include:
* RC1 of the OWASP Top 10 2017 has been rejected
* A1, A2, A3, A4, A5, A6, A8, A9 have been left untouched by consensus view
* Requirement to choose two additional items (-> see OWASP Top 10 2017 - Industry survey open and data call reopened)
* Feedback on the mailing list has been moved to the [https://github.com/OWASP/Top10/issues <u>issues list</u>] in GitHub, please continue to contribute feedback there.
* The new OWASP Top 10 2017 is to be released in late November 2017.
* New project leadership put in place.


==OWASP Top 10 Most Critical Web Application Security Risks==

The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.

We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications minimize these risks. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.

==Translation Efforts==

The OWASP Top 10 has been translated to many different languages by numerous volunteers. These translations are available as follows:

* [[Top10#OWASP_Top_10_for_2013 | All versions of the OWASP Top 10 - 2013]]
* [[Top10#OWASP_Top_10_for_2010 | All versions of the OWASP Top 10 - 2010]]
* [[Top10#Translation_Efforts_2 | Information about the various translation teams]]

==Licensing==
The OWASP Top 10 is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

{{Social Media Links}}
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Top 10? ==

The OWASP Top 10 provides:

* '''A list of the 10 Most Critical Web Application Security Risks'''

For each Risk it provides:
* A description
* Example vulnerabilities
* Example attacks
* Guidance on how to avoid
* References to OWASP and other related resources

== Project Leaders ==

* [[User:vanderaj | Andrew van der Stock]]
* [[User:Neil_Smithline | Neil Smithline]]
* [[User:T.Gigler | Torsten Gigler]]
* [[User:Brianglas | Brian Glas]]

== Related Projects ==

* [[OWASP_Mobile_Security_Project#Top_Ten_Mobile_Risks | OWASP Mobile Top 10 Risks]]

* [[OWASP_Top_Ten_Cheat_Sheet | OWASP Top 10 Cheat Sheet]]

* [[OWASP_Proactive_Controls | Top 10 Proactive Controls]]

* [[OWASP_Top_10/Mapping_to_WHID | OWASP Top 10 Mapped to the Web Hacking Incident Database]]

== Ohloh ==

*https://www.ohloh.net/p/OWASP-Top-10

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==
* [[Media:OWASP_Top_10_2017_RC2_Final.pdf | OWASP Top 10 2017 RC2 - PDF]]
* [[Media:OWASP_Top_10_-_2013.pdf | OWASP Top 10 2013 - PDF]]
* [[Top_10_2013 | OWASP Top 10 2013 - wiki]]
* [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP_Top-10_2013%20-%20Presentation.pptx OWASP Top 10 2013 Presentation - Covering Each Item in the Top 10 (PPTX)].

== Get Involved ==
* [https://lists.owasp.org/mailman/listinfo/Owasp-topten Project Email List]
* [https://github.com/OWASP/Top10/issues Top 10 Issues on GitHub]

== News and Events ==
* [20 Oct 2017] OWASP Top 10 2017 RC2 Published
* [11 Jul 2017] OWASP Top 10 2017 – The appeal for data and opinions is still open
* [10 Apr 2017] OWAP Top 10 - 2017 Release Candidate Published
* [17 Dec 2016] OWASP Top 10 - 2017 Data Call Data Published
* [20 May 2016] OWASP Top 10 - 2017 Data Call Announced
* [12 Jun 2013] OWASP Top 10 - 2013 Final Released
* [Feb 2013] OWASP Top 10 - 2013 - Release Candidate Published

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= OWASP Top 10 for 2017 Release Candidate 2 =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

RC2 is available for download [https://github.com/OWASP/Top10/blob/master/2017/OWASP%20Top%2010%202017%20RC2%20Final.pdf from GitHub].

We have worked extensively to validate the methodology, obtained a great deal of data on over 114,000 apps, and obtained qualitative data via survey by 550 community members on the two new categories – insecure deserialization and insufficient logging and monitoring.

We strongly urge for any corrections or issues to be made on the project's [https://github.com/OWASP/Top10/issues GitHub issue list].

Through public transparency, we provide traceability and ensure that all voices are heard during this final month before publication.

(We will be reaching out to translators shortly.)

Andrew van der Stock<br/>
Brian Glas<br/>
Neil Smithline<br/>
Torsten Gigler<br/>

==Historical/Outdated Information - for historical reference only==
The 2017 OWASP Top 10 RC1 has been rejected. A [https://goo.gl/forms/ltbKrdYrp4Qdl7Df2 new survey for security professionals] and a [https://goo.gl/forms/tLgyvK9O74r7wMkt2 reopened data call] are now open. More details can be found on [https://owasp.blogspot.com/2017/08/owasp-top-10-2017-project-update.html this blog post].

The release candidate for public comment was published 10 April 2017 and can be [https://github.com/OWASP/Top10/raw/master/2017/drafts/OWASP%20Top%2010%20-%202017%20RC1-English.pdf downloaded here.]. OWASP plans to release the final OWASP Top 10 - 2017 in July or August 2017 after a public comment period ending June 30, 2017.

Constructive comments on this [https://github.com/OWASP/Top10/raw/master/2017/drafts/OWASP%20Top%2010%20-%202017%20RC1-English.pdf OWASP Top 10 - 2017 Release Candidate] should be forwarded via email to the [https://lists.owasp.org/mailman/listinfo/Owasp-topten OWASP Top 10 Project Email List]. Private comments may be sent to [mailto:vanderaj@owasp.org Andrew van der Stock]. Anonymous comments are welcome. All non-private comments will be catalogued and published at the same time as the final public release. Comments recommending changes to the Top 10 should include a complete suggested list of changes, along with a rationale for each change. All comments should indicate the specific relevant page and section.

This release of the OWASP Top 10 marks this project’s fourteenth year of raising awareness of the importance of application security risks. This release follows the 2013 update, whose main change was the addition of 2013-A9 Use of Known Vulnerable Components. We are pleased to see that since the 2013 Top 10 release, a whole ecosystem of both free and commercial tools have emerged to help combat this problem as the use of open source components has continued to rapidly expand across practically every programming language. The data also suggests the use of known vulnerable components is still prevalent, but not as widespread as before. We believe the awareness of this issue the Top 10 - 2013 generated has contributed to both of these changes.

We also noticed that since CSRF was introduced to the Top 10 in 2007, it has dropped from a widespread vulnerability to an uncommon one. Many frameworks include automatic CSRF defenses which has significantly contributed to its decline in prevalence, along with much higher awareness with developers that they must protect against such attacks.

For 2017, the OWASP Top 10 Most Critical Web Application Security Risks (in the Release Candidate) are:

* A1 Injection
* A2 Broken Authentication and Session Management
* A3 Cross-Site Scripting (XSS)
* A4 Broken Access Control (As it was in 2004)
* A5 Security Misconfiguration
* A6 Sensitive Data Exposure
* A7 Insufficient Attack Protection (NEW)
* A8 Cross-Site Request Forgery (CSRF)
* A9 Using Components with Known Vulnerabilities
* A10 Underprotected APIs (NEW)

== 2017 Update Data Call Data ==

DATA CALL RESULTS ARE NOW PUBLIC: The [https://github.com/OWASP/Top10/blob/master/2017/datacall/OWASP%20Top%2010%20-%202017%20Data%20Call-Public%20Release.xlsx?raw=true results of this data call have been made public here] as an Excel spreadsheet with 4 tabs. Three of the tabs have raw data as submitted, organized into three vulnerability data size categories: large, small, and none. A 4th tab includes some basic analysis of the large size submissions. The OWASP Top 10 project thanks all the submitters for their input to the OWASP Top 10 - 2017.

On May 20, 2016, the Top 10 project made a public announcement of the data call for the 2017 update to the OWASP Top 10. Contributors filled out the Google form posted here: [https://docs.google.com/forms/d/1sBMHN5nBicjr5xSo04xkdP5JlCnXFcKFCgEHjwPGuLw/viewform?c=0&w=1&usp=mail_form_link OWASP Top 10 - 2017 Data Call], which had the questions listed below.

Page 1 of 5: Submitter Info

* Name of Company/Organization *
* Company/Organization Web Site *
* Point of Contact Name *
* Point of Contact E-Mail *

Page 2 of 5: Background on Applications

* During what year(s) was this data collected? *
** 2014
** 2015
** Both 2014 & 2015
*** If the application vulnerability data you are submitting was extracted from a publicly available report, please provide a link to that report (or reports), and the relevant page number(s)

* How many web applications do the submitted results cover? * We consider web apps, web services, and the server side of mobile apps to all be web apps.

* What were the primary programming languages the applications you reviewed written in? Primary being 5% or more of the supplied results - Check all that apply
** Java
** .NET
** Python
** PHP
** Ruby
** Grails
** Play
** Node.js
** Other:

* Please supply the exact percentage of applications per language checked off above:

* What were the primary industries these applications supported? Primary being 5% or more of the supplied results - Check all that apply
** Financial
** Healthcare
** eCommerce
** Internet/Social Media
** Airline
** Energy
** Entertainment (Games/Music/Movies)
** Government
** Other:

* Where in the world were the application owners primarily? Again - select those where 5% or more of your results came from
** North America
** Europe
** AsiaPac
** South America
** Middle East
** Africa
** Other:

Page 3 of 5: Assessment Team and Detection Approach

* What type of team did the bulk of this work? *
** Internal Assessment Team(s)
** Consulting Organization
** Product Vendor/Service Provider (e.g., SaaS)
** Other:

*What type of analysis tools do they use? * Check all that apply.
** Free/Open Source Static Application Security Testing (SAST) Tools
** Free/Open Source Dynamic Application Security Testing (DAST) Tools
** Free/Open Source Interactive Application Security Testing (IAST) Tools
** Commercial Static Application Security Testing (SAST) Tools
** Commercial Dynamic Application Security Testing (DAST) Tools
** Commercial Interactive Application Security Testing (IAST) Tools
** Commercial DAST/IAST Hybrid Analysis Tools
** Other:

* Which analysis tools do you frequently use? This includes both free, commercial, and custom (in house) tools - List tools by name

* What is your primary assessment methodology? * Primary being the majority of your assessments follow this approach
** Raw (untriaged) output of automated analysis tool results using default rules
** Automated analysis tool results - with manual false positive analysis/elimination
** Output from manually tailored automated analysis tool(s)
** Output from manually tailored automated analysis tool(s) - with manual false positive analysis/elimination
** Manual expert penetration testing (Expected to be tool assisted w/ free DAST tool(s))
** Manual expert penetration testing with commercial DAST tool(s)
** Manual expert code review (Using IDE and other free code review aids)
** Manual expert code review with commercial SAST tool(s)
** Combined manual expert code review and penetration testing with only free tools
** Combined manual expert code review and penetration testing with only commercial tools
** Other:

Page 4 of 5: Application Vulnerability Data

Each question asks the number of vulnerabilities found for a particular type of vulnerability. At the end, is one catch all text question where you can add other types of vulnerabilities and their counts. If you prefer, just send your vulnerability data in a spreadsheet to brian.glas@owasp.org with these columns: CATEGORY NAME, CWE #, COUNT after you submit the rest of your input via this data call. ideally it would come from the email address you specified in the Point of Contact E-Mail question on Page 1 so its easy to correlate the two.

* Number of SQL Injection Vulnerabilities Found (CWE-89)?
* Number of Hibernate Injection Vulnerabilities Found (CW-564)?
* Number of Command Injection Vulnerabilities Found (CWE-77)?
* Number of Authentication Vulnerabilities Found (CWE-287)?
* Number of Session Fixation Vulnerabilities Found (CWE-384)?
* Number of Cross-Site Scripting (XSS) Vulnerabilities Found (CWE-79)?
* Number of DOM-Based XSS Vulnerabilities Found (No CWE)?
* Number of Insecure Direct Object Reference Vulnerabilities Found (CWE-639)?
* Number of Path Traversal Vulnerabilities Found (CWE-22)?
* Number of Missing Authorization Vulnerabilities Found (CWE-285)?
* Number of Security Misconfiguration Vulnerabilities Found (CWE-2)?
* Number of Cleartext Transmission of Sensitive Information Vulnerabilities Found (CWE-319)?
* Number of Cleartext Storage of Sensitive Information Vulnerabilities Found (CWE-312)?
* Number of Weak Encryption Vulnerabilities Found (CWE-326)?
* Number of Cryptographic Vulnerabilities Found (CWEs-310/326/327/etc)?
** You can report them all lumped together in 310 or in their individual categories. However you want.
* Number of Improper (Function Level) Access Control Vulnerabilities Found (CWE-285)?
* Number of Cross-Site Request Forgery (CSRF) Vulnerabilities Found (CWE-352)?
* Number of Use of Known Libraries Found (No CWE)?
* Number of Unchecked Redirect Vulnerabilities Found (CWE-601)?
* Number of Unvalidated Forward Vulnerabilities Found (No CWE)?
* Number of Clickjacking Vulnerabilities Found (No CWE)?
* Number of XML eXternal Entity Injection (XXE) Vulnerabilities Found (CWE-611)?
* Number of Server-Side Request Forgery (SSRF) Vulnerabilities Found (CWE-918)?
* Number of Denial of Service (DOS) Vulnerabilities Found (CWE-400)?
* Number of Expression Language Injection Vulnerabilities Found (CWE-917)?
* Number of Error Handling Vulnerabilities Found (CWE-388)?
* Number of Information Leakage/Disclosure Vulnerabilities Found (CWE-200)?
* Number of Insufficient Anti-automation Vulnerabilities Found (CWE-799)?
* Number of Insufficient Security Logging Vulnerabilities Found (CWE-778)?
* Number of Insufficient Intrusion Detection and Response Vulnerabilities Found (No CWE)?
* Number of Mass Assignment Vulnerabilities Found (CWE-915)?
* What other vulnerabilities did you find?
** Please provide in this format: CATEGORY NAME, CWE #, COUNT (one line per category). Say "No CWE" if there isn't a CWE # for that category. If you plan to send all your vulnerability data in via an email, please state so here so we know to expect it.

Page 5 of 5: Suggestions for the next OWASP Top 10

What do you think we should change?

* Vulnerability types you think should be added to the T10? Because they are an unappreciated risk, widespread, becoming more prevalent, a new type of vulnerability, etc.
* Vulnerability types you think should be removed from the T10?
* Suggested changes to the Top 10 Document/Wiki?
* Suggestions on how to improve this call for data?

== Project Sponsors ==

The OWASP Top 10 project is sponsored by {{MemberLinks|link=https://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}

= OWASP Top 10 for 2013 =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

On June 12, 2013 the OWASP Top 10 for 2013 was officially released. This version was updated based on numerous comments received during the comment period after the release candidate was released in Feb. 2013.

* [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202013.pdf OWASP Top 10 2013 document (PDF)].
* [[Top_10_2013 | OWASP Top 10 2013 - Wiki.]]
* [https://www.owasp.org/images/6/6a/OWASP_TOP_10_2013_Arabic.pdf OWASP Top 10 2013 - Arabic (PDF)].
* [https://www.owasp.org/images/5/51/OWASP_Top_10_2013-Chinese-V1.2.pdf OWASP Top 10 2013 - Chinese (PDF)].
* [https://www.owasp.org/images/f/f3/OWASP_Top_10_-_2013_Final_-_Czech_V1.1.pdf OWASP Top 10 2013 - Czech (PDF)].
* [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French (PDF)].
* [[media:OWASP_Top_10_2013_DE_Version_1_0.pdf | OWASP Top 10 2013 - German (PDF)]]
* [[OWASP_Top10_Hebrew|OWASP Top 10 2013 - Hebrew]] [https://www.owasp.org/images/1/1b/OWASP_Top_10_2013-Hebrew.pdf (PDF)]
* [https://www.owasp.org/images/c/c9/OWASP_Top_10_-_2013_-_Italiano.pdf OWASP Top 10 2013 - Italian (PDF)]
* [https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf OWASP Top 10 2013 - Japanese (PDF)].
* [https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korea (PDF)].
* [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)].
* [https://www.owasp.org/images/5/5f/OWASP_Top_10_-_2013_Final_-_Espa%C3%B1ol.pdf OWASP Top 10 2013 - Spanish (PDF)]
* [https://www.owasp.org/images/e/e3/OWASP_Top_10_-_2013_Final_Ukrainian.pdf OWASP Top 10 2013 - Ukrainian (PDF)]
* [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP_Top-10_2013%20-%20Presentation.pptx OWASP Top 10 2013 Presentation - Presenting Each Item in the Top 10 (PPTX)].

For 2013, the OWASP Top 10 Most Critical Web Application Security Risks are:

* [[Top_10_2013-A1-Injection | A1 Injection]]
* [[Top_10_2013-A2-Broken_Authentication_and_Session_Management | A2 Broken Authentication and Session Management]]
* [[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3 Cross-Site Scripting (XSS)]]
* [[Top_10_2013-A4-Insecure_Direct_Object_References | A4 Insecure Direct Object References]]
* [[Top_10_2013-A5-Security_Misconfiguration | A5 Security Misconfiguration]]
* [[Top_10_2013-A6-Sensitive_Data_Exposure | A6 Sensitive Data Exposure]]
* [[Top_10_2013-A7-Missing_Function_Level_Access_Control | A7 Missing Function Level Access Control]]
* [[Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) | A8 Cross-Site Request Forgery (CSRF)]]
* [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9 Using Components with Known Vulnerabilities]]
* [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards | A10 Unvalidated Redirects and Forwards]]

If you are interested, the methodology for how the Top 10 is produced is now documented here: [[Top_10_2013/ProjectMethodology | OWASP Top 10 Development Methodology]]

Please help us make sure every developer in the ENTIRE WORLD knows about the OWASP Top 10 by helping to spread the word!!!

As you help us spread the word, please emphasize:

*OWASP is reaching out to developers, not just the application security community
*The Top 10 is about managing risk, not just avoiding vulnerabilities
*To manage these risks, organizations need an application risk management program, not just awareness training, app testing, and remediation

We need to encourage organizations to get off the penetrate and patch mentality. As Jeff Williams said in his 2009 OWASP AppSec DC Keynote: “we’ll never hack our way secure – it’s going to take a culture change” for organizations to properly address application security.

== Introduction ==

The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. Versions of the 2007 and 2010 version were translated into English, French, Spanish, Japanese, Korean and Turkish and other languages. The 2013 version was translated into even more languages.

We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications minimize these risks. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.

== Changes between 2010 and 2013 Editions ==

The OWASP Top 10 - 2013 includes the following changes as compared to the 2010 edition:

* A1 Injection
* A2 Broken Authentication and Session Management (was formerly 2010-A3)
* A3 Cross-Site Scripting (XSS) (was formerly 2010-A2)
* A4 Insecure Direct Object References
* A5 Security Misconfiguration (was formerly 2010-A6)
* A6 Sensitive Data Exposure (2010-A7 Insecure Cryptographic Storage and 2010-A9 Insufficient Transport Layer Protection were merged to form 2013-A6)
* A7 Missing Function Level Access Control (renamed/broadened from 2010-A8 Failure to Restrict URL Access)
* A8 Cross-Site Request Forgery (CSRF) (was formerly 2010-A5)
* A9 Using Components with Known Vulnerabilities (new but was part of 2010-A6 – Security Misconfiguration)
* A10 Unvalidated Redirects and Forwards

== Other 2013 Top 10 Docs ==

*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202013%20-%20RC1.pdf OWASP Top 10 - 2013 - Release Candidate]
*[https://www.owasp.org/images/3/3d/OWASP_Top_10_-_2013_Final_Release_-_Change_Log.docx OWASP Top 10 - 2013 - Final Release - Change Log (docx)]
* [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP_Top-10_2013%20-%20Changes-from-2010.pptx Focusing on What Changed Since 2010 (PPTX)]

[[File:OWASP_Web_Top_10_for_2013.png]]

== Feedback ==

Please let us know how your organization is using the OWASP Top 10. Include your name, organization's name, and brief description of how you use the list. Thanks for supporting OWASP!

We hope you find the information in the OWASP Top 10 useful. Please contribute back to the project by sending your comments, questions, and suggestions to topten@lists.owasp.org. Thanks!

To join the OWASP Top 10 mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-topten subscription page.]

== Project Sponsors ==

The OWASP Top 10 project is sponsored by {{MemberLinks|link=https://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}



= OWASP Top 10 for 2010 =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

On April 19, 2010 the final version of the OWASP Top 10 for 2010 was released, and here is the associated [[OWASPTop10-2010-PressRelease|press release]]. This version was updated based on numerous comments received during the comment period after the release candidate was released in Nov. 2009.

*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 - 2010 Document]
*[[Top 10 2010|OWASP Top 10 - 2010 - wiki]]
*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP_Top_10_-_2010%20Presentation.pptx OWASP Top 10 - 2010 Presentation]
*[http://blip.tv/owasp-appsec-conference-in-europe/day2_track1_1430-1505-3936900 OWASP Top 10 Video of the Presentation above - this focused alot on the Top 10 for 2010 approach, rather than the details. (From OWASP AppSec EU 2010)]
*[http://www.vimeo.com/9006276 OWASP Top 10 Video of this Presentation when the Top 10 for 2010 was 1st released for comment - this goes through each item in the Top 10. (From OWASP AppSec DC 2009)]

For 2010, the OWASP Top 10 Most Critical Web Application Security Risks are:

*[[Top_10_2010-A1|A1: Injection]]
*[[Top_10_2010-A2|A2: Cross-Site Scripting (XSS)]]
*[[Top_10_2010-A3|A3: Broken Authentication and Session Management]]
*[[Top_10_2010-A4|A4: Insecure Direct Object References]]
*[[Top_10_2010-A5|A5: Cross-Site Request Forgery (CSRF)]]
*[[Top_10_2010-A6|A6: Security Misconfiguration]]
*[[Top_10_2010-A7|A7: Insecure Cryptographic Storage]]
*[[Top_10_2010-A8|A8: Failure to Restrict URL Access]]
*[[Top_10_2010-A9|A9: Insufficient Transport Layer Protection]]
*[[Top_10_2010-A10|A10: Unvalidated Redirects and Forwards]]

== Introduction ==

The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. Versions of the 2007 were translated into English, French, Spanish, Japanese, Korean and Turkish and other languages and the 2010 version was translated into even more languages. See below for all the translated versions.

== 2010 Versions ==

2010 Edition:

*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 2010 - PDF]
*[[Top 10 2010|OWASP Top 10 2010 - wiki]]

2010 Translations:

*[https://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF / 这里下载PDF格式文档]
*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF]
*[[media:OWASPTop10_2010_DE_Version_1_0.pdf | OWASP Top 10 2010 - German PDF]]
*[https://www.owasp.org/images/c/cd/OWASP_Top_10_Heb.pdf OWASP Top 10 2010 - Hebrew PDF]
*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF]
*[https://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF]
*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF]
*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF]
*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF]
*[https://www.owasp.org/images/8/86/OWASP_Top_10_-_2010_FINAL_%28spanish%29.pptx OWASP Top 10 2010 - Spanish PPT]
*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF]

2010 Release Candidate:

*[https://www.owasp.org/index.php/File:OWASP_T10_-_2010_rc1.pdf OWASP Top 10 2010 Release Candidate]
*[https://www.owasp.org/images/e/e1/OWASP_Top_10_RC-Public_Comments.docx OWASP Top 10 2010 Release Candidate Comments], except for one set of scanned comments [https://www.owasp.org/images/2/2e/OWASP_T10_-_2010_rc1_cmts_Kai_Jendrian.pdf which are here].

Previous versions:

*[https://www.owasp.org/images/e/e8/OWASP_Top_10_2007.pdf OWASP Top 10 2007 - PDF]
*[[Top 10 2007|OWASP Top 10 2007 - wiki]]
*[https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=Project_Details OWASP Top 10 2007 - PDF Translations are here]
*[[Top 10 2004|OWASP Top 10 2004 - wiki]]

= Translation Efforts =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

The 2017 RC1 has been rejected. There will be an RC2 coming out shortly. As RC2 may have significant changes from RC1, we suggest that you wait for RC2 before continuing your translation efforts.

If you are interested in helping, please contact the members of the team for the language you are interested in contributing to, or if you don't see your language listed, please email owasp-topten@lists.owasp.org to let us know that you want to help and we'll form a volunteer group for your language.

Here is the original source document for the [https://github.com/OWASP/Top10/raw/master/2017/drafts/OWASP%20Top%2010%20-%202017%20RC1-English.pptx OWASP Top 10 - 2017 '''Release Candidate''' which is in PowerPoint].

2017 Release Candidate Translation Teams:

* French: Ludovic Petit: Ludovic.Petit@owasp.org, Sébastien Gioria: Sebastien.Gioria@owasp.org.
* Chinese: 王颉、包悦忠、Rip、顾凌志、王厚奎、王文君、吴楠、夏天泽、夏玉明、杨天识、袁明坤、张镇(排名不分先后，按姓氏拼音排列) [https://www.owasp.org/images/8/8f/OWASP_Top_10_2017（RC1）中文版（V1.0）.pdf OWASP Top10 2017 RC1 - Chinese PDF]
* Azerbaijanian: Rashad Aliyev (rashad@aliev.info)
* Others to be listed.

2013 Completed Translations:

* Arabic: [https://www.owasp.org/images/6/6a/OWASP_TOP_10_2013_Arabic.pdf OWASP Top 10 2013 - Arabic PDF] Translated by: Mohannad Shahat: Mohannad.Shahat@owasp.org, Fahad: @SecurityArk, Abdulellah Alsaheel: cs.saheel@gmail.com, Khalifa Alshamsi: Khs1618@gmail.com and Sabri(KING SABRI): king.sabri@gmail.com, Mohammed Aldossary: mohammed.aldossary@owasp.org
* Chinese 2013：中文版2013 [https://www.owasp.org/images/5/51/OWASP_Top_10_2013-Chinese-V1.2.pdf OWASP Top 10 2013 - Chinese (PDF)]. 项目组长： Rip 王颉，参与人员：陈亮、顾庆林、胡晓斌、李建蒙、王文君、杨天识、张在峰
* Czech 2013: [https://www.owasp.org/images/f/f3/OWASP_Top_10_-_2013_Final_-_Czech_V1.1.pdf OWASP Top 10 2013 - Czech (PDF)] [https://www.owasp.org/images/0/02/OWASP_Top_10_-_2013_Final_-_Czech_V1.1.pptx OWASP Top 10 2013 - Czech (PPTX)] CSIRT.CZ - CZ.NIC, z.s.p.o. (.cz domain registry): Petr Zavodsky: petr.zavodsky@owasp.org, Vaclav Klimes, Zuzana Duracinska, Michal Prokop, Edvard Rejthar, Pavel Basta
*French 2013: [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French PDF] Ludovic Petit: Ludovic.Petit@owasp.org, Sébastien Gioria: Sebastien.Gioria@owasp.org, Erwan Abgrall: g4l4drim@gmail.com, Benjamin Avet: benjamin.avet@gmail.com, Jocelyn Aubert: jocelyn.aubert@owasp.org, Damien Azambour: damien.azambourg@owasp.org, Aline Barthelemy: aline.barthelemy@fr.abb.com, Moulay Abdsamad Belghiti: abdsamad.belghiti@gmail.com, Gregory Blanc: gregory.blanc@gmail.com, Clément Capel: clement.capel@sfr.com, Etienne Capgras: Etienne.capgras@solucom.fr, Julien Cayssol: julien@aqwz.com, Antonio Fontes: antonio.fontes@owasp.org, Ely de Travieso: Ely.detravieso@owasp.org, Nicolas Grégoire: nicolas.gregoire@agarri.fr, Valérie Lasserre: valerie.lasserre@gmx.fr, Antoine Laureau: antoine.laureau@owasp.org, Guillaume Lopes: lopes.guillaume@free.fr, Gilles Morain: gilles.morain@gmail.com, Christophe Pekar: christophe.pekar@owasp.org, Olivier Perret: perrets@free.fr, Michel Prunet: michel.prunet@owasp.org, Olivier Revollat: revollat@gmail.com, Aymeric Tabourin: aymeric.tabourin@orange.com
* German 2013: [[media:OWASP_Top_10_2013_DE_Version_1_0.pdf | OWASP Top 10 2013 - German PDF]] top10@owasp.de which is Frank Dölitzscher, Torsten Gigler, Tobias Glemser, Dr. Ingo Hanke, Thomas Herzog, [[User:Kai_Jendrian|Kai Jendrian]], [[User:Ralf_Reinhardt|Ralf Reinhardt]], Michael Schäfer
* Hebrew 2013: [[OWASP_Top10_Hebrew|OWASP Top 10 2013 - Hebrew]] [https://www.owasp.org/images/1/1b/OWASP_Top_10_2013-Hebrew.pdf PDF] Translated by: Or Katz, Eyal Estrin, Oran Yitzhak, Dan Peled, Shay Sivan.
* Italian 2013: [https://www.owasp.org/images/c/c9/OWASP_Top_10_-_2013_-_Italiano.pdf OWASP Top 10 2013 - Italian PDF] Translated by: Michele Saporito: m.saporito7@gmail.com, Paolo Perego: thesp0nge@owasp.org, Matteo Meucci: matteo.meucci@owasp.org, Sara Gallo: sara.gallo@gmail.com, Alessandro Guido: alex@securityaddicted.com, Mirko Guido Spezie: mirko@dayu.it, Giuseppe Di Cesare: giuseppe.dicesare@alice.it, Paco Schiaffella: schiaffella@gmail.com, Gianluca Grasso: giandou@gmail.com, Alessio D'Ospina: alessiodos@gmail.com, Loredana Mancini: loredana.mancini@business-e.it, Alessio Petracca: alessio.petracca@gmail.com, Giuseppe Trotta: giutrotta@gmail.com, Simone Onofri: simone.onofri@gmail.com, Francesco Cossu: hambucker@gmail.com, Marco Lancini: marco.lancini.ml@gmail.com, Stefano Zanero: zanero@elet.polimi.it, Giovanni Schmid: giovanni.schmid@na.icar.cnr.it, Igor Falcomata': koba@sikurezza.org
*Japanese 2013: [https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf OWASP Top 10 2013 - Japanese PDF] Translated by: Chia-Lung Hsieh: ryusuke.tw(at)gmail.com, Reviewed by: Hiroshi Tokumaru, Takanori Nakanowatari
* Korean 2013: [https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korean PDF] (이름가나다순) 김병효:byounghyo.kim@owasp.org, 김지원:jiwon.kim@owasp.or.kr, 김효근:katuri@katuri.kr, 박정훈:xelion@gmail.com, 성영모:youngmo.seong@owasp.or.kr, 성윤기:yune.sung@owasp.org, 송보영:boyoung.song@owasp.or.kr, 송창기:factor7@naver.com, 유정호:griphis77@gmail.com, 장상민:sangmin.jang@owasp.or.kr, 전영재:youngjae.jeon@owasp.org, 정가람:tgcarrot@gmail.com, 정홍순:jhs728@gmail.com, 조민재:johnny.cho@owasp.org,허성무:issimplenet@gmail.com
*Brazilian Portuguese 2013: [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese PDF] Translated by: Carlos Serrão, Marcio Machry, Ícaro Evangelista de Torres, Carlo Marcelo Revoredo da Silva, Luiz Vieira, Suely Ramalho de Mello, Jorge Olímpia, Daniel Quintão, Mauro Risonho de Paula Assumpção, Marcelo Lopes, Caio Dias, Rodrigo Gularte
*Spanish 2013: [https://www.owasp.org/images/5/5f/OWASP_Top_10_-_2013_Final_-_Espa%C3%B1ol.pdf OWASP Top 10 2013 - Spanish PDF] Gerardo Canedo: gerardo.canedo@owasp.org, Jorge Correa: jacorream@gmail.com, Fabien Spychiger: fabien.spychiger@dreamlab.net, Alberto Hill: alberto.daniel.hill@gmail.com, Johnatan Stanley: johnatanst@gmail.com, Maximiliano Alonzo: malonzo@tib.com.uy, Mateo Martinez: mateo.martinez@owasp.org, David Montero: david.montero@owasp.org, Rodrigo Martinez: rodmart@fing.edu.uy, Guillermo Skrilec: guillermo.skrilec@owasp.org, Felipe Zipitria: felipe.zipitria@owasp.org, Fabien Spychiger: fabien.spychiger@dreamlab.net, Rafael Gil: rafael.gillarios@owasp.org, Christian Lopez: christian.lopez.martin@owasp.org, jonathan fernandez jonathan.fernandez04@gmail.com, Paola Rodriguez: Paola_R1@verifone.com, Hector Aguirre: hector.antonio.aguirre@owasp.org, Roger Carhuatocto: rcarhuatocto@intix.info, Juan Carlos Calderon: johnccr@yahoo.com, Marc Rivero López: mriverolopez@gmail.com, Carlos Allendes: carlos.allendes@owasp.org, daniel@carrero.cl: daniel@carrero.cl, Manuel Ramírez: manuel.ramirez.s@gmail.com, Marco Miranda: marco.miranda@owasp.org, Mauricio D. Papaleo Mayada: mpapaleo@gmail.com, Felipe Sanchez: felipe.sanchez@peritajesinformaticos.cl, Juan Manuel Bahamonde: juanmanuel.bahamonde@gmail.com, Adrià Massanet: adriamassanet@gmail.com, Jorge Correa: jacorream@gmail.com, Ramiro Pulgar: ramiro.pulgar@owasp.org, German Alonso Suárez Guerrero: german.suarez@owasp.org, Jose A. Guasch: jaguasch@gmail.com, Edgar Salazar: edgar.salazar@owasp.org
*Ukrainian 2013: [https://www.owasp.org/images/e/e3/OWASP_Top_10_-_2013_Final_Ukrainian.pdf OWASP Top 10 2013 - Ukrainian PDF] Kateryna Ovechenko, Yuriy Fedko, Gleb Paharenko, Yevgeniya Maskayeva, Sergiy Shabashkevich, Bohdan Serednytsky

2010 Completed Translations:

*Korean 2010: [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF] Hyungkeun Park, (mirrk1@gmail.com)
*Spanish 2010: [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF] *Daniel Cabezas Molina , Edgar Sanchez, Juan Carlos Calderon, Jose Antonio Guasch, Paulo Coronado, Rodrigo Marcos, Vicente Aguilera
*French 2010: [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF] ludovic.petit@owasp.org, sebastien.gioria@owasp.org, antonio.fontes@owasp.org, benoit.guerette@owasp.org, Jocelyn.aubert@owasp.org, Eric.Garreau@gemalto.com, Guillaume.Huysmans@gemalto.com
*German: [[media:OWASPTop10_2010_DE_Version_1_0.pdf | OWASP Top 10 2010 - German PDF]] top10@owasp.de which is Frank Dölitzscher, Tobias Glemser, Dr. Ingo Hanke, [[User:Kai_Jendrian|Kai Jendrian]], [[User:Ralf_Reinhardt|Ralf Reinhardt]], Michael Schäfer
*Indonesian: [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF] Tedi Heriyanto (coordinator), Lathifah Arief, Tri A Sundara, Zaki Akhmad
*Italian: [https://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF] Simone Onofri, Paolo Perego, Massimo Biagiotti, Edoardo Viscosi, Salvatore Fiorillo, Roberto Battistoni, Loredana Mancini, Michele Nesta, Paco Schiaffella, Lucilla Mancini, Gerardo Di Giacomo, Valentino Squilloni
*Japanese: [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF] cecil.su@owasp.org, Dr. Masayuki Hisada, Yoshimasa Kawamoto, Ryusuke Sakamoto, Keisuke Seki, Shin Umemoto, Takashi Arima
*Chinese: [https://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF] 感谢以下为中文版本做出贡献的翻译人员和审核人员: Rip Torn, 钟卫林, 高雯, 王颉, 于振东
*Vietnamese: [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF] Translation lead by Cecil Su - Translation Team: Dang Hoang Vu, Nguyen Ba Tien, Nguyen Tang Hung, Luong Dieu Phuong, Huynh Thien Tam
*Hebrew: [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew Project]] -- [https://www.owasp.org/images/c/cd/OWASP_Top_10_Heb.pdf OWASP Top 10 2010 - Hebrew PDF]. Lead by Or Katz, see translation page for list of contributors.

= Project Details =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{{:GPC_Project_Details/OWASP_Top10 | OWASP Project Identification Tab}}

= Some Commercial & OWASP Uses of the Top 10 =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

'''Warning''': these articles have not been rated for accuracy by OWASP. Product companies should be extremely careful about claiming to "cover" or "ensure compliance" with the OWASP Top 10. The current state-of-the-art for automated detection (scanners and static analysis) and prevention (WAF) is nowhere near sufficient to claim adequate coverage of the issues in the Top 10. Nevertheless, using the Top 10 as a simple way to communicate security to end users is effective.

;[https://blogs.microsoft.com/microsoftsecure/2008/05/01/sdl-and-the-owasp-top-ten/ Microsoft]
:as a way to measure the coverage of their SDL and improve security

;[https://www.pcisecuritystandards.org/index.shtml PCI Council]
:as part of the Payment Card Industry Data Security Standard (PCI DSS)

;[http://msdn.microsoft.com/en-us/library/dd129898.aspx Microsoft]
:to show how "T10 threats are handled by the security design and test procedures of Microsoft"

;[[OWASP_Top_10/Mapping_to_WHID | OWASP]]
:OWASP Top 10 Mapped to the Web Hacking Incident Database

;[[OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks | OWASP]]
:OWASP Mobile Top 10 Risks

;[[OWASP_Top_Ten_Cheat_Sheet | OWASP]]
:OWASP Top 10 Cheat Sheet

__NOTOC__ <headertabs />

[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]][[Category:Popular]][[Category:SAMM-EG-1]]

Category:OWASP Top Ten Project

2017-11-05T23:52:20Z

Brianglas: Updated the text to reflect current status.

=Main=
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div>
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Top 10 2017 RC2 Released==
RC2 is now [https://github.com/OWASP/Top10/blob/master/2017/OWASP%20Top%2010%202017%20RC2%20Final.pdf available for download]. In an ongoing effort to be transparent, we are asking for all comments to be made on the project's [https://github.com/OWASP/Top10/issues GitHub issues list].

== OWASP Top 10 2017 - Industry survey open and data call completed==

* A big thank you to all industry professionals who completed this [https://goo.gl/forms/ltbKrdYrp4Qdl7Df2 <u>survey for new vulnerability categories</u>] to help determine up to two items in the 2017 Top 10. The deadline for the survey was <span style="background:yellow;"><b>18 September, 2017</b></span>.
* The data call for the 2017 Top 10 had been reopened, a bit thank you to all the contributors. The [https://goo.gl/forms/tLgyvK9O74r7wMkt2 <u>call for data</u>] is now closed. The deadline for the extended data call was <span style="background:yellow;"><b>18 September, 2017</b></span>.
This [https://owasp.blogspot.com/2017/08/owasp-top-10-2017-project-update.html <u>OWASP blog posting</u>] describes the process in detail.

==OWASP Top 10 2017 – RC1 rejected==

During the [https://owaspsummit.org/website/ <u>OWASP Summit 2017</u>], several sessions took place discussing many different aspects of the OWASP Top 10, for example, governance and validation, the data collection process, data assessment and review of the new suggested A7 and A10.
Main [https://owaspsummit.org/Outcomes/Owasp-Top-10-2017/Owasp-Top-10-2017.html <u>outcomes of the OWASP Summit</u>] include:
* RC1 of the OWASP Top 10 2017 has been rejected
* A1, A2, A3, A4, A5, A6, A8, A9 have been left untouched by consensus view
* Requirement to choose two additional items (-> see OWASP Top 10 2017 - Industry survey open and data call reopened)
* Feedback on the mailing list has been moved to the [https://github.com/OWASP/Top10/issues <u>issues list</u>] in GitHub, please continue to contribute feedback there.
* The new OWASP Top 10 2017 is to be released in late November 2017.
* New project leadership put in place.


==OWASP Top 10 Most Critical Web Application Security Risks==

The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.

We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications minimize these risks. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.

==Translation Efforts==

The OWASP Top 10 has been translated to many different languages by numerous volunteers. These translations are available as follows:

* [[Top10#OWASP_Top_10_for_2013 | All versions of the OWASP Top 10 - 2013]]
* [[Top10#OWASP_Top_10_for_2010 | All versions of the OWASP Top 10 - 2010]]
* [[Top10#Translation_Efforts_2 | Information about the various translation teams]]

==Licensing==
The OWASP Top 10 is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

{{Social Media Links}}
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Top 10? ==

The OWASP Top 10 provides:

* '''A list of the 10 Most Critical Web Application Security Risks'''

For each Risk it provides:
* A description
* Example vulnerabilities
* Example attacks
* Guidance on how to avoid
* References to OWASP and other related resources

== Project Leaders ==

* [[User:vanderaj | Andrew van der Stock]]
* [[User:Neil_Smithline | Neil Smithline]]
* [[User:T.Gigler | Torsten Gigler]]
* [[User:Brianglas | Brian Glas]]

== Related Projects ==

* [[OWASP_Mobile_Security_Project#Top_Ten_Mobile_Risks | OWASP Mobile Top 10 Risks]]

* [[OWASP_Top_Ten_Cheat_Sheet | OWASP Top 10 Cheat Sheet]]

* [[OWASP_Proactive_Controls | Top 10 Proactive Controls]]

* [[OWASP_Top_10/Mapping_to_WHID | OWASP Top 10 Mapped to the Web Hacking Incident Database]]

== Ohloh ==

*https://www.ohloh.net/p/OWASP-Top-10

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==
* [[Media:OWASP_Top_10_2017_RC2_Final.pdf | OWASP Top 10 2017 RC2 - PDF]]
* [[Media:OWASP_Top_10_-_2013.pdf | OWASP Top 10 2013 - PDF]]
* [[Top_10_2013 | OWASP Top 10 2013 - wiki]]
* [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP_Top-10_2013%20-%20Presentation.pptx OWASP Top 10 2013 Presentation - Covering Each Item in the Top 10 (PPTX)].

== Get Involved ==
* [https://lists.owasp.org/mailman/listinfo/Owasp-topten Project Email List]
* [https://github.com/OWASP/Top10/issues Top 10 Issues on GitHub]

== News and Events ==
* [11 Jul 2017] OWASP Top 10 2017 – The appeal for data and opinions is still open
* [10 Apr 2017] OWAP Top 10 - 2017 Release Candidate Published
* [17 Dec 2016] OWASP Top 10 - 2017 Data Call Data Published
* [20 May 2016] OWASP Top 10 - 2017 Data Call Announced
* [12 Jun 2013] OWASP Top 10 - 2013 Final Released
* [Feb 2013] OWASP Top 10 - 2013 - Release Candidate Published

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= OWASP Top 10 for 2017 Release Candidate 2 =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

RC2 is available for download [https://github.com/OWASP/Top10/blob/master/2017/OWASP%20Top%2010%202017%20RC2%20Final.pdf from GitHub].

We have worked extensively to validate the methodology, obtained a great deal of data on over 114,000 apps, and obtained qualitative data via survey by 550 community members on the two new categories – insecure deserialization and insufficient logging and monitoring.

We strongly urge for any corrections or issues to be made on the project's [https://github.com/OWASP/Top10/issues GitHub issue list].

Through public transparency, we provide traceability and ensure that all voices are heard during this final month before publication.

(We will be reaching out to translators shortly.)

Andrew van der Stock<br/>
Brian Glas<br/>
Neil Smithline<br/>
Torsten Gigler<br/>

==Historical/Outdated Information - for historical reference only==
The 2017 OWASP Top 10 RC1 has been rejected. A [https://goo.gl/forms/ltbKrdYrp4Qdl7Df2 new survey for security professionals] and a [https://goo.gl/forms/tLgyvK9O74r7wMkt2 reopened data call] are now open. More details can be found on [https://owasp.blogspot.com/2017/08/owasp-top-10-2017-project-update.html this blog post].

The release candidate for public comment was published 10 April 2017 and can be [https://github.com/OWASP/Top10/raw/master/2017/drafts/OWASP%20Top%2010%20-%202017%20RC1-English.pdf downloaded here.]. OWASP plans to release the final OWASP Top 10 - 2017 in July or August 2017 after a public comment period ending June 30, 2017.

Constructive comments on this [https://github.com/OWASP/Top10/raw/master/2017/drafts/OWASP%20Top%2010%20-%202017%20RC1-English.pdf OWASP Top 10 - 2017 Release Candidate] should be forwarded via email to the [https://lists.owasp.org/mailman/listinfo/Owasp-topten OWASP Top 10 Project Email List]. Private comments may be sent to [mailto:vanderaj@owasp.org Andrew van der Stock]. Anonymous comments are welcome. All non-private comments will be catalogued and published at the same time as the final public release. Comments recommending changes to the Top 10 should include a complete suggested list of changes, along with a rationale for each change. All comments should indicate the specific relevant page and section.

This release of the OWASP Top 10 marks this project’s fourteenth year of raising awareness of the importance of application security risks. This release follows the 2013 update, whose main change was the addition of 2013-A9 Use of Known Vulnerable Components. We are pleased to see that since the 2013 Top 10 release, a whole ecosystem of both free and commercial tools have emerged to help combat this problem as the use of open source components has continued to rapidly expand across practically every programming language. The data also suggests the use of known vulnerable components is still prevalent, but not as widespread as before. We believe the awareness of this issue the Top 10 - 2013 generated has contributed to both of these changes.

We also noticed that since CSRF was introduced to the Top 10 in 2007, it has dropped from a widespread vulnerability to an uncommon one. Many frameworks include automatic CSRF defenses which has significantly contributed to its decline in prevalence, along with much higher awareness with developers that they must protect against such attacks.

For 2017, the OWASP Top 10 Most Critical Web Application Security Risks (in the Release Candidate) are:

* A1 Injection
* A2 Broken Authentication and Session Management
* A3 Cross-Site Scripting (XSS)
* A4 Broken Access Control (As it was in 2004)
* A5 Security Misconfiguration
* A6 Sensitive Data Exposure
* A7 Insufficient Attack Protection (NEW)
* A8 Cross-Site Request Forgery (CSRF)
* A9 Using Components with Known Vulnerabilities
* A10 Underprotected APIs (NEW)

== 2017 Update Data Call Data ==

DATA CALL RESULTS ARE NOW PUBLIC: The [https://github.com/OWASP/Top10/blob/master/2017/datacall/OWASP%20Top%2010%20-%202017%20Data%20Call-Public%20Release.xlsx?raw=true results of this data call have been made public here] as an Excel spreadsheet with 4 tabs. Three of the tabs have raw data as submitted, organized into three vulnerability data size categories: large, small, and none. A 4th tab includes some basic analysis of the large size submissions. The OWASP Top 10 project thanks all the submitters for their input to the OWASP Top 10 - 2017.

On May 20, 2016, the Top 10 project made a public announcement of the data call for the 2017 update to the OWASP Top 10. Contributors filled out the Google form posted here: [https://docs.google.com/forms/d/1sBMHN5nBicjr5xSo04xkdP5JlCnXFcKFCgEHjwPGuLw/viewform?c=0&w=1&usp=mail_form_link OWASP Top 10 - 2017 Data Call], which had the questions listed below.

Page 1 of 5: Submitter Info

* Name of Company/Organization *
* Company/Organization Web Site *
* Point of Contact Name *
* Point of Contact E-Mail *

Page 2 of 5: Background on Applications

* During what year(s) was this data collected? *
** 2014
** 2015
** Both 2014 & 2015
*** If the application vulnerability data you are submitting was extracted from a publicly available report, please provide a link to that report (or reports), and the relevant page number(s)

* How many web applications do the submitted results cover? * We consider web apps, web services, and the server side of mobile apps to all be web apps.

* What were the primary programming languages the applications you reviewed written in? Primary being 5% or more of the supplied results - Check all that apply
** Java
** .NET
** Python
** PHP
** Ruby
** Grails
** Play
** Node.js
** Other:

* Please supply the exact percentage of applications per language checked off above:

* What were the primary industries these applications supported? Primary being 5% or more of the supplied results - Check all that apply
** Financial
** Healthcare
** eCommerce
** Internet/Social Media
** Airline
** Energy
** Entertainment (Games/Music/Movies)
** Government
** Other:

* Where in the world were the application owners primarily? Again - select those where 5% or more of your results came from
** North America
** Europe
** AsiaPac
** South America
** Middle East
** Africa
** Other:

Page 3 of 5: Assessment Team and Detection Approach

* What type of team did the bulk of this work? *
** Internal Assessment Team(s)
** Consulting Organization
** Product Vendor/Service Provider (e.g., SaaS)
** Other:

*What type of analysis tools do they use? * Check all that apply.
** Free/Open Source Static Application Security Testing (SAST) Tools
** Free/Open Source Dynamic Application Security Testing (DAST) Tools
** Free/Open Source Interactive Application Security Testing (IAST) Tools
** Commercial Static Application Security Testing (SAST) Tools
** Commercial Dynamic Application Security Testing (DAST) Tools
** Commercial Interactive Application Security Testing (IAST) Tools
** Commercial DAST/IAST Hybrid Analysis Tools
** Other:

* Which analysis tools do you frequently use? This includes both free, commercial, and custom (in house) tools - List tools by name

* What is your primary assessment methodology? * Primary being the majority of your assessments follow this approach
** Raw (untriaged) output of automated analysis tool results using default rules
** Automated analysis tool results - with manual false positive analysis/elimination
** Output from manually tailored automated analysis tool(s)
** Output from manually tailored automated analysis tool(s) - with manual false positive analysis/elimination
** Manual expert penetration testing (Expected to be tool assisted w/ free DAST tool(s))
** Manual expert penetration testing with commercial DAST tool(s)
** Manual expert code review (Using IDE and other free code review aids)
** Manual expert code review with commercial SAST tool(s)
** Combined manual expert code review and penetration testing with only free tools
** Combined manual expert code review and penetration testing with only commercial tools
** Other:

Page 4 of 5: Application Vulnerability Data

Each question asks the number of vulnerabilities found for a particular type of vulnerability. At the end, is one catch all text question where you can add other types of vulnerabilities and their counts. If you prefer, just send your vulnerability data in a spreadsheet to brian.glas@owasp.org with these columns: CATEGORY NAME, CWE #, COUNT after you submit the rest of your input via this data call. ideally it would come from the email address you specified in the Point of Contact E-Mail question on Page 1 so its easy to correlate the two.

* Number of SQL Injection Vulnerabilities Found (CWE-89)?
* Number of Hibernate Injection Vulnerabilities Found (CW-564)?
* Number of Command Injection Vulnerabilities Found (CWE-77)?
* Number of Authentication Vulnerabilities Found (CWE-287)?
* Number of Session Fixation Vulnerabilities Found (CWE-384)?
* Number of Cross-Site Scripting (XSS) Vulnerabilities Found (CWE-79)?
* Number of DOM-Based XSS Vulnerabilities Found (No CWE)?
* Number of Insecure Direct Object Reference Vulnerabilities Found (CWE-639)?
* Number of Path Traversal Vulnerabilities Found (CWE-22)?
* Number of Missing Authorization Vulnerabilities Found (CWE-285)?
* Number of Security Misconfiguration Vulnerabilities Found (CWE-2)?
* Number of Cleartext Transmission of Sensitive Information Vulnerabilities Found (CWE-319)?
* Number of Cleartext Storage of Sensitive Information Vulnerabilities Found (CWE-312)?
* Number of Weak Encryption Vulnerabilities Found (CWE-326)?
* Number of Cryptographic Vulnerabilities Found (CWEs-310/326/327/etc)?
** You can report them all lumped together in 310 or in their individual categories. However you want.
* Number of Improper (Function Level) Access Control Vulnerabilities Found (CWE-285)?
* Number of Cross-Site Request Forgery (CSRF) Vulnerabilities Found (CWE-352)?
* Number of Use of Known Libraries Found (No CWE)?
* Number of Unchecked Redirect Vulnerabilities Found (CWE-601)?
* Number of Unvalidated Forward Vulnerabilities Found (No CWE)?
* Number of Clickjacking Vulnerabilities Found (No CWE)?
* Number of XML eXternal Entity Injection (XXE) Vulnerabilities Found (CWE-611)?
* Number of Server-Side Request Forgery (SSRF) Vulnerabilities Found (CWE-918)?
* Number of Denial of Service (DOS) Vulnerabilities Found (CWE-400)?
* Number of Expression Language Injection Vulnerabilities Found (CWE-917)?
* Number of Error Handling Vulnerabilities Found (CWE-388)?
* Number of Information Leakage/Disclosure Vulnerabilities Found (CWE-200)?
* Number of Insufficient Anti-automation Vulnerabilities Found (CWE-799)?
* Number of Insufficient Security Logging Vulnerabilities Found (CWE-778)?
* Number of Insufficient Intrusion Detection and Response Vulnerabilities Found (No CWE)?
* Number of Mass Assignment Vulnerabilities Found (CWE-915)?
* What other vulnerabilities did you find?
** Please provide in this format: CATEGORY NAME, CWE #, COUNT (one line per category). Say "No CWE" if there isn't a CWE # for that category. If you plan to send all your vulnerability data in via an email, please state so here so we know to expect it.

Page 5 of 5: Suggestions for the next OWASP Top 10

What do you think we should change?

* Vulnerability types you think should be added to the T10? Because they are an unappreciated risk, widespread, becoming more prevalent, a new type of vulnerability, etc.
* Vulnerability types you think should be removed from the T10?
* Suggested changes to the Top 10 Document/Wiki?
* Suggestions on how to improve this call for data?

== Project Sponsors ==

The OWASP Top 10 project is sponsored by {{MemberLinks|link=https://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}

= OWASP Top 10 for 2013 =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

On June 12, 2013 the OWASP Top 10 for 2013 was officially released. This version was updated based on numerous comments received during the comment period after the release candidate was released in Feb. 2013.

* [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202013.pdf OWASP Top 10 2013 document (PDF)].
* [[Top_10_2013 | OWASP Top 10 2013 - Wiki.]]
* [https://www.owasp.org/images/6/6a/OWASP_TOP_10_2013_Arabic.pdf OWASP Top 10 2013 - Arabic (PDF)].
* [https://www.owasp.org/images/5/51/OWASP_Top_10_2013-Chinese-V1.2.pdf OWASP Top 10 2013 - Chinese (PDF)].
* [https://www.owasp.org/images/f/f3/OWASP_Top_10_-_2013_Final_-_Czech_V1.1.pdf OWASP Top 10 2013 - Czech (PDF)].
* [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French (PDF)].
* [[media:OWASP_Top_10_2013_DE_Version_1_0.pdf | OWASP Top 10 2013 - German (PDF)]]
* [[OWASP_Top10_Hebrew|OWASP Top 10 2013 - Hebrew]] [https://www.owasp.org/images/1/1b/OWASP_Top_10_2013-Hebrew.pdf (PDF)]
* [https://www.owasp.org/images/c/c9/OWASP_Top_10_-_2013_-_Italiano.pdf OWASP Top 10 2013 - Italian (PDF)]
* [https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf OWASP Top 10 2013 - Japanese (PDF)].
* [https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korea (PDF)].
* [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)].
* [https://www.owasp.org/images/5/5f/OWASP_Top_10_-_2013_Final_-_Espa%C3%B1ol.pdf OWASP Top 10 2013 - Spanish (PDF)]
* [https://www.owasp.org/images/e/e3/OWASP_Top_10_-_2013_Final_Ukrainian.pdf OWASP Top 10 2013 - Ukrainian (PDF)]
* [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP_Top-10_2013%20-%20Presentation.pptx OWASP Top 10 2013 Presentation - Presenting Each Item in the Top 10 (PPTX)].

For 2013, the OWASP Top 10 Most Critical Web Application Security Risks are:

* [[Top_10_2013-A1-Injection | A1 Injection]]
* [[Top_10_2013-A2-Broken_Authentication_and_Session_Management | A2 Broken Authentication and Session Management]]
* [[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3 Cross-Site Scripting (XSS)]]
* [[Top_10_2013-A4-Insecure_Direct_Object_References | A4 Insecure Direct Object References]]
* [[Top_10_2013-A5-Security_Misconfiguration | A5 Security Misconfiguration]]
* [[Top_10_2013-A6-Sensitive_Data_Exposure | A6 Sensitive Data Exposure]]
* [[Top_10_2013-A7-Missing_Function_Level_Access_Control | A7 Missing Function Level Access Control]]
* [[Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) | A8 Cross-Site Request Forgery (CSRF)]]
* [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9 Using Components with Known Vulnerabilities]]
* [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards | A10 Unvalidated Redirects and Forwards]]

If you are interested, the methodology for how the Top 10 is produced is now documented here: [[Top_10_2013/ProjectMethodology | OWASP Top 10 Development Methodology]]

Please help us make sure every developer in the ENTIRE WORLD knows about the OWASP Top 10 by helping to spread the word!!!

As you help us spread the word, please emphasize:

*OWASP is reaching out to developers, not just the application security community
*The Top 10 is about managing risk, not just avoiding vulnerabilities
*To manage these risks, organizations need an application risk management program, not just awareness training, app testing, and remediation

We need to encourage organizations to get off the penetrate and patch mentality. As Jeff Williams said in his 2009 OWASP AppSec DC Keynote: “we’ll never hack our way secure – it’s going to take a culture change” for organizations to properly address application security.

== Introduction ==

The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. Versions of the 2007 and 2010 version were translated into English, French, Spanish, Japanese, Korean and Turkish and other languages. The 2013 version was translated into even more languages.

We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications minimize these risks. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.

== Changes between 2010 and 2013 Editions ==

The OWASP Top 10 - 2013 includes the following changes as compared to the 2010 edition:

* A1 Injection
* A2 Broken Authentication and Session Management (was formerly 2010-A3)
* A3 Cross-Site Scripting (XSS) (was formerly 2010-A2)
* A4 Insecure Direct Object References
* A5 Security Misconfiguration (was formerly 2010-A6)
* A6 Sensitive Data Exposure (2010-A7 Insecure Cryptographic Storage and 2010-A9 Insufficient Transport Layer Protection were merged to form 2013-A6)
* A7 Missing Function Level Access Control (renamed/broadened from 2010-A8 Failure to Restrict URL Access)
* A8 Cross-Site Request Forgery (CSRF) (was formerly 2010-A5)
* A9 Using Components with Known Vulnerabilities (new but was part of 2010-A6 – Security Misconfiguration)
* A10 Unvalidated Redirects and Forwards

== Other 2013 Top 10 Docs ==

*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202013%20-%20RC1.pdf OWASP Top 10 - 2013 - Release Candidate]
*[https://www.owasp.org/images/3/3d/OWASP_Top_10_-_2013_Final_Release_-_Change_Log.docx OWASP Top 10 - 2013 - Final Release - Change Log (docx)]
* [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP_Top-10_2013%20-%20Changes-from-2010.pptx Focusing on What Changed Since 2010 (PPTX)]

[[File:OWASP_Web_Top_10_for_2013.png]]

== Feedback ==

Please let us know how your organization is using the OWASP Top 10. Include your name, organization's name, and brief description of how you use the list. Thanks for supporting OWASP!

We hope you find the information in the OWASP Top 10 useful. Please contribute back to the project by sending your comments, questions, and suggestions to topten@lists.owasp.org. Thanks!

To join the OWASP Top 10 mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-topten subscription page.]

== Project Sponsors ==

The OWASP Top 10 project is sponsored by {{MemberLinks|link=https://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}



= OWASP Top 10 for 2010 =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

On April 19, 2010 the final version of the OWASP Top 10 for 2010 was released, and here is the associated [[OWASPTop10-2010-PressRelease|press release]]. This version was updated based on numerous comments received during the comment period after the release candidate was released in Nov. 2009.

*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 - 2010 Document]
*[[Top 10 2010|OWASP Top 10 - 2010 - wiki]]
*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP_Top_10_-_2010%20Presentation.pptx OWASP Top 10 - 2010 Presentation]
*[http://blip.tv/owasp-appsec-conference-in-europe/day2_track1_1430-1505-3936900 OWASP Top 10 Video of the Presentation above - this focused alot on the Top 10 for 2010 approach, rather than the details. (From OWASP AppSec EU 2010)]
*[http://www.vimeo.com/9006276 OWASP Top 10 Video of this Presentation when the Top 10 for 2010 was 1st released for comment - this goes through each item in the Top 10. (From OWASP AppSec DC 2009)]

For 2010, the OWASP Top 10 Most Critical Web Application Security Risks are:

*[[Top_10_2010-A1|A1: Injection]]
*[[Top_10_2010-A2|A2: Cross-Site Scripting (XSS)]]
*[[Top_10_2010-A3|A3: Broken Authentication and Session Management]]
*[[Top_10_2010-A4|A4: Insecure Direct Object References]]
*[[Top_10_2010-A5|A5: Cross-Site Request Forgery (CSRF)]]
*[[Top_10_2010-A6|A6: Security Misconfiguration]]
*[[Top_10_2010-A7|A7: Insecure Cryptographic Storage]]
*[[Top_10_2010-A8|A8: Failure to Restrict URL Access]]
*[[Top_10_2010-A9|A9: Insufficient Transport Layer Protection]]
*[[Top_10_2010-A10|A10: Unvalidated Redirects and Forwards]]

== Introduction ==

The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. Versions of the 2007 were translated into English, French, Spanish, Japanese, Korean and Turkish and other languages and the 2010 version was translated into even more languages. See below for all the translated versions.

== 2010 Versions ==

2010 Edition:

*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 2010 - PDF]
*[[Top 10 2010|OWASP Top 10 2010 - wiki]]

2010 Translations:

*[https://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF / 这里下载PDF格式文档]
*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF]
*[[media:OWASPTop10_2010_DE_Version_1_0.pdf | OWASP Top 10 2010 - German PDF]]
*[https://www.owasp.org/images/c/cd/OWASP_Top_10_Heb.pdf OWASP Top 10 2010 - Hebrew PDF]
*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF]
*[https://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF]
*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF]
*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF]
*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF]
*[https://www.owasp.org/images/8/86/OWASP_Top_10_-_2010_FINAL_%28spanish%29.pptx OWASP Top 10 2010 - Spanish PPT]
*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF]

2010 Release Candidate:

*[https://www.owasp.org/index.php/File:OWASP_T10_-_2010_rc1.pdf OWASP Top 10 2010 Release Candidate]
*[https://www.owasp.org/images/e/e1/OWASP_Top_10_RC-Public_Comments.docx OWASP Top 10 2010 Release Candidate Comments], except for one set of scanned comments [https://www.owasp.org/images/2/2e/OWASP_T10_-_2010_rc1_cmts_Kai_Jendrian.pdf which are here].

Previous versions:

*[https://www.owasp.org/images/e/e8/OWASP_Top_10_2007.pdf OWASP Top 10 2007 - PDF]
*[[Top 10 2007|OWASP Top 10 2007 - wiki]]
*[https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=Project_Details OWASP Top 10 2007 - PDF Translations are here]
*[[Top 10 2004|OWASP Top 10 2004 - wiki]]

= Translation Efforts =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

The 2017 RC1 has been rejected. There will be an RC2 coming out shortly. As RC2 may have significant changes from RC1, we suggest that you wait for RC2 before continuing your translation efforts.

If you are interested in helping, please contact the members of the team for the language you are interested in contributing to, or if you don't see your language listed, please email owasp-topten@lists.owasp.org to let us know that you want to help and we'll form a volunteer group for your language.

Here is the original source document for the [https://github.com/OWASP/Top10/raw/master/2017/drafts/OWASP%20Top%2010%20-%202017%20RC1-English.pptx OWASP Top 10 - 2017 '''Release Candidate''' which is in PowerPoint].

2017 Release Candidate Translation Teams:

* French: Ludovic Petit: Ludovic.Petit@owasp.org, Sébastien Gioria: Sebastien.Gioria@owasp.org.
* Chinese: 王颉、包悦忠、Rip、顾凌志、王厚奎、王文君、吴楠、夏天泽、夏玉明、杨天识、袁明坤、张镇(排名不分先后，按姓氏拼音排列) [https://www.owasp.org/images/8/8f/OWASP_Top_10_2017（RC1）中文版（V1.0）.pdf OWASP Top10 2017 RC1 - Chinese PDF]
* Azerbaijanian: Rashad Aliyev (rashad@aliev.info)
* Others to be listed.

2013 Completed Translations:

* Arabic: [https://www.owasp.org/images/6/6a/OWASP_TOP_10_2013_Arabic.pdf OWASP Top 10 2013 - Arabic PDF] Translated by: Mohannad Shahat: Mohannad.Shahat@owasp.org, Fahad: @SecurityArk, Abdulellah Alsaheel: cs.saheel@gmail.com, Khalifa Alshamsi: Khs1618@gmail.com and Sabri(KING SABRI): king.sabri@gmail.com, Mohammed Aldossary: mohammed.aldossary@owasp.org
* Chinese 2013：中文版2013 [https://www.owasp.org/images/5/51/OWASP_Top_10_2013-Chinese-V1.2.pdf OWASP Top 10 2013 - Chinese (PDF)]. 项目组长： Rip 王颉，参与人员：陈亮、顾庆林、胡晓斌、李建蒙、王文君、杨天识、张在峰
* Czech 2013: [https://www.owasp.org/images/f/f3/OWASP_Top_10_-_2013_Final_-_Czech_V1.1.pdf OWASP Top 10 2013 - Czech (PDF)] [https://www.owasp.org/images/0/02/OWASP_Top_10_-_2013_Final_-_Czech_V1.1.pptx OWASP Top 10 2013 - Czech (PPTX)] CSIRT.CZ - CZ.NIC, z.s.p.o. (.cz domain registry): Petr Zavodsky: petr.zavodsky@owasp.org, Vaclav Klimes, Zuzana Duracinska, Michal Prokop, Edvard Rejthar, Pavel Basta
*French 2013: [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French PDF] Ludovic Petit: Ludovic.Petit@owasp.org, Sébastien Gioria: Sebastien.Gioria@owasp.org, Erwan Abgrall: g4l4drim@gmail.com, Benjamin Avet: benjamin.avet@gmail.com, Jocelyn Aubert: jocelyn.aubert@owasp.org, Damien Azambour: damien.azambourg@owasp.org, Aline Barthelemy: aline.barthelemy@fr.abb.com, Moulay Abdsamad Belghiti: abdsamad.belghiti@gmail.com, Gregory Blanc: gregory.blanc@gmail.com, Clément Capel: clement.capel@sfr.com, Etienne Capgras: Etienne.capgras@solucom.fr, Julien Cayssol: julien@aqwz.com, Antonio Fontes: antonio.fontes@owasp.org, Ely de Travieso: Ely.detravieso@owasp.org, Nicolas Grégoire: nicolas.gregoire@agarri.fr, Valérie Lasserre: valerie.lasserre@gmx.fr, Antoine Laureau: antoine.laureau@owasp.org, Guillaume Lopes: lopes.guillaume@free.fr, Gilles Morain: gilles.morain@gmail.com, Christophe Pekar: christophe.pekar@owasp.org, Olivier Perret: perrets@free.fr, Michel Prunet: michel.prunet@owasp.org, Olivier Revollat: revollat@gmail.com, Aymeric Tabourin: aymeric.tabourin@orange.com
* German 2013: [[media:OWASP_Top_10_2013_DE_Version_1_0.pdf | OWASP Top 10 2013 - German PDF]] top10@owasp.de which is Frank Dölitzscher, Torsten Gigler, Tobias Glemser, Dr. Ingo Hanke, Thomas Herzog, [[User:Kai_Jendrian|Kai Jendrian]], [[User:Ralf_Reinhardt|Ralf Reinhardt]], Michael Schäfer
* Hebrew 2013: [[OWASP_Top10_Hebrew|OWASP Top 10 2013 - Hebrew]] [https://www.owasp.org/images/1/1b/OWASP_Top_10_2013-Hebrew.pdf PDF] Translated by: Or Katz, Eyal Estrin, Oran Yitzhak, Dan Peled, Shay Sivan.
* Italian 2013: [https://www.owasp.org/images/c/c9/OWASP_Top_10_-_2013_-_Italiano.pdf OWASP Top 10 2013 - Italian PDF] Translated by: Michele Saporito: m.saporito7@gmail.com, Paolo Perego: thesp0nge@owasp.org, Matteo Meucci: matteo.meucci@owasp.org, Sara Gallo: sara.gallo@gmail.com, Alessandro Guido: alex@securityaddicted.com, Mirko Guido Spezie: mirko@dayu.it, Giuseppe Di Cesare: giuseppe.dicesare@alice.it, Paco Schiaffella: schiaffella@gmail.com, Gianluca Grasso: giandou@gmail.com, Alessio D'Ospina: alessiodos@gmail.com, Loredana Mancini: loredana.mancini@business-e.it, Alessio Petracca: alessio.petracca@gmail.com, Giuseppe Trotta: giutrotta@gmail.com, Simone Onofri: simone.onofri@gmail.com, Francesco Cossu: hambucker@gmail.com, Marco Lancini: marco.lancini.ml@gmail.com, Stefano Zanero: zanero@elet.polimi.it, Giovanni Schmid: giovanni.schmid@na.icar.cnr.it, Igor Falcomata': koba@sikurezza.org
*Japanese 2013: [https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf OWASP Top 10 2013 - Japanese PDF] Translated by: Chia-Lung Hsieh: ryusuke.tw(at)gmail.com, Reviewed by: Hiroshi Tokumaru, Takanori Nakanowatari
* Korean 2013: [https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korean PDF] (이름가나다순) 김병효:byounghyo.kim@owasp.org, 김지원:jiwon.kim@owasp.or.kr, 김효근:katuri@katuri.kr, 박정훈:xelion@gmail.com, 성영모:youngmo.seong@owasp.or.kr, 성윤기:yune.sung@owasp.org, 송보영:boyoung.song@owasp.or.kr, 송창기:factor7@naver.com, 유정호:griphis77@gmail.com, 장상민:sangmin.jang@owasp.or.kr, 전영재:youngjae.jeon@owasp.org, 정가람:tgcarrot@gmail.com, 정홍순:jhs728@gmail.com, 조민재:johnny.cho@owasp.org,허성무:issimplenet@gmail.com
*Brazilian Portuguese 2013: [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese PDF] Translated by: Carlos Serrão, Marcio Machry, Ícaro Evangelista de Torres, Carlo Marcelo Revoredo da Silva, Luiz Vieira, Suely Ramalho de Mello, Jorge Olímpia, Daniel Quintão, Mauro Risonho de Paula Assumpção, Marcelo Lopes, Caio Dias, Rodrigo Gularte
*Spanish 2013: [https://www.owasp.org/images/5/5f/OWASP_Top_10_-_2013_Final_-_Espa%C3%B1ol.pdf OWASP Top 10 2013 - Spanish PDF] Gerardo Canedo: gerardo.canedo@owasp.org, Jorge Correa: jacorream@gmail.com, Fabien Spychiger: fabien.spychiger@dreamlab.net, Alberto Hill: alberto.daniel.hill@gmail.com, Johnatan Stanley: johnatanst@gmail.com, Maximiliano Alonzo: malonzo@tib.com.uy, Mateo Martinez: mateo.martinez@owasp.org, David Montero: david.montero@owasp.org, Rodrigo Martinez: rodmart@fing.edu.uy, Guillermo Skrilec: guillermo.skrilec@owasp.org, Felipe Zipitria: felipe.zipitria@owasp.org, Fabien Spychiger: fabien.spychiger@dreamlab.net, Rafael Gil: rafael.gillarios@owasp.org, Christian Lopez: christian.lopez.martin@owasp.org, jonathan fernandez jonathan.fernandez04@gmail.com, Paola Rodriguez: Paola_R1@verifone.com, Hector Aguirre: hector.antonio.aguirre@owasp.org, Roger Carhuatocto: rcarhuatocto@intix.info, Juan Carlos Calderon: johnccr@yahoo.com, Marc Rivero López: mriverolopez@gmail.com, Carlos Allendes: carlos.allendes@owasp.org, daniel@carrero.cl: daniel@carrero.cl, Manuel Ramírez: manuel.ramirez.s@gmail.com, Marco Miranda: marco.miranda@owasp.org, Mauricio D. Papaleo Mayada: mpapaleo@gmail.com, Felipe Sanchez: felipe.sanchez@peritajesinformaticos.cl, Juan Manuel Bahamonde: juanmanuel.bahamonde@gmail.com, Adrià Massanet: adriamassanet@gmail.com, Jorge Correa: jacorream@gmail.com, Ramiro Pulgar: ramiro.pulgar@owasp.org, German Alonso Suárez Guerrero: german.suarez@owasp.org, Jose A. Guasch: jaguasch@gmail.com, Edgar Salazar: edgar.salazar@owasp.org
*Ukrainian 2013: [https://www.owasp.org/images/e/e3/OWASP_Top_10_-_2013_Final_Ukrainian.pdf OWASP Top 10 2013 - Ukrainian PDF] Kateryna Ovechenko, Yuriy Fedko, Gleb Paharenko, Yevgeniya Maskayeva, Sergiy Shabashkevich, Bohdan Serednytsky

2010 Completed Translations:

*Korean 2010: [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF] Hyungkeun Park, (mirrk1@gmail.com)
*Spanish 2010: [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF] *Daniel Cabezas Molina , Edgar Sanchez, Juan Carlos Calderon, Jose Antonio Guasch, Paulo Coronado, Rodrigo Marcos, Vicente Aguilera
*French 2010: [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF] ludovic.petit@owasp.org, sebastien.gioria@owasp.org, antonio.fontes@owasp.org, benoit.guerette@owasp.org, Jocelyn.aubert@owasp.org, Eric.Garreau@gemalto.com, Guillaume.Huysmans@gemalto.com
*German: [[media:OWASPTop10_2010_DE_Version_1_0.pdf | OWASP Top 10 2010 - German PDF]] top10@owasp.de which is Frank Dölitzscher, Tobias Glemser, Dr. Ingo Hanke, [[User:Kai_Jendrian|Kai Jendrian]], [[User:Ralf_Reinhardt|Ralf Reinhardt]], Michael Schäfer
*Indonesian: [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF] Tedi Heriyanto (coordinator), Lathifah Arief, Tri A Sundara, Zaki Akhmad
*Italian: [https://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF] Simone Onofri, Paolo Perego, Massimo Biagiotti, Edoardo Viscosi, Salvatore Fiorillo, Roberto Battistoni, Loredana Mancini, Michele Nesta, Paco Schiaffella, Lucilla Mancini, Gerardo Di Giacomo, Valentino Squilloni
*Japanese: [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF] cecil.su@owasp.org, Dr. Masayuki Hisada, Yoshimasa Kawamoto, Ryusuke Sakamoto, Keisuke Seki, Shin Umemoto, Takashi Arima
*Chinese: [https://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF] 感谢以下为中文版本做出贡献的翻译人员和审核人员: Rip Torn, 钟卫林, 高雯, 王颉, 于振东
*Vietnamese: [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF] Translation lead by Cecil Su - Translation Team: Dang Hoang Vu, Nguyen Ba Tien, Nguyen Tang Hung, Luong Dieu Phuong, Huynh Thien Tam
*Hebrew: [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew Project]] -- [https://www.owasp.org/images/c/cd/OWASP_Top_10_Heb.pdf OWASP Top 10 2010 - Hebrew PDF]. Lead by Or Katz, see translation page for list of contributors.

= Project Details =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{{:GPC_Project_Details/OWASP_Top10 | OWASP Project Identification Tab}}

= Some Commercial & OWASP Uses of the Top 10 =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

'''Warning''': these articles have not been rated for accuracy by OWASP. Product companies should be extremely careful about claiming to "cover" or "ensure compliance" with the OWASP Top 10. The current state-of-the-art for automated detection (scanners and static analysis) and prevention (WAF) is nowhere near sufficient to claim adequate coverage of the issues in the Top 10. Nevertheless, using the Top 10 as a simple way to communicate security to end users is effective.

;[https://blogs.microsoft.com/microsoftsecure/2008/05/01/sdl-and-the-owasp-top-ten/ Microsoft]
:as a way to measure the coverage of their SDL and improve security

;[https://www.pcisecuritystandards.org/index.shtml PCI Council]
:as part of the Payment Card Industry Data Security Standard (PCI DSS)

;[http://msdn.microsoft.com/en-us/library/dd129898.aspx Microsoft]
:to show how "T10 threats are handled by the security design and test procedures of Microsoft"

;[[OWASP_Top_10/Mapping_to_WHID | OWASP]]
:OWASP Top 10 Mapped to the Web Hacking Incident Database

;[[OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks | OWASP]]
:OWASP Mobile Top 10 Risks

;[[OWASP_Top_Ten_Cheat_Sheet | OWASP]]
:OWASP Top 10 Cheat Sheet

__NOTOC__ <headertabs />

[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]][[Category:Popular]][[Category:SAMM-EG-1]]

WASPY Awards 2017

2017-07-06T14:32:59Z

Brianglas: Updated user page for Brian Glas

[[File:WASPY 2017 Banner.jpg]]

==Purpose of the Awards==

Each year there are many individuals who do amazing work, dedicating countless hours to share, improve, and strengthen the OWASP mission. Some of these individuals are well known to the community while others are not.

'''The purpose of these awards is to bring recognition to those who "FLY UNDER THE RADAR". These are the individuals who are passionate about OWASP, who contribute hours of their own free time to the organization to help improve the cyber-security world, yet seem to go unrecognized.'''

==Timeline==
Call for Nominees Opens June 7, 2017

Call for Nominees Closes June 30, 2017 - CLOSED

Announcement of Nominees per Category July 5, 2017 - DONE

Deadline for Nominee Profile Picture and Bio to be created and added to the Nominees section July 10, 2017

Voting for Board & Staff Members Opens July 17, 2017

Voting for Board & Staff Members Closes July 24, 2017

Winners are Notified July 25, 2017

Announcement of Winners to the Community July 25, 2017

Award Ceremony at AppSecUSA 2017 in Orlando, FL September 21-22, 2017

==Categories==
The WASPYs celebrate the actors in our community who grow OWASP and drive innovation to the safety and security of the world’s software. This year we are excited to offer three categories.
<br>

'''Best Community Supporter''' - The WASPY for COMMUNITY honors members who create dynamic INTERACTION and LEARNING opportunities for the OWASP Community. Nominees to the Community WASPY Award create collaborative and inclusive environments and grow the OWASP Community. WASPYs focus on the unsung heros of the OWASP community. Chapter Leaders and Community Members should especially consider leaders and volunteers who bring something extra to the environment, help the chapter reach out to new attendees, or carry out the tedious and repetitive tasks that make growing an OWASP Chapter possible.
<br>

'''Best Mission Outreach''' - The WASPY for Mission Outreach honors community members who help the community GROW. Growth can happen inside the larger OWASP community or outside it in the broader AppSec and development communities. Leaders and Members should especially consider volunteers who pushed the boundaries of the audience and reach of OWASP to provide new exposure for OWASP’s projects and chapters. New leaders and volunteers who help bring more people to your chapter, project, or actively represent OWASP at non-OWASP events, gatherings, and activities to build an active OWASP community are ideal candidates for the Mission Outreach WASPY award.
<br>

'''Best Innovator''' - The WASPY for Innovation is given to a community member who has contributed to the TECHNICAL advancement of OWASP in the past year. This advancement is usually through an [[:Category:OWASP Project|OWASP Project]] and can be in the form of code, an application, or anything that materially makes the AppSec community better in a unique way. WASPYs focus on the unsung heros of the OWASP community who quietly go about making the world a bit better for their work. Project Leaders and Community Members should especially consider nominating new projects, projects that have recently graduated, and project contributors for this WASPY.

==Rules==
'''Remember the purpose of these awards is to recognize the UNSUNG HEROS out there, that are barely recognized for their contributions to the OWASP Foundation.'''

1. [https://www.owasp.org/index.php/About_OWASP#2015_Global_Board_Members Board members] may not be nominated

2. [https://www.owasp.org/index.php/About_OWASP#Employees_and_Contractors_of_the_OWASP_Foundation Employees & Contractors] may not be nominated

3. All nominees will remain anonymous until July 3, 2017

4. Anyone can nominate an "unsung hero" who has contributed in some way to OWASP who they feel best fits each category

5. You may only nominate one person per category

=='''And the Nominees Are...'''==
{| border="1" cellpadding="2"
! scope="col" align="center" width="150" |Name
! scope="col" align="center" width="800" |Category & Citation
|-
| align="center" |Aatral Arasu
|'''''Best Community Supporter'''''
"A great leader always there to help responds to emails quickly loves his work works very hard every day very supportive never loses focus strong willed very technical and willing to do things himself to get the job done when asked for something he will get it to you ASAP constant learner open to suggestions and ideas on how to be better respectful honest caring and I am certain HRC will make it big very soon :)"
|-
|Sean Auriti
|'''''Best Community Supporter'''''
"Sean has not only worked as a volunteer in the local chapter building community, his code projects are useful to the mission and his outreach efforts have included funding requests for OWASP Foundation to grow its mission. Sean is a great example of a community member."
|-
|Nicole Becher
|<nowiki/>'''''Best Community Supporter'''''

"Nicole has been an amazing chapter leader. She brings knowledge and experience teaching cybersecurity to the Mentor Initiative, WIA Committee, and projects."
|-
|Ken Belva
|<nowiki/>'''''Best Community Supporter'''''

"Ken is a long time chapter leader of the NYC chapter and a former chapter leader of the Brooklyn Chapter. Ken is always willing to step in and volunteer to help with OWASP initiatives and is a frequent participant in OWASP events as both a volunteer and speaker. Ken has spoken at AppSec USA on XSS techniques (<nowiki>https://www.youtube.com/watch?v=G539NwvpL3I</nowiki>) and is the project lead for the Basic Expression and Lexicon Variation Algorithms project (<nowiki>https://www.owasp.org/index.php/OWASP_Basic_Expression_%26_Lexicon_Variation_Algorithms_(BELVA)_Project)</nowiki>."
|-
|Tony Clarke
|<nowiki/>'''''Best Community Supporter'''''
"Tony has selflessly brought the OWASP dublin chapter to great nights. He has nurtured the chapter to be inclusive and open whilst growing the average attendee count to hundreds. He has spread the word across both security industry and developer industry and has also managed to get various organisations to work together such as ISACA, IISF, ISSA and ISC2. He is a great leader and despite detractors has built the chapter and awareness of software security issues in a strong vendor neutral manner to a great place. Tony is a great example of OWASP and industry leadership."
|-
|Dinis Cruz
|<nowiki/>'''''Best Community Supporter'''''
"Diniz is a fantastic innovator and motivator. As the mastermind and organizer behind the OWASP Summit he has managed to re-energize the OWASP community - many interesting projects would not have happened (or at least, not been that successful) without his passionate work. Besides organizing the event, he also consistently supported project leaders with his experience and ideas."

'''2nd Citation:''' Dinis put ridiculous effort (<nowiki>https://github.com/OWASP/owasp-summit-2017/commits?author=DinisCruz</nowiki>) into the OWASP Summit 2017 and didn't tire promoting this event!
|-
|Christian Folini
|'''''Best Community Supporter'''''

"Christian Folini is very active in the Core Rule Set project community. He responds to a ton of questions submitted by newcomers when they are stuck and he answers expert level questions with stunning detail. He joined Chaim and Walter when they revived the project in 2016 and I heard he had the idea for the famous CRS3 release poster <nowiki>https://modsecurity.org/crs/poster</nowiki> that was shared all over the net. I think it's people like him that give OWASP a human face."
|-
|Joaquin Fuentes
|'''''Best Community Supporter'''''
"In 2015, Joaquin took it upon himself to revive the OWASP Phoenix Chapter. He created a meet-up group to gain broader visibility. Since 2015, the meeting attendance has grown from an average of 15 attendees to over 60! Joaquin dedicates a lot of time and effort into scheduling an impressive variety of presentation topics including safe hacking, vulnerability scanner deep dives, hands on web exploitation CTF, video game hacking and more. I learn something new and cool at every event.

More importantly, Joaquin works hard to foster a friendly, inclusive environment. During our hands-on web exploitation session, Joaquin recruited co-works to assist participants with the Security Shephard challenges so no one felt overwhelmed or impossibly stuck. He always takes the time meet and welcome new members. For example, my 17-year-old son attends meetings with me. He looks up to Joaquin as a mentor for a future information security career because Joaquin encourages his learning and offers career guidance.

I highly recommend Joaquin for a WASPY award!! He is a kind, soft spoken person with a passion for sharing information security and helping others!"

'''2nd Citation:''' "He resurrected the Phoenix chapter and has kept it going with great content."

'''3rd Citation:''' "For all he has done to build up the Phoenix OWASP community. Prior to Joaquin taking point the community in Phoenix was dead. Meetings weren't happening on a regular basis. The prior leaders had done a great job but I think they had burnt out. Joaquin started the community back up and got corporate support from his employer to facilitate not only regular meetings but great meetings with great content. He also implemented MeetUp. I'm not a consistent attendee because of my work/life schedule but I always know when the meetings are happening and what the subject matter will be because of Joaquin utilizing MeetUp."

'''4th Citation:''' "Put simply, due to the efforts of Joaquin Fuentes, the Phoenix chapter has risen from the ashes (some pun intended). Before Joaquin took over the chapter there were consistently between 5-10 persons in attendance, Joaquin himself being one of them, and the chapter only met about every 3 months or so. Since Joaquin took over the chapter, we have had fantastic presenters each month, paid for dinners, along with a collaborative, comfortable, and engaging environment to meet in. Even more impressive the attendance has grown to 60+ consistently. Joaquin isn't even done yet! He is more great ideas and plans for the chapter that will undoubtedly contribute to the continued growth and over all quality of this once fallen chapter. When he speaks of where this chapter has come from and his plans for the future, it is undeniable to all that he does so with the passion that a leader must possess to accomplish that which Joaquin has."

'''5th Citation:''' "I am sure someone else will write in with Joaquin's email, but I felt the need to second his name on the list. The events he puts together are top notch, have excellent speakers, always have things to eat, and are generally excellent. I almost never miss them. He is actually so gracious about the entire chapter that I am sure he does not get the credit he deserves... the whole show is put on by just him, I think. Yay Joaquin!"

'''6th Citation:''' "A few years ago, the Phoenix (AZ) OWASP group was basically defunct. As the leader of the Phoenix OWASP group, not only has Joaquin helped to resurrect the group, but we've had great presentations on reverse engineering, secure coding, a hands-on CTF contest with Security Shepherd, etc. Joaquin is a very visible member of the security community being an employee at Early Warning, which not only hosts the OWASP meetings, but also is a sponsor and makes a strong showing at CactusCon every year, the biggest security conference in Arizona.

Our local OWASP group is not strong, going from being non-existent a few years ago to now getting a regular attendance of 40-80 people. I've gotten to know Joaquin through OWASP meetings and other security events in the area I have crossed paths with him, and he is a fine representative and evangelist for the OWASP organization."

'''7th Citation:''' "Joaquin is the Phoenix OWASP Chapter leader and regularly plans amazing talks with great speakers for the Phoenix Community. Frequently, the Phoenix OWASP talks will have over 50 attendees which Joaquin manages without a problem! Joaquin also pushes for candidates he is interviewing to be familiar with OWASP before their interview."

'''8th Citation:''' "Joaquin is the leader for the Phoenix OWASP, and it is clear that through his leadership the Phoenix OWASP thrives. Joaquin organizes all the meetings, and is constantly working with folks to create an excellent sense of community in the Phoenix area."

'''9th Citation:''' "Joaquin has taken the Phoenix OWASP chapter that had not been managed for years and brought it back to life. We consistently see 50+ members coming to our Meetups to talk about AppSec related topics. Joaquin is well connected to the InfoSec groups and has had great success in pulling in new speakers, we have already had a few speakers who are prepping their BlackHat and DefCon talks by giving their presentations to our local chapter. Finally Joaquin does a great job by reaching out to the local colleges and supporting CTF activities to garner interest in pen-testing and the OWASP community. He is a true community supporter and fully deserves a WASPY for his efforts..."

'''10th Citation:''' "Joaquin has been leading the OWASP Phoenix chapter and due to his initiative, has placed Phoenix on the map as a hub for application security. I would like to nominate him because he is always bringing in new and interesting speakers that provide great content. The most recent OWASP chapter meeting had over 60 attendees!"

'''11th Citation:''' "As a leader of Phoenix OWASP chapter, Joaquin strives to organize talks and trainings to make people in the valley learn InfoSec and AppSec from experienced individuals. He has always gone a step ahead to conduct OWASP meetings that are informative and hands on. Right from giving Arizona State University (ASU) students an overview of basic InfoSec and career opportunities to organizing a hands on hacking workshop for people in the community, Joaquin has always demonstrated passion and determination to take Phoenix to a better place in the field of Cyber Security."

'''12th Citation:''' "I've attended and participated in three OWASP meetings lead by Joaquin. They are always well organized, offer a great learning experience and considerably contribute to the community. His continuous interest and dedication to the Phoenix chapter do not go unnoticed and are appreciated by all who attend."

'''13th Citation:''' "Joaquin restarted the OWASP chapter in Phoenix/Scottsdale. Chapter meetings have grown significantly to where there were about 65 attendees at the most recent meeting with hundreds more on the mailing list (I was at the meeting, but I've only heard about the mailing list). As someone who works with him, I know how dedicated he is to the work of IT security and he's been able to attract top-notch speakers for OWASP meetings.'

'''14th Citation:''' "Joaquin had successfully revived the Phoenix OWASP Chapter. Since, the chapter has excelled from zero to filled audience bringing security talent from all around to speak and educate to security professionals on the many facets of security domains.

Additionally, this has provided a great forum to network with the many security professionals around the community and share their knowledge and strengthen the security community.

Joaquin has provided his unselfish time as an OWASP Chapter leader, and has breathed new life into the Chapter."

'''15th Citation:''' "Joaquin does a bang up job of running the Phoenix OWASP chapter. He does a great job of raising awareness and bringing folks from the infosec community into the fold."

'''16th Citation:''' "Joaquin Fuentes has had a big impact in raising attendance at the Phoenix meetings to more than 100 people monthly. The quality has gotten significantly better under his leadership. He has organized many speakers, including recruiting speakers from out of the area that have significantly developed the knowledge base of the community. Joaquin is a pen testing manager at Early Warning and he shares his professional knowledge to help us all become better in the practice of information security."

'''17th Citation:''' No citation was submitted
|-
|Brendan Gormley
|'''''Best Community Supporter'''''
"Throughout the Brendan has not only assisted in making the dublin chapter events happen but taken a lead role. Brendan has organised venues and speakers for these events often going above and beyond to ensure success. Brendan has also been involved in some of the outreach programs the Dublin chapter had been involved in. No task is too big or too small for Brendan and without him I don't believe the Dublin chapter would be what it is."
|-
|Tanya Janca
|'''''Best Community Supporter'''''
"Tanya Janca has been performing “outreach” and “recruitment of women” as her main chapter leader responsibilities for the Ottawa chapter since 2015. The chapter has not only grown by over 500% in that time, but female membership has grown from 2 female members to over 70 (the chapter has grown for many reasons, some of which are her promotional efforts). Activities include starting a mentoring program that matches senior AppSec members of the community with juniors or people who are hoping to get into Application Security; attending all sorts of technology meetups (but especially female-centric ones) to talk about OWASP and personally invite them to attend; bringing OWASP products, concepts and resources to the Canadian Government (and is currently attempting to sway policy to be more application security focused as we speak); as well as performing over 40 public speaking engagements that describe OWASP as “Your new BFF” as part of the application security lesson she has taught. She has also begun speaking at conferences semi-regularly, singing OWASP’s praises as part of every presentation. She also forms female groups to attend events together, to make them more accessible, such as her all-female team for the Ottawa iHack CTP and “Learn by Breaking things” event in June 2017 and her all female CTF team for OWASP Ottawa’s first CTF in 2015. Her claim of being an “application security evangelist” certainly seems fitting."
|-
|Jeremy Long
|'''''Best Community Supporter'''''
"Jeremy is a dedicated security engineer who contributes to the community as a developer, mentor, contributor and leader. He's one of the smartest people I know - and one of the few who has patience with "the rest of us". He is generous with his time and knowledge, helping not only to contribute apps and resources, but to build up the community itself."
|-
|Akash Mahajan
|'''''Best Community Supporter'''''
"Akash has been backbone of OWASP bangalore chapter he has done lot of work for evangelizing OWASP. For more than 7 years now he has been working with the chapter and mentored lot of folks. No wonder he is called "the web app security guy"."
|-
|Dhiraj Mishra
|'''''Best Community Supporter'''''
"Dhiraj Mishra - has been contributed and volunteered to, OWASP Mumbai Student chapter and Mumbai local chapter.

He has endorse students to be part of multiple open community, however been an Sudent Chapter leader for OWASP he has discussed and shared multiple Information Security topics start from the scratch and spreading the idea's and awareness via chapter Meets, he has taken multiple session in NULL as well which runs with OWASP local chapter Mumbai, recently he invited Mozilla Club Mumbai to student chapter so that students can go to their area of interest, he always pushup/boost women in infosec. Apart from this he has taken various sessions in different colleges and have shared knowledge about Cyber Security."
|-
|Denise Murtagh-Dunne
|'''''Best Community Supporter'''''
"Denise has been a hugely active member of the Dublin chapter and has been involved in all chapter meeting throughout the year and is ever keen to role up her sleeves and get stuck into work that others shy away from. This includes everything from setting up the meeting tools, organising venues, working with sponsors, getting speakers and assisting speakers in the run up and during events. She's been a very positively influence on the community and chapter and has encouraged other people to get involved. She's constantly updating and posting content on our social media accounts and making sure our members get relevant and interesting content. While in full time employment, Denise gives up family time to contribute to the chapter and ensure OWASP Dublin remains a vibrant and relevant group that engages the developer and security community locally."
|-
|[[User:Owen_Pendlebury|Owen Pendlebury]]
|'''''Best Community Supporter'''''
"Owen Pendlebury has been a key local OWASP volunteer over the last number of years. From being on the local Dublin chapter board to leading the Dublin chapter he regularly hosted and spoke at numerous collaborative and insightful security meetups.

He has also been involved in organising AppSec EU in Rome and more recently co-organised the Belfast conference which was the biggest ever EU conference. As part of organising the conference in Belfast he negotiated that all chapters within Ireland would benefit financially getting a percentage of the conference profits to allow the chapters to bring bigger, better and more collaborative meetings to the Irish OWASP community and grow the communities across the country.

I don’t know where he has found the time but has also been part of the Women in AppSec committee mentoring a number of individuals throughout the year. He took part in the Women in AppSec events in Belfast giving some insightful opinions into how improve attendees career. Owen is an asset that helps to improve Ireland's security community’s capabilities with a real can-do attitude."
|-
|Mick Ryan
|'''''Best Community Supporter'''''
"Mick always assists with chapter meetings and works to ensure we give the community good quality sessions. Mick assists will all areas including reaching out to potential speakers, getting info and bios from them, arranging dates and venues, posting on social media and the logistics of the meetings and ensuring speakers have the right cables, meetings run to time, that speakers are happy with everything, taking photos to promote the chapter on social media, encouraging people to speak, printing the chapter and getting people to events! Thanks Mick for your contribution in 2017!"
|-
|[https://www.owasp.org/index.php/Sriram Sriram]
|'''''Best Community Supporter'''''
"[https://www.owasp.org/index.php/Sriram Sriram] has been conducting awareness program to the college students. Sriram has created awareness among 12000 Students without the support of anyone. Sriram has been tremendously supporting the OWASP Chapter by giving trainings to various college student, corporates and various chapters.."
|-
|Michelle Simpson
|'''''Best Community Supporter'''''
"Michelle has done an amazing job with the Belfast chapter and works tirelessly to improve the OWASP community and advocate strong app sec practices. This is very evident from the people attending the chapter events, organisations participating and the very successful AppSecEU conference that was held in Belfast in 2017. Michelle put a huge amount of work and effort into planning and preparation for AppSecEU to ensure the conference was of a high calibre. This was a sustained commitment over the majority of 2017 on top of local chapter commitments. I'd like to nominate Michelle for all the hard work and effort she puts into the chapter. Thanks Michelle!"
|-
|Steve Springett
|'''''Best Community Supporter'''''

"Steve has been a tremendous supporter of the OWASP dependency-check project and leader on the related dependency-track platform. He is quick to respond to community question, answering with insightful and accurate responses assisting the community in their use of the dependency-check suite of tools."
|-
|[https://www.owasp.org/index.php/John_Vargas John Vargas]
|'''''Best Community Supporter'''''

"During the last 9 years John, together with a very small group of volunteers, has been making efforts to keep the chapter of Lima, Peru. Performing activities such as monthly meetings, internal trainings and participating actively in the OWASP Latam Tour. For the chapters in Latin America to keep afloat these activities with few resources is something very complicated and deserves recognition."
|-
|Tara Williams
|'''''Best Community Supporter'''''

"Tara cares about integrity, inclusion and transparency, she is passionate about making OWASP a better place for all members of the community. With her talents in communications, she is getting the word out about OWASP's benefits to community members and attracting new members to chapter meetings, especially identifying successful pathways to transition meetup members to full members."
|-
|Aatral Arasu
|'''''Best Mission Outreach'''''
'''"'''A great leader always there to help responds to emails quickly loves his work works very hard every day very supportive never loses focus strong willed very technical and willing to do things himself to get the job done when asked for something he will get it to you ASAP constant learner open to suggestions and ideas on how to be better respectful honest caring and I am certain HRC will make it big very soon :)"
|-
|Sean Auriti
|'''''Best Mission Outreach'''''
"Sean mentors, is a speaker, leads projects, is an active chapter leader and chapter Treasurer, participating in meetup events and a great representative at global, regional and external events."
|-
|Tony Clarke
|'''''Best Mission Outreach'''''
"Tony has grown the chapter over the last year to a point where hundreds of people are attending meetings. The meetings are organised in advance now and have a theme. There were some really interesting people speaking at the chapter meetings including Simon Singh, James Lyne, Brian Honan and Jane Franklin. He has also engaged support from local companies with a lot more attending and sponsoring the chapter. There is a real buzz at chapter meetings and they're not just death by PowerPoint which they had been in the past."
|-
|Christopher Frenz
|'''''Best Mission Outreach'''''

'''"'''Christopher Frenz should be nominated for the Best Mission Outreach WASPY for his work as the Project Lead for the OWASP Anti-Ransomware Guide Project and the OWASP Secure Medical Device Deployment Standard Project. In the wake of WannaCry, anti-ransomware guidance has become more pertinent than ever and the project is regularly updated to keep abreast of the latest ransomware adaptations. Chris regularly shares his anti-ransomware knowledge with the security and healthcare communities and is an advocate for organizations conducting mock ransomware incidents. Chris has shared his knowledge of ransomware protections and of pertinent OWASP resources in numerous venues including articles (<nowiki>https://iapp.org/news/a/why-the-wannacry-outbreak-should-be-a-wake-up-call/</nowiki>) and conference presentations at both the local and international level (<nowiki>https://iapp.org/conference/iapp-canada-privacy-symposium/sessions/?id=a191a000000zrqPAAQ</nowiki>). A Spanish version of the guidance is also available. In addition, he has worked to call attention to the need for healthcare facilities to improve the security of their medical device implementations and is responsible for authoring version 1 of the OWASP Secure Medical Device Deployment Standard. The project has really worked to raise awareness of these issues and has been covered by CSO magazine (<nowiki>http://www.csoonline.com/article/3188230/security/how-to-securely-deploy-medical-devices.html</nowiki>) and other news sources. Chris has given interviews on medical device security for the Cloud Security Alliance and others and will be speaking on medical device security at the Defcon BioHacking Village. Chris is always willing to share his knowledge with all who ask and is an active member of the NYC and Brooklyn OWASP chapters."
|-
|Joaquin Fuentes
|'''''Best Mission Outreach'''''
"For all he has done to build up the Phoenix OWASP community. Prior to Joaquin taking point the community in Phoenix was dead. Meetings weren't happening on a regular basis. The prior leaders had done a great job but I think they had burnt out. Joaquin started the community back up and got corporate support from his employer to facilitate not only regular meetings but great meetings with great content. He also implemented MeetUp. I'm not a consistent attendee because of my work/life schedule but I always know when the meetings are happening and what the subject matter will be because of Joaquin utilizing MeetUp."

'''2nd Citation:''' "Joaquin has been leading the OWASP Phoenix chapter and due to his initiative, has placed Phoenix on the map as a hub for application security. I would like to nominate him because he is always bringing in new and interesting speakers that provide great content. The most recent OWASP chapter meeting had over 60 attendees!"

'''3rd Citation''': "Joaquin Fuentes has had a big impact in raising attendance at the Phoenix meetings to more than 100 people monthly. The quality has gotten significantly better under his leadership. He has organized many speakers, including recruiting speakers from out of the area that have significantly developed the knowledge base of the community. Joaquin is a pen testing manager at Early Warning and he shares his professional knowledge to help us all become better in the practice of information security."

'''4th Citation''': "My job takes me to many different OWASP Chapters, along with ISSA, CSA, ISACA, etc.
The Phoenix OWASP Chapter was DEAD before Joaquin volunteered to lead the Chapter a few years ago.
It is now consistently one of the BEST ITSec community gatherings, and I go out of my way to be in Phoenix for their meetings.
To put it a different way, at my first Phoenix OWASP meeting there were less than 12 attendees, including myself and the speaker. Last week it was standing room only (75+) *and* there would have been more if Interstate 17 hadn't been closed in both directions at the start of rush-hour.
Part of the reason Joaquin deserves this award is that he is EXTREMELY knowledgeable about AppSec and many other aspects of data security and he is ALWAYS friendly and willing to share. His day-job is no picnic, but he finds the time to put together great meetings and do it in a way that everybody has a good time."
|-
|Tanya Janca
|'''''Best Mission Outreach'''''
"Tanya has been instrumental in outreach in the Ottawa Ontario Canada region building membership and participation in the local OWASP chapter, as well as building bridges with other local organizations (Python user group, Ruby Rails user group, WIA, etc.). Tanya has also been a driver in getting a mentoring program setup via the Ottawa chapter. She has also encouraged participation in local CTF events, presented at local conferences (BSides, etc). Tanya's enthusiasm, support, and interaction is often contagious (in a good way :) ). Lastly, Tanya is a strong advocate or evangelist for OWASP projects, promoting such as appropriate per audience/presentation (including, but not limited to: ZAP, Top 10, SKF)."

'''2nd Citation:''' "Tanya Janca is an excellent ambassador for OWASP. Since her entry into the lead team of the OWASP Ottawa chapter, she has doubled the size of the chapter and developed the chapter into a meeting place for dozens of women interested in Application Security.
Tanya Janca is an energetic speaker who held a fantastic presentation at AppSecEU in Belfast. <nowiki>https://www.youtube.com/watch?v=mPTmuaC2lOI</nowiki> She was subsequently invited to the Swiss Cyberstorm Conference where her addition to the rooster was explained in an admiring blogpost <nowiki>https://swisscyberstorm.com/2017/05/23/Introducing_Tany_Janca.html</nowiki>
Tanya Janca has the ability to talk security to techies and management alike. She is pushing for the adoption of OWASP practices and project by the government of Canada her employer. Having received the Government of Canada’s CIO Award for “Excellent in Security” in 2016 she refused to move into the private sector, but continues to support the security community inside the public sector, where her excellent know-how is very important."

'''3rd Citation:''' "Tanya Janca has been performing “outreach” and “recruitment of women” as her main chapter leader responsibilities for the Ottawa chapter since 2015. The chapter has not only grown by over 500% in that time, but female membership has grown from 2 female members to over 70 (the chapter has grown for many reasons, some of which are her promotional efforts). Activities include starting a mentoring program that matches senior AppSec members of the community with juniors or people who are hoping to get into Application Security; attending all sorts of technology meetups (but especially female-centric ones) to talk about OWASP and personally invite them to attend; bringing OWASP products, concepts and resources to the Canadian Government (and is currently attempting to sway policy to be more application security focused as we speak); as well as performing over 40 public speaking engagements that describe OWASP as “Your new BFF” as part of the application security lesson she has taught. She has also begun speaking at conferences semi-regularly, singing OWASP’s praises as part of every presentation. She also forms female groups to attend events together, to make them more accessible, such as her all-female team for the Ottawa iHack CTP and “Learn by Breaking things” event in June 2017 and her all female CTF team for OWASP Ottawa’s first CTF in 2015. Her claim of being an “application security evangelist” certainly seems fitting."
|-
|Kitisak Jirawannakool
|'''''Best Mission Outreach'''''

"Web security is notoriously bad in Thailand, so an actives security community is sorely needed. Kitisak is a central figure in that community. He has worked on establishing the OWASP Bangkok chapter for the past six years, organizing meetups, community outreach and engaging with security experts internationally. His work has played a pivotal role in creating IT security awareness in the fast-growing South-East-Asian country."
|-
|James Manico
|'''''Best Mission Outreach'''''
"Jim's influence on OWASP materials (and therefore on application security) is amazing - he's cited on nearly every cheat sheet on OWASP Top 10 document. His name is synonymous with application security."

'''2nd Citation: "'''While Jim may not be the "unsung hero" - he is the first and foremost cheerleader/champion of OWASP. His efforts and contributions are innumerable. As anyone who knows Jim - he is not a reserved individual when touting the resources available via OWASP. He has likely done more then anyone else working with OWASP to bring together, motivate, and get individuals to contribute to OWASP. From the immensely popular checklists to motivating individuals to contribute. OWASP would not be nearly as successful as it has been without Jim."
|-
|Mateo Martinez
|'''''Best Mission Outreach'''''
"Mateo is one of the leaders in Latin America more recognized, during the last years his efforts to join the chapters chapter along with other leaders of Latam made that the community grew and that today the Latam Tour 2017 has more than 15 participating countries. He also managed to spread the spirit of owasp and help establish new chapters in the region.
The effort to maintain more communication between OWASP GLobal and local communities is reflected in each activity that encourages other leaders to ensure that they strive every day to spread Owasp projects and to grow the community."
|-
|Mark Miller
|'''''Best Mission Outreach'''''

"The OWASP Podcast is a effort that is in line with the mission of OWASP raising visability for software security. This is a VERY powerful voice in the community globally and Mark Miller should be applauded for his efforts on this
<nowiki>https://www.owasp.org/index.php/OWASP_Podcast</nowiki>"
|-
|Dhiraj Mishra
|'''''Best Mission Outreach'''''

"Dhiraj was nominated for WASPY 2016, his contribution to the community is from past one 'n half year in various areas, start from the projects, local volunteering and what not, he was also listed in OWASP Hall Of Fame."
|-
|[[User:Owen_Pendlebury|Owen Pendlebury]]
|'''''Best Mission Outreach'''''
"Owen is an active participator in OWASP meetings and has been a great inspiration to me.
He has shown himself to be a great leader and OWASP advocate.
Owen has recommended other AppSec communities in which I have become involved in since moving to Dublin. He is an evangelist for women in technology and I have witnessed this first hand.
I don't hesitate to recommend Owen for this award."

'''2nd Citation:''' "Owen has introduced me to the OWASP Community in Ireland and EU. Help me to get involve with Women in AppSec and participate in the AppSec EU event in Belfast. He is a great leader, who enjoys talking about OWASP and the great community behind it.
I've moved to Ireland a couple of months ago, and getting to know Owen and the OWASP community has completely changed my life, both professionally and personally.
So, yes, I would like to nominate Owen Pendlebury because he the proof that Women in AppSec is not just a women matter. :)"
|-
|[https://www.owasp.org/index.php/Sriram Sriram Shyam]
|'''''Best Mission Outreach'''''
"Sriram has been conducting awareness program to the college students. Sriram has created awareness among 12000 Students without the support of anyone."
|-
|Noreen Whysell
|'''''Best Mission Outreach'''''

"Noreen is helping each day to improve OWASP members' experiences bringing her expertise and knowledge as a mentor and projects as a Chapter Leader, one member at a time. She understands what members want, how to improve member benefits and is applying that knowledge to improving local and global member experiences from the ground up. Her efforts are multiplied by her sharing of knowledge and grassroots approach creating a membership groundswell."
|-
|Aatral Arasu
|'''''Best Innovator'''''
"A great leader always there to help responds to emails quickly loves his work works very hard every day very supportive never loses focus strong willed very technical and willing to do things himself to get the job done when asked for something he will get it to you ASAP constant learner open to suggestions and ideas on how to be better respectful honest caring and I am certain HRC will make it big very soon :)"
|-
|Sean Auriti
|'''''Best Innovator'''''
"Sean leads the BLT Project and is a Team Leader for the Learning Gateway project. He has helped improve the quality of web experiences, including OWASP.org ."
|-
|Glenn & Riccardo ten Cate
|'''''Best Innovator'''''
"I am hereby nominating the brothers Glenn & Riccardo ten Cate from the Netherlands for the WASPY award in this category. They are known for their work on the open-source project SKF (Security Knowledge Framework). These are two guys who are dedicated to spreading security knowledge trough the means OWASP has to offer. You might have encountered them talking at seminars, promoting their project and OWASP, or different companies where they teach development teams how to integrate the OWASP core principles in their workflow using their project. Not only professional development teams but also students of security can only be amazed at the sheer knowledge they gathered and contribute to the global OWASP community trough open source. The sheer effort they put in this project teaches, guides, structures and shows by example how to test and write secure applications by design. There is no other software out there that does this. And that is why they deserve this nomination for best innovator 2017."
|-
|Mark Deenihan
|'''''Best Innovator'''''
"Mark for his constant devotion and work on the OWASP security shepherd project and continuing to develop it and teach people globally about app sec."
|-
|Seba Deleersnyder
|'''''Best Innovator'''''
"One of the main projects to date is SAMM. Seba with the support of project colliders has made this a flagship project of OWASP. The level of maturity and the number of improvements obtained indicates that this project is one of the most mature and a great projection to the future."
|-
|Christopher Frenz
|'''''Best Innovator'''''
"Chris' projects are opening doors for OWASP in the standards development and getting the word out about important IoT with his Medical Device Deployment Standard: <nowiki>https://www.owasp.org/index.php/OWASP_Secure_Medical_Device_Deployment_Standard</nowiki> which already has a Turkish translation and attracted attention from the Turkish public health department. He has delivered presentations at meetups, and presenting to the IDESG, www.idesg.org in July. He has a "soup label" tool that gives simple guidance for the implementation of the OSMDDS. This is not Chris' first project but it is surely one of the best OWASP innovations of the year."
|-
|Joaquin Fuentes
|'''''Best Innovator'''''
"Joaquin has been leading the OWASP Phoenix chapter and due to his initiative, has placed Phoenix on the map as a hub for application security. I would like to nominate him because he is always bringing in new and interesting speakers that provide great content. The most recent OWASP chapter meeting had over 60 attendees!"

'''2nd Citation:''' "Joaquin Fuentes has had a big impact in raising attendance at the Phoenix meetings to more than 100 people monthly. The quality has gotten significantly better under his leadership. He has organized many speakers, including recruiting speakers from out of the area that have significantly developed the knowledge base of the community. Joaquin is a pen testing manager at Early Warning and he shares his professional knowledge to help us all become better in the practice of information security."
|-
|[https://www.owasp.org/index.php/User:Brianglas Brian Glas]
|'''''Best Innovator'''''
"Brian has been paramount in 2 very strategic initiatives for OWASP. He is not only a Project Leader for the OWASP SAMM project but he has been instrumental in revamping the call for data and reorganizing the flagship OWASP Top Ten. Brian continues to support and speak about the benefits of supporting OWASP especially projects and participating in the Summit. Please consider Brian Glas as the Best Community Supporter for this year."
|-
|Evin Hernandez
|'''''Best Innovator'''''
"Evins focus on the core of the information security platform with Virtual Village has provided the global community with a place to experiment and leverage for testing... <nowiki>https://www.owasp.org/index.php/OWASP_Virtual_Village_Project</nowiki>"
|-
|Jeremy Long
|'''''Best Innovator'''''
"Considering how often projects have a great start and plateau, we should recognize the ongoing effort and dedication given to one of the Flagship projects in our community.
Jeremy Long has continued to not only maintain the Dependency Check project but develop and improve it each year.
This year he added Improvements in the core dependency-check platform in terms of code quality, achieved 100% for the CII Best Practices for dependency-check, continued to develop the ODC community with several contributors submitting PRs, and over the last several months he's been working on platform maturity and will be releasing 2.0.0 in the first half of July 2017.
After 2.0 is released he has planned work on Python support and expanding the tool by integrating additional data-sources such as Artifactory, Redhat Victim's, OSS-Index, etc."

'''2nd Citation:''' "Jeremy has been an avid contributor/leader for the OWASP dependency-check project. Under his leadership the project has garnered substantial community support in terms of pull requests, improved code quality via Sonarcloud, Coverity, Codacy, and CII Best Practices. While the last six months have been primarily around code quality and bug fixes; these improvements are setting the dependency-check project up for major enhancements over the coming months!"
|-
|Daniel Miessler
|'''''Best Innovator'''''
"Daniel seems to be everywhere at once - despite have a full-time job, he is leading or co-leading several OWASP projects, has created ideas for groups out of thin air, and has performed work in much needed areas.
This year, Daniel has lead or co-lead the Internet of Things security project, completed an IoT: Medical Devices attack surface overview, and created the Game Security project."
|-
|Dhiraj Mishra
|'''''Best Innovator'''''

"Dhiraj is one of the top contributor in OWASP Cheat Sheet Project, which have security guidance in an easy read format, his contribution for SQL Injection WAF Bypass and XSS Evasion - OWASP, was mostly recommended and used by Cyber Security professional, dhiraj has contributed to Benchmark project by contributing SQLi/XSS fuzz vectors as initial contribution towards adding support for WAF/RASP scoring and many such projects."
|-
|Bernhard Mueller
|'''''Best Innovator'''''
"During the last 18 months Bernhard has been spearheading the OWASP Mobile Testing Guide Project. He has invested several man-months of writing, editing, reviewing, rallying authors, and pushing the project into new directions. This also resulted in the novel agile book writing process and book production pipeline which enables OWASP to produce a professional tech book. The project has produced a security standard and early-release ebook, and is on track become one of OWASP's main flagship projects."
|-
|Steve Springett
|'''''Best Innovator'''''
"Steve's work on dependency-track is fantastic - he's moved forward to address the next round of issues, with an innovative solution all companies can leverage."
|-
|thc202
|'''''Best Innovator'''''
"Simon Bennets "wingman" in the ZAP project, by now even the top committer in the project! (<nowiki>https://github.com/zaproxy/zaproxy/graphs/contributors</nowiki>) So "unsung of" that I do not even know his real name!"
|}

==Results==
Coming July 25, 2017

==Sponsorship Opportunities==
The support from our sponsors, is what makes these awards truly successful!

Sponsorships coming soon!

==Communication==
# June 7, 2017 Email to the Leaders & Community list. Posted to the OWASP [https://owasp.blogspot.com/2017/06/nominations-are-now-being-accepted-for.html Blog]
# June 30, 2017 Email to the Leaders & Community list.
# July 5, 2017 Email to the Nominees
# July 5, 2017 Email to the Leaders & Community list, and Blog post announcing the nominees have been announced.

=='''Past WASPY Awards'''==
[https://www.owasp.org/index.php/WASPY_Awards_2016 2016]<br>
[https://www.owasp.org/index.php/WASPY_Awards_2015 2015] <br>
[https://www.owasp.org/index.php/WASPY_Awards_2014 2014] <br>
[https://www.owasp.org/index.php/WASPY_Awards_2013 2013] <br>
[https://www.owasp.org/index.php/WASPY_Awards_2012 2012] <br>

User:Brianglas

2017-07-06T14:31:25Z

Brianglas:

[[File:BrianGlas-June2016x96.jpg|thumb|left]]
Brian has worked in IT for over 15 years and Information/Application Security for the last decade. He has worked as a full stack dev, application assessor, technical lead, incident response, anti-malware engineer, application architect, infosec manager, and consultant. Brian has spent the last several years helping clients build AppSec Programs, perform SAMM Assessments, create/update SDLCs, and other related work. He has worked on the Trustworthy Computing team at Microsoft and is currently working at nVisium as a Managing Consultant. Brian is one of the project leads and actively contributing to SAMM v1.1-2.0 and working as a Data Analyst for the OWASP Top 10.

File:BrianGlas-June2016x96.jpg

2017-07-06T14:30:12Z

Brianglas:

Brian Glas Profile

OWASP SAMM Project

2017-07-05T01:22:53Z

Brianglas:

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''OWASP SAMM v1.5 available in the downloads section!''' (Announcement Coming)

'''2017 OWASP SAMM Summit (12-16 JUNE 2017, London)'''
* Join our 2017 OWASP SAMM Summit near London as part of the [http://owaspsummit.org/ OWASP DevOps Security Summit].<br>
* We organize working sessions in a 5-day sprint to draft SAMM v2.0. Check out the working session details [http://owaspsummit.org/Working-Sessions/SAMM.html online]
* Register online [http://owaspsummit.org/new/buy-ticket.html here]
* Sponsor the SAMM Summit as Platinum or Gold [http://owaspsummit.org/new/sponsors.html sponsor]

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:
* '''Evaluate an organization’s existing software security practices'''
* '''Build a balanced software security assurance program in well-defined iterations'''
* '''Demonstrate concrete improvements to a security assurance program'''
* '''Define and measure security-related activities throughout an organization'''

''Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize.'', ('''Michael J. Craigue, Information Security & Compliance, Dell, Inc.''')

Follow OWASP SAMM on twitter: [https://twitter.com/owaspsamm @owaspsamm]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download v1.5 ==
[https://github.com/OWASP/samm/blob/master/v1.5/Final/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Quick_Start_V1-5_FINAL.pdf Quick Start Guide] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Toolbox Example] <br>
[https://github.com/OWASP/samm/ OWASP SAMM on GitHub]

== Quick Download v1.1.1 ==

[https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Core_V1-1-Final-1page.pdf SAMM Core Model]<br>
[https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_How_To_V1-1-Final-1page.pdf How-To Guide] <br>
[https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Quick_Start_V1-1-Final-1page.pdf Quick-Start Guide] <br>
[https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box]<br>
[https://github.com/OWASP/samm OWASP SAMM on GitHub]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_SAMM_Project#News News] and [https://www.owasp.org/index.php/OWASP_SAMM_Project#Talks Talks] tabs

== Change Log ==
* OWASP SAMM v1.5 Released! ([http://www.prnewswire.com/news-releases/owasp-samm-v15-helps-organizations-improve-their-security-posture-300439237.html Press Release])
* OWASP SAMM v1.1 Released! ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

== Email List ==

Questions? Please ask on the [https://lists.owasp.org/mailman/listinfo/samm SAMM Mailing List]

== Project Leaders ==

[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] <br /> [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win] <br /> [https://www.owasp.org/index.php/User:Brianglas Brian Glas]

== Related Projects ==

*

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%" | [[File:Owasp-defenders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%" | [[File:Owasp-builders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Browse Online =
[[Image:OwaspSAMM.png|right]]

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

[[Image:SAMM-Overview.png|720px]]

===== Click on any badge to learn more =====

{| cellpadding="1"
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]
|-
| align="center" |'''Strategy & Metrics'''
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
|-
| align="center" |'''Policy & Compliance'''
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
|-
| align="center" |'''Education & Guidance'''
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]
|-
| align="center" |'''Threat Assessment'''
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
|-
| align="center" |'''Security Requirements'''
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
|-
| align="center" |'''Secure Architecture'''
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]
|-
| align="center" |'''Design Review'''
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
|-
| align="center" |'''Code Review'''
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
|-
| align="center" |'''Security Testing'''
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]
|-
| align="center" |'''Vulnerability Management'''
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
|-
| align="center" |'''Environment Hardening'''
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
|-
| align="center" |'''Operational Enablement'''
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
|-
|}

= Downloads =

The latest work in progress can be found on Github: https://github.com/OWASP/samm

Download SAMM v1.5
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] Zip file containing all the v1.5 files below;
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] document, explaining the maturity model;
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] with implementation guidance;
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Quick_Start_V1-5_FINAL.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] to perform SAMM assessments and create SAMM roadmaps;
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Tool Box Example] to provide an example SAMM assessment;

Download SAMM v1.1
* [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Core_V1-1-Final.pdf SAMM Core Model] document, explaining the maturity model;
* [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_How_To_V1-1-Final.pdf How-To Guide] with implementation guidance;
* [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Quick_Start_V1-1-Final.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;

Download OpenSAMM v1.0:
* in [https://www.owasp.org/images/c/c0/SAMM-1.0.pdf English - PDF], [https://www.owasp.org/images/2/25/SAMM-1.0-en_US-0.3.xml.zip English - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-es_MX.pdf Spanish - PDF], [https://www.owasp.org/images/a/a1/SAMM-1.0-es_MX-0.3.xml.zip Spanish - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-ja_JP.pdf Japanese - PDF], not available as XML
* in [https://www.owasp.org/images/f/fd/SAMM-1.0-cn.pdf Chinese - PDF], not available as XML

Available resources to apply SAMM:
* Browse OWASP and other resources for SAMM Security practices: [[:Category:SAMM-Resources]]

Trainings:
* Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
** Slide deck download [https://www.owasp.org/images/d/df/OpenSAMM_Training_vFINAL.pptx here]
** Training description download [https://www.owasp.org/images/7/7c/Training_-_Bootstrap_and_improve_your_SDLC_with_OpenSAMM.docx here]

Assessments:
* SAMM v1.5 Toolbox
** Download the new v1.5 Toolbox with the updated scoring model [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM v1.5 Toolbox]
* SAMM v1.1 Toolbox
** download the v1.1 toolbox, including the updated questions [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Assessment_Toolbox_v1-1-Final.xlsx here]
* Assessment Interview Template by Nick Coblentz for SAMM V1.0
** This [https://www.owasp.org/images/c/cf/20090607-SAMMAssessmentInterviewTemplate-1.0.xls spreadsheet] breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.
* Roadmap Chart Template by Colin Watson for SAMM V1.0
** This [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.
* Assessment Worksheet by Christian Frichot for SAMM V1.0
** This is an easy-to-use [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.
* Project Plan Template by Jim Weiler for SAMM V1.0
** This is a [https://www.owasp.org/images/3/33/SAMMProject.zip project plan template] (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.

Mappings:
* BSIMM-6 mapping to SAMM activities:
** Spreadsheet download [https://github.com/OWASP/opensamm/tree/master/v1.1/mapping here]
** Presentation with start of analysis download [https://www.owasp.org/images/6/66/OpenSAMM_-_BSIMM-V_mapping.pptx here]
* BSIMM mapping to SAMM during the 2011 Summit:
** This [https://www.owasp.org/images/2/2e/20110301-OpenSAMM-BSIMM-Mapping.xlsx spreadsheet] contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).

Tools:
*Javascript visualization framework for SAMM on [https://github.com/qudosoft-labs/SAMMCharts github]

= Community =

[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Community | Community}}

</div>

= Summit =

[[Image:OwaspSAMM.png|right]]

In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016 >here<] !!

Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015 >here<] !!

Summit Notes:
* 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
* Summit outcome is described [http://www.opensamm.org/2015/04/opensamm-summit-dublin-outcome/ here]
''"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers."'' Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company

Previous workshop Notes:

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.

This is also an excellent opportunity to exchange experiences with your peers.

If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).
* The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available [https://docs.google.com/document/d/1tXqIovpSuFqycVYetdGSC2PiPygySymiLUhHT5yHR2M/edit here].

Previous workshop notes:
* The notes for the SAMM Workshop in New York on 21-Nov-2013 are available [https://docs.google.com/document/d/1PwoDVsWyhoWksBiLIRh8UOh-QCs8H7QMqrSUsS13WzU/edit here].
* The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available [https://docs.google.com/document/d/12mB7FkmhcI04YDZle_VD90n1xcENgNhAGqZkCAb6EkM/edit here].

= Talks =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
Upcoming talks featuring SAMM are listed here:

* OWASP DC - Software Assurance Maturity Model (SAMM) with Brian Glas! (2017-03-15)
* OWASP NoVA - SAMM 1.5, what's changed and how it impacts you (2017-03-16)
* InfoSec World - Software Assurance Maturity Model Evolutions (2017-04-03)

past talks:

* OWASP SAMM v1.5 Webinar - Brian Glas discussing the SAMM model and changes in v1.5 (watch - [https://www.youtube.com/watch?v=4pKdwRb8fTI youtube]) - 2017
* OWASP 24/7 - Seba Deleersnyder discussing the upcoming SAMM Summit (listen - [https://soundcloud.com/owasp-podcast/seba-deleersnyder-discusses-samm-software-assurance-maturity-model-summit-in-dublin-ireland here]) - 2015
* OWASP Germany Day 2014: Seba Deleersnyder: OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/f/fa/OpenSAMM_Best_Practices_Lessons_from_the_Trenches_-_Seba_Deleersnyder.pdf presentation]) - 2014
* AppSecEU14: Seba Deleersnyder & Bart De Win: OpenSAMM Best Practices: Lessons from the Trenches OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/6/6f/OpenSAMM_-_AppSecEU_2014_-_Seba-Bart_v20140528.pptx presentation], see [https://www.youtube.com/watch?v=qcCgeBeBLUg video]) - 2014
* AppSecEU13 - Hamburg: Seba Deleersnyder presenting a project update (download [https://www.owasp.org/images/3/32/OpenSAMM_-_Project_Status_-_Hamburg_2013.pdf presentation]) - 2013
* OWASP Europe Tour 2013 - Geneva: Seba Deleersnyder presenting OpenSAMM and the renewed project (download [https://www.owasp.org/images/c/cd/OpenSAMM_-_OWASP_Tour_13_Talk_-_Seba.pptx presentation]) - 2013
* AppSecEU11 - Athens: Colin Watson presenting SAMM Training (download [https://www.owasp.org/images/1/18/Owasp-training-samm-greece.pdf presentation]) - 2011
* AppSecEU09: Pravir Chandra presenting OpenSAMM v1.0 (download [https://www.owasp.org/images/4/49/AppSecEU09_OpenSAMM-1.0.ppt presentation]) - 2009
* Matt Bartoldus presentation on new SAMM project during OWASP London chapter (download [https://www.owasp.org/images/d/df/OpenSAMM.pdf presentation]) - 2009
* Pravir Chandra - first presentation discussing the next generation to the CLASP Project- a complete working of the details into a Software Assurance Maturity Model (SAMM). (download [https://www.owasp.org/images/2/2e/OWASP_CLASP_SAMM.ppt presentation]) - 2009

</div>

= News =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Latest News on SAMM
* OWASP SAMM v2.0 workshop at the OWASP Project Summit June 2017
* OWASP SAMM v1.5 Released!
* SAMM Summit 2016 read the [https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit wrap-up here]
* OWASP SAMM v1.1 Released! See the [http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release].
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

</div>

= Languages =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SAMM v1.0 is available in the following languages:'''

* English
* Spanish
* Japanese
* Chinese

Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the [https://www.owasp.org/images/c/cf/05_OWASP_LatamTur2011_OpenSAMM.pdf presentation].
Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download [https://www.owasp.org/images/f/fd/OpenSAMM-1.0-fr_FR.ppt here].

You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Updated roadmap:
Next 1.5 release, updated scoring:
* Clarification of maturity levels (syntactic changes to keep the text consistent)
* Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal.
* Show improvements with every activity introduced
* Adapt for the new scoring method
* Update questions for 4-tiers
* Review and where necessary clarify current questions
* Consider v1.1 remarks that were not withheld for the previous release
Targeted completion date: February 28, 2017

SAMM version 2.0
* Core model changed
* Visualisations + flavours for a few development methodologies
* Update quickstart guide, TB, HTG.
* Success metrics: How well does the model work: Linked to the benchmarking project.
Timing: Workshops as part of OWASP Project Summit June 2017

</div>
= Get Involved =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feedback==

Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:
* What do like?
* What don't you like?
* How can we make SAMM easier to use?
* How could SAMM be improved?

==Localization==

Are you fluent in another language? Can you help translate SAMM into that language?

You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!

</div>

= Project Sponsors =
[[Image:OwaspSAMM.png|right]]

<div style="font-size:120%;border:none;margin: 0;color:#000">

==SAMM Adopters==
Current list of [https://www.owasp.org/index.php/OpenSAMM_Adopters SAMM adopters]

SAMM is developed and maintained by a worldwide team of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM:

==== Acknowledgements ====
We would like to thank the following sponsors who donated funds to our project:

[[File:Belgium_Chapter.PNG|250px|link=https://www.owasp.org/index.php/Belgium]]
[[File:London_Chapter.PNG|250px|link=https://www.owasp.org/index.php/London]]

[[File:Aspectsecurity.png|250px|link=http://www.aspectsecurity.com]]
[[File:Astech_Consulting_logo.png|250px|link=http://www.astechconsulting.com/]]
[[File:Denim_Group_logo.jpg|250px|link=http://www.denimgroup.com/]]
[[File:Gotham_Digital_Science_logo.jpg|250px|link=http://www.gdssecurity.com/]]

{{MemberLinksv2|link=http://www.hpenterprisesecurity.com|logo=HP_Blue_RGB_150_SM.png|size=300px90px}}
[[File:NetSPI_logo.png|250px|link=http://www.netspi.com/]]
[[Image:PwC_logo_4colourprint_(2)_Resized_good_one.jpg|150px|link=http://www.pwc.com]]
[[File:SI_Logo_Stacked_Application_Security.jpg|250px|link=http://www.securityinnovation.com/]]
[[File:LogoToreon.jpg|250px|link=http://www.toreon.com]]
[[File:Veracode-samm.png|250px|link=http://www.veracode.com]]

__NOTOC__ <headertabs></headertabs>

<br />
{{OWASP Book|6888083}}
<br />

[[Category:OWASP Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP Release Quality Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]

OWASP SAMM Project

2017-07-05T01:20:07Z

Brianglas:

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''OWASP SAMM v1.5 available in the downloads section!''' (Announcement Coming)

'''2017 OWASP SAMM Summit (12-16 JUNE 2017, London)'''
* Join our 2017 OWASP SAMM Summit near London as part of the [http://owaspsummit.org/ OWASP DevOps Security Summit].<br>
* We organize working sessions in a 5-day sprint to draft SAMM v2.0. Check out the working session details [http://owaspsummit.org/Working-Sessions/SAMM.html online]
* Register online [http://owaspsummit.org/new/buy-ticket.html here]
* Sponsor the SAMM Summit as Platinum or Gold [http://owaspsummit.org/new/sponsors.html sponsor]

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:
* '''Evaluate an organization’s existing software security practices'''
* '''Build a balanced software security assurance program in well-defined iterations'''
* '''Demonstrate concrete improvements to a security assurance program'''
* '''Define and measure security-related activities throughout an organization'''

''Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize.'', ('''Michael J. Craigue, Information Security & Compliance, Dell, Inc.''')

Follow OWASP SAMM on twitter: [https://twitter.com/owaspsamm @owaspsamm]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download v1.5 ==
[https://github.com/OWASP/samm/blob/master/v1.5/Final/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Quick_Start_V1-5_FINAL.pdf Quick Start Guide] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Toolbox Example] <br>
[https://github.com/OWASP/samm/ OWASP SAMM on GitHub]

== Quick Download v1.1.1 ==

[https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Core_V1-1-Final-1page.pdf SAMM Core Model]<br>
[https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_How_To_V1-1-Final-1page.pdf How-To Guide] <br>
[https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Quick_Start_V1-1-Final-1page.pdf Quick-Start Guide] <br>
[https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box]<br>
[https://github.com/OWASP/samm OWASP SAMM on GitHub]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_SAMM_Project#News News] and [https://www.owasp.org/index.php/OWASP_SAMM_Project#Talks Talks] tabs

== Change Log ==
* OWASP SAMM v1.5 Released! ([http://www.prnewswire.com/news-releases/owasp-samm-v15-helps-organizations-improve-their-security-posture-300439237.html Press Release])
* OWASP SAMM v1.1 Released! ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

== Email List ==

Questions? Please ask on the [https://lists.owasp.org/mailman/listinfo/samm SAMM Mailing List]

== Project Leaders ==

[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] <br /> [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win] <br /> [https://www.owasp.org/index.php/User:Brianglas Brian Glas]

== Related Projects ==

*

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%" | [[File:Owasp-defenders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%" | [[File:Owasp-builders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Browse Online =
[[Image:OwaspSAMM.png|right]]

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

[[Image:SAMM-Overview.png|720px]]

===== Click on any badge to learn more =====

{| cellpadding="1"
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]
|-
| align="center" |'''Strategy & Metrics'''
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
|-
| align="center" |'''Policy & Compliance'''
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
|-
| align="center" |'''Education & Guidance'''
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]
|-
| align="center" |'''Threat Assessment'''
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
|-
| align="center" |'''Security Requirements'''
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
|-
| align="center" |'''Secure Architecture'''
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]
|-
| align="center" |'''Design Review'''
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
|-
| align="center" |'''Code Review'''
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
|-
| align="center" |'''Security Testing'''
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]
|-
| align="center" |'''Vulnerability Management'''
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
|-
| align="center" |'''Environment Hardening'''
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
|-
| align="center" |'''Operational Enablement'''
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
|-
|}

= Downloads =

The latest work in progress can be found on Github: https://github.com/OWASP/samm

Download SAMM v1.5
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] Zip file containing all the v1.5 files below;
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] document, explaining the maturity model;
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] with implementation guidance;
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Quick_Start_V1-5_FINAL.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] to perform SAMM assessments and create SAMM roadmaps;
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Tool Box Example] to provide an example SAMM assessment;

Download SAMM v1.1
* [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Core_V1-1-Final.pdf SAMM Core Model] document, explaining the maturity model;
* [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_How_To_V1-1-Final.pdf How-To Guide] with implementation guidance;
* [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Quick_Start_V1-1-Final.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;

Download OpenSAMM v1.0:
* in [https://www.owasp.org/images/c/c0/SAMM-1.0.pdf English - PDF], [https://www.owasp.org/images/2/25/SAMM-1.0-en_US-0.3.xml.zip English - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-es_MX.pdf Spanish - PDF], [https://www.owasp.org/images/a/a1/SAMM-1.0-es_MX-0.3.xml.zip Spanish - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-ja_JP.pdf Japanese - PDF], not available as XML
* in [https://www.owasp.org/images/f/fd/SAMM-1.0-cn.pdf Chinese - PDF], not available as XML

Available resources to apply SAMM:
* Browse OWASP and other resources for SAMM Security practices: [[:Category:SAMM-Resources]]

Trainings:
* Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
** Slide deck download [https://www.owasp.org/images/d/df/OpenSAMM_Training_vFINAL.pptx here]
** Training description download [https://www.owasp.org/images/7/7c/Training_-_Bootstrap_and_improve_your_SDLC_with_OpenSAMM.docx here]

Assessments:
* SAMM v1.5 Toolbox
** Download the new v1.5 Toolbox with the updated scoring model [https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM v1.5 Toolbox]
* SAMM v1.1 RC1 toolbox
** download the latest toolbox, including the updated questions [https://github.com/OWASP/opensamm/blob/master/v1.1/OpenSAMM_Assessment_Toolbox_v1-1-RC.xlsx here]
* Assessment Interview Template by Nick Coblentz for SAMM V1.0
** This [https://www.owasp.org/images/c/cf/20090607-SAMMAssessmentInterviewTemplate-1.0.xls spreadsheet] breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.
* Roadmap Chart Template by Colin Watson for SAMM V1.0
** This [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.
* Assessment Worksheet by Christian Frichot for SAMM V1.0
** This is an easy-to-use [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.
* Project Plan Template by Jim Weiler for SAMM V1.0
** This is a [https://www.owasp.org/images/3/33/SAMMProject.zip project plan template] (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.

Mappings:
* BSIMM-6 mapping to SAMM activities:
** Spreadsheet download [https://github.com/OWASP/opensamm/tree/master/v1.1/mapping here]
** Presentation with start of analysis download [https://www.owasp.org/images/6/66/OpenSAMM_-_BSIMM-V_mapping.pptx here]
* BSIMM mapping to SAMM during the 2011 Summit:
** This [https://www.owasp.org/images/2/2e/20110301-OpenSAMM-BSIMM-Mapping.xlsx spreadsheet] contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).

Tools:
*Javascript visualization framework for SAMM on [https://github.com/qudosoft-labs/SAMMCharts github]

= Community =

[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Community | Community}}

</div>

= Summit =

[[Image:OwaspSAMM.png|right]]

In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016 >here<] !!

Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015 >here<] !!

Summit Notes:
* 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
* Summit outcome is described [http://www.opensamm.org/2015/04/opensamm-summit-dublin-outcome/ here]
''"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers."'' Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company

Previous workshop Notes:

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.

This is also an excellent opportunity to exchange experiences with your peers.

If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).
* The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available [https://docs.google.com/document/d/1tXqIovpSuFqycVYetdGSC2PiPygySymiLUhHT5yHR2M/edit here].

Previous workshop notes:
* The notes for the SAMM Workshop in New York on 21-Nov-2013 are available [https://docs.google.com/document/d/1PwoDVsWyhoWksBiLIRh8UOh-QCs8H7QMqrSUsS13WzU/edit here].
* The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available [https://docs.google.com/document/d/12mB7FkmhcI04YDZle_VD90n1xcENgNhAGqZkCAb6EkM/edit here].

= Talks =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
Upcoming talks featuring SAMM are listed here:

* OWASP DC - Software Assurance Maturity Model (SAMM) with Brian Glas! (2017-03-15)
* OWASP NoVA - SAMM 1.5, what's changed and how it impacts you (2017-03-16)
* InfoSec World - Software Assurance Maturity Model Evolutions (2017-04-03)

past talks:

* OWASP SAMM v1.5 Webinar - Brian Glas discussing the SAMM model and changes in v1.5 (watch - [https://www.youtube.com/watch?v=4pKdwRb8fTI youtube]) - 2017
* OWASP 24/7 - Seba Deleersnyder discussing the upcoming SAMM Summit (listen - [https://soundcloud.com/owasp-podcast/seba-deleersnyder-discusses-samm-software-assurance-maturity-model-summit-in-dublin-ireland here]) - 2015
* OWASP Germany Day 2014: Seba Deleersnyder: OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/f/fa/OpenSAMM_Best_Practices_Lessons_from_the_Trenches_-_Seba_Deleersnyder.pdf presentation]) - 2014
* AppSecEU14: Seba Deleersnyder & Bart De Win: OpenSAMM Best Practices: Lessons from the Trenches OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/6/6f/OpenSAMM_-_AppSecEU_2014_-_Seba-Bart_v20140528.pptx presentation], see [https://www.youtube.com/watch?v=qcCgeBeBLUg video]) - 2014
* AppSecEU13 - Hamburg: Seba Deleersnyder presenting a project update (download [https://www.owasp.org/images/3/32/OpenSAMM_-_Project_Status_-_Hamburg_2013.pdf presentation]) - 2013
* OWASP Europe Tour 2013 - Geneva: Seba Deleersnyder presenting OpenSAMM and the renewed project (download [https://www.owasp.org/images/c/cd/OpenSAMM_-_OWASP_Tour_13_Talk_-_Seba.pptx presentation]) - 2013
* AppSecEU11 - Athens: Colin Watson presenting SAMM Training (download [https://www.owasp.org/images/1/18/Owasp-training-samm-greece.pdf presentation]) - 2011
* AppSecEU09: Pravir Chandra presenting OpenSAMM v1.0 (download [https://www.owasp.org/images/4/49/AppSecEU09_OpenSAMM-1.0.ppt presentation]) - 2009
* Matt Bartoldus presentation on new SAMM project during OWASP London chapter (download [https://www.owasp.org/images/d/df/OpenSAMM.pdf presentation]) - 2009
* Pravir Chandra - first presentation discussing the next generation to the CLASP Project- a complete working of the details into a Software Assurance Maturity Model (SAMM). (download [https://www.owasp.org/images/2/2e/OWASP_CLASP_SAMM.ppt presentation]) - 2009

</div>

= News =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Latest News on SAMM
* OWASP SAMM v2.0 workshop at the OWASP Project Summit June 2017
* OWASP SAMM v1.5 Released!
* SAMM Summit 2016 read the [https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit wrap-up here]
* OWASP SAMM v1.1 Released! See the [http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release].
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

</div>

= Languages =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SAMM v1.0 is available in the following languages:'''

* English
* Spanish
* Japanese
* Chinese

Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the [https://www.owasp.org/images/c/cf/05_OWASP_LatamTur2011_OpenSAMM.pdf presentation].
Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download [https://www.owasp.org/images/f/fd/OpenSAMM-1.0-fr_FR.ppt here].

You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Updated roadmap:
Next 1.5 release, updated scoring:
* Clarification of maturity levels (syntactic changes to keep the text consistent)
* Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal.
* Show improvements with every activity introduced
* Adapt for the new scoring method
* Update questions for 4-tiers
* Review and where necessary clarify current questions
* Consider v1.1 remarks that were not withheld for the previous release
Targeted completion date: February 28, 2017

SAMM version 2.0
* Core model changed
* Visualisations + flavours for a few development methodologies
* Update quickstart guide, TB, HTG.
* Success metrics: How well does the model work: Linked to the benchmarking project.
Timing: Workshops as part of OWASP Project Summit June 2017

</div>
= Get Involved =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feedback==

Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:
* What do like?
* What don't you like?
* How can we make SAMM easier to use?
* How could SAMM be improved?

==Localization==

Are you fluent in another language? Can you help translate SAMM into that language?

You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!

</div>

= Project Sponsors =
[[Image:OwaspSAMM.png|right]]

<div style="font-size:120%;border:none;margin: 0;color:#000">

==SAMM Adopters==
Current list of [https://www.owasp.org/index.php/OpenSAMM_Adopters SAMM adopters]

SAMM is developed and maintained by a worldwide team of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM:

==== Acknowledgements ====
We would like to thank the following sponsors who donated funds to our project:

[[File:Belgium_Chapter.PNG|250px|link=https://www.owasp.org/index.php/Belgium]]
[[File:London_Chapter.PNG|250px|link=https://www.owasp.org/index.php/London]]

[[File:Aspectsecurity.png|250px|link=http://www.aspectsecurity.com]]
[[File:Astech_Consulting_logo.png|250px|link=http://www.astechconsulting.com/]]
[[File:Denim_Group_logo.jpg|250px|link=http://www.denimgroup.com/]]
[[File:Gotham_Digital_Science_logo.jpg|250px|link=http://www.gdssecurity.com/]]

{{MemberLinksv2|link=http://www.hpenterprisesecurity.com|logo=HP_Blue_RGB_150_SM.png|size=300px90px}}
[[File:NetSPI_logo.png|250px|link=http://www.netspi.com/]]
[[Image:PwC_logo_4colourprint_(2)_Resized_good_one.jpg|150px|link=http://www.pwc.com]]
[[File:SI_Logo_Stacked_Application_Security.jpg|250px|link=http://www.securityinnovation.com/]]
[[File:LogoToreon.jpg|250px|link=http://www.toreon.com]]
[[File:Veracode-samm.png|250px|link=http://www.veracode.com]]

__NOTOC__ <headertabs></headertabs>

<br />
{{OWASP Book|6888083}}
<br />

[[Category:OWASP Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP Release Quality Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]

OWASP SAMM Project

2017-07-05T01:16:14Z

Brianglas: /* Change Log */

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''OWASP SAMM v1.5 available in the downloads section!''' (Announcement Coming)

'''2017 OWASP SAMM Summit (12-16 JUNE 2017, London)'''
* Join our 2017 OWASP SAMM Summit near London as part of the [http://owaspsummit.org/ OWASP DevOps Security Summit].<br>
* We organize working sessions in a 5-day sprint to draft SAMM v2.0. Check out the working session details [http://owaspsummit.org/Working-Sessions/SAMM.html online]
* Register online [http://owaspsummit.org/new/buy-ticket.html here]
* Sponsor the SAMM Summit as Platinum or Gold [http://owaspsummit.org/new/sponsors.html sponsor]

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:
* '''Evaluate an organization’s existing software security practices'''
* '''Build a balanced software security assurance program in well-defined iterations'''
* '''Demonstrate concrete improvements to a security assurance program'''
* '''Define and measure security-related activities throughout an organization'''

''Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize.'', ('''Michael J. Craigue, Information Security & Compliance, Dell, Inc.''')

Follow OWASP SAMM on twitter: [https://twitter.com/owaspsamm @owaspsamm]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download v1.5 ==
[https://github.com/OWASP/samm/blob/master/v1.5/Final/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Quick_Start_V1-5_FINAL.pdf Quick Start Guide] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Toolbox Example] <br>
[https://github.com/OWASP/samm/ OWASP SAMM on GitHub]

== Quick Download v1.1.1 ==

[https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Core_V1-1-Final-1page.pdf SAMM Core Model]<br>
[https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_How_To_V1-1-Final-1page.pdf How-To Guide] <br>
[https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Quick_Start_V1-1-Final-1page.pdf Quick-Start Guide] <br>
[https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box]<br>
[https://github.com/OWASP/samm OWASP SAMM on GitHub]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_SAMM_Project#News News] and [https://www.owasp.org/index.php/OWASP_SAMM_Project#Talks Talks] tabs

== Change Log ==
* OWASP SAMM v1.5 Released! ([http://www.prnewswire.com/news-releases/owasp-samm-v15-helps-organizations-improve-their-security-posture-300439237.html Press Release])
* OWASP SAMM v1.1 Released! ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

== Email List ==

Questions? Please ask on the [https://lists.owasp.org/mailman/listinfo/samm SAMM Mailing List]

== Project Leaders ==

[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] <br /> [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win] <br /> [https://www.owasp.org/index.php/User:Brianglas Brian Glas]

== Related Projects ==

*

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%" | [[File:Owasp-defenders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%" | [[File:Owasp-builders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Browse Online =
[[Image:OwaspSAMM.png|right]]

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

[[Image:SAMM-Overview.png|720px]]

===== Click on any badge to learn more =====

{| cellpadding="1"
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]
|-
| align="center" |'''Strategy & Metrics'''
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
|-
| align="center" |'''Policy & Compliance'''
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
|-
| align="center" |'''Education & Guidance'''
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]
|-
| align="center" |'''Threat Assessment'''
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
|-
| align="center" |'''Security Requirements'''
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
|-
| align="center" |'''Secure Architecture'''
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]
|-
| align="center" |'''Design Review'''
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
|-
| align="center" |'''Code Review'''
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
|-
| align="center" |'''Security Testing'''
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]
|-
| align="center" |'''Vulnerability Management'''
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
|-
| align="center" |'''Environment Hardening'''
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
|-
| align="center" |'''Operational Enablement'''
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
|-
|}

= Downloads =

The latest work in progress can be found on Github: https://github.com/OWASP/samm

Download SAMM v1.5
* [https://www.owasp.org/images/8/8d/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] Zip file containing all the v1.5 files below;
* [https://www.owasp.org/images/6/6f/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/3/30/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/1/18/SAMM_Quick_Start_V1-5_FINAL.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] to perform SAMM assessments and create SAMM roadmaps;
* [https://www.owasp.org/images/8/84/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Tool Box Example] to provide an example SAMM assessment;

Download SAMM v1.1
* [https://www.owasp.org/images/d/d8/OpenSAMM_Core_V1-1-Final.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/a/a7/OpenSAMM_How_To_V1-1-Final.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/3/3f/OpenSAMM_Quick_Start_V1-1-Final.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/b/b9/OpenSAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;

Download OpenSAMM v1.0:
* in [https://www.owasp.org/images/c/c0/SAMM-1.0.pdf English - PDF], [https://www.owasp.org/images/2/25/SAMM-1.0-en_US-0.3.xml.zip English - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-es_MX.pdf Spanish - PDF], [https://www.owasp.org/images/a/a1/SAMM-1.0-es_MX-0.3.xml.zip Spanish - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-ja_JP.pdf Japanese - PDF], not available as XML
* in [https://www.owasp.org/images/f/fd/SAMM-1.0-cn.pdf Chinese - PDF], not available as XML

Available resources to apply SAMM:
* Browse OWASP and other resources for SAMM Security practices: [[:Category:SAMM-Resources]]

Trainings:
* Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
** Slide deck download [https://www.owasp.org/images/d/df/OpenSAMM_Training_vFINAL.pptx here]
** Training description download [https://www.owasp.org/images/7/7c/Training_-_Bootstrap_and_improve_your_SDLC_with_OpenSAMM.docx here]

Assessments:
* SAMM v1.5 Toolbox
** Download the new v1.5 Toolbox with the updated scoring model [https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM v1.5 Toolbox]
* SAMM v1.1 RC1 toolbox
** download the latest toolbox, including the updated questions [https://github.com/OWASP/opensamm/blob/master/v1.1/OpenSAMM_Assessment_Toolbox_v1-1-RC.xlsx here]
* Assessment Interview Template by Nick Coblentz for SAMM V1.0
** This [https://www.owasp.org/images/c/cf/20090607-SAMMAssessmentInterviewTemplate-1.0.xls spreadsheet] breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.
* Roadmap Chart Template by Colin Watson for SAMM V1.0
** This [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.
* Assessment Worksheet by Christian Frichot for SAMM V1.0
** This is an easy-to-use [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.
* Project Plan Template by Jim Weiler for SAMM V1.0
** This is a [https://www.owasp.org/images/3/33/SAMMProject.zip project plan template] (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.

Mappings:
* BSIMM-6 mapping to SAMM activities:
** Spreadsheet download [https://github.com/OWASP/opensamm/tree/master/v1.1/mapping here]
** Presentation with start of analysis download [https://www.owasp.org/images/6/66/OpenSAMM_-_BSIMM-V_mapping.pptx here]
* BSIMM mapping to SAMM during the 2011 Summit:
** This [https://www.owasp.org/images/2/2e/20110301-OpenSAMM-BSIMM-Mapping.xlsx spreadsheet] contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).

Tools:
*Javascript visualization framework for SAMM on [https://github.com/qudosoft-labs/SAMMCharts github]

= Community =

[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Community | Community}}

</div>

= Summit =

[[Image:OwaspSAMM.png|right]]

In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016 >here<] !!

Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015 >here<] !!

Summit Notes:
* 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
* Summit outcome is described [http://www.opensamm.org/2015/04/opensamm-summit-dublin-outcome/ here]
''"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers."'' Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company

Previous workshop Notes:

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.

This is also an excellent opportunity to exchange experiences with your peers.

If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).
* The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available [https://docs.google.com/document/d/1tXqIovpSuFqycVYetdGSC2PiPygySymiLUhHT5yHR2M/edit here].

Previous workshop notes:
* The notes for the SAMM Workshop in New York on 21-Nov-2013 are available [https://docs.google.com/document/d/1PwoDVsWyhoWksBiLIRh8UOh-QCs8H7QMqrSUsS13WzU/edit here].
* The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available [https://docs.google.com/document/d/12mB7FkmhcI04YDZle_VD90n1xcENgNhAGqZkCAb6EkM/edit here].

= Talks =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
Upcoming talks featuring SAMM are listed here:

* OWASP DC - Software Assurance Maturity Model (SAMM) with Brian Glas! (2017-03-15)
* OWASP NoVA - SAMM 1.5, what's changed and how it impacts you (2017-03-16)
* InfoSec World - Software Assurance Maturity Model Evolutions (2017-04-03)

past talks:

* OWASP SAMM v1.5 Webinar - Brian Glas discussing the SAMM model and changes in v1.5 (watch - [https://www.youtube.com/watch?v=4pKdwRb8fTI youtube]) - 2017
* OWASP 24/7 - Seba Deleersnyder discussing the upcoming SAMM Summit (listen - [https://soundcloud.com/owasp-podcast/seba-deleersnyder-discusses-samm-software-assurance-maturity-model-summit-in-dublin-ireland here]) - 2015
* OWASP Germany Day 2014: Seba Deleersnyder: OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/f/fa/OpenSAMM_Best_Practices_Lessons_from_the_Trenches_-_Seba_Deleersnyder.pdf presentation]) - 2014
* AppSecEU14: Seba Deleersnyder & Bart De Win: OpenSAMM Best Practices: Lessons from the Trenches OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/6/6f/OpenSAMM_-_AppSecEU_2014_-_Seba-Bart_v20140528.pptx presentation], see [https://www.youtube.com/watch?v=qcCgeBeBLUg video]) - 2014
* AppSecEU13 - Hamburg: Seba Deleersnyder presenting a project update (download [https://www.owasp.org/images/3/32/OpenSAMM_-_Project_Status_-_Hamburg_2013.pdf presentation]) - 2013
* OWASP Europe Tour 2013 - Geneva: Seba Deleersnyder presenting OpenSAMM and the renewed project (download [https://www.owasp.org/images/c/cd/OpenSAMM_-_OWASP_Tour_13_Talk_-_Seba.pptx presentation]) - 2013
* AppSecEU11 - Athens: Colin Watson presenting SAMM Training (download [https://www.owasp.org/images/1/18/Owasp-training-samm-greece.pdf presentation]) - 2011
* AppSecEU09: Pravir Chandra presenting OpenSAMM v1.0 (download [https://www.owasp.org/images/4/49/AppSecEU09_OpenSAMM-1.0.ppt presentation]) - 2009
* Matt Bartoldus presentation on new SAMM project during OWASP London chapter (download [https://www.owasp.org/images/d/df/OpenSAMM.pdf presentation]) - 2009
* Pravir Chandra - first presentation discussing the next generation to the CLASP Project- a complete working of the details into a Software Assurance Maturity Model (SAMM). (download [https://www.owasp.org/images/2/2e/OWASP_CLASP_SAMM.ppt presentation]) - 2009

</div>

= News =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Latest News on SAMM
* OWASP SAMM v2.0 workshop at the OWASP Project Summit June 2017
* OWASP SAMM v1.5 Released!
* SAMM Summit 2016 read the [https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit wrap-up here]
* OWASP SAMM v1.1 Released! See the [http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release].
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

</div>

= Languages =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SAMM v1.0 is available in the following languages:'''

* English
* Spanish
* Japanese
* Chinese

Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the [https://www.owasp.org/images/c/cf/05_OWASP_LatamTur2011_OpenSAMM.pdf presentation].
Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download [https://www.owasp.org/images/f/fd/OpenSAMM-1.0-fr_FR.ppt here].

You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Updated roadmap:
Next 1.5 release, updated scoring:
* Clarification of maturity levels (syntactic changes to keep the text consistent)
* Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal.
* Show improvements with every activity introduced
* Adapt for the new scoring method
* Update questions for 4-tiers
* Review and where necessary clarify current questions
* Consider v1.1 remarks that were not withheld for the previous release
Targeted completion date: February 28, 2017

SAMM version 2.0
* Core model changed
* Visualisations + flavours for a few development methodologies
* Update quickstart guide, TB, HTG.
* Success metrics: How well does the model work: Linked to the benchmarking project.
Timing: Workshops as part of OWASP Project Summit June 2017

</div>
= Get Involved =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feedback==

Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:
* What do like?
* What don't you like?
* How can we make SAMM easier to use?
* How could SAMM be improved?

==Localization==

Are you fluent in another language? Can you help translate SAMM into that language?

You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!

</div>

= Project Sponsors =
[[Image:OwaspSAMM.png|right]]

<div style="font-size:120%;border:none;margin: 0;color:#000">

==SAMM Adopters==
Current list of [https://www.owasp.org/index.php/OpenSAMM_Adopters SAMM adopters]

SAMM is developed and maintained by a worldwide team of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM:

==== Acknowledgements ====
We would like to thank the following sponsors who donated funds to our project:

[[File:Belgium_Chapter.PNG|250px|link=https://www.owasp.org/index.php/Belgium]]
[[File:London_Chapter.PNG|250px|link=https://www.owasp.org/index.php/London]]

[[File:Aspectsecurity.png|250px|link=http://www.aspectsecurity.com]]
[[File:Astech_Consulting_logo.png|250px|link=http://www.astechconsulting.com/]]
[[File:Denim_Group_logo.jpg|250px|link=http://www.denimgroup.com/]]
[[File:Gotham_Digital_Science_logo.jpg|250px|link=http://www.gdssecurity.com/]]

{{MemberLinksv2|link=http://www.hpenterprisesecurity.com|logo=HP_Blue_RGB_150_SM.png|size=300px90px}}
[[File:NetSPI_logo.png|250px|link=http://www.netspi.com/]]
[[Image:PwC_logo_4colourprint_(2)_Resized_good_one.jpg|150px|link=http://www.pwc.com]]
[[File:SI_Logo_Stacked_Application_Security.jpg|250px|link=http://www.securityinnovation.com/]]
[[File:LogoToreon.jpg|250px|link=http://www.toreon.com]]
[[File:Veracode-samm.png|250px|link=http://www.veracode.com]]

__NOTOC__ <headertabs></headertabs>

<br />
{{OWASP Book|6888083}}
<br />

[[Category:OWASP Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP Release Quality Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]

OWASP SAMM Project

2017-07-05T01:15:15Z

Brianglas: /* Quick Download v1.1.1 */

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''OWASP SAMM v1.5 available in the downloads section!''' (Announcement Coming)

'''2017 OWASP SAMM Summit (12-16 JUNE 2017, London)'''
* Join our 2017 OWASP SAMM Summit near London as part of the [http://owaspsummit.org/ OWASP DevOps Security Summit].<br>
* We organize working sessions in a 5-day sprint to draft SAMM v2.0. Check out the working session details [http://owaspsummit.org/Working-Sessions/SAMM.html online]
* Register online [http://owaspsummit.org/new/buy-ticket.html here]
* Sponsor the SAMM Summit as Platinum or Gold [http://owaspsummit.org/new/sponsors.html sponsor]

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:
* '''Evaluate an organization’s existing software security practices'''
* '''Build a balanced software security assurance program in well-defined iterations'''
* '''Demonstrate concrete improvements to a security assurance program'''
* '''Define and measure security-related activities throughout an organization'''

''Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize.'', ('''Michael J. Craigue, Information Security & Compliance, Dell, Inc.''')

Follow OWASP SAMM on twitter: [https://twitter.com/owaspsamm @owaspsamm]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download v1.5 ==
[https://github.com/OWASP/samm/blob/master/v1.5/Final/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Quick_Start_V1-5_FINAL.pdf Quick Start Guide] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Toolbox Example] <br>
[https://github.com/OWASP/samm/ OWASP SAMM on GitHub]

== Quick Download v1.1.1 ==

[https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Core_V1-1-Final-1page.pdf SAMM Core Model]<br>
[https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_How_To_V1-1-Final-1page.pdf How-To Guide] <br>
[https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Quick_Start_V1-1-Final-1page.pdf Quick-Start Guide] <br>
[https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box]<br>
[https://github.com/OWASP/samm OWASP SAMM on GitHub]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_SAMM_Project#News News] and [https://www.owasp.org/index.php/OWASP_SAMM_Project#Talks Talks] tabs

== Change Log ==
* OWASP SAMM v1.5 Released! (Feb 28, 2017)
* OWASP SAMM v1.1 Released! ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

== Email List ==

Questions? Please ask on the [https://lists.owasp.org/mailman/listinfo/samm SAMM Mailing List]

== Project Leaders ==

[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] <br /> [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win] <br /> [https://www.owasp.org/index.php/User:Brianglas Brian Glas]

== Related Projects ==

*

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%" | [[File:Owasp-defenders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%" | [[File:Owasp-builders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Browse Online =
[[Image:OwaspSAMM.png|right]]

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

[[Image:SAMM-Overview.png|720px]]

===== Click on any badge to learn more =====

{| cellpadding="1"
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]
|-
| align="center" |'''Strategy & Metrics'''
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
|-
| align="center" |'''Policy & Compliance'''
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
|-
| align="center" |'''Education & Guidance'''
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]
|-
| align="center" |'''Threat Assessment'''
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
|-
| align="center" |'''Security Requirements'''
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
|-
| align="center" |'''Secure Architecture'''
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]
|-
| align="center" |'''Design Review'''
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
|-
| align="center" |'''Code Review'''
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
|-
| align="center" |'''Security Testing'''
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]
|-
| align="center" |'''Vulnerability Management'''
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
|-
| align="center" |'''Environment Hardening'''
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
|-
| align="center" |'''Operational Enablement'''
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
|-
|}

= Downloads =

The latest work in progress can be found on Github: https://github.com/OWASP/samm

Download SAMM v1.5
* [https://www.owasp.org/images/8/8d/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] Zip file containing all the v1.5 files below;
* [https://www.owasp.org/images/6/6f/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/3/30/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/1/18/SAMM_Quick_Start_V1-5_FINAL.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] to perform SAMM assessments and create SAMM roadmaps;
* [https://www.owasp.org/images/8/84/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Tool Box Example] to provide an example SAMM assessment;

Download SAMM v1.1
* [https://www.owasp.org/images/d/d8/OpenSAMM_Core_V1-1-Final.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/a/a7/OpenSAMM_How_To_V1-1-Final.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/3/3f/OpenSAMM_Quick_Start_V1-1-Final.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/b/b9/OpenSAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;

Download OpenSAMM v1.0:
* in [https://www.owasp.org/images/c/c0/SAMM-1.0.pdf English - PDF], [https://www.owasp.org/images/2/25/SAMM-1.0-en_US-0.3.xml.zip English - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-es_MX.pdf Spanish - PDF], [https://www.owasp.org/images/a/a1/SAMM-1.0-es_MX-0.3.xml.zip Spanish - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-ja_JP.pdf Japanese - PDF], not available as XML
* in [https://www.owasp.org/images/f/fd/SAMM-1.0-cn.pdf Chinese - PDF], not available as XML

Available resources to apply SAMM:
* Browse OWASP and other resources for SAMM Security practices: [[:Category:SAMM-Resources]]

Trainings:
* Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
** Slide deck download [https://www.owasp.org/images/d/df/OpenSAMM_Training_vFINAL.pptx here]
** Training description download [https://www.owasp.org/images/7/7c/Training_-_Bootstrap_and_improve_your_SDLC_with_OpenSAMM.docx here]

Assessments:
* SAMM v1.5 Toolbox
** Download the new v1.5 Toolbox with the updated scoring model [https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM v1.5 Toolbox]
* SAMM v1.1 RC1 toolbox
** download the latest toolbox, including the updated questions [https://github.com/OWASP/opensamm/blob/master/v1.1/OpenSAMM_Assessment_Toolbox_v1-1-RC.xlsx here]
* Assessment Interview Template by Nick Coblentz for SAMM V1.0
** This [https://www.owasp.org/images/c/cf/20090607-SAMMAssessmentInterviewTemplate-1.0.xls spreadsheet] breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.
* Roadmap Chart Template by Colin Watson for SAMM V1.0
** This [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.
* Assessment Worksheet by Christian Frichot for SAMM V1.0
** This is an easy-to-use [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.
* Project Plan Template by Jim Weiler for SAMM V1.0
** This is a [https://www.owasp.org/images/3/33/SAMMProject.zip project plan template] (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.

Mappings:
* BSIMM-6 mapping to SAMM activities:
** Spreadsheet download [https://github.com/OWASP/opensamm/tree/master/v1.1/mapping here]
** Presentation with start of analysis download [https://www.owasp.org/images/6/66/OpenSAMM_-_BSIMM-V_mapping.pptx here]
* BSIMM mapping to SAMM during the 2011 Summit:
** This [https://www.owasp.org/images/2/2e/20110301-OpenSAMM-BSIMM-Mapping.xlsx spreadsheet] contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).

Tools:
*Javascript visualization framework for SAMM on [https://github.com/qudosoft-labs/SAMMCharts github]

= Community =

[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Community | Community}}

</div>

= Summit =

[[Image:OwaspSAMM.png|right]]

In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016 >here<] !!

Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015 >here<] !!

Summit Notes:
* 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
* Summit outcome is described [http://www.opensamm.org/2015/04/opensamm-summit-dublin-outcome/ here]
''"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers."'' Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company

Previous workshop Notes:

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.

This is also an excellent opportunity to exchange experiences with your peers.

If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).
* The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available [https://docs.google.com/document/d/1tXqIovpSuFqycVYetdGSC2PiPygySymiLUhHT5yHR2M/edit here].

Previous workshop notes:
* The notes for the SAMM Workshop in New York on 21-Nov-2013 are available [https://docs.google.com/document/d/1PwoDVsWyhoWksBiLIRh8UOh-QCs8H7QMqrSUsS13WzU/edit here].
* The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available [https://docs.google.com/document/d/12mB7FkmhcI04YDZle_VD90n1xcENgNhAGqZkCAb6EkM/edit here].

= Talks =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
Upcoming talks featuring SAMM are listed here:

* OWASP DC - Software Assurance Maturity Model (SAMM) with Brian Glas! (2017-03-15)
* OWASP NoVA - SAMM 1.5, what's changed and how it impacts you (2017-03-16)
* InfoSec World - Software Assurance Maturity Model Evolutions (2017-04-03)

past talks:

* OWASP SAMM v1.5 Webinar - Brian Glas discussing the SAMM model and changes in v1.5 (watch - [https://www.youtube.com/watch?v=4pKdwRb8fTI youtube]) - 2017
* OWASP 24/7 - Seba Deleersnyder discussing the upcoming SAMM Summit (listen - [https://soundcloud.com/owasp-podcast/seba-deleersnyder-discusses-samm-software-assurance-maturity-model-summit-in-dublin-ireland here]) - 2015
* OWASP Germany Day 2014: Seba Deleersnyder: OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/f/fa/OpenSAMM_Best_Practices_Lessons_from_the_Trenches_-_Seba_Deleersnyder.pdf presentation]) - 2014
* AppSecEU14: Seba Deleersnyder & Bart De Win: OpenSAMM Best Practices: Lessons from the Trenches OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/6/6f/OpenSAMM_-_AppSecEU_2014_-_Seba-Bart_v20140528.pptx presentation], see [https://www.youtube.com/watch?v=qcCgeBeBLUg video]) - 2014
* AppSecEU13 - Hamburg: Seba Deleersnyder presenting a project update (download [https://www.owasp.org/images/3/32/OpenSAMM_-_Project_Status_-_Hamburg_2013.pdf presentation]) - 2013
* OWASP Europe Tour 2013 - Geneva: Seba Deleersnyder presenting OpenSAMM and the renewed project (download [https://www.owasp.org/images/c/cd/OpenSAMM_-_OWASP_Tour_13_Talk_-_Seba.pptx presentation]) - 2013
* AppSecEU11 - Athens: Colin Watson presenting SAMM Training (download [https://www.owasp.org/images/1/18/Owasp-training-samm-greece.pdf presentation]) - 2011
* AppSecEU09: Pravir Chandra presenting OpenSAMM v1.0 (download [https://www.owasp.org/images/4/49/AppSecEU09_OpenSAMM-1.0.ppt presentation]) - 2009
* Matt Bartoldus presentation on new SAMM project during OWASP London chapter (download [https://www.owasp.org/images/d/df/OpenSAMM.pdf presentation]) - 2009
* Pravir Chandra - first presentation discussing the next generation to the CLASP Project- a complete working of the details into a Software Assurance Maturity Model (SAMM). (download [https://www.owasp.org/images/2/2e/OWASP_CLASP_SAMM.ppt presentation]) - 2009

</div>

= News =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Latest News on SAMM
* OWASP SAMM v2.0 workshop at the OWASP Project Summit June 2017
* OWASP SAMM v1.5 Released!
* SAMM Summit 2016 read the [https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit wrap-up here]
* OWASP SAMM v1.1 Released! See the [http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release].
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

</div>

= Languages =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SAMM v1.0 is available in the following languages:'''

* English
* Spanish
* Japanese
* Chinese

Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the [https://www.owasp.org/images/c/cf/05_OWASP_LatamTur2011_OpenSAMM.pdf presentation].
Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download [https://www.owasp.org/images/f/fd/OpenSAMM-1.0-fr_FR.ppt here].

You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Updated roadmap:
Next 1.5 release, updated scoring:
* Clarification of maturity levels (syntactic changes to keep the text consistent)
* Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal.
* Show improvements with every activity introduced
* Adapt for the new scoring method
* Update questions for 4-tiers
* Review and where necessary clarify current questions
* Consider v1.1 remarks that were not withheld for the previous release
Targeted completion date: February 28, 2017

SAMM version 2.0
* Core model changed
* Visualisations + flavours for a few development methodologies
* Update quickstart guide, TB, HTG.
* Success metrics: How well does the model work: Linked to the benchmarking project.
Timing: Workshops as part of OWASP Project Summit June 2017

</div>
= Get Involved =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feedback==

Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:
* What do like?
* What don't you like?
* How can we make SAMM easier to use?
* How could SAMM be improved?

==Localization==

Are you fluent in another language? Can you help translate SAMM into that language?

You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!

</div>

= Project Sponsors =
[[Image:OwaspSAMM.png|right]]

<div style="font-size:120%;border:none;margin: 0;color:#000">

==SAMM Adopters==
Current list of [https://www.owasp.org/index.php/OpenSAMM_Adopters SAMM adopters]

SAMM is developed and maintained by a worldwide team of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM:

==== Acknowledgements ====
We would like to thank the following sponsors who donated funds to our project:

[[File:Belgium_Chapter.PNG|250px|link=https://www.owasp.org/index.php/Belgium]]
[[File:London_Chapter.PNG|250px|link=https://www.owasp.org/index.php/London]]

[[File:Aspectsecurity.png|250px|link=http://www.aspectsecurity.com]]
[[File:Astech_Consulting_logo.png|250px|link=http://www.astechconsulting.com/]]
[[File:Denim_Group_logo.jpg|250px|link=http://www.denimgroup.com/]]
[[File:Gotham_Digital_Science_logo.jpg|250px|link=http://www.gdssecurity.com/]]

{{MemberLinksv2|link=http://www.hpenterprisesecurity.com|logo=HP_Blue_RGB_150_SM.png|size=300px90px}}
[[File:NetSPI_logo.png|250px|link=http://www.netspi.com/]]
[[Image:PwC_logo_4colourprint_(2)_Resized_good_one.jpg|150px|link=http://www.pwc.com]]
[[File:SI_Logo_Stacked_Application_Security.jpg|250px|link=http://www.securityinnovation.com/]]
[[File:LogoToreon.jpg|250px|link=http://www.toreon.com]]
[[File:Veracode-samm.png|250px|link=http://www.veracode.com]]

__NOTOC__ <headertabs></headertabs>

<br />
{{OWASP Book|6888083}}
<br />

[[Category:OWASP Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP Release Quality Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]

OWASP SAMM Project

2017-07-05T01:12:48Z

Brianglas: /* Quick Download v1.5 */

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''OWASP SAMM v1.5 available in the downloads section!''' (Announcement Coming)

'''2017 OWASP SAMM Summit (12-16 JUNE 2017, London)'''
* Join our 2017 OWASP SAMM Summit near London as part of the [http://owaspsummit.org/ OWASP DevOps Security Summit].<br>
* We organize working sessions in a 5-day sprint to draft SAMM v2.0. Check out the working session details [http://owaspsummit.org/Working-Sessions/SAMM.html online]
* Register online [http://owaspsummit.org/new/buy-ticket.html here]
* Sponsor the SAMM Summit as Platinum or Gold [http://owaspsummit.org/new/sponsors.html sponsor]

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:
* '''Evaluate an organization’s existing software security practices'''
* '''Build a balanced software security assurance program in well-defined iterations'''
* '''Demonstrate concrete improvements to a security assurance program'''
* '''Define and measure security-related activities throughout an organization'''

''Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize.'', ('''Michael J. Craigue, Information Security & Compliance, Dell, Inc.''')

Follow OWASP SAMM on twitter: [https://twitter.com/owaspsamm @owaspsamm]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download v1.5 ==
[https://github.com/OWASP/samm/blob/master/v1.5/Final/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Quick_Start_V1-5_FINAL.pdf Quick Start Guide] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Toolbox Example] <br>
[https://github.com/OWASP/samm/ OWASP SAMM on GitHub]

== Quick Download v1.1.1 ==

[https://www.owasp.org/images/e/ec/SAMM_Core_V1-1-Final-1page.pdf SAMM Core Model]<br>
[https://www.owasp.org/images/2/2c/SAMM_How_To_V1-1-Final-1page.pdf How-To Guide] <br>
[https://www.owasp.org/images/8/89/SAMM_Quick_Start_V1-1-Final-1page.pdf Quick-Start Guide] <br>
[https://www.owasp.org/images/e/e3/OpenSAMM_Assessment_Toolbox_v1-1-1-Final.xlsx Updated SAMM Tool Box]<br>
[https://github.com/OWASP/samm OWASP SAMM on GitHub]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_SAMM_Project#News News] and [https://www.owasp.org/index.php/OWASP_SAMM_Project#Talks Talks] tabs

== Change Log ==
* OWASP SAMM v1.5 Released! (Feb 28, 2017)
* OWASP SAMM v1.1 Released! ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

== Email List ==

Questions? Please ask on the [https://lists.owasp.org/mailman/listinfo/samm SAMM Mailing List]

== Project Leaders ==

[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] <br /> [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win] <br /> [https://www.owasp.org/index.php/User:Brianglas Brian Glas]

== Related Projects ==

*

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%" | [[File:Owasp-defenders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%" | [[File:Owasp-builders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Browse Online =
[[Image:OwaspSAMM.png|right]]

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

[[Image:SAMM-Overview.png|720px]]

===== Click on any badge to learn more =====

{| cellpadding="1"
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]
|-
| align="center" |'''Strategy & Metrics'''
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
|-
| align="center" |'''Policy & Compliance'''
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
|-
| align="center" |'''Education & Guidance'''
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]
|-
| align="center" |'''Threat Assessment'''
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
|-
| align="center" |'''Security Requirements'''
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
|-
| align="center" |'''Secure Architecture'''
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]
|-
| align="center" |'''Design Review'''
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
|-
| align="center" |'''Code Review'''
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
|-
| align="center" |'''Security Testing'''
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]
|-
| align="center" |'''Vulnerability Management'''
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
|-
| align="center" |'''Environment Hardening'''
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
|-
| align="center" |'''Operational Enablement'''
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
|-
|}

= Downloads =

The latest work in progress can be found on Github: https://github.com/OWASP/samm

Download SAMM v1.5
* [https://www.owasp.org/images/8/8d/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] Zip file containing all the v1.5 files below;
* [https://www.owasp.org/images/6/6f/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/3/30/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/1/18/SAMM_Quick_Start_V1-5_FINAL.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] to perform SAMM assessments and create SAMM roadmaps;
* [https://www.owasp.org/images/8/84/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Tool Box Example] to provide an example SAMM assessment;

Download SAMM v1.1
* [https://www.owasp.org/images/d/d8/OpenSAMM_Core_V1-1-Final.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/a/a7/OpenSAMM_How_To_V1-1-Final.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/3/3f/OpenSAMM_Quick_Start_V1-1-Final.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/b/b9/OpenSAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;

Download OpenSAMM v1.0:
* in [https://www.owasp.org/images/c/c0/SAMM-1.0.pdf English - PDF], [https://www.owasp.org/images/2/25/SAMM-1.0-en_US-0.3.xml.zip English - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-es_MX.pdf Spanish - PDF], [https://www.owasp.org/images/a/a1/SAMM-1.0-es_MX-0.3.xml.zip Spanish - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-ja_JP.pdf Japanese - PDF], not available as XML
* in [https://www.owasp.org/images/f/fd/SAMM-1.0-cn.pdf Chinese - PDF], not available as XML

Available resources to apply SAMM:
* Browse OWASP and other resources for SAMM Security practices: [[:Category:SAMM-Resources]]

Trainings:
* Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
** Slide deck download [https://www.owasp.org/images/d/df/OpenSAMM_Training_vFINAL.pptx here]
** Training description download [https://www.owasp.org/images/7/7c/Training_-_Bootstrap_and_improve_your_SDLC_with_OpenSAMM.docx here]

Assessments:
* SAMM v1.5 Toolbox
** Download the new v1.5 Toolbox with the updated scoring model [https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM v1.5 Toolbox]
* SAMM v1.1 RC1 toolbox
** download the latest toolbox, including the updated questions [https://github.com/OWASP/opensamm/blob/master/v1.1/OpenSAMM_Assessment_Toolbox_v1-1-RC.xlsx here]
* Assessment Interview Template by Nick Coblentz for SAMM V1.0
** This [https://www.owasp.org/images/c/cf/20090607-SAMMAssessmentInterviewTemplate-1.0.xls spreadsheet] breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.
* Roadmap Chart Template by Colin Watson for SAMM V1.0
** This [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.
* Assessment Worksheet by Christian Frichot for SAMM V1.0
** This is an easy-to-use [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.
* Project Plan Template by Jim Weiler for SAMM V1.0
** This is a [https://www.owasp.org/images/3/33/SAMMProject.zip project plan template] (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.

Mappings:
* BSIMM-6 mapping to SAMM activities:
** Spreadsheet download [https://github.com/OWASP/opensamm/tree/master/v1.1/mapping here]
** Presentation with start of analysis download [https://www.owasp.org/images/6/66/OpenSAMM_-_BSIMM-V_mapping.pptx here]
* BSIMM mapping to SAMM during the 2011 Summit:
** This [https://www.owasp.org/images/2/2e/20110301-OpenSAMM-BSIMM-Mapping.xlsx spreadsheet] contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).

Tools:
*Javascript visualization framework for SAMM on [https://github.com/qudosoft-labs/SAMMCharts github]

= Community =

[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Community | Community}}

</div>

= Summit =

[[Image:OwaspSAMM.png|right]]

In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016 >here<] !!

Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015 >here<] !!

Summit Notes:
* 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
* Summit outcome is described [http://www.opensamm.org/2015/04/opensamm-summit-dublin-outcome/ here]
''"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers."'' Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company

Previous workshop Notes:

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.

This is also an excellent opportunity to exchange experiences with your peers.

If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).
* The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available [https://docs.google.com/document/d/1tXqIovpSuFqycVYetdGSC2PiPygySymiLUhHT5yHR2M/edit here].

Previous workshop notes:
* The notes for the SAMM Workshop in New York on 21-Nov-2013 are available [https://docs.google.com/document/d/1PwoDVsWyhoWksBiLIRh8UOh-QCs8H7QMqrSUsS13WzU/edit here].
* The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available [https://docs.google.com/document/d/12mB7FkmhcI04YDZle_VD90n1xcENgNhAGqZkCAb6EkM/edit here].

= Talks =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
Upcoming talks featuring SAMM are listed here:

* OWASP DC - Software Assurance Maturity Model (SAMM) with Brian Glas! (2017-03-15)
* OWASP NoVA - SAMM 1.5, what's changed and how it impacts you (2017-03-16)
* InfoSec World - Software Assurance Maturity Model Evolutions (2017-04-03)

past talks:

* OWASP SAMM v1.5 Webinar - Brian Glas discussing the SAMM model and changes in v1.5 (watch - [https://www.youtube.com/watch?v=4pKdwRb8fTI youtube]) - 2017
* OWASP 24/7 - Seba Deleersnyder discussing the upcoming SAMM Summit (listen - [https://soundcloud.com/owasp-podcast/seba-deleersnyder-discusses-samm-software-assurance-maturity-model-summit-in-dublin-ireland here]) - 2015
* OWASP Germany Day 2014: Seba Deleersnyder: OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/f/fa/OpenSAMM_Best_Practices_Lessons_from_the_Trenches_-_Seba_Deleersnyder.pdf presentation]) - 2014
* AppSecEU14: Seba Deleersnyder & Bart De Win: OpenSAMM Best Practices: Lessons from the Trenches OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/6/6f/OpenSAMM_-_AppSecEU_2014_-_Seba-Bart_v20140528.pptx presentation], see [https://www.youtube.com/watch?v=qcCgeBeBLUg video]) - 2014
* AppSecEU13 - Hamburg: Seba Deleersnyder presenting a project update (download [https://www.owasp.org/images/3/32/OpenSAMM_-_Project_Status_-_Hamburg_2013.pdf presentation]) - 2013
* OWASP Europe Tour 2013 - Geneva: Seba Deleersnyder presenting OpenSAMM and the renewed project (download [https://www.owasp.org/images/c/cd/OpenSAMM_-_OWASP_Tour_13_Talk_-_Seba.pptx presentation]) - 2013
* AppSecEU11 - Athens: Colin Watson presenting SAMM Training (download [https://www.owasp.org/images/1/18/Owasp-training-samm-greece.pdf presentation]) - 2011
* AppSecEU09: Pravir Chandra presenting OpenSAMM v1.0 (download [https://www.owasp.org/images/4/49/AppSecEU09_OpenSAMM-1.0.ppt presentation]) - 2009
* Matt Bartoldus presentation on new SAMM project during OWASP London chapter (download [https://www.owasp.org/images/d/df/OpenSAMM.pdf presentation]) - 2009
* Pravir Chandra - first presentation discussing the next generation to the CLASP Project- a complete working of the details into a Software Assurance Maturity Model (SAMM). (download [https://www.owasp.org/images/2/2e/OWASP_CLASP_SAMM.ppt presentation]) - 2009

</div>

= News =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Latest News on SAMM
* OWASP SAMM v2.0 workshop at the OWASP Project Summit June 2017
* OWASP SAMM v1.5 Released!
* SAMM Summit 2016 read the [https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit wrap-up here]
* OWASP SAMM v1.1 Released! See the [http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release].
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

</div>

= Languages =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SAMM v1.0 is available in the following languages:'''

* English
* Spanish
* Japanese
* Chinese

Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the [https://www.owasp.org/images/c/cf/05_OWASP_LatamTur2011_OpenSAMM.pdf presentation].
Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download [https://www.owasp.org/images/f/fd/OpenSAMM-1.0-fr_FR.ppt here].

You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Updated roadmap:
Next 1.5 release, updated scoring:
* Clarification of maturity levels (syntactic changes to keep the text consistent)
* Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal.
* Show improvements with every activity introduced
* Adapt for the new scoring method
* Update questions for 4-tiers
* Review and where necessary clarify current questions
* Consider v1.1 remarks that were not withheld for the previous release
Targeted completion date: February 28, 2017

SAMM version 2.0
* Core model changed
* Visualisations + flavours for a few development methodologies
* Update quickstart guide, TB, HTG.
* Success metrics: How well does the model work: Linked to the benchmarking project.
Timing: Workshops as part of OWASP Project Summit June 2017

</div>
= Get Involved =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feedback==

Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:
* What do like?
* What don't you like?
* How can we make SAMM easier to use?
* How could SAMM be improved?

==Localization==

Are you fluent in another language? Can you help translate SAMM into that language?

You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!

</div>

= Project Sponsors =
[[Image:OwaspSAMM.png|right]]

<div style="font-size:120%;border:none;margin: 0;color:#000">

==SAMM Adopters==
Current list of [https://www.owasp.org/index.php/OpenSAMM_Adopters SAMM adopters]

SAMM is developed and maintained by a worldwide team of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM:

==== Acknowledgements ====
We would like to thank the following sponsors who donated funds to our project:

[[File:Belgium_Chapter.PNG|250px|link=https://www.owasp.org/index.php/Belgium]]
[[File:London_Chapter.PNG|250px|link=https://www.owasp.org/index.php/London]]

[[File:Aspectsecurity.png|250px|link=http://www.aspectsecurity.com]]
[[File:Astech_Consulting_logo.png|250px|link=http://www.astechconsulting.com/]]
[[File:Denim_Group_logo.jpg|250px|link=http://www.denimgroup.com/]]
[[File:Gotham_Digital_Science_logo.jpg|250px|link=http://www.gdssecurity.com/]]

{{MemberLinksv2|link=http://www.hpenterprisesecurity.com|logo=HP_Blue_RGB_150_SM.png|size=300px90px}}
[[File:NetSPI_logo.png|250px|link=http://www.netspi.com/]]
[[Image:PwC_logo_4colourprint_(2)_Resized_good_one.jpg|150px|link=http://www.pwc.com]]
[[File:SI_Logo_Stacked_Application_Security.jpg|250px|link=http://www.securityinnovation.com/]]
[[File:LogoToreon.jpg|250px|link=http://www.toreon.com]]
[[File:Veracode-samm.png|250px|link=http://www.veracode.com]]

__NOTOC__ <headertabs></headertabs>

<br />
{{OWASP Book|6888083}}
<br />

[[Category:OWASP Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP Release Quality Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]

OWASP SAMM Project

2017-03-01T21:14:30Z

Brianglas:

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''OWASP SAMM v1.5 available in the downloads section!''' (Announcement Coming)

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:
* '''Evaluate an organization’s existing software security practices'''
* '''Build a balanced software security assurance program in well-defined iterations'''
* '''Demonstrate concrete improvements to a security assurance program'''
* '''Define and measure security-related activities throughout an organization'''

''Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize.'', ('''Michael J. Craigue, Information Security & Compliance, Dell, Inc.''')

Follow OWASP SAMM on twitter: [https://twitter.com/owaspsamm @owaspsamm]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download v1.5 ==
[https://www.owasp.org/images/8/8d/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] <br>
[https://www.owasp.org/images/6/6f/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] <br>
[https://www.owasp.org/images/3/30/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] <br>
[https://www.owasp.org/images/1/18/SAMM_Quick_Start_V1-5_FINAL.pdf Quick Start Guide] <br>
[https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] <br>
[https://www.owasp.org/images/8/84/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Toolbox Example] <br>
[https://github.com/OWASP/samm/ OWASP SAMM on GitHub]

== Quick Download v1.1.1 ==

[https://www.owasp.org/images/e/ec/SAMM_Core_V1-1-Final-1page.pdf SAMM Core Model]<br>
[https://www.owasp.org/images/2/2c/SAMM_How_To_V1-1-Final-1page.pdf How-To Guide] <br>
[https://www.owasp.org/images/8/89/SAMM_Quick_Start_V1-1-Final-1page.pdf Quick-Start Guide] <br>
[https://www.owasp.org/images/e/e3/OpenSAMM_Assessment_Toolbox_v1-1-1-Final.xlsx Updated SAMM Tool Box]<br>
[https://github.com/OWASP/samm OWASP SAMM on GitHub]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_SAMM_Project#News News] and [https://www.owasp.org/index.php/OWASP_SAMM_Project#Talks Talks] tabs

== Change Log ==
* OWASP SAMM v1.5 Released! (Feb 28, 2017)
* OWASP SAMM v1.1 Released! ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

== Email List ==

Questions? Please ask on the [https://lists.owasp.org/mailman/listinfo/samm SAMM Mailing List]

== Project Leaders ==

[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] <br/> [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win] <br/> [https://www.owasp.org/index.php/User:Brianglas Brian Glas]

== Related Projects ==

*

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Browse Online =
[[Image:OwaspSAMM.png|right]]

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

[[Image:SAMM-Overview.png|720px]]

===== Click on any badge to learn more =====

{| cellpadding="1"
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]
|-
|align="center"|'''Strategy & Metrics'''
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
|-
|align="center"|'''Policy & Compliance'''
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
|-
|align="center"|'''Education & Guidance'''
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]
|-
|align="center"|'''Threat Assessment'''
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
|-
|align="center"|'''Security Requirements'''
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
|-
|align="center"|'''Secure Architecture'''
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]
|-
|align="center"|'''Design Review'''
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
|-
|align="center"|'''Code Review'''
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
|-
|align="center"|'''Security Testing'''
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]
|-
|align="center"|'''Vulnerability Management'''
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
|-
|align="center"|'''Environment Hardening'''
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
|-
|align="center"|'''Operational Enablement'''
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
|-
|}

= Downloads =

The latest work in progress can be found on Github: https://github.com/OWASP/samm

Download SAMM v1.5
* [https://www.owasp.org/images/8/8d/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] Zip file containing all the v1.5 files below;
* [https://www.owasp.org/images/6/6f/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/3/30/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/1/18/SAMM_Quick_Start_V1-5_FINAL.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] to perform SAMM assessments and create SAMM roadmaps;
* [https://www.owasp.org/images/8/84/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Tool Box Example] to provide an example SAMM assessment;

Download SAMM v1.1
* [https://www.owasp.org/images/d/d8/OpenSAMM_Core_V1-1-Final.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/a/a7/OpenSAMM_How_To_V1-1-Final.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/3/3f/OpenSAMM_Quick_Start_V1-1-Final.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/b/b9/OpenSAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;

Download OpenSAMM v1.0:
* in [https://www.owasp.org/images/c/c0/SAMM-1.0.pdf English - PDF], [https://www.owasp.org/images/2/25/SAMM-1.0-en_US-0.3.xml.zip English - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-es_MX.pdf Spanish - PDF], [https://www.owasp.org/images/a/a1/SAMM-1.0-es_MX-0.3.xml.zip Spanish - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-ja_JP.pdf Japanese - PDF], not available as XML

Available resources to apply SAMM:
* Browse OWASP and other resources for SAMM Security practices: [[:Category:SAMM-Resources]]

Trainings:
* Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
** Slide deck download [https://www.owasp.org/images/d/df/OpenSAMM_Training_vFINAL.pptx here]
** Training description download [https://www.owasp.org/images/7/7c/Training_-_Bootstrap_and_improve_your_SDLC_with_OpenSAMM.docx here]

Assessments:
* SAMM v1.5 Toolbox
** Download the new v1.5 Toolbox with the updated scoring model [https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM v1.5 Toolbox]
* SAMM v1.1 RC1 toolbox
** download the latest toolbox, including the updated questions [https://github.com/OWASP/opensamm/blob/master/v1.1/OpenSAMM_Assessment_Toolbox_v1-1-RC.xlsx here]
* Assessment Interview Template by Nick Coblentz for SAMM V1.0
** This [https://www.owasp.org/images/c/cf/20090607-SAMMAssessmentInterviewTemplate-1.0.xls spreadsheet] breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.
* Roadmap Chart Template by Colin Watson for SAMM V1.0
** This [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.
* Assessment Worksheet by Christian Frichot for SAMM V1.0
** This is an easy-to-use [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.
* Project Plan Template by Jim Weiler for SAMM V1.0
** This is a [https://www.owasp.org/images/3/33/SAMMProject.zip project plan template] (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.

Mappings:
* BSIMM-6 mapping to SAMM activities:
** Spreadsheet download [https://github.com/OWASP/opensamm/tree/master/v1.1/mapping here]
** Presentation with start of analysis download [https://www.owasp.org/images/6/66/OpenSAMM_-_BSIMM-V_mapping.pptx here]
* BSIMM mapping to SAMM during the 2011 Summit:
** This [https://www.owasp.org/images/2/2e/20110301-OpenSAMM-BSIMM-Mapping.xlsx spreadsheet] contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).

Tools:
*Javascript visualization framework for SAMM on [https://github.com/qudosoft-labs/SAMMCharts github]

= Community =

[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Community | Community}}

</div>

= Summit =

[[Image:OwaspSAMM.png|right]]

In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016 >here<] !!

Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015 >here<] !!

Summit Notes:
* 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
* Summit outcome is described [http://www.opensamm.org/2015/04/opensamm-summit-dublin-outcome/ here]
''"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers."'' Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company

Previous workshop Notes:

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.

This is also an excellent opportunity to exchange experiences with your peers.

If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).
* The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available [https://docs.google.com/document/d/1tXqIovpSuFqycVYetdGSC2PiPygySymiLUhHT5yHR2M/edit here].

Previous workshop notes:
* The notes for the SAMM Workshop in New York on 21-Nov-2013 are available [https://docs.google.com/document/d/1PwoDVsWyhoWksBiLIRh8UOh-QCs8H7QMqrSUsS13WzU/edit here].
* The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available [https://docs.google.com/document/d/12mB7FkmhcI04YDZle_VD90n1xcENgNhAGqZkCAb6EkM/edit here].

= Talks =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
Upcoming talks featuring SAMM are listed here:

* OWASP DC - Software Assurance Maturity Model (SAMM) with Brian Glas! (2017-03-15)
* OWASP NoVA - SAMM 1.5, what's changed and how it impacts you (2017-03-16)
* InfoSec World - Software Assurance Maturity Model Evolutions (2017-04-03)

past talks:

* OWASP SAMM v1.5 Webinar - Brian Glas discussing the SAMM model and changes in v1.5 (watch - [https://www.youtube.com/watch?v=4pKdwRb8fTI youtube]) - 2017
* OWASP 24/7 - Seba Deleersnyder discussing the upcoming SAMM Summit (listen - [https://soundcloud.com/owasp-podcast/seba-deleersnyder-discusses-samm-software-assurance-maturity-model-summit-in-dublin-ireland here]) - 2015
* OWASP Germany Day 2014: Seba Deleersnyder: OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/f/fa/OpenSAMM_Best_Practices_Lessons_from_the_Trenches_-_Seba_Deleersnyder.pdf presentation]) - 2014
* AppSecEU14: Seba Deleersnyder & Bart De Win: OpenSAMM Best Practices: Lessons from the Trenches OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/6/6f/OpenSAMM_-_AppSecEU_2014_-_Seba-Bart_v20140528.pptx presentation], see [https://www.youtube.com/watch?v=qcCgeBeBLUg video]) - 2014
* AppSecEU13 - Hamburg: Seba Deleersnyder presenting a project update (download [https://www.owasp.org/images/3/32/OpenSAMM_-_Project_Status_-_Hamburg_2013.pdf presentation]) - 2013
* OWASP Europe Tour 2013 - Geneva: Seba Deleersnyder presenting OpenSAMM and the renewed project (download [https://www.owasp.org/images/c/cd/OpenSAMM_-_OWASP_Tour_13_Talk_-_Seba.pptx presentation]) - 2013
* AppSecEU11 - Athens: Colin Watson presenting SAMM Training (download [https://www.owasp.org/images/1/18/Owasp-training-samm-greece.pdf presentation]) - 2011
* AppSecEU09: Pravir Chandra presenting OpenSAMM v1.0 (download [https://www.owasp.org/images/4/49/AppSecEU09_OpenSAMM-1.0.ppt presentation]) - 2009
* Matt Bartoldus presentation on new SAMM project during OWASP London chapter (download [https://www.owasp.org/images/d/df/OpenSAMM.pdf presentation]) - 2009
* Pravir Chandra - first presentation discussing the next generation to the CLASP Project- a complete working of the details into a Software Assurance Maturity Model (SAMM). (download [https://www.owasp.org/images/2/2e/OWASP_CLASP_SAMM.ppt presentation]) - 2009

</div>

= News =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Latest News on SAMM
* OWASP SAMM v2.0 workshop at the OWASP Project Summit June 2017
* OWASP SAMM v1.5 Released!
* SAMM Summit 2016 read the [https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit wrap-up here]
* OWASP SAMM v1.1 Released! See the [http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release].
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

</div>

= Languages =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SAMM v1.0 is available in the following languages:'''

* English
* Spanish
* Japanese

Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the [https://www.owasp.org/images/c/cf/05_OWASP_LatamTur2011_OpenSAMM.pdf presentation].
Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download [https://www.owasp.org/images/f/fd/OpenSAMM-1.0-fr_FR.ppt here].

You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Updated roadmap:
Next 1.5 release, updated scoring:
* Clarification of maturity levels (syntactic changes to keep the text consistent)
* Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal.
* Show improvements with every activity introduced
* Adapt for the new scoring method
* Update questions for 4-tiers
* Review and where necessary clarify current questions
* Consider v1.1 remarks that were not withheld for the previous release
Targeted completion date: February 28, 2017

SAMM version 2.0
* Core model changed
* Visualisations + flavours for a few development methodologies
* Update quickstart guide, TB, HTG.
* Success metrics: How well does the model work: Linked to the benchmarking project.
Timing: Workshops as part of OWASP Project Summit June 2017

</div>
= Get Involved =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feedback==

Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:
* What do like?
* What don't you like?
* How can we make SAMM easier to use?
* How could SAMM be improved?

==Localization==

Are you fluent in another language? Can you help translate SAMM into that language?

You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!

</div>

= Project Sponsors =
[[Image:OwaspSAMM.png|right]]

<div style="font-size:120%;border:none;margin: 0;color:#000">

==SAMM Adopters==
Current list of [https://www.owasp.org/index.php/OpenSAMM_Adopters SAMM adopters]

SAMM is developed and maintained by a worldwide team of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM:

==== Acknowledgements ====
We would like to thank the following sponsors who donated funds to our project:

[[File:Belgium_Chapter.PNG|250px|link=https://www.owasp.org/index.php/Belgium]]
[[File:London_Chapter.PNG|250px|link=https://www.owasp.org/index.php/London]]

[[File:Aspectsecurity.png|250px|link=http://www.aspectsecurity.com]]
[[File:Astech_Consulting_logo.png|250px|link=http://www.astechconsulting.com/]]
[[File:Denim_Group_logo.jpg|250px|link=http://www.denimgroup.com/]]
[[File:Gotham_Digital_Science_logo.jpg|250px|link=http://www.gdssecurity.com/]]

{{MemberLinksv2|link=http://www.hpenterprisesecurity.com|logo=HP_Blue_RGB_150_SM.png|size=300px90px}}
[[File:NetSPI_logo.png|250px|link=http://www.netspi.com/]]
[[Image:PwC_logo_4colourprint_(2)_Resized_good_one.jpg|150px|link=http://www.pwc.com]]
[[File:SI_Logo_Stacked_Application_Security.jpg|250px|link=http://www.securityinnovation.com/]]
[[File:LogoToreon.jpg|250px|link=http://www.toreon.com]]
[[File:Veracode-samm.png|250px|link=http://www.veracode.com]]

__NOTOC__ <headertabs />

<br/>
{{OWASP Book|6888083}}
<br/>

[[Category:OWASP_Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]

OWASP SAMM Project

2017-03-01T21:12:03Z

Brianglas:

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''OWASP SAMM v1.5 available in the downloads section!''' (Announcement Coming)

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:
* '''Evaluate an organization’s existing software security practices'''
* '''Build a balanced software security assurance program in well-defined iterations'''
* '''Demonstrate concrete improvements to a security assurance program'''
* '''Define and measure security-related activities throughout an organization'''

''Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize.'', ('''Michael J. Craigue, Information Security & Compliance, Dell, Inc.''')

Follow OWASP SAMM on twitter: [https://twitter.com/owaspsamm @owaspsamm]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download v1.5 ==
[https://www.owasp.org/images/8/8d/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] <br>
[https://www.owasp.org/images/6/6f/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] <br>
[https://www.owasp.org/images/3/30/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] <br>
[https://www.owasp.org/images/1/18/SAMM_Quick_Start_V1-5_FINAL.pdf Quick Start Guide] <br>
[https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] <br>
[https://www.owasp.org/images/8/84/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Toolbox Example] <br>
[https://github.com/OWASP/samm/ OWASP SAMM on GitHub]

== Quick Download v1.1.1 ==

[https://www.owasp.org/images/e/ec/SAMM_Core_V1-1-Final-1page.pdf SAMM Core Model]<br>
[https://www.owasp.org/images/2/2c/SAMM_How_To_V1-1-Final-1page.pdf How-To Guide] <br>
[https://www.owasp.org/images/8/89/SAMM_Quick_Start_V1-1-Final-1page.pdf Quick-Start Guide] <br>
[https://www.owasp.org/images/e/e3/OpenSAMM_Assessment_Toolbox_v1-1-1-Final.xlsx Updated SAMM Tool Box]<br>
[https://github.com/OWASP/samm OWASP SAMM on GitHub]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_SAMM_Project#News News] and [https://www.owasp.org/index.php/OWASP_SAMM_Project#Talks Talks] tabs

== Change Log ==
* OWASP SAMM v1.5 Released! (Feb 28, 2017)
* OWASP SAMM v1.1 Released! ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

== Email List ==

Questions? Please ask on the [https://lists.owasp.org/mailman/listinfo/samm SAMM Mailing List]

== Project Leaders ==

[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] <br/> [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win] <br/> [https://www.owasp.org/index.php/User:Brianglas Brian Glas]

== Related Projects ==

*

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Browse Online =
[[Image:OwaspSAMM.png|right]]

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

[[Image:SAMM-Overview.png|720px]]

===== Click on any badge to learn more =====

{| cellpadding="1"
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]
|-
|align="center"|'''Strategy & Metrics'''
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
|-
|align="center"|'''Policy & Compliance'''
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
|-
|align="center"|'''Education & Guidance'''
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]
|-
|align="center"|'''Threat Assessment'''
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
|-
|align="center"|'''Security Requirements'''
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
|-
|align="center"|'''Secure Architecture'''
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]
|-
|align="center"|'''Design Review'''
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
|-
|align="center"|'''Code Review'''
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
|-
|align="center"|'''Security Testing'''
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]
|-
|align="center"|'''Vulnerability Management'''
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
|-
|align="center"|'''Environment Hardening'''
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
|-
|align="center"|'''Operational Enablement'''
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
|-
|}

= Downloads =

The latest work in progress can be found on Github: https://github.com/OWASP/samm

Download SAMM v1.5
* [https://www.owasp.org/images/8/8d/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] Zip file containing all the v1.5 files below;
* [https://www.owasp.org/images/6/6f/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/3/30/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/1/18/SAMM_Quick_Start_V1-5_FINAL.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] to perform SAMM assessments and create SAMM roadmaps;
* [https://www.owasp.org/images/8/84/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Tool Box Example] to provide an example SAMM assessment;

Download SAMM v1.1
* [https://www.owasp.org/images/d/d8/OpenSAMM_Core_V1-1-Final.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/a/a7/OpenSAMM_How_To_V1-1-Final.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/3/3f/OpenSAMM_Quick_Start_V1-1-Final.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/b/b9/OpenSAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;

Download OpenSAMM v1.0:
* in [https://www.owasp.org/images/c/c0/SAMM-1.0.pdf English - PDF], [https://www.owasp.org/images/2/25/SAMM-1.0-en_US-0.3.xml.zip English - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-es_MX.pdf Spanish - PDF], [https://www.owasp.org/images/a/a1/SAMM-1.0-es_MX-0.3.xml.zip Spanish - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-ja_JP.pdf Japanese - PDF], not available as XML

Available resources to apply SAMM:
* Browse OWASP and other resources for SAMM Security practices: [[:Category:SAMM-Resources]]

Trainings:
* Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
** Slide deck download [https://www.owasp.org/images/d/df/OpenSAMM_Training_vFINAL.pptx here]
** Training description download [https://www.owasp.org/images/7/7c/Training_-_Bootstrap_and_improve_your_SDLC_with_OpenSAMM.docx here]

Assessments:
* SAMM v1.5 Toolbox
** Download the new v1.5 Toolbox with the updated scoring model [https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM v1.5 Toolbox]
* SAMM v1.1 RC1 toolbox
** download the latest toolbox, including the updated questions [https://github.com/OWASP/opensamm/blob/master/v1.1/OpenSAMM_Assessment_Toolbox_v1-1-RC.xlsx here]
* Assessment Interview Template by Nick Coblentz for SAMM V1.0
** This [https://www.owasp.org/images/c/cf/20090607-SAMMAssessmentInterviewTemplate-1.0.xls spreadsheet] breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.
* Roadmap Chart Template by Colin Watson for SAMM V1.0
** This [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.
* Assessment Worksheet by Christian Frichot for SAMM V1.0
** This is an easy-to-use [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.
* Project Plan Template by Jim Weiler for SAMM V1.0
** This is a [https://www.owasp.org/images/3/33/SAMMProject.zip project plan template] (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.

Mappings:
* BSIMM-6 mapping to SAMM activities:
** Spreadsheet download [https://github.com/OWASP/opensamm/tree/master/v1.1/mapping here]
** Presentation with start of analysis download [https://www.owasp.org/images/6/66/OpenSAMM_-_BSIMM-V_mapping.pptx here]
* BSIMM mapping to SAMM during the 2011 Summit:
** This [https://www.owasp.org/images/2/2e/20110301-OpenSAMM-BSIMM-Mapping.xlsx spreadsheet] contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).

Tools:
*Javascript visualization framework for SAMM on [https://github.com/qudosoft-labs/SAMMCharts github]

= Community =

[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Community | Community}}

</div>

= Summit =

[[Image:OwaspSAMM.png|right]]

In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016 >here<] !!

Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015 >here<] !!

Summit Notes:
* 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
* Summit outcome is described [http://www.opensamm.org/2015/04/opensamm-summit-dublin-outcome/ here]
''"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers."'' Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company

Previous workshop Notes:

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.

This is also an excellent opportunity to exchange experiences with your peers.

If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).
* The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available [https://docs.google.com/document/d/1tXqIovpSuFqycVYetdGSC2PiPygySymiLUhHT5yHR2M/edit here].

Previous workshop notes:
* The notes for the SAMM Workshop in New York on 21-Nov-2013 are available [https://docs.google.com/document/d/1PwoDVsWyhoWksBiLIRh8UOh-QCs8H7QMqrSUsS13WzU/edit here].
* The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available [https://docs.google.com/document/d/12mB7FkmhcI04YDZle_VD90n1xcENgNhAGqZkCAb6EkM/edit here].

= Talks =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
Upcoming talks featuring SAMM are listed here:

* OWASP DC - Software Assurance Maturity Model (SAMM) with Brian Glas! (2017-03-15)
* OWASP NoVA - SAMM 1.5, what's changed and how it impacts you (2017-03-16)
* InfoSec World - Software Assurance Maturity Model Evolutions (2017-04-03)

past talks:

* OWASP SAMM v1.5 Webinar - Brian Glas discussing the SAMM model and changes in v1.5 ([https://www.youtube.com/watch?v=4pKdwRb8fTI youtube]) - 2017
* OWASP 24/7 - Seba Deleersnyder discussing the upcoming SAMM Summit (listen - [https://soundcloud.com/owasp-podcast/seba-deleersnyder-discusses-samm-software-assurance-maturity-model-summit-in-dublin-ireland here]) - 2015
* OWASP Germany Day 2014: Seba Deleersnyder: OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/f/fa/OpenSAMM_Best_Practices_Lessons_from_the_Trenches_-_Seba_Deleersnyder.pdf presentation]) - 2014
* AppSecEU14: Seba Deleersnyder & Bart De Win: OpenSAMM Best Practices: Lessons from the Trenches OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/6/6f/OpenSAMM_-_AppSecEU_2014_-_Seba-Bart_v20140528.pptx presentation], see [https://www.youtube.com/watch?v=qcCgeBeBLUg video]) - 2014
* AppSecEU13 - Hamburg: Seba Deleersnyder presenting a project update (download [https://www.owasp.org/images/3/32/OpenSAMM_-_Project_Status_-_Hamburg_2013.pdf presentation]) - 2013
* OWASP Europe Tour 2013 - Geneva: Seba Deleersnyder presenting OpenSAMM and the renewed project (download [https://www.owasp.org/images/c/cd/OpenSAMM_-_OWASP_Tour_13_Talk_-_Seba.pptx presentation]) - 2013
* AppSecEU11 - Athens: Colin Watson presenting SAMM Training (download [https://www.owasp.org/images/1/18/Owasp-training-samm-greece.pdf presentation]) - 2011
* AppSecEU09: Pravir Chandra presenting OpenSAMM v1.0 (download [https://www.owasp.org/images/4/49/AppSecEU09_OpenSAMM-1.0.ppt presentation]) - 2009
* Matt Bartoldus presentation on new SAMM project during OWASP London chapter (download [https://www.owasp.org/images/d/df/OpenSAMM.pdf presentation]) - 2009
* Pravir Chandra - first presentation discussing the next generation to the CLASP Project- a complete working of the details into a Software Assurance Maturity Model (SAMM). (download [https://www.owasp.org/images/2/2e/OWASP_CLASP_SAMM.ppt presentation]) - 2009

</div>

= News =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Latest News on SAMM
* OWASP SAMM v2.0 workshop at the OWASP Project Summit June 2017
* OWASP SAMM v1.5 Released!
* SAMM Summit 2016 read the [https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit wrap-up here]
* OWASP SAMM v1.1 Released! See the [http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release].
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

</div>

= Languages =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SAMM v1.0 is available in the following languages:'''

* English
* Spanish
* Japanese

Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the [https://www.owasp.org/images/c/cf/05_OWASP_LatamTur2011_OpenSAMM.pdf presentation].
Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download [https://www.owasp.org/images/f/fd/OpenSAMM-1.0-fr_FR.ppt here].

You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Updated roadmap:
Next 1.5 release, updated scoring:
* Clarification of maturity levels (syntactic changes to keep the text consistent)
* Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal.
* Show improvements with every activity introduced
* Adapt for the new scoring method
* Update questions for 4-tiers
* Review and where necessary clarify current questions
* Consider v1.1 remarks that were not withheld for the previous release
Targeted completion date: February 28, 2017

SAMM version 2.0
* Core model changed
* Visualisations + flavours for a few development methodologies
* Update quickstart guide, TB, HTG.
* Success metrics: How well does the model work: Linked to the benchmarking project.
Timing: Workshops as part of OWASP Project Summit June 2017

</div>
= Get Involved =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feedback==

Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:
* What do like?
* What don't you like?
* How can we make SAMM easier to use?
* How could SAMM be improved?

==Localization==

Are you fluent in another language? Can you help translate SAMM into that language?

You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!

</div>

= Project Sponsors =
[[Image:OwaspSAMM.png|right]]

<div style="font-size:120%;border:none;margin: 0;color:#000">

==SAMM Adopters==
Current list of [https://www.owasp.org/index.php/OpenSAMM_Adopters SAMM adopters]

SAMM is developed and maintained by a worldwide team of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM:

==== Acknowledgements ====
We would like to thank the following sponsors who donated funds to our project:

[[File:Belgium_Chapter.PNG|250px|link=https://www.owasp.org/index.php/Belgium]]
[[File:London_Chapter.PNG|250px|link=https://www.owasp.org/index.php/London]]

[[File:Aspectsecurity.png|250px|link=http://www.aspectsecurity.com]]
[[File:Astech_Consulting_logo.png|250px|link=http://www.astechconsulting.com/]]
[[File:Denim_Group_logo.jpg|250px|link=http://www.denimgroup.com/]]
[[File:Gotham_Digital_Science_logo.jpg|250px|link=http://www.gdssecurity.com/]]

{{MemberLinksv2|link=http://www.hpenterprisesecurity.com|logo=HP_Blue_RGB_150_SM.png|size=300px90px}}
[[File:NetSPI_logo.png|250px|link=http://www.netspi.com/]]
[[Image:PwC_logo_4colourprint_(2)_Resized_good_one.jpg|150px|link=http://www.pwc.com]]
[[File:SI_Logo_Stacked_Application_Security.jpg|250px|link=http://www.securityinnovation.com/]]
[[File:LogoToreon.jpg|250px|link=http://www.toreon.com]]
[[File:Veracode-samm.png|250px|link=http://www.veracode.com]]

__NOTOC__ <headertabs />

<br/>
{{OWASP Book|6888083}}
<br/>

[[Category:OWASP_Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]

OWASP SAMM Project

2017-03-01T21:11:10Z

Brianglas:

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''OWASP SAMM v1.5 available in the downloads section!''' (Announcement Coming)

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:
* '''Evaluate an organization’s existing software security practices'''
* '''Build a balanced software security assurance program in well-defined iterations'''
* '''Demonstrate concrete improvements to a security assurance program'''
* '''Define and measure security-related activities throughout an organization'''

''Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize.'', ('''Michael J. Craigue, Information Security & Compliance, Dell, Inc.''')

Follow OWASP SAMM on twitter: [https://twitter.com/owaspsamm @owaspsamm]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download v1.5 ==
[https://www.owasp.org/images/8/8d/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] <br>
[https://www.owasp.org/images/6/6f/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] <br>
[https://www.owasp.org/images/3/30/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] <br>
[https://www.owasp.org/images/1/18/SAMM_Quick_Start_V1-5_FINAL.pdf Quick Start Guide] <br>
[https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] <br>
[https://www.owasp.org/images/8/84/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Toolbox Example] <br>
[https://github.com/OWASP/samm/ OWASP SAMM on GitHub]

== Quick Download v1.1.1 ==

[https://www.owasp.org/images/e/ec/SAMM_Core_V1-1-Final-1page.pdf SAMM Core Model]<br>
[https://www.owasp.org/images/2/2c/SAMM_How_To_V1-1-Final-1page.pdf How-To Guide] <br>
[https://www.owasp.org/images/8/89/SAMM_Quick_Start_V1-1-Final-1page.pdf Quick-Start Guide] <br>
[https://www.owasp.org/images/e/e3/OpenSAMM_Assessment_Toolbox_v1-1-1-Final.xlsx Updated SAMM Tool Box]<br>
[https://github.com/OWASP/samm OWASP SAMM on GitHub]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_SAMM_Project#News News] and [https://www.owasp.org/index.php/OWASP_SAMM_Project#Talks Talks] tabs

== Change Log ==
* OWASP SAMM v1.5 Released! (Feb 28, 2017)
* OWASP SAMM v1.1 Released! ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

== Email List ==

Questions? Please ask on the [https://lists.owasp.org/mailman/listinfo/samm SAMM Mailing List]

== Project Leaders ==

[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] <br/> [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win] <br/> [https://www.owasp.org/index.php/User:Brianglas Brian Glas]

== Related Projects ==

*

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Browse Online =
[[Image:OwaspSAMM.png|right]]

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

[[Image:SAMM-Overview.png|720px]]

===== Click on any badge to learn more =====

{| cellpadding="1"
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]
|-
|align="center"|'''Strategy & Metrics'''
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
|-
|align="center"|'''Policy & Compliance'''
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
|-
|align="center"|'''Education & Guidance'''
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]
|-
|align="center"|'''Threat Assessment'''
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
|-
|align="center"|'''Security Requirements'''
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
|-
|align="center"|'''Secure Architecture'''
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]
|-
|align="center"|'''Design Review'''
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
|-
|align="center"|'''Code Review'''
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
|-
|align="center"|'''Security Testing'''
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]
|-
|align="center"|'''Vulnerability Management'''
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
|-
|align="center"|'''Environment Hardening'''
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
|-
|align="center"|'''Operational Enablement'''
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
|-
|}

= Downloads =

The latest work in progress can be found on Github: https://github.com/OWASP/samm

Download SAMM v1.5
* [https://www.owasp.org/images/8/8d/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] Zip file containing all the v1.5 files below;
* [https://www.owasp.org/images/6/6f/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/3/30/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/1/18/SAMM_Quick_Start_V1-5_FINAL.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] to perform SAMM assessments and create SAMM roadmaps;
* [https://www.owasp.org/images/8/84/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Tool Box Example] to provide an example SAMM assessment;

Download SAMM v1.1
* [https://www.owasp.org/images/d/d8/OpenSAMM_Core_V1-1-Final.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/a/a7/OpenSAMM_How_To_V1-1-Final.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/3/3f/OpenSAMM_Quick_Start_V1-1-Final.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/b/b9/OpenSAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;

Download OpenSAMM v1.0:
* in [https://www.owasp.org/images/c/c0/SAMM-1.0.pdf English - PDF], [https://www.owasp.org/images/2/25/SAMM-1.0-en_US-0.3.xml.zip English - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-es_MX.pdf Spanish - PDF], [https://www.owasp.org/images/a/a1/SAMM-1.0-es_MX-0.3.xml.zip Spanish - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-ja_JP.pdf Japanese - PDF], not available as XML

Available resources to apply SAMM:
* Browse OWASP and other resources for SAMM Security practices: [[:Category:SAMM-Resources]]

Trainings:
* Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
** Slide deck download [https://www.owasp.org/images/d/df/OpenSAMM_Training_vFINAL.pptx here]
** Training description download [https://www.owasp.org/images/7/7c/Training_-_Bootstrap_and_improve_your_SDLC_with_OpenSAMM.docx here]

Assessments:
* SAMM v1.5 Toolbox
** Download the new v1.5 Toolbox with the updated scoring model [https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM v1.5 Toolbox]
* SAMM v1.1 RC1 toolbox
** download the latest toolbox, including the updated questions [https://github.com/OWASP/opensamm/blob/master/v1.1/OpenSAMM_Assessment_Toolbox_v1-1-RC.xlsx here]
* Assessment Interview Template by Nick Coblentz for SAMM V1.0
** This [https://www.owasp.org/images/c/cf/20090607-SAMMAssessmentInterviewTemplate-1.0.xls spreadsheet] breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.
* Roadmap Chart Template by Colin Watson for SAMM V1.0
** This [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.
* Assessment Worksheet by Christian Frichot for SAMM V1.0
** This is an easy-to-use [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.
* Project Plan Template by Jim Weiler for SAMM V1.0
** This is a [https://www.owasp.org/images/3/33/SAMMProject.zip project plan template] (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.

Mappings:
* BSIMM-6 mapping to SAMM activities:
** Spreadsheet download [https://github.com/OWASP/opensamm/tree/master/v1.1/mapping here]
** Presentation with start of analysis download [https://www.owasp.org/images/6/66/OpenSAMM_-_BSIMM-V_mapping.pptx here]
* BSIMM mapping to SAMM during the 2011 Summit:
** This [https://www.owasp.org/images/2/2e/20110301-OpenSAMM-BSIMM-Mapping.xlsx spreadsheet] contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).

Tools:
*Javascript visualization framework for SAMM on [https://github.com/qudosoft-labs/SAMMCharts github]

= Community =

[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Community | Community}}

</div>

= Summit =

[[Image:OwaspSAMM.png|right]]

In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016 >here<] !!

Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015 >here<] !!

Summit Notes:
* 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
* Summit outcome is described [http://www.opensamm.org/2015/04/opensamm-summit-dublin-outcome/ here]
''"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers."'' Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company

Previous workshop Notes:

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.

This is also an excellent opportunity to exchange experiences with your peers.

If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).
* The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available [https://docs.google.com/document/d/1tXqIovpSuFqycVYetdGSC2PiPygySymiLUhHT5yHR2M/edit here].

Previous workshop notes:
* The notes for the SAMM Workshop in New York on 21-Nov-2013 are available [https://docs.google.com/document/d/1PwoDVsWyhoWksBiLIRh8UOh-QCs8H7QMqrSUsS13WzU/edit here].
* The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available [https://docs.google.com/document/d/12mB7FkmhcI04YDZle_VD90n1xcENgNhAGqZkCAb6EkM/edit here].

= Talks =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
Upcoming talks featuring SAMM are listed here:

* OWASP DC - Software Assurance Maturity Model (SAMM) with Brian Glas! (2017-03-15)
* OWASP NoVA - SAMM 1.5, what's changed and how it impacts you (2017-03-16)
* InfoSec World - Software Assurance Maturity Model Evolutions (2017-04-03)

past talks:

* OWASP SAMM v1.5 Webinar - Brian Glas discussing the SAMM model and changes in v1.5 ([https://www.youtube.com/watch?v=4pKdwRb8fTI Youtube]) - 2017
* OWASP 24/7 - Seba Deleersnyder discussing the upcoming SAMM Summit (listen - [https://soundcloud.com/owasp-podcast/seba-deleersnyder-discusses-samm-software-assurance-maturity-model-summit-in-dublin-ireland here]) - 2015
* OWASP Germany Day 2014: Seba Deleersnyder: OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/f/fa/OpenSAMM_Best_Practices_Lessons_from_the_Trenches_-_Seba_Deleersnyder.pdf presentation]) - 2014
* AppSecEU14: Seba Deleersnyder & Bart De Win: OpenSAMM Best Practices: Lessons from the Trenches OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/6/6f/OpenSAMM_-_AppSecEU_2014_-_Seba-Bart_v20140528.pptx presentation], see [https://www.youtube.com/watch?v=qcCgeBeBLUg video]) - 2014
* AppSecEU13 - Hamburg: Seba Deleersnyder presenting a project update (download [https://www.owasp.org/images/3/32/OpenSAMM_-_Project_Status_-_Hamburg_2013.pdf presentation]) - 2013
* OWASP Europe Tour 2013 - Geneva: Seba Deleersnyder presenting OpenSAMM and the renewed project (download [https://www.owasp.org/images/c/cd/OpenSAMM_-_OWASP_Tour_13_Talk_-_Seba.pptx presentation]) - 2013
* AppSecEU11 - Athens: Colin Watson presenting SAMM Training (download [https://www.owasp.org/images/1/18/Owasp-training-samm-greece.pdf presentation]) - 2011
* AppSecEU09: Pravir Chandra presenting OpenSAMM v1.0 (download [https://www.owasp.org/images/4/49/AppSecEU09_OpenSAMM-1.0.ppt presentation]) - 2009
* Matt Bartoldus presentation on new SAMM project during OWASP London chapter (download [https://www.owasp.org/images/d/df/OpenSAMM.pdf presentation]) - 2009
* Pravir Chandra - first presentation discussing the next generation to the CLASP Project- a complete working of the details into a Software Assurance Maturity Model (SAMM). (download [https://www.owasp.org/images/2/2e/OWASP_CLASP_SAMM.ppt presentation]) - 2009

</div>

= News =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Latest News on SAMM
* OWASP SAMM v2.0 workshop at the OWASP Project Summit June 2017
* OWASP SAMM v1.5 Released!
* SAMM Summit 2016 read the [https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit wrap-up here]
* OWASP SAMM v1.1 Released! See the [http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release].
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

</div>

= Languages =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SAMM v1.0 is available in the following languages:'''

* English
* Spanish
* Japanese

Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the [https://www.owasp.org/images/c/cf/05_OWASP_LatamTur2011_OpenSAMM.pdf presentation].
Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download [https://www.owasp.org/images/f/fd/OpenSAMM-1.0-fr_FR.ppt here].

You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Updated roadmap:
Next 1.5 release, updated scoring:
* Clarification of maturity levels (syntactic changes to keep the text consistent)
* Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal.
* Show improvements with every activity introduced
* Adapt for the new scoring method
* Update questions for 4-tiers
* Review and where necessary clarify current questions
* Consider v1.1 remarks that were not withheld for the previous release
Targeted completion date: February 28, 2017

SAMM version 2.0
* Core model changed
* Visualisations + flavours for a few development methodologies
* Update quickstart guide, TB, HTG.
* Success metrics: How well does the model work: Linked to the benchmarking project.
Timing: Workshops as part of OWASP Project Summit June 2017

</div>
= Get Involved =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feedback==

Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:
* What do like?
* What don't you like?
* How can we make SAMM easier to use?
* How could SAMM be improved?

==Localization==

Are you fluent in another language? Can you help translate SAMM into that language?

You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!

</div>

= Project Sponsors =
[[Image:OwaspSAMM.png|right]]

<div style="font-size:120%;border:none;margin: 0;color:#000">

==SAMM Adopters==
Current list of [https://www.owasp.org/index.php/OpenSAMM_Adopters SAMM adopters]

SAMM is developed and maintained by a worldwide team of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM:

==== Acknowledgements ====
We would like to thank the following sponsors who donated funds to our project:

[[File:Belgium_Chapter.PNG|250px|link=https://www.owasp.org/index.php/Belgium]]
[[File:London_Chapter.PNG|250px|link=https://www.owasp.org/index.php/London]]

[[File:Aspectsecurity.png|250px|link=http://www.aspectsecurity.com]]
[[File:Astech_Consulting_logo.png|250px|link=http://www.astechconsulting.com/]]
[[File:Denim_Group_logo.jpg|250px|link=http://www.denimgroup.com/]]
[[File:Gotham_Digital_Science_logo.jpg|250px|link=http://www.gdssecurity.com/]]

{{MemberLinksv2|link=http://www.hpenterprisesecurity.com|logo=HP_Blue_RGB_150_SM.png|size=300px90px}}
[[File:NetSPI_logo.png|250px|link=http://www.netspi.com/]]
[[Image:PwC_logo_4colourprint_(2)_Resized_good_one.jpg|150px|link=http://www.pwc.com]]
[[File:SI_Logo_Stacked_Application_Security.jpg|250px|link=http://www.securityinnovation.com/]]
[[File:LogoToreon.jpg|250px|link=http://www.toreon.com]]
[[File:Veracode-samm.png|250px|link=http://www.veracode.com]]

__NOTOC__ <headertabs />

<br/>
{{OWASP Book|6888083}}
<br/>

[[Category:OWASP_Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]

OWASP SAMM Project

2017-03-01T21:10:26Z

Brianglas:

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''OWASP SAMM v1.5 available in the downloads section!''' (Announcement Coming)

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:
* '''Evaluate an organization’s existing software security practices'''
* '''Build a balanced software security assurance program in well-defined iterations'''
* '''Demonstrate concrete improvements to a security assurance program'''
* '''Define and measure security-related activities throughout an organization'''

''Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize.'', ('''Michael J. Craigue, Information Security & Compliance, Dell, Inc.''')

Follow OWASP SAMM on twitter: [https://twitter.com/owaspsamm @owaspsamm]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download v1.5 ==
[https://www.owasp.org/images/8/8d/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] <br>
[https://www.owasp.org/images/6/6f/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] <br>
[https://www.owasp.org/images/3/30/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] <br>
[https://www.owasp.org/images/1/18/SAMM_Quick_Start_V1-5_FINAL.pdf Quick Start Guide] <br>
[https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] <br>
[https://www.owasp.org/images/8/84/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Toolbox Example] <br>
[https://github.com/OWASP/samm/ OWASP SAMM on GitHub]

== Quick Download v1.1.1 ==

[https://www.owasp.org/images/e/ec/SAMM_Core_V1-1-Final-1page.pdf SAMM Core Model]<br>
[https://www.owasp.org/images/2/2c/SAMM_How_To_V1-1-Final-1page.pdf How-To Guide] <br>
[https://www.owasp.org/images/8/89/SAMM_Quick_Start_V1-1-Final-1page.pdf Quick-Start Guide] <br>
[https://www.owasp.org/images/e/e3/OpenSAMM_Assessment_Toolbox_v1-1-1-Final.xlsx Updated SAMM Tool Box]<br>
[https://github.com/OWASP/samm OWASP SAMM on GitHub]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_SAMM_Project#News News] and [https://www.owasp.org/index.php/OWASP_SAMM_Project#Talks Talks] tabs

== Change Log ==
* OWASP SAMM v1.5 Released! (Feb 28, 2017)
* OWASP SAMM v1.1 Released! ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

== Email List ==

Questions? Please ask on the [https://lists.owasp.org/mailman/listinfo/samm SAMM Mailing List]

== Project Leaders ==

[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] <br/> [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win] <br/> [https://www.owasp.org/index.php/User:Brianglas Brian Glas]

== Related Projects ==

*

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Browse Online =
[[Image:OwaspSAMM.png|right]]

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

[[Image:SAMM-Overview.png|720px]]

===== Click on any badge to learn more =====

{| cellpadding="1"
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]
|-
|align="center"|'''Strategy & Metrics'''
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
|-
|align="center"|'''Policy & Compliance'''
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
|-
|align="center"|'''Education & Guidance'''
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]
|-
|align="center"|'''Threat Assessment'''
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
|-
|align="center"|'''Security Requirements'''
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
|-
|align="center"|'''Secure Architecture'''
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]
|-
|align="center"|'''Design Review'''
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
|-
|align="center"|'''Code Review'''
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
|-
|align="center"|'''Security Testing'''
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]
|-
|align="center"|'''Vulnerability Management'''
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
|-
|align="center"|'''Environment Hardening'''
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
|-
|align="center"|'''Operational Enablement'''
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
|-
|}

= Downloads =

The latest work in progress can be found on Github: https://github.com/OWASP/samm

Download SAMM v1.5
* [https://www.owasp.org/images/8/8d/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] Zip file containing all the v1.5 files below;
* [https://www.owasp.org/images/6/6f/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/3/30/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/1/18/SAMM_Quick_Start_V1-5_FINAL.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] to perform SAMM assessments and create SAMM roadmaps;
* [https://www.owasp.org/images/8/84/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Tool Box Example] to provide an example SAMM assessment;

Download SAMM v1.1
* [https://www.owasp.org/images/d/d8/OpenSAMM_Core_V1-1-Final.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/a/a7/OpenSAMM_How_To_V1-1-Final.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/3/3f/OpenSAMM_Quick_Start_V1-1-Final.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/b/b9/OpenSAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;

Download OpenSAMM v1.0:
* in [https://www.owasp.org/images/c/c0/SAMM-1.0.pdf English - PDF], [https://www.owasp.org/images/2/25/SAMM-1.0-en_US-0.3.xml.zip English - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-es_MX.pdf Spanish - PDF], [https://www.owasp.org/images/a/a1/SAMM-1.0-es_MX-0.3.xml.zip Spanish - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-ja_JP.pdf Japanese - PDF], not available as XML

Available resources to apply SAMM:
* Browse OWASP and other resources for SAMM Security practices: [[:Category:SAMM-Resources]]

Trainings:
* Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
** Slide deck download [https://www.owasp.org/images/d/df/OpenSAMM_Training_vFINAL.pptx here]
** Training description download [https://www.owasp.org/images/7/7c/Training_-_Bootstrap_and_improve_your_SDLC_with_OpenSAMM.docx here]

Assessments:
* SAMM v1.5 Toolbox
** Download the new v1.5 Toolbox with the updated scoring model [https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM v1.5 Toolbox]
* SAMM v1.1 RC1 toolbox
** download the latest toolbox, including the updated questions [https://github.com/OWASP/opensamm/blob/master/v1.1/OpenSAMM_Assessment_Toolbox_v1-1-RC.xlsx here]
* Assessment Interview Template by Nick Coblentz for SAMM V1.0
** This [https://www.owasp.org/images/c/cf/20090607-SAMMAssessmentInterviewTemplate-1.0.xls spreadsheet] breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.
* Roadmap Chart Template by Colin Watson for SAMM V1.0
** This [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.
* Assessment Worksheet by Christian Frichot for SAMM V1.0
** This is an easy-to-use [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.
* Project Plan Template by Jim Weiler for SAMM V1.0
** This is a [https://www.owasp.org/images/3/33/SAMMProject.zip project plan template] (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.

Mappings:
* BSIMM-6 mapping to SAMM activities:
** Spreadsheet download [https://github.com/OWASP/opensamm/tree/master/v1.1/mapping here]
** Presentation with start of analysis download [https://www.owasp.org/images/6/66/OpenSAMM_-_BSIMM-V_mapping.pptx here]
* BSIMM mapping to SAMM during the 2011 Summit:
** This [https://www.owasp.org/images/2/2e/20110301-OpenSAMM-BSIMM-Mapping.xlsx spreadsheet] contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).

Tools:
*Javascript visualization framework for SAMM on [https://github.com/qudosoft-labs/SAMMCharts github]

= Community =

[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Community | Community}}

</div>

= Summit =

[[Image:OwaspSAMM.png|right]]

In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016 >here<] !!

Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015 >here<] !!

Summit Notes:
* 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
* Summit outcome is described [http://www.opensamm.org/2015/04/opensamm-summit-dublin-outcome/ here]
''"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers."'' Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company

Previous workshop Notes:

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.

This is also an excellent opportunity to exchange experiences with your peers.

If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).
* The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available [https://docs.google.com/document/d/1tXqIovpSuFqycVYetdGSC2PiPygySymiLUhHT5yHR2M/edit here].

Previous workshop notes:
* The notes for the SAMM Workshop in New York on 21-Nov-2013 are available [https://docs.google.com/document/d/1PwoDVsWyhoWksBiLIRh8UOh-QCs8H7QMqrSUsS13WzU/edit here].
* The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available [https://docs.google.com/document/d/12mB7FkmhcI04YDZle_VD90n1xcENgNhAGqZkCAb6EkM/edit here].

= Talks =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
Upcoming talks featuring SAMM are listed here:

* OWASP DC - Software Assurance Maturity Model (SAMM) with Brian Glas! (2017-03-15)
* OWASP NoVA - SAMM 1.5, what's changed and how it impacts you (2017-03-16)
* InfoSec World - Software Assurance Maturity Model Evolutions (2017-04-03)

past talks:

* OWASP SAMM v1.5 Webinar - Brian Glas discussing the SAMM model and changes in v1.5 (video - [https://www.youtube.com/watch?v=4pKdwRb8fTI here]) - 2017
* OWASP 24/7 - Seba Deleersnyder discussing the upcoming SAMM Summit (listen - [https://soundcloud.com/owasp-podcast/seba-deleersnyder-discusses-samm-software-assurance-maturity-model-summit-in-dublin-ireland here]) - 2015
* OWASP Germany Day 2014: Seba Deleersnyder: OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/f/fa/OpenSAMM_Best_Practices_Lessons_from_the_Trenches_-_Seba_Deleersnyder.pdf presentation]) - 2014
* AppSecEU14: Seba Deleersnyder & Bart De Win: OpenSAMM Best Practices: Lessons from the Trenches OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/6/6f/OpenSAMM_-_AppSecEU_2014_-_Seba-Bart_v20140528.pptx presentation], see [https://www.youtube.com/watch?v=qcCgeBeBLUg video]) - 2014
* AppSecEU13 - Hamburg: Seba Deleersnyder presenting a project update (download [https://www.owasp.org/images/3/32/OpenSAMM_-_Project_Status_-_Hamburg_2013.pdf presentation]) - 2013
* OWASP Europe Tour 2013 - Geneva: Seba Deleersnyder presenting OpenSAMM and the renewed project (download [https://www.owasp.org/images/c/cd/OpenSAMM_-_OWASP_Tour_13_Talk_-_Seba.pptx presentation]) - 2013
* AppSecEU11 - Athens: Colin Watson presenting SAMM Training (download [https://www.owasp.org/images/1/18/Owasp-training-samm-greece.pdf presentation]) - 2011
* AppSecEU09: Pravir Chandra presenting OpenSAMM v1.0 (download [https://www.owasp.org/images/4/49/AppSecEU09_OpenSAMM-1.0.ppt presentation]) - 2009
* Matt Bartoldus presentation on new SAMM project during OWASP London chapter (download [https://www.owasp.org/images/d/df/OpenSAMM.pdf presentation]) - 2009
* Pravir Chandra - first presentation discussing the next generation to the CLASP Project- a complete working of the details into a Software Assurance Maturity Model (SAMM). (download [https://www.owasp.org/images/2/2e/OWASP_CLASP_SAMM.ppt presentation]) - 2009

</div>

= News =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Latest News on SAMM
* OWASP SAMM v2.0 workshop at the OWASP Project Summit June 2017
* OWASP SAMM v1.5 Released!
* SAMM Summit 2016 read the [https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit wrap-up here]
* OWASP SAMM v1.1 Released! See the [http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release].
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

</div>

= Languages =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SAMM v1.0 is available in the following languages:'''

* English
* Spanish
* Japanese

Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the [https://www.owasp.org/images/c/cf/05_OWASP_LatamTur2011_OpenSAMM.pdf presentation].
Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download [https://www.owasp.org/images/f/fd/OpenSAMM-1.0-fr_FR.ppt here].

You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Updated roadmap:
Next 1.5 release, updated scoring:
* Clarification of maturity levels (syntactic changes to keep the text consistent)
* Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal.
* Show improvements with every activity introduced
* Adapt for the new scoring method
* Update questions for 4-tiers
* Review and where necessary clarify current questions
* Consider v1.1 remarks that were not withheld for the previous release
Targeted completion date: February 28, 2017

SAMM version 2.0
* Core model changed
* Visualisations + flavours for a few development methodologies
* Update quickstart guide, TB, HTG.
* Success metrics: How well does the model work: Linked to the benchmarking project.
Timing: Workshops as part of OWASP Project Summit June 2017

</div>
= Get Involved =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feedback==

Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:
* What do like?
* What don't you like?
* How can we make SAMM easier to use?
* How could SAMM be improved?

==Localization==

Are you fluent in another language? Can you help translate SAMM into that language?

You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!

</div>

= Project Sponsors =
[[Image:OwaspSAMM.png|right]]

<div style="font-size:120%;border:none;margin: 0;color:#000">

==SAMM Adopters==
Current list of [https://www.owasp.org/index.php/OpenSAMM_Adopters SAMM adopters]

SAMM is developed and maintained by a worldwide team of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM:

==== Acknowledgements ====
We would like to thank the following sponsors who donated funds to our project:

[[File:Belgium_Chapter.PNG|250px|link=https://www.owasp.org/index.php/Belgium]]
[[File:London_Chapter.PNG|250px|link=https://www.owasp.org/index.php/London]]

[[File:Aspectsecurity.png|250px|link=http://www.aspectsecurity.com]]
[[File:Astech_Consulting_logo.png|250px|link=http://www.astechconsulting.com/]]
[[File:Denim_Group_logo.jpg|250px|link=http://www.denimgroup.com/]]
[[File:Gotham_Digital_Science_logo.jpg|250px|link=http://www.gdssecurity.com/]]

{{MemberLinksv2|link=http://www.hpenterprisesecurity.com|logo=HP_Blue_RGB_150_SM.png|size=300px90px}}
[[File:NetSPI_logo.png|250px|link=http://www.netspi.com/]]
[[Image:PwC_logo_4colourprint_(2)_Resized_good_one.jpg|150px|link=http://www.pwc.com]]
[[File:SI_Logo_Stacked_Application_Security.jpg|250px|link=http://www.securityinnovation.com/]]
[[File:LogoToreon.jpg|250px|link=http://www.toreon.com]]
[[File:Veracode-samm.png|250px|link=http://www.veracode.com]]

__NOTOC__ <headertabs />

<br/>
{{OWASP Book|6888083}}
<br/>

[[Category:OWASP_Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]

OWASP SAMM Project

2017-03-01T21:09:41Z

Brianglas: Added webinar

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''OWASP SAMM v1.5 available in the downloads section!''' (Announcement Coming)

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:
* '''Evaluate an organization’s existing software security practices'''
* '''Build a balanced software security assurance program in well-defined iterations'''
* '''Demonstrate concrete improvements to a security assurance program'''
* '''Define and measure security-related activities throughout an organization'''

''Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize.'', ('''Michael J. Craigue, Information Security & Compliance, Dell, Inc.''')

Follow OWASP SAMM on twitter: [https://twitter.com/owaspsamm @owaspsamm]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download v1.5 ==
[https://www.owasp.org/images/8/8d/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] <br>
[https://www.owasp.org/images/6/6f/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] <br>
[https://www.owasp.org/images/3/30/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] <br>
[https://www.owasp.org/images/1/18/SAMM_Quick_Start_V1-5_FINAL.pdf Quick Start Guide] <br>
[https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] <br>
[https://www.owasp.org/images/8/84/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Toolbox Example] <br>
[https://github.com/OWASP/samm/ OWASP SAMM on GitHub]

== Quick Download v1.1.1 ==

[https://www.owasp.org/images/e/ec/SAMM_Core_V1-1-Final-1page.pdf SAMM Core Model]<br>
[https://www.owasp.org/images/2/2c/SAMM_How_To_V1-1-Final-1page.pdf How-To Guide] <br>
[https://www.owasp.org/images/8/89/SAMM_Quick_Start_V1-1-Final-1page.pdf Quick-Start Guide] <br>
[https://www.owasp.org/images/e/e3/OpenSAMM_Assessment_Toolbox_v1-1-1-Final.xlsx Updated SAMM Tool Box]<br>
[https://github.com/OWASP/samm OWASP SAMM on GitHub]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_SAMM_Project#News News] and [https://www.owasp.org/index.php/OWASP_SAMM_Project#Talks Talks] tabs

== Change Log ==
* OWASP SAMM v1.5 Released! (Feb 28, 2017)
* OWASP SAMM v1.1 Released! ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

== Email List ==

Questions? Please ask on the [https://lists.owasp.org/mailman/listinfo/samm SAMM Mailing List]

== Project Leaders ==

[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] <br/> [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win] <br/> [https://www.owasp.org/index.php/User:Brianglas Brian Glas]

== Related Projects ==

*

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Browse Online =
[[Image:OwaspSAMM.png|right]]

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

[[Image:SAMM-Overview.png|720px]]

===== Click on any badge to learn more =====

{| cellpadding="1"
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]
|-
|align="center"|'''Strategy & Metrics'''
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
|-
|align="center"|'''Policy & Compliance'''
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
|-
|align="center"|'''Education & Guidance'''
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]
|-
|align="center"|'''Threat Assessment'''
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
|-
|align="center"|'''Security Requirements'''
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
|-
|align="center"|'''Secure Architecture'''
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]
|-
|align="center"|'''Design Review'''
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
|-
|align="center"|'''Code Review'''
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
|-
|align="center"|'''Security Testing'''
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]
|-
|align="center"|'''Vulnerability Management'''
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
|-
|align="center"|'''Environment Hardening'''
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
|-
|align="center"|'''Operational Enablement'''
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
|-
|}

= Downloads =

The latest work in progress can be found on Github: https://github.com/OWASP/samm

Download SAMM v1.5
* [https://www.owasp.org/images/8/8d/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] Zip file containing all the v1.5 files below;
* [https://www.owasp.org/images/6/6f/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/3/30/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/1/18/SAMM_Quick_Start_V1-5_FINAL.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] to perform SAMM assessments and create SAMM roadmaps;
* [https://www.owasp.org/images/8/84/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Tool Box Example] to provide an example SAMM assessment;

Download SAMM v1.1
* [https://www.owasp.org/images/d/d8/OpenSAMM_Core_V1-1-Final.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/a/a7/OpenSAMM_How_To_V1-1-Final.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/3/3f/OpenSAMM_Quick_Start_V1-1-Final.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/b/b9/OpenSAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;

Download OpenSAMM v1.0:
* in [https://www.owasp.org/images/c/c0/SAMM-1.0.pdf English - PDF], [https://www.owasp.org/images/2/25/SAMM-1.0-en_US-0.3.xml.zip English - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-es_MX.pdf Spanish - PDF], [https://www.owasp.org/images/a/a1/SAMM-1.0-es_MX-0.3.xml.zip Spanish - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-ja_JP.pdf Japanese - PDF], not available as XML

Available resources to apply SAMM:
* Browse OWASP and other resources for SAMM Security practices: [[:Category:SAMM-Resources]]

Trainings:
* Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
** Slide deck download [https://www.owasp.org/images/d/df/OpenSAMM_Training_vFINAL.pptx here]
** Training description download [https://www.owasp.org/images/7/7c/Training_-_Bootstrap_and_improve_your_SDLC_with_OpenSAMM.docx here]

Assessments:
* SAMM v1.5 Toolbox
** Download the new v1.5 Toolbox with the updated scoring model [https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM v1.5 Toolbox]
* SAMM v1.1 RC1 toolbox
** download the latest toolbox, including the updated questions [https://github.com/OWASP/opensamm/blob/master/v1.1/OpenSAMM_Assessment_Toolbox_v1-1-RC.xlsx here]
* Assessment Interview Template by Nick Coblentz for SAMM V1.0
** This [https://www.owasp.org/images/c/cf/20090607-SAMMAssessmentInterviewTemplate-1.0.xls spreadsheet] breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.
* Roadmap Chart Template by Colin Watson for SAMM V1.0
** This [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.
* Assessment Worksheet by Christian Frichot for SAMM V1.0
** This is an easy-to-use [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.
* Project Plan Template by Jim Weiler for SAMM V1.0
** This is a [https://www.owasp.org/images/3/33/SAMMProject.zip project plan template] (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.

Mappings:
* BSIMM-6 mapping to SAMM activities:
** Spreadsheet download [https://github.com/OWASP/opensamm/tree/master/v1.1/mapping here]
** Presentation with start of analysis download [https://www.owasp.org/images/6/66/OpenSAMM_-_BSIMM-V_mapping.pptx here]
* BSIMM mapping to SAMM during the 2011 Summit:
** This [https://www.owasp.org/images/2/2e/20110301-OpenSAMM-BSIMM-Mapping.xlsx spreadsheet] contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).

Tools:
*Javascript visualization framework for SAMM on [https://github.com/qudosoft-labs/SAMMCharts github]

= Community =

[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Community | Community}}

</div>

= Summit =

[[Image:OwaspSAMM.png|right]]

In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016 >here<] !!

Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015 >here<] !!

Summit Notes:
* 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
* Summit outcome is described [http://www.opensamm.org/2015/04/opensamm-summit-dublin-outcome/ here]
''"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers."'' Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company

Previous workshop Notes:

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.

This is also an excellent opportunity to exchange experiences with your peers.

If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).
* The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available [https://docs.google.com/document/d/1tXqIovpSuFqycVYetdGSC2PiPygySymiLUhHT5yHR2M/edit here].

Previous workshop notes:
* The notes for the SAMM Workshop in New York on 21-Nov-2013 are available [https://docs.google.com/document/d/1PwoDVsWyhoWksBiLIRh8UOh-QCs8H7QMqrSUsS13WzU/edit here].
* The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available [https://docs.google.com/document/d/12mB7FkmhcI04YDZle_VD90n1xcENgNhAGqZkCAb6EkM/edit here].

= Talks =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
Upcoming talks featuring SAMM are listed here:

* OWASP DC - Software Assurance Maturity Model (SAMM) with Brian Glas! (2017-03-15)
* OWASP NoVA - SAMM 1.5, what's changed and how it impacts you (2017-03-16)
* InfoSec World - Software Assurance Maturity Model Evolutions (2017-04-03)

past talks:

* OWASP SAMM v1.5 Webinar - Brian Glas discussing the SAMM model and changes in v1.5 (video - [https://www.youtube.com/watch?v=4pKdwRb8fTI]) - 2017
* OWASP 24/7 - Seba Deleersnyder discussing the upcoming SAMM Summit (listen - [https://soundcloud.com/owasp-podcast/seba-deleersnyder-discusses-samm-software-assurance-maturity-model-summit-in-dublin-ireland here]) - 2015
* OWASP Germany Day 2014: Seba Deleersnyder: OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/f/fa/OpenSAMM_Best_Practices_Lessons_from_the_Trenches_-_Seba_Deleersnyder.pdf presentation]) - 2014
* AppSecEU14: Seba Deleersnyder & Bart De Win: OpenSAMM Best Practices: Lessons from the Trenches OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/6/6f/OpenSAMM_-_AppSecEU_2014_-_Seba-Bart_v20140528.pptx presentation], see [https://www.youtube.com/watch?v=qcCgeBeBLUg video]) - 2014
* AppSecEU13 - Hamburg: Seba Deleersnyder presenting a project update (download [https://www.owasp.org/images/3/32/OpenSAMM_-_Project_Status_-_Hamburg_2013.pdf presentation]) - 2013
* OWASP Europe Tour 2013 - Geneva: Seba Deleersnyder presenting OpenSAMM and the renewed project (download [https://www.owasp.org/images/c/cd/OpenSAMM_-_OWASP_Tour_13_Talk_-_Seba.pptx presentation]) - 2013
* AppSecEU11 - Athens: Colin Watson presenting SAMM Training (download [https://www.owasp.org/images/1/18/Owasp-training-samm-greece.pdf presentation]) - 2011
* AppSecEU09: Pravir Chandra presenting OpenSAMM v1.0 (download [https://www.owasp.org/images/4/49/AppSecEU09_OpenSAMM-1.0.ppt presentation]) - 2009
* Matt Bartoldus presentation on new SAMM project during OWASP London chapter (download [https://www.owasp.org/images/d/df/OpenSAMM.pdf presentation]) - 2009
* Pravir Chandra - first presentation discussing the next generation to the CLASP Project- a complete working of the details into a Software Assurance Maturity Model (SAMM). (download [https://www.owasp.org/images/2/2e/OWASP_CLASP_SAMM.ppt presentation]) - 2009

</div>

= News =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Latest News on SAMM
* OWASP SAMM v2.0 workshop at the OWASP Project Summit June 2017
* OWASP SAMM v1.5 Released!
* SAMM Summit 2016 read the [https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit wrap-up here]
* OWASP SAMM v1.1 Released! See the [http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release].
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

</div>

= Languages =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SAMM v1.0 is available in the following languages:'''

* English
* Spanish
* Japanese

Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the [https://www.owasp.org/images/c/cf/05_OWASP_LatamTur2011_OpenSAMM.pdf presentation].
Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download [https://www.owasp.org/images/f/fd/OpenSAMM-1.0-fr_FR.ppt here].

You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Updated roadmap:
Next 1.5 release, updated scoring:
* Clarification of maturity levels (syntactic changes to keep the text consistent)
* Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal.
* Show improvements with every activity introduced
* Adapt for the new scoring method
* Update questions for 4-tiers
* Review and where necessary clarify current questions
* Consider v1.1 remarks that were not withheld for the previous release
Targeted completion date: February 28, 2017

SAMM version 2.0
* Core model changed
* Visualisations + flavours for a few development methodologies
* Update quickstart guide, TB, HTG.
* Success metrics: How well does the model work: Linked to the benchmarking project.
Timing: Workshops as part of OWASP Project Summit June 2017

</div>
= Get Involved =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feedback==

Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:
* What do like?
* What don't you like?
* How can we make SAMM easier to use?
* How could SAMM be improved?

==Localization==

Are you fluent in another language? Can you help translate SAMM into that language?

You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!

</div>

= Project Sponsors =
[[Image:OwaspSAMM.png|right]]

<div style="font-size:120%;border:none;margin: 0;color:#000">

==SAMM Adopters==
Current list of [https://www.owasp.org/index.php/OpenSAMM_Adopters SAMM adopters]

SAMM is developed and maintained by a worldwide team of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM:

==== Acknowledgements ====
We would like to thank the following sponsors who donated funds to our project:

[[File:Belgium_Chapter.PNG|250px|link=https://www.owasp.org/index.php/Belgium]]
[[File:London_Chapter.PNG|250px|link=https://www.owasp.org/index.php/London]]

[[File:Aspectsecurity.png|250px|link=http://www.aspectsecurity.com]]
[[File:Astech_Consulting_logo.png|250px|link=http://www.astechconsulting.com/]]
[[File:Denim_Group_logo.jpg|250px|link=http://www.denimgroup.com/]]
[[File:Gotham_Digital_Science_logo.jpg|250px|link=http://www.gdssecurity.com/]]

{{MemberLinksv2|link=http://www.hpenterprisesecurity.com|logo=HP_Blue_RGB_150_SM.png|size=300px90px}}
[[File:NetSPI_logo.png|250px|link=http://www.netspi.com/]]
[[Image:PwC_logo_4colourprint_(2)_Resized_good_one.jpg|150px|link=http://www.pwc.com]]
[[File:SI_Logo_Stacked_Application_Security.jpg|250px|link=http://www.securityinnovation.com/]]
[[File:LogoToreon.jpg|250px|link=http://www.toreon.com]]
[[File:Veracode-samm.png|250px|link=http://www.veracode.com]]

__NOTOC__ <headertabs />

<br/>
{{OWASP Book|6888083}}
<br/>

[[Category:OWASP_Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]

File:OWASP SAMM v1.5.zip

2017-03-01T12:17:20Z

Brianglas: Brianglas uploaded a new version of "File:OWASP SAMM v1.5.zip"

OWASP SAMM Complete documents and toolbox

File:SAMM Core V1-5 FINAL.pdf

2017-03-01T12:15:41Z

Brianglas: Brianglas uploaded a new version of "File:SAMM Core V1-5 FINAL.pdf"

SAMM v1.5 Core Model Document

OWASP SAMM Project

2017-02-28T18:45:34Z

Brianglas: /* SAMM Adopters */

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''OWASP SAMM v1.5 available in the downloads section!''' (Announcement Coming)

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:
* '''Evaluate an organization’s existing software security practices'''
* '''Build a balanced software security assurance program in well-defined iterations'''
* '''Demonstrate concrete improvements to a security assurance program'''
* '''Define and measure security-related activities throughout an organization'''

''Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize.'', ('''Michael J. Craigue, Information Security & Compliance, Dell, Inc.''')

Follow OWASP SAMM on twitter: [https://twitter.com/owaspsamm @owaspsamm]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download v1.5 ==
[https://www.owasp.org/images/8/8d/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] <br>
[https://www.owasp.org/images/6/6f/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] <br>
[https://www.owasp.org/images/3/30/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] <br>
[https://www.owasp.org/images/1/18/SAMM_Quick_Start_V1-5_FINAL.pdf Quick Start Guide] <br>
[https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] <br>
[https://www.owasp.org/images/8/84/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Toolbox Example] <br>
[https://github.com/OWASP/samm/ OWASP SAMM on GitHub]

== Quick Download v1.1.1 ==

[https://www.owasp.org/images/e/ec/SAMM_Core_V1-1-Final-1page.pdf SAMM Core Model]<br>
[https://www.owasp.org/images/2/2c/SAMM_How_To_V1-1-Final-1page.pdf How-To Guide] <br>
[https://www.owasp.org/images/8/89/SAMM_Quick_Start_V1-1-Final-1page.pdf Quick-Start Guide] <br>
[https://www.owasp.org/images/e/e3/OpenSAMM_Assessment_Toolbox_v1-1-1-Final.xlsx Updated SAMM Tool Box]<br>
[https://github.com/OWASP/samm OWASP SAMM on GitHub]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_SAMM_Project#News News] and [https://www.owasp.org/index.php/OWASP_SAMM_Project#Talks Talks] tabs

== Change Log ==
* OWASP SAMM v1.5 Released! (Feb 28, 2017)
* OWASP SAMM v1.1 Released! ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

== Email List ==

Questions? Please ask on the [https://lists.owasp.org/mailman/listinfo/samm SAMM Mailing List]

== Project Leaders ==

[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] <br/> [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win] <br/> [https://www.owasp.org/index.php/User:Brianglas Brian Glas]

== Related Projects ==

*

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Browse Online =
[[Image:OwaspSAMM.png|right]]

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

[[Image:SAMM-Overview.png|720px]]

===== Click on any badge to learn more =====

{| cellpadding="1"
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]
|-
|align="center"|'''Strategy & Metrics'''
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
|-
|align="center"|'''Policy & Compliance'''
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
|-
|align="center"|'''Education & Guidance'''
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]
|-
|align="center"|'''Threat Assessment'''
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
|-
|align="center"|'''Security Requirements'''
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
|-
|align="center"|'''Secure Architecture'''
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]
|-
|align="center"|'''Design Review'''
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
|-
|align="center"|'''Code Review'''
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
|-
|align="center"|'''Security Testing'''
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]
|-
|align="center"|'''Vulnerability Management'''
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
|-
|align="center"|'''Environment Hardening'''
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
|-
|align="center"|'''Operational Enablement'''
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
|-
|}

= Downloads =

The latest work in progress can be found on Github: https://github.com/OWASP/samm

Download SAMM v1.5
* [https://www.owasp.org/images/8/8d/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] Zip file containing all the v1.5 files below;
* [https://www.owasp.org/images/6/6f/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/3/30/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/1/18/SAMM_Quick_Start_V1-5_FINAL.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] to perform SAMM assessments and create SAMM roadmaps;
* [https://www.owasp.org/images/8/84/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Tool Box Example] to provide an example SAMM assessment;

Download SAMM v1.1
* [https://www.owasp.org/images/d/d8/OpenSAMM_Core_V1-1-Final.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/a/a7/OpenSAMM_How_To_V1-1-Final.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/3/3f/OpenSAMM_Quick_Start_V1-1-Final.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/b/b9/OpenSAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;

Download OpenSAMM v1.0:
* in [https://www.owasp.org/images/c/c0/SAMM-1.0.pdf English - PDF], [https://www.owasp.org/images/2/25/SAMM-1.0-en_US-0.3.xml.zip English - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-es_MX.pdf Spanish - PDF], [https://www.owasp.org/images/a/a1/SAMM-1.0-es_MX-0.3.xml.zip Spanish - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-ja_JP.pdf Japanese - PDF], not available as XML

Available resources to apply SAMM:
* Browse OWASP and other resources for SAMM Security practices: [[:Category:SAMM-Resources]]

Trainings:
* Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
** Slide deck download [https://www.owasp.org/images/d/df/OpenSAMM_Training_vFINAL.pptx here]
** Training description download [https://www.owasp.org/images/7/7c/Training_-_Bootstrap_and_improve_your_SDLC_with_OpenSAMM.docx here]

Assessments:
* SAMM v1.5 Toolbox
** Download the new v1.5 Toolbox with the updated scoring model [https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM v1.5 Toolbox]
* SAMM v1.1 RC1 toolbox
** download the latest toolbox, including the updated questions [https://github.com/OWASP/opensamm/blob/master/v1.1/OpenSAMM_Assessment_Toolbox_v1-1-RC.xlsx here]
* Assessment Interview Template by Nick Coblentz for SAMM V1.0
** This [https://www.owasp.org/images/c/cf/20090607-SAMMAssessmentInterviewTemplate-1.0.xls spreadsheet] breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.
* Roadmap Chart Template by Colin Watson for SAMM V1.0
** This [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.
* Assessment Worksheet by Christian Frichot for SAMM V1.0
** This is an easy-to-use [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.
* Project Plan Template by Jim Weiler for SAMM V1.0
** This is a [https://www.owasp.org/images/3/33/SAMMProject.zip project plan template] (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.

Mappings:
* BSIMM-6 mapping to SAMM activities:
** Spreadsheet download [https://github.com/OWASP/opensamm/tree/master/v1.1/mapping here]
** Presentation with start of analysis download [https://www.owasp.org/images/6/66/OpenSAMM_-_BSIMM-V_mapping.pptx here]
* BSIMM mapping to SAMM during the 2011 Summit:
** This [https://www.owasp.org/images/2/2e/20110301-OpenSAMM-BSIMM-Mapping.xlsx spreadsheet] contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).

Tools:
*Javascript visualization framework for SAMM on [https://github.com/qudosoft-labs/SAMMCharts github]

= Community =

[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Community | Community}}

</div>

= Summit =

[[Image:OwaspSAMM.png|right]]

In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016 >here<] !!

Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015 >here<] !!

Summit Notes:
* 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
* Summit outcome is described [http://www.opensamm.org/2015/04/opensamm-summit-dublin-outcome/ here]
''"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers."'' Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company

Previous workshop Notes:

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.

This is also an excellent opportunity to exchange experiences with your peers.

If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).
* The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available [https://docs.google.com/document/d/1tXqIovpSuFqycVYetdGSC2PiPygySymiLUhHT5yHR2M/edit here].

Previous workshop notes:
* The notes for the SAMM Workshop in New York on 21-Nov-2013 are available [https://docs.google.com/document/d/1PwoDVsWyhoWksBiLIRh8UOh-QCs8H7QMqrSUsS13WzU/edit here].
* The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available [https://docs.google.com/document/d/12mB7FkmhcI04YDZle_VD90n1xcENgNhAGqZkCAb6EkM/edit here].

= Talks =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
Upcoming talks featuring SAMM are listed here:

* OWASP DC - Software Assurance Maturity Model (SAMM) with Brian Glas! (2017-03-15)
* OWASP NoVA - SAMM 1.5, what's changed and how it impacts you (2017-03-16)
* InfoSec World - Software Assurance Maturity Model Evolutions (2017-04-03)

past talks:

* OWASP 24/7 - Seba Deleersnyder discussing the upcoming SAMM Summit (listen - [https://soundcloud.com/owasp-podcast/seba-deleersnyder-discusses-samm-software-assurance-maturity-model-summit-in-dublin-ireland here]) - 2015

* OWASP Germany Day 2014: Seba Deleersnyder: OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/f/fa/OpenSAMM_Best_Practices_Lessons_from_the_Trenches_-_Seba_Deleersnyder.pdf presentation]) - 2014
* AppSecEU14: Seba Deleersnyder & Bart De Win: OpenSAMM Best Practices: Lessons from the Trenches OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/6/6f/OpenSAMM_-_AppSecEU_2014_-_Seba-Bart_v20140528.pptx presentation], see [https://www.youtube.com/watch?v=qcCgeBeBLUg video]) - 2014
* AppSecEU13 - Hamburg: Seba Deleersnyder presenting a project update (download [https://www.owasp.org/images/3/32/OpenSAMM_-_Project_Status_-_Hamburg_2013.pdf presentation]) - 2013
* OWASP Europe Tour 2013 - Geneva: Seba Deleersnyder presenting OpenSAMM and the renewed project (download [https://www.owasp.org/images/c/cd/OpenSAMM_-_OWASP_Tour_13_Talk_-_Seba.pptx presentation]) - 2013
* AppSecEU11 - Athens: Colin Watson presenting SAMM Training (download [https://www.owasp.org/images/1/18/Owasp-training-samm-greece.pdf presentation]) - 2011
* AppSecEU09: Pravir Chandra presenting OpenSAMM v1.0 (download [https://www.owasp.org/images/4/49/AppSecEU09_OpenSAMM-1.0.ppt presentation]) - 2009
* Matt Bartoldus presentation on new SAMM project during OWASP London chapter (download [https://www.owasp.org/images/d/df/OpenSAMM.pdf presentation]) - 2009
* Pravir Chandra - first presentation discussing the next generation to the CLASP Project- a complete working of the details into a Software Assurance Maturity Model (SAMM). (download [https://www.owasp.org/images/2/2e/OWASP_CLASP_SAMM.ppt presentation]) - 2009

</div>

= News =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Latest News on SAMM
* OWASP SAMM v2.0 workshop at the OWASP Project Summit June 2017
* OWASP SAMM v1.5 Released!
* SAMM Summit 2016 read the [https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit wrap-up here]
* OWASP SAMM v1.1 Released! See the [http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release].
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

</div>

= Languages =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SAMM v1.0 is available in the following languages:'''

* English
* Spanish
* Japanese

Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the [https://www.owasp.org/images/c/cf/05_OWASP_LatamTur2011_OpenSAMM.pdf presentation].
Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download [https://www.owasp.org/images/f/fd/OpenSAMM-1.0-fr_FR.ppt here].

You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Updated roadmap:
Next 1.5 release, updated scoring:
* Clarification of maturity levels (syntactic changes to keep the text consistent)
* Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal.
* Show improvements with every activity introduced
* Adapt for the new scoring method
* Update questions for 4-tiers
* Review and where necessary clarify current questions
* Consider v1.1 remarks that were not withheld for the previous release
Targeted completion date: February 28, 2017

SAMM version 2.0
* Core model changed
* Visualisations + flavours for a few development methodologies
* Update quickstart guide, TB, HTG.
* Success metrics: How well does the model work: Linked to the benchmarking project.
Timing: Workshops as part of OWASP Project Summit June 2017

</div>
= Get Involved =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feedback==

Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:
* What do like?
* What don't you like?
* How can we make SAMM easier to use?
* How could SAMM be improved?

==Localization==

Are you fluent in another language? Can you help translate SAMM into that language?

You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!

</div>

= Project Sponsors =
[[Image:OwaspSAMM.png|right]]

<div style="font-size:120%;border:none;margin: 0;color:#000">

==SAMM Adopters==
Current list of [https://www.owasp.org/index.php/OpenSAMM_Adopters SAMM adopters]

SAMM is developed and maintained by a worldwide team of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM:

==== Acknowledgements ====
We would like to thank the following sponsors who donated funds to our project:

[[File:Belgium_Chapter.PNG|250px|link=https://www.owasp.org/index.php/Belgium]]
[[File:London_Chapter.PNG|250px|link=https://www.owasp.org/index.php/London]]

[[File:Aspectsecurity.png|250px|link=http://www.aspectsecurity.com]]
[[File:Astech_Consulting_logo.png|250px|link=http://www.astechconsulting.com/]]
[[File:Denim_Group_logo.jpg|250px|link=http://www.denimgroup.com/]]
[[File:Gotham_Digital_Science_logo.jpg|250px|link=http://www.gdssecurity.com/]]

{{MemberLinksv2|link=http://www.hpenterprisesecurity.com|logo=HP_Blue_RGB_150_SM.png|size=300px90px}}
[[File:NetSPI_logo.png|250px|link=http://www.netspi.com/]]
[[Image:PwC_logo_4colourprint_(2)_Resized_good_one.jpg|150px|link=http://www.pwc.com]]
[[File:SI_Logo_Stacked_Application_Security.jpg|250px|link=http://www.securityinnovation.com/]]
[[File:LogoToreon.jpg|250px|link=http://www.toreon.com]]
[[File:Veracode-samm.png|250px|link=http://www.veracode.com]]

__NOTOC__ <headertabs />

<br/>
{{OWASP Book|6888083}}
<br/>

[[Category:OWASP_Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]

OWASP SAMM Project

2017-02-28T18:42:30Z

Brianglas:

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''OWASP SAMM v1.5 available in the downloads section!''' (Announcement Coming)

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:
* '''Evaluate an organization’s existing software security practices'''
* '''Build a balanced software security assurance program in well-defined iterations'''
* '''Demonstrate concrete improvements to a security assurance program'''
* '''Define and measure security-related activities throughout an organization'''

''Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize.'', ('''Michael J. Craigue, Information Security & Compliance, Dell, Inc.''')

Follow OWASP SAMM on twitter: [https://twitter.com/owaspsamm @owaspsamm]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download v1.5 ==
[https://www.owasp.org/images/8/8d/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] <br>
[https://www.owasp.org/images/6/6f/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] <br>
[https://www.owasp.org/images/3/30/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] <br>
[https://www.owasp.org/images/1/18/SAMM_Quick_Start_V1-5_FINAL.pdf Quick Start Guide] <br>
[https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] <br>
[https://www.owasp.org/images/8/84/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Toolbox Example] <br>
[https://github.com/OWASP/samm/ OWASP SAMM on GitHub]

== Quick Download v1.1.1 ==

[https://www.owasp.org/images/e/ec/SAMM_Core_V1-1-Final-1page.pdf SAMM Core Model]<br>
[https://www.owasp.org/images/2/2c/SAMM_How_To_V1-1-Final-1page.pdf How-To Guide] <br>
[https://www.owasp.org/images/8/89/SAMM_Quick_Start_V1-1-Final-1page.pdf Quick-Start Guide] <br>
[https://www.owasp.org/images/e/e3/OpenSAMM_Assessment_Toolbox_v1-1-1-Final.xlsx Updated SAMM Tool Box]<br>
[https://github.com/OWASP/samm OWASP SAMM on GitHub]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_SAMM_Project#News News] and [https://www.owasp.org/index.php/OWASP_SAMM_Project#Talks Talks] tabs

== Change Log ==
* OWASP SAMM v1.5 Released! (Feb 28, 2017)
* OWASP SAMM v1.1 Released! ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

== Email List ==

Questions? Please ask on the [https://lists.owasp.org/mailman/listinfo/samm SAMM Mailing List]

== Project Leaders ==

[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] <br/> [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win] <br/> [https://www.owasp.org/index.php/User:Brianglas Brian Glas]

== Related Projects ==

*

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Browse Online =
[[Image:OwaspSAMM.png|right]]

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

[[Image:SAMM-Overview.png|720px]]

===== Click on any badge to learn more =====

{| cellpadding="1"
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]
|-
|align="center"|'''Strategy & Metrics'''
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
|-
|align="center"|'''Policy & Compliance'''
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
|-
|align="center"|'''Education & Guidance'''
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]
|-
|align="center"|'''Threat Assessment'''
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
|-
|align="center"|'''Security Requirements'''
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
|-
|align="center"|'''Secure Architecture'''
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]
|-
|align="center"|'''Design Review'''
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
|-
|align="center"|'''Code Review'''
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
|-
|align="center"|'''Security Testing'''
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]
|-
|align="center"|'''Vulnerability Management'''
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
|-
|align="center"|'''Environment Hardening'''
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
|-
|align="center"|'''Operational Enablement'''
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
|-
|}

= Downloads =

The latest work in progress can be found on Github: https://github.com/OWASP/samm

Download SAMM v1.5
* [https://www.owasp.org/images/8/8d/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] Zip file containing all the v1.5 files below;
* [https://www.owasp.org/images/6/6f/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/3/30/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/1/18/SAMM_Quick_Start_V1-5_FINAL.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] to perform SAMM assessments and create SAMM roadmaps;
* [https://www.owasp.org/images/8/84/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Tool Box Example] to provide an example SAMM assessment;

Download SAMM v1.1
* [https://www.owasp.org/images/d/d8/OpenSAMM_Core_V1-1-Final.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/a/a7/OpenSAMM_How_To_V1-1-Final.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/3/3f/OpenSAMM_Quick_Start_V1-1-Final.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/b/b9/OpenSAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;

Download OpenSAMM v1.0:
* in [https://www.owasp.org/images/c/c0/SAMM-1.0.pdf English - PDF], [https://www.owasp.org/images/2/25/SAMM-1.0-en_US-0.3.xml.zip English - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-es_MX.pdf Spanish - PDF], [https://www.owasp.org/images/a/a1/SAMM-1.0-es_MX-0.3.xml.zip Spanish - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-ja_JP.pdf Japanese - PDF], not available as XML

Available resources to apply SAMM:
* Browse OWASP and other resources for SAMM Security practices: [[:Category:SAMM-Resources]]

Trainings:
* Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
** Slide deck download [https://www.owasp.org/images/d/df/OpenSAMM_Training_vFINAL.pptx here]
** Training description download [https://www.owasp.org/images/7/7c/Training_-_Bootstrap_and_improve_your_SDLC_with_OpenSAMM.docx here]

Assessments:
* SAMM v1.5 Toolbox
** Download the new v1.5 Toolbox with the updated scoring model [https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM v1.5 Toolbox]
* SAMM v1.1 RC1 toolbox
** download the latest toolbox, including the updated questions [https://github.com/OWASP/opensamm/blob/master/v1.1/OpenSAMM_Assessment_Toolbox_v1-1-RC.xlsx here]
* Assessment Interview Template by Nick Coblentz for SAMM V1.0
** This [https://www.owasp.org/images/c/cf/20090607-SAMMAssessmentInterviewTemplate-1.0.xls spreadsheet] breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.
* Roadmap Chart Template by Colin Watson for SAMM V1.0
** This [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.
* Assessment Worksheet by Christian Frichot for SAMM V1.0
** This is an easy-to-use [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.
* Project Plan Template by Jim Weiler for SAMM V1.0
** This is a [https://www.owasp.org/images/3/33/SAMMProject.zip project plan template] (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.

Mappings:
* BSIMM-6 mapping to SAMM activities:
** Spreadsheet download [https://github.com/OWASP/opensamm/tree/master/v1.1/mapping here]
** Presentation with start of analysis download [https://www.owasp.org/images/6/66/OpenSAMM_-_BSIMM-V_mapping.pptx here]
* BSIMM mapping to SAMM during the 2011 Summit:
** This [https://www.owasp.org/images/2/2e/20110301-OpenSAMM-BSIMM-Mapping.xlsx spreadsheet] contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).

Tools:
*Javascript visualization framework for SAMM on [https://github.com/qudosoft-labs/SAMMCharts github]

= Community =

[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Community | Community}}

</div>

= Summit =

[[Image:OwaspSAMM.png|right]]

In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016 >here<] !!

Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015 >here<] !!

Summit Notes:
* 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
* Summit outcome is described [http://www.opensamm.org/2015/04/opensamm-summit-dublin-outcome/ here]
''"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers."'' Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company

Previous workshop Notes:

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.

This is also an excellent opportunity to exchange experiences with your peers.

If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).
* The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available [https://docs.google.com/document/d/1tXqIovpSuFqycVYetdGSC2PiPygySymiLUhHT5yHR2M/edit here].

Previous workshop notes:
* The notes for the SAMM Workshop in New York on 21-Nov-2013 are available [https://docs.google.com/document/d/1PwoDVsWyhoWksBiLIRh8UOh-QCs8H7QMqrSUsS13WzU/edit here].
* The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available [https://docs.google.com/document/d/12mB7FkmhcI04YDZle_VD90n1xcENgNhAGqZkCAb6EkM/edit here].

= Talks =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
Upcoming talks featuring SAMM are listed here:

* OWASP DC - Software Assurance Maturity Model (SAMM) with Brian Glas! (2017-03-15)
* OWASP NoVA - SAMM 1.5, what's changed and how it impacts you (2017-03-16)
* InfoSec World - Software Assurance Maturity Model Evolutions (2017-04-03)

past talks:

* OWASP 24/7 - Seba Deleersnyder discussing the upcoming SAMM Summit (listen - [https://soundcloud.com/owasp-podcast/seba-deleersnyder-discusses-samm-software-assurance-maturity-model-summit-in-dublin-ireland here]) - 2015

* OWASP Germany Day 2014: Seba Deleersnyder: OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/f/fa/OpenSAMM_Best_Practices_Lessons_from_the_Trenches_-_Seba_Deleersnyder.pdf presentation]) - 2014
* AppSecEU14: Seba Deleersnyder & Bart De Win: OpenSAMM Best Practices: Lessons from the Trenches OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/6/6f/OpenSAMM_-_AppSecEU_2014_-_Seba-Bart_v20140528.pptx presentation], see [https://www.youtube.com/watch?v=qcCgeBeBLUg video]) - 2014
* AppSecEU13 - Hamburg: Seba Deleersnyder presenting a project update (download [https://www.owasp.org/images/3/32/OpenSAMM_-_Project_Status_-_Hamburg_2013.pdf presentation]) - 2013
* OWASP Europe Tour 2013 - Geneva: Seba Deleersnyder presenting OpenSAMM and the renewed project (download [https://www.owasp.org/images/c/cd/OpenSAMM_-_OWASP_Tour_13_Talk_-_Seba.pptx presentation]) - 2013
* AppSecEU11 - Athens: Colin Watson presenting SAMM Training (download [https://www.owasp.org/images/1/18/Owasp-training-samm-greece.pdf presentation]) - 2011
* AppSecEU09: Pravir Chandra presenting OpenSAMM v1.0 (download [https://www.owasp.org/images/4/49/AppSecEU09_OpenSAMM-1.0.ppt presentation]) - 2009
* Matt Bartoldus presentation on new SAMM project during OWASP London chapter (download [https://www.owasp.org/images/d/df/OpenSAMM.pdf presentation]) - 2009
* Pravir Chandra - first presentation discussing the next generation to the CLASP Project- a complete working of the details into a Software Assurance Maturity Model (SAMM). (download [https://www.owasp.org/images/2/2e/OWASP_CLASP_SAMM.ppt presentation]) - 2009

</div>

= News =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Latest News on SAMM
* OWASP SAMM v2.0 workshop at the OWASP Project Summit June 2017
* OWASP SAMM v1.5 Released!
* SAMM Summit 2016 read the [https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit wrap-up here]
* OWASP SAMM v1.1 Released! See the [http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release].
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

</div>

= Languages =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SAMM v1.0 is available in the following languages:'''

* English
* Spanish
* Japanese

Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the [https://www.owasp.org/images/c/cf/05_OWASP_LatamTur2011_OpenSAMM.pdf presentation].
Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download [https://www.owasp.org/images/f/fd/OpenSAMM-1.0-fr_FR.ppt here].

You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Updated roadmap:
Next 1.5 release, updated scoring:
* Clarification of maturity levels (syntactic changes to keep the text consistent)
* Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal.
* Show improvements with every activity introduced
* Adapt for the new scoring method
* Update questions for 4-tiers
* Review and where necessary clarify current questions
* Consider v1.1 remarks that were not withheld for the previous release
Targeted completion date: February 28, 2017

SAMM version 2.0
* Core model changed
* Visualisations + flavours for a few development methodologies
* Update quickstart guide, TB, HTG.
* Success metrics: How well does the model work: Linked to the benchmarking project.
Timing: Workshops as part of OWASP Project Summit June 2017

</div>
= Get Involved =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feedback==

Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:
* What do like?
* What don't you like?
* How can we make SAMM easier to use?
* How could SAMM be improved?

==Localization==

Are you fluent in another language? Can you help translate SAMM into that language?

You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!

</div>

= Project Sponsors =
[[Image:OwaspSAMM.png|right]]

<div style="font-size:120%;border:none;margin: 0;color:#000">

==SAMM Adopters==
Current list of [https://www.owasp.org/index.php/OpenSAMM_Adopters OpenSAMM adopters]

SAMM is developed and maintained by a worldwide team of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM:

==== Acknowledgements ====
We would like to thank the following sponsors who donated funds to our project:

[[File:Belgium_Chapter.PNG|250px|link=https://www.owasp.org/index.php/Belgium]]
[[File:London_Chapter.PNG|250px|link=https://www.owasp.org/index.php/London]]

[[File:Aspectsecurity.png|250px|link=http://www.aspectsecurity.com]]
[[File:Astech_Consulting_logo.png|250px|link=http://www.astechconsulting.com/]]
[[File:Denim_Group_logo.jpg|250px|link=http://www.denimgroup.com/]]
[[File:Gotham_Digital_Science_logo.jpg|250px|link=http://www.gdssecurity.com/]]

{{MemberLinksv2|link=http://www.hpenterprisesecurity.com|logo=HP_Blue_RGB_150_SM.png|size=300px90px}}
[[File:NetSPI_logo.png|250px|link=http://www.netspi.com/]]
[[Image:PwC_logo_4colourprint_(2)_Resized_good_one.jpg|150px|link=http://www.pwc.com]]
[[File:SI_Logo_Stacked_Application_Security.jpg|250px|link=http://www.securityinnovation.com/]]
[[File:LogoToreon.jpg|250px|link=http://www.toreon.com]]
[[File:Veracode-samm.png|250px|link=http://www.veracode.com]]

__NOTOC__ <headertabs />

<br/>
{{OWASP Book|6888083}}
<br/>

[[Category:OWASP_Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]

OWASP SAMM Project

2017-02-28T18:41:08Z

Brianglas: Minor updates to bring information current

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''OWASP SAMM v1.5 available in the downloads section!''' (Announcement Coming)

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:
* '''Evaluate an organization’s existing software security practices'''
* '''Build a balanced software security assurance program in well-defined iterations'''
* '''Demonstrate concrete improvements to a security assurance program'''
* '''Define and measure security-related activities throughout an organization'''

''Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize.'', ('''Michael J. Craigue, Information Security & Compliance, Dell, Inc.''')

Follow OWASP SAMM on twitter: [https://twitter.com/owaspsamm @owaspsamm]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download v1.5 ==
[https://www.owasp.org/images/8/8d/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] <br>
[https://www.owasp.org/images/6/6f/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] <br>
[https://www.owasp.org/images/3/30/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] <br>
[https://www.owasp.org/images/1/18/SAMM_Quick_Start_V1-5_FINAL.pdf Quick Start Guide] <br>
[https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] <br>
[https://www.owasp.org/images/8/84/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Toolbox Example] <br>
[https://github.com/OWASP/samm/ OWASP SAMM on GitHub]

== Quick Download v1.1.1 ==

[https://www.owasp.org/images/e/ec/SAMM_Core_V1-1-Final-1page.pdf SAMM Core Model]<br>
[https://www.owasp.org/images/2/2c/SAMM_How_To_V1-1-Final-1page.pdf How-To Guide] <br>
[https://www.owasp.org/images/8/89/SAMM_Quick_Start_V1-1-Final-1page.pdf Quick-Start Guide] <br>
[https://www.owasp.org/images/e/e3/OpenSAMM_Assessment_Toolbox_v1-1-1-Final.xlsx Updated SAMM Tool Box]<br>
[https://github.com/OWASP/samm OWASP SAMM on GitHub]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_SAMM_Project#tab=News News] and [https://www.owasp.org/index.php/OWASP_SAMM_Project#tab=Talks Talks] tabs

== Change Log ==
* OWASP SAMM v1.5 Released! (Feb 28, 2017)
* OWASP SAMM v1.1 Released! ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

== Email List ==

Questions? Please ask on the [https://lists.owasp.org/mailman/listinfo/samm SAMM Mailing List]

== Project Leaders ==

[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] <br/> [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win] <br/> [https://www.owasp.org/index.php/User:Brianglas Brian Glas]

== Related Projects ==

*

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Browse Online =
[[Image:OwaspSAMM.png|right]]

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

[[Image:SAMM-Overview.png|720px]]

===== Click on any badge to learn more =====

{| cellpadding="1"
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]
|-
|align="center"|'''Strategy & Metrics'''
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
|-
|align="center"|'''Policy & Compliance'''
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
|-
|align="center"|'''Education & Guidance'''
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]
|-
|align="center"|'''Threat Assessment'''
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
|-
|align="center"|'''Security Requirements'''
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
|-
|align="center"|'''Secure Architecture'''
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]
|-
|align="center"|'''Design Review'''
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
|-
|align="center"|'''Code Review'''
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
|-
|align="center"|'''Security Testing'''
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]
|-
|align="center"|'''Vulnerability Management'''
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
|-
|align="center"|'''Environment Hardening'''
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
|-
|align="center"|'''Operational Enablement'''
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
|-
|}

= Downloads =

The latest work in progress can be found on Github: https://github.com/OWASP/samm

Download SAMM v1.5
* [https://www.owasp.org/images/8/8d/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] Zip file containing all the v1.5 files below;
* [https://www.owasp.org/images/6/6f/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/3/30/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/1/18/SAMM_Quick_Start_V1-5_FINAL.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] to perform SAMM assessments and create SAMM roadmaps;
* [https://www.owasp.org/images/8/84/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Tool Box Example] to provide an example SAMM assessment;

Download SAMM v1.1
* [https://www.owasp.org/images/d/d8/OpenSAMM_Core_V1-1-Final.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/a/a7/OpenSAMM_How_To_V1-1-Final.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/3/3f/OpenSAMM_Quick_Start_V1-1-Final.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/b/b9/OpenSAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;

Download OpenSAMM v1.0:
* in [https://www.owasp.org/images/c/c0/SAMM-1.0.pdf English - PDF], [https://www.owasp.org/images/2/25/SAMM-1.0-en_US-0.3.xml.zip English - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-es_MX.pdf Spanish - PDF], [https://www.owasp.org/images/a/a1/SAMM-1.0-es_MX-0.3.xml.zip Spanish - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-ja_JP.pdf Japanese - PDF], not available as XML

Available resources to apply SAMM:
* Browse OWASP and other resources for SAMM Security practices: [[:Category:SAMM-Resources]]

Trainings:
* Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
** Slide deck download [https://www.owasp.org/images/d/df/OpenSAMM_Training_vFINAL.pptx here]
** Training description download [https://www.owasp.org/images/7/7c/Training_-_Bootstrap_and_improve_your_SDLC_with_OpenSAMM.docx here]

Assessments:
* SAMM v1.5 Toolbox
** Download the new v1.5 Toolbox with the updated scoring model [https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM v1.5 Toolbox]
* SAMM v1.1 RC1 toolbox
** download the latest toolbox, including the updated questions [https://github.com/OWASP/opensamm/blob/master/v1.1/OpenSAMM_Assessment_Toolbox_v1-1-RC.xlsx here]
* Assessment Interview Template by Nick Coblentz for SAMM V1.0
** This [https://www.owasp.org/images/c/cf/20090607-SAMMAssessmentInterviewTemplate-1.0.xls spreadsheet] breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.
* Roadmap Chart Template by Colin Watson for SAMM V1.0
** This [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.
* Assessment Worksheet by Christian Frichot for SAMM V1.0
** This is an easy-to-use [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.
* Project Plan Template by Jim Weiler for SAMM V1.0
** This is a [https://www.owasp.org/images/3/33/SAMMProject.zip project plan template] (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.

Mappings:
* BSIMM-6 mapping to SAMM activities:
** Spreadsheet download [https://github.com/OWASP/opensamm/tree/master/v1.1/mapping here]
** Presentation with start of analysis download [https://www.owasp.org/images/6/66/OpenSAMM_-_BSIMM-V_mapping.pptx here]
* BSIMM mapping to SAMM during the 2011 Summit:
** This [https://www.owasp.org/images/2/2e/20110301-OpenSAMM-BSIMM-Mapping.xlsx spreadsheet] contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).

Tools:
*Javascript visualization framework for SAMM on [https://github.com/qudosoft-labs/SAMMCharts github]

= Community =

[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Community | Community}}

</div>

= Summit =

[[Image:OwaspSAMM.png|right]]

In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016 >here<] !!

Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015 >here<] !!

Summit Notes:
* 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
* Summit outcome is described [http://www.opensamm.org/2015/04/opensamm-summit-dublin-outcome/ here]
''"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers."'' Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company

Previous workshop Notes:

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.

This is also an excellent opportunity to exchange experiences with your peers.

If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).
* The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available [https://docs.google.com/document/d/1tXqIovpSuFqycVYetdGSC2PiPygySymiLUhHT5yHR2M/edit here].

Previous workshop notes:
* The notes for the SAMM Workshop in New York on 21-Nov-2013 are available [https://docs.google.com/document/d/1PwoDVsWyhoWksBiLIRh8UOh-QCs8H7QMqrSUsS13WzU/edit here].
* The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available [https://docs.google.com/document/d/12mB7FkmhcI04YDZle_VD90n1xcENgNhAGqZkCAb6EkM/edit here].

= Talks =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
Upcoming talks featuring SAMM are listed here:

* OWASP DC - Software Assurance Maturity Model (SAMM) with Brian Glas! (2017-03-15)
* OWASP NoVA - SAMM 1.5, what's changed and how it impacts you (2017-03-16)
* InfoSec World - Software Assurance Maturity Model Evolutions (2017-04-03)

past talks:

* OWASP 24/7 - Seba Deleersnyder discussing the upcoming SAMM Summit (listen - [https://soundcloud.com/owasp-podcast/seba-deleersnyder-discusses-samm-software-assurance-maturity-model-summit-in-dublin-ireland here]) - 2015

* OWASP Germany Day 2014: Seba Deleersnyder: OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/f/fa/OpenSAMM_Best_Practices_Lessons_from_the_Trenches_-_Seba_Deleersnyder.pdf presentation]) - 2014
* AppSecEU14: Seba Deleersnyder & Bart De Win: OpenSAMM Best Practices: Lessons from the Trenches OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/6/6f/OpenSAMM_-_AppSecEU_2014_-_Seba-Bart_v20140528.pptx presentation], see [https://www.youtube.com/watch?v=qcCgeBeBLUg video]) - 2014
* AppSecEU13 - Hamburg: Seba Deleersnyder presenting a project update (download [https://www.owasp.org/images/3/32/OpenSAMM_-_Project_Status_-_Hamburg_2013.pdf presentation]) - 2013
* OWASP Europe Tour 2013 - Geneva: Seba Deleersnyder presenting OpenSAMM and the renewed project (download [https://www.owasp.org/images/c/cd/OpenSAMM_-_OWASP_Tour_13_Talk_-_Seba.pptx presentation]) - 2013
* AppSecEU11 - Athens: Colin Watson presenting SAMM Training (download [https://www.owasp.org/images/1/18/Owasp-training-samm-greece.pdf presentation]) - 2011
* AppSecEU09: Pravir Chandra presenting OpenSAMM v1.0 (download [https://www.owasp.org/images/4/49/AppSecEU09_OpenSAMM-1.0.ppt presentation]) - 2009
* Matt Bartoldus presentation on new SAMM project during OWASP London chapter (download [https://www.owasp.org/images/d/df/OpenSAMM.pdf presentation]) - 2009
* Pravir Chandra - first presentation discussing the next generation to the CLASP Project- a complete working of the details into a Software Assurance Maturity Model (SAMM). (download [https://www.owasp.org/images/2/2e/OWASP_CLASP_SAMM.ppt presentation]) - 2009

</div>

= News =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Latest News on SAMM
* OWASP SAMM v2.0 workshop at the OWASP Project Summit June 2017
* OWASP SAMM v1.5 Released!
* SAMM Summit 2016 read the [https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit wrap-up here]
* OWASP SAMM v1.1 Released! See the [http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release].
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

</div>

= Languages =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SAMM v1.0 is available in the following languages:'''

* English
* Spanish
* Japanese

Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the [https://www.owasp.org/images/c/cf/05_OWASP_LatamTur2011_OpenSAMM.pdf presentation].
Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download [https://www.owasp.org/images/f/fd/OpenSAMM-1.0-fr_FR.ppt here].

You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Updated roadmap:
Next 1.5 release, updated scoring:
* Clarification of maturity levels (syntactic changes to keep the text consistent)
* Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal.
* Show improvements with every activity introduced
* Adapt for the new scoring method
* Update questions for 4-tiers
* Review and where necessary clarify current questions
* Consider v1.1 remarks that were not withheld for the previous release
Targeted completion date: February 28, 2017

SAMM version 2.0
* Core model changed
* Visualisations + flavours for a few development methodologies
* Update quickstart guide, TB, HTG.
* Success metrics: How well does the model work: Linked to the benchmarking project.
Timing: Workshops as part of OWASP Project Summit June 2017

</div>
= Get Involved =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feedback==

Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:
* What do like?
* What don't you like?
* How can we make SAMM easier to use?
* How could SAMM be improved?

==Localization==

Are you fluent in another language? Can you help translate SAMM into that language?

You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!

</div>

= Project Sponsors =
[[Image:OwaspSAMM.png|right]]

<div style="font-size:120%;border:none;margin: 0;color:#000">

==SAMM Adopters==
Current list of [https://www.owasp.org/index.php/OpenSAMM_Adopters OpenSAMM adopters]

SAMM is developed and maintained by a worldwide team of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM:

==== Acknowledgements ====
We would like to thank the following sponsors who donated funds to our project:

[[File:Belgium_Chapter.PNG|250px|link=https://www.owasp.org/index.php/Belgium]]
[[File:London_Chapter.PNG|250px|link=https://www.owasp.org/index.php/London]]

[[File:Aspectsecurity.png|250px|link=http://www.aspectsecurity.com]]
[[File:Astech_Consulting_logo.png|250px|link=http://www.astechconsulting.com/]]
[[File:Denim_Group_logo.jpg|250px|link=http://www.denimgroup.com/]]
[[File:Gotham_Digital_Science_logo.jpg|250px|link=http://www.gdssecurity.com/]]

{{MemberLinksv2|link=http://www.hpenterprisesecurity.com|logo=HP_Blue_RGB_150_SM.png|size=300px90px}}
[[File:NetSPI_logo.png|250px|link=http://www.netspi.com/]]
[[Image:PwC_logo_4colourprint_(2)_Resized_good_one.jpg|150px|link=http://www.pwc.com]]
[[File:SI_Logo_Stacked_Application_Security.jpg|250px|link=http://www.securityinnovation.com/]]
[[File:LogoToreon.jpg|250px|link=http://www.toreon.com]]
[[File:Veracode-samm.png|250px|link=http://www.veracode.com]]

__NOTOC__ <headertabs />

<br/>
{{OWASP Book|6888083}}
<br/>

[[Category:OWASP_Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]

OWASP SAMM Project

2017-02-28T18:40:14Z

Brianglas: content updates

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''OWASP SAMM v1.5 available in the downloads section!''' (Announcement Coming)

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:
* '''Evaluate an organization’s existing software security practices'''
* '''Build a balanced software security assurance program in well-defined iterations'''
* '''Demonstrate concrete improvements to a security assurance program'''
* '''Define and measure security-related activities throughout an organization'''

''Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize.'', ('''Michael J. Craigue, Information Security & Compliance, Dell, Inc.''')

Follow OWASP SAMM on twitter: [https://twitter.com/owaspsamm @owaspsamm]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download v1.5 ==
[https://www.owasp.org/images/8/8d/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] <br>
[https://www.owasp.org/images/6/6f/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] <br>
[https://www.owasp.org/images/3/30/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] <br>
[https://www.owasp.org/images/1/18/SAMM_Quick_Start_V1-5_FINAL.pdf Quick Start Guide] <br>
[https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] <br>
[https://www.owasp.org/images/8/84/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Toolbox Example] <br>
[https://github.com/OWASP/samm/ OWASP SAMM on GitHub]

== Quick Download v1.1.1 ==

[https://www.owasp.org/images/e/ec/SAMM_Core_V1-1-Final-1page.pdf SAMM Core Model]<br>
[https://www.owasp.org/images/2/2c/SAMM_How_To_V1-1-Final-1page.pdf How-To Guide] <br>
[https://www.owasp.org/images/8/89/SAMM_Quick_Start_V1-1-Final-1page.pdf Quick-Start Guide] <br>
[https://www.owasp.org/images/e/e3/OpenSAMM_Assessment_Toolbox_v1-1-1-Final.xlsx Updated SAMM Tool Box]<br>
[https://github.com/OWASP/samm OWASP SAMM on GitHub]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_SAMM_Project#News News] and [https://www.owasp.org/index.php/OWASP_SAMM_Project#Talks Talks] tabs

== Change Log ==
* OWASP SAMM v1.5 Released! (Feb 28, 2017)
* OWASP SAMM v1.1 Released! ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

== Email List ==

Questions? Please ask on the [https://lists.owasp.org/mailman/listinfo/samm SAMM Mailing List]

== Project Leaders ==

[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] <br/> [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win] <br/> [https://www.owasp.org/index.php/User:Brianglas Brian Glas]

== Related Projects ==

*

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Browse Online =
[[Image:OwaspSAMM.png|right]]

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

[[Image:SAMM-Overview.png|720px]]

===== Click on any badge to learn more =====

{| cellpadding="1"
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]
|-
|align="center"|'''Strategy & Metrics'''
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
|-
|align="center"|'''Policy & Compliance'''
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
|-
|align="center"|'''Education & Guidance'''
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]
|-
|align="center"|'''Threat Assessment'''
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
|-
|align="center"|'''Security Requirements'''
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
|-
|align="center"|'''Secure Architecture'''
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]
|-
|align="center"|'''Design Review'''
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
|-
|align="center"|'''Code Review'''
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
|-
|align="center"|'''Security Testing'''
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]
|-
|align="center"|'''Vulnerability Management'''
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
|-
|align="center"|'''Environment Hardening'''
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
|-
|align="center"|'''Operational Enablement'''
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
|-
|}

= Downloads =

The latest work in progress can be found on Github: https://github.com/OWASP/samm

Download SAMM v1.5
* [https://www.owasp.org/images/8/8d/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] Zip file containing all the v1.5 files below;
* [https://www.owasp.org/images/6/6f/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/3/30/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/1/18/SAMM_Quick_Start_V1-5_FINAL.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] to perform SAMM assessments and create SAMM roadmaps;
* [https://www.owasp.org/images/8/84/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Tool Box Example] to provide an example SAMM assessment;

Download SAMM v1.1
* [https://www.owasp.org/images/d/d8/OpenSAMM_Core_V1-1-Final.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/a/a7/OpenSAMM_How_To_V1-1-Final.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/3/3f/OpenSAMM_Quick_Start_V1-1-Final.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/b/b9/OpenSAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;

Download OpenSAMM v1.0:
* in [https://www.owasp.org/images/c/c0/SAMM-1.0.pdf English - PDF], [https://www.owasp.org/images/2/25/SAMM-1.0-en_US-0.3.xml.zip English - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-es_MX.pdf Spanish - PDF], [https://www.owasp.org/images/a/a1/SAMM-1.0-es_MX-0.3.xml.zip Spanish - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-ja_JP.pdf Japanese - PDF], not available as XML

Available resources to apply SAMM:
* Browse OWASP and other resources for SAMM Security practices: [[:Category:SAMM-Resources]]

Trainings:
* Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
** Slide deck download [https://www.owasp.org/images/d/df/OpenSAMM_Training_vFINAL.pptx here]
** Training description download [https://www.owasp.org/images/7/7c/Training_-_Bootstrap_and_improve_your_SDLC_with_OpenSAMM.docx here]

Assessments:
* SAMM v1.5 Toolbox
** Download the new v1.5 Toolbox with the updated scoring model [https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM v1.5 Toolbox]
* SAMM v1.1 RC1 toolbox
** download the latest toolbox, including the updated questions [https://github.com/OWASP/opensamm/blob/master/v1.1/OpenSAMM_Assessment_Toolbox_v1-1-RC.xlsx here]
* Assessment Interview Template by Nick Coblentz for SAMM V1.0
** This [https://www.owasp.org/images/c/cf/20090607-SAMMAssessmentInterviewTemplate-1.0.xls spreadsheet] breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.
* Roadmap Chart Template by Colin Watson for SAMM V1.0
** This [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.
* Assessment Worksheet by Christian Frichot for SAMM V1.0
** This is an easy-to-use [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.
* Project Plan Template by Jim Weiler for SAMM V1.0
** This is a [https://www.owasp.org/images/3/33/SAMMProject.zip project plan template] (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.

Mappings:
* BSIMM-6 mapping to SAMM activities:
** Spreadsheet download [https://github.com/OWASP/opensamm/tree/master/v1.1/mapping here]
** Presentation with start of analysis download [https://www.owasp.org/images/6/66/OpenSAMM_-_BSIMM-V_mapping.pptx here]
* BSIMM mapping to SAMM during the 2011 Summit:
** This [https://www.owasp.org/images/2/2e/20110301-OpenSAMM-BSIMM-Mapping.xlsx spreadsheet] contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).

Tools:
*Javascript visualization framework for SAMM on [https://github.com/qudosoft-labs/SAMMCharts github]

= Community =

[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Community | Community}}

</div>

= Summit =

[[Image:OwaspSAMM.png|right]]

In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016 >here<] !!

Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015 >here<] !!

Summit Notes:
* 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
* Summit outcome is described [http://www.opensamm.org/2015/04/opensamm-summit-dublin-outcome/ here]
''"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers."'' Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company

Previous workshop Notes:

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.

This is also an excellent opportunity to exchange experiences with your peers.

If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).
* The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available [https://docs.google.com/document/d/1tXqIovpSuFqycVYetdGSC2PiPygySymiLUhHT5yHR2M/edit here].

Previous workshop notes:
* The notes for the SAMM Workshop in New York on 21-Nov-2013 are available [https://docs.google.com/document/d/1PwoDVsWyhoWksBiLIRh8UOh-QCs8H7QMqrSUsS13WzU/edit here].
* The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available [https://docs.google.com/document/d/12mB7FkmhcI04YDZle_VD90n1xcENgNhAGqZkCAb6EkM/edit here].

= Talks =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
Upcoming talks featuring SAMM are listed here:

* OWASP DC - Software Assurance Maturity Model (SAMM) with Brian Glas! (2017-03-15)
* OWASP NoVA - SAMM 1.5, what's changed and how it impacts you (2017-03-16)
* InfoSec World - Software Assurance Maturity Model Evolutions (2017-04-03)

past talks:

* OWASP 24/7 - Seba Deleersnyder discussing the upcoming SAMM Summit (listen - [https://soundcloud.com/owasp-podcast/seba-deleersnyder-discusses-samm-software-assurance-maturity-model-summit-in-dublin-ireland here]) - 2015

* OWASP Germany Day 2014: Seba Deleersnyder: OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/f/fa/OpenSAMM_Best_Practices_Lessons_from_the_Trenches_-_Seba_Deleersnyder.pdf presentation]) - 2014
* AppSecEU14: Seba Deleersnyder & Bart De Win: OpenSAMM Best Practices: Lessons from the Trenches OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/6/6f/OpenSAMM_-_AppSecEU_2014_-_Seba-Bart_v20140528.pptx presentation], see [https://www.youtube.com/watch?v=qcCgeBeBLUg video]) - 2014
* AppSecEU13 - Hamburg: Seba Deleersnyder presenting a project update (download [https://www.owasp.org/images/3/32/OpenSAMM_-_Project_Status_-_Hamburg_2013.pdf presentation]) - 2013
* OWASP Europe Tour 2013 - Geneva: Seba Deleersnyder presenting OpenSAMM and the renewed project (download [https://www.owasp.org/images/c/cd/OpenSAMM_-_OWASP_Tour_13_Talk_-_Seba.pptx presentation]) - 2013
* AppSecEU11 - Athens: Colin Watson presenting SAMM Training (download [https://www.owasp.org/images/1/18/Owasp-training-samm-greece.pdf presentation]) - 2011
* AppSecEU09: Pravir Chandra presenting OpenSAMM v1.0 (download [https://www.owasp.org/images/4/49/AppSecEU09_OpenSAMM-1.0.ppt presentation]) - 2009
* Matt Bartoldus presentation on new SAMM project during OWASP London chapter (download [https://www.owasp.org/images/d/df/OpenSAMM.pdf presentation]) - 2009
* Pravir Chandra - first presentation discussing the next generation to the CLASP Project- a complete working of the details into a Software Assurance Maturity Model (SAMM). (download [https://www.owasp.org/images/2/2e/OWASP_CLASP_SAMM.ppt presentation]) - 2009

</div>

= News =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Latest News on SAMM
* OWASP SAMM v2.0 workshop at the OWASP Project Summit June 2017
* OWASP SAMM v1.5 Released!
* SAMM Summit 2016 read the [https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit wrap-up here]
* OWASP SAMM v1.1 Released! See the [http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release].
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

</div>

= Languages =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SAMM v1.0 is available in the following languages:'''

* English
* Spanish
* Japanese

Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the [https://www.owasp.org/images/c/cf/05_OWASP_LatamTur2011_OpenSAMM.pdf presentation].
Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download [https://www.owasp.org/images/f/fd/OpenSAMM-1.0-fr_FR.ppt here].

You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Updated roadmap:
Next 1.5 release, updated scoring:
* Clarification of maturity levels (syntactic changes to keep the text consistent)
* Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal.
* Show improvements with every activity introduced
* Adapt for the new scoring method
* Update questions for 4-tiers
* Review and where necessary clarify current questions
* Consider v1.1 remarks that were not withheld for the previous release
Targeted completion date: February 28, 2017

SAMM version 2.0
* Core model changed
* Visualisations + flavours for a few development methodologies
* Update quickstart guide, TB, HTG.
* Success metrics: How well does the model work: Linked to the benchmarking project.
Timing: Workshops as part of OWASP Project Summit June 2017

</div>
= Get Involved =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feedback==

Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:
* What do like?
* What don't you like?
* How can we make SAMM easier to use?
* How could SAMM be improved?

==Localization==

Are you fluent in another language? Can you help translate SAMM into that language?

You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!

</div>

= Project Sponsors =
[[Image:OwaspSAMM.png|right]]

<div style="font-size:120%;border:none;margin: 0;color:#000">

==SAMM Adopters==
Current list of [https://www.owasp.org/index.php/OpenSAMM_Adopters OpenSAMM adopters]

SAMM is developed and maintained by a worldwide team of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM:

==== Acknowledgements ====
We would like to thank the following sponsors who donated funds to our project:

[[File:Belgium_Chapter.PNG|250px|link=https://www.owasp.org/index.php/Belgium]]
[[File:London_Chapter.PNG|250px|link=https://www.owasp.org/index.php/London]]

[[File:Aspectsecurity.png|250px|link=http://www.aspectsecurity.com]]
[[File:Astech_Consulting_logo.png|250px|link=http://www.astechconsulting.com/]]
[[File:Denim_Group_logo.jpg|250px|link=http://www.denimgroup.com/]]
[[File:Gotham_Digital_Science_logo.jpg|250px|link=http://www.gdssecurity.com/]]

{{MemberLinksv2|link=http://www.hpenterprisesecurity.com|logo=HP_Blue_RGB_150_SM.png|size=300px90px}}
[[File:NetSPI_logo.png|250px|link=http://www.netspi.com/]]
[[Image:PwC_logo_4colourprint_(2)_Resized_good_one.jpg|150px|link=http://www.pwc.com]]
[[File:SI_Logo_Stacked_Application_Security.jpg|250px|link=http://www.securityinnovation.com/]]
[[File:LogoToreon.jpg|250px|link=http://www.toreon.com]]
[[File:Veracode-samm.png|250px|link=http://www.veracode.com]]

__NOTOC__ <headertabs />

<br/>
{{OWASP Book|6888083}}
<br/>

[[Category:OWASP_Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]

OWASP SAMM Project

2017-02-28T18:38:24Z

Brianglas: /* Talks */

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''OWASP SAMM v1.5 available in the downloads section!''' (Announcement Coming)

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:
* '''Evaluate an organization’s existing software security practices'''
* '''Build a balanced software security assurance program in well-defined iterations'''
* '''Demonstrate concrete improvements to a security assurance program'''
* '''Define and measure security-related activities throughout an organization'''

''Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize.'', ('''Michael J. Craigue, Information Security & Compliance, Dell, Inc.''')

Follow OWASP SAMM on twitter: [https://twitter.com/owaspsamm @owaspsamm]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download v1.5 ==
[https://www.owasp.org/images/8/8d/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] <br>
[https://www.owasp.org/images/6/6f/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] <br>
[https://www.owasp.org/images/3/30/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] <br>
[https://www.owasp.org/images/1/18/SAMM_Quick_Start_V1-5_FINAL.pdf Quick Start Guide] <br>
[https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] <br>
[https://www.owasp.org/images/8/84/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Toolbox Example] <br>
[https://github.com/OWASP/samm/ OWASP SAMM on GitHub]

== Quick Download v1.1.1 ==

[https://www.owasp.org/images/e/ec/SAMM_Core_V1-1-Final-1page.pdf SAMM Core Model]<br>
[https://www.owasp.org/images/2/2c/SAMM_How_To_V1-1-Final-1page.pdf How-To Guide] <br>
[https://www.owasp.org/images/8/89/SAMM_Quick_Start_V1-1-Final-1page.pdf Quick-Start Guide] <br>
[https://www.owasp.org/images/e/e3/OpenSAMM_Assessment_Toolbox_v1-1-1-Final.xlsx Updated SAMM Tool Box]<br>
[https://github.com/OWASP/samm OWASP SAMM on GitHub]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_SAMM_Project#News News] and [https://www.owasp.org/index.php/OWASP_SAMM_Project#Talks Talks] tabs

== Change Log ==
* OWASP SAMM v1.5 Released! (Feb 28, 2017)
* OWASP SAMM v1.1 Released! ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

== Email List ==

Questions? Please ask on the [https://lists.owasp.org/mailman/listinfo/samm SAMM Mailing List]

== Project Leaders ==

[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] <br/> [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win] <br/> [https://www.owasp.org/index.php/User:Brianglas Brian Glas]

== Related Projects ==

*

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Browse Online =
[[Image:OwaspSAMM.png|right]]

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

[[Image:SAMM-Overview.png|720px]]

===== Click on any badge to learn more =====

{| cellpadding="1"
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]
|-
|align="center"|'''Strategy & Metrics'''
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
|-
|align="center"|'''Policy & Compliance'''
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
|-
|align="center"|'''Education & Guidance'''
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]
|-
|align="center"|'''Threat Assessment'''
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
|-
|align="center"|'''Security Requirements'''
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
|-
|align="center"|'''Secure Architecture'''
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]
|-
|align="center"|'''Design Review'''
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
|-
|align="center"|'''Code Review'''
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
|-
|align="center"|'''Security Testing'''
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]
|-
|align="center"|'''Vulnerability Management'''
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
|-
|align="center"|'''Environment Hardening'''
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
|-
|align="center"|'''Operational Enablement'''
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
|-
|}

= Downloads =

The latest work in progress can be found on Github: https://github.com/OWASP/samm

Download SAMM v1.5
* [https://www.owasp.org/images/8/8d/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] Zip file containing all the v1.5 files below;
* [https://www.owasp.org/images/6/6f/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/3/30/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/1/18/SAMM_Quick_Start_V1-5_FINAL.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] to perform SAMM assessments and create SAMM roadmaps;
* [https://www.owasp.org/images/8/84/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Tool Box Example] to provide an example SAMM assessment;

Download SAMM v1.1
* [https://www.owasp.org/images/d/d8/OpenSAMM_Core_V1-1-Final.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/a/a7/OpenSAMM_How_To_V1-1-Final.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/3/3f/OpenSAMM_Quick_Start_V1-1-Final.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/b/b9/OpenSAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;

Download OpenSAMM v1.0:
* in [https://www.owasp.org/images/c/c0/SAMM-1.0.pdf English - PDF], [https://www.owasp.org/images/2/25/SAMM-1.0-en_US-0.3.xml.zip English - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-es_MX.pdf Spanish - PDF], [https://www.owasp.org/images/a/a1/SAMM-1.0-es_MX-0.3.xml.zip Spanish - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-ja_JP.pdf Japanese - PDF], not available as XML

Available resources to apply SAMM:
* Browse OWASP and other resources for SAMM Security practices: [[:Category:SAMM-Resources]]

Trainings:
* Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
** Slide deck download [https://www.owasp.org/images/d/df/OpenSAMM_Training_vFINAL.pptx here]
** Training description download [https://www.owasp.org/images/7/7c/Training_-_Bootstrap_and_improve_your_SDLC_with_OpenSAMM.docx here]

Assessments:
* SAMM v1.5 Toolbox
** Download the new v1.5 Toolbox with the updated scoring model [https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM v1.5 Toolbox]
* SAMM v1.1 RC1 toolbox
** download the latest toolbox, including the updated questions [https://github.com/OWASP/opensamm/blob/master/v1.1/OpenSAMM_Assessment_Toolbox_v1-1-RC.xlsx here]
* Assessment Interview Template by Nick Coblentz for SAMM V1.0
** This [https://www.owasp.org/images/c/cf/20090607-SAMMAssessmentInterviewTemplate-1.0.xls spreadsheet] breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.
* Roadmap Chart Template by Colin Watson for SAMM V1.0
** This [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.
* Assessment Worksheet by Christian Frichot for SAMM V1.0
** This is an easy-to-use [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.
* Project Plan Template by Jim Weiler for SAMM V1.0
** This is a [https://www.owasp.org/images/3/33/SAMMProject.zip project plan template] (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.

Mappings:
* BSIMM-6 mapping to SAMM activities:
** Spreadsheet download [https://github.com/OWASP/opensamm/tree/master/v1.1/mapping here]
** Presentation with start of analysis download [https://www.owasp.org/images/6/66/OpenSAMM_-_BSIMM-V_mapping.pptx here]
* BSIMM mapping to SAMM during the 2011 Summit:
** This [https://www.owasp.org/images/2/2e/20110301-OpenSAMM-BSIMM-Mapping.xlsx spreadsheet] contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).

Tools:
*Javascript visualization framework for SAMM on [https://github.com/qudosoft-labs/SAMMCharts github]

= Community =

[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Community | Community}}

</div>

= Summit =

[[Image:OwaspSAMM.png|right]]

In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016 >here<] !!

Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015 >here<] !!

Summit Notes:
* 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
* Summit outcome is described [http://www.opensamm.org/2015/04/opensamm-summit-dublin-outcome/ here]
''"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers."'' Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company

Previous workshop Notes:

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.

This is also an excellent opportunity to exchange experiences with your peers.

If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).
* The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available [https://docs.google.com/document/d/1tXqIovpSuFqycVYetdGSC2PiPygySymiLUhHT5yHR2M/edit here].

Previous workshop notes:
* The notes for the SAMM Workshop in New York on 21-Nov-2013 are available [https://docs.google.com/document/d/1PwoDVsWyhoWksBiLIRh8UOh-QCs8H7QMqrSUsS13WzU/edit here].
* The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available [https://docs.google.com/document/d/12mB7FkmhcI04YDZle_VD90n1xcENgNhAGqZkCAb6EkM/edit here].

= Talks =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
Upcoming talks featuring SAMM are listed here:

* OWASP DC - Software Assurance Maturity Model (SAMM) with Brian Glas! (2017-03-15)
* OWASP NoVA - SAMM 1.5, what's changed and how it impacts you (2017-03-16)
* InfoSec World - Software Assurance Maturity Model Evolutions (2017-04-03)

past talks:

* OWASP 24/7 - Seba Deleersnyder discussing the upcoming SAMM Summit (listen - [https://soundcloud.com/owasp-podcast/seba-deleersnyder-discusses-samm-software-assurance-maturity-model-summit-in-dublin-ireland here]) - 2015

* OWASP Germany Day 2014: Seba Deleersnyder: OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/f/fa/OpenSAMM_Best_Practices_Lessons_from_the_Trenches_-_Seba_Deleersnyder.pdf presentation]) - 2014
* AppSecEU14: Seba Deleersnyder & Bart De Win: OpenSAMM Best Practices: Lessons from the Trenches OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/6/6f/OpenSAMM_-_AppSecEU_2014_-_Seba-Bart_v20140528.pptx presentation], see [https://www.youtube.com/watch?v=qcCgeBeBLUg video]) - 2014
* AppSecEU13 - Hamburg: Seba Deleersnyder presenting a project update (download [https://www.owasp.org/images/3/32/OpenSAMM_-_Project_Status_-_Hamburg_2013.pdf presentation]) - 2013
* OWASP Europe Tour 2013 - Geneva: Seba Deleersnyder presenting OpenSAMM and the renewed project (download [https://www.owasp.org/images/c/cd/OpenSAMM_-_OWASP_Tour_13_Talk_-_Seba.pptx presentation]) - 2013
* AppSecEU11 - Athens: Colin Watson presenting SAMM Training (download [https://www.owasp.org/images/1/18/Owasp-training-samm-greece.pdf presentation]) - 2011
* AppSecEU09: Pravir Chandra presenting OpenSAMM v1.0 (download [https://www.owasp.org/images/4/49/AppSecEU09_OpenSAMM-1.0.ppt presentation]) - 2009
* Matt Bartoldus presentation on new SAMM project during OWASP London chapter (download [https://www.owasp.org/images/d/df/OpenSAMM.pdf presentation]) - 2009
* Pravir Chandra - first presentation discussing the next generation to the CLASP Project- a complete working of the details into a Software Assurance Maturity Model (SAMM). (download [https://www.owasp.org/images/2/2e/OWASP_CLASP_SAMM.ppt presentation]) - 2009

</div>

= News =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/News | News}}

</div>

= Languages =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SAMM v1.0 is available in the following languages:'''

* English
* Spanish
* Japanese

Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the [https://www.owasp.org/images/c/cf/05_OWASP_LatamTur2011_OpenSAMM.pdf presentation].
Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download [https://www.owasp.org/images/f/fd/OpenSAMM-1.0-fr_FR.ppt here].

You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Updated roadmap:
Next 1.5 release, updated scoring:
* Clarification of maturity levels (syntactic changes to keep the text consistent)
* Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal.
* Show improvements with every activity introduced
* Adapt for the new scoring method
* Update questions for 4-tiers
* Review and where necessary clarify current questions
* Consider v1.1 remarks that were not withheld for the previous release
Targeted completion date: February 28, 2017

SAMM version 2.0
* Core model changed
* Visualisations + flavours for a few development methodologies
* Update quickstart guide, TB, HTG.
* Success metrics: How well does the model work: Linked to the benchmarking project.
Timing: Workshops as part of OWASP Project Summit June 2017

</div>
= Get Involved =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feedback==

Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:
* What do like?
* What don't you like?
* How can we make SAMM easier to use?
* How could SAMM be improved?

==Localization==

Are you fluent in another language? Can you help translate SAMM into that language?

You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!

</div>

= Project Sponsors =
[[Image:OwaspSAMM.png|right]]

<div style="font-size:120%;border:none;margin: 0;color:#000">

==SAMM Adopters==
Current list of [https://www.owasp.org/index.php/OpenSAMM_Adopters OpenSAMM adopters]

SAMM is developed and maintained by a worldwide team of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM:

==== Acknowledgements ====
We would like to thank the following sponsors who donated funds to our project:

[[File:Belgium_Chapter.PNG|250px|link=https://www.owasp.org/index.php/Belgium]]
[[File:London_Chapter.PNG|250px|link=https://www.owasp.org/index.php/London]]

[[File:Aspectsecurity.png|250px|link=http://www.aspectsecurity.com]]
[[File:Astech_Consulting_logo.png|250px|link=http://www.astechconsulting.com/]]
[[File:Denim_Group_logo.jpg|250px|link=http://www.denimgroup.com/]]
[[File:Gotham_Digital_Science_logo.jpg|250px|link=http://www.gdssecurity.com/]]

{{MemberLinksv2|link=http://www.hpenterprisesecurity.com|logo=HP_Blue_RGB_150_SM.png|size=300px90px}}
[[File:NetSPI_logo.png|250px|link=http://www.netspi.com/]]
[[Image:PwC_logo_4colourprint_(2)_Resized_good_one.jpg|150px|link=http://www.pwc.com]]
[[File:SI_Logo_Stacked_Application_Security.jpg|250px|link=http://www.securityinnovation.com/]]
[[File:LogoToreon.jpg|250px|link=http://www.toreon.com]]
[[File:Veracode-samm.png|250px|link=http://www.veracode.com]]

__NOTOC__ <headertabs />

<br/>
{{OWASP Book|6888083}}
<br/>

[[Category:OWASP_Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]

Projects/OWASP SAMM Project/Pages/Talks

2017-02-28T18:35:58Z

Brianglas: Updating content

upcoming talks will be listed here:

* OWASP DC - Software Assurance Maturity Model (SAMM) with Brian Glas! (2017-03-15)
* OWASP NoVA - SAMM 1.5, what's changed and how it impacts you (2017-03-16)
* InfoSec World - Software Assurance Maturity Model Evolutions (2017-04-03)

past talks:

* OWASP 24/7 - Seba Deleersnyder discussing the upcoming SAMM Summit (listen - [https://soundcloud.com/owasp-podcast/seba-deleersnyder-discusses-samm-software-assurance-maturity-model-summit-in-dublin-ireland here]) - 2015

* OWASP Germany Day 2014: Seba Deleersnyder: OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/f/fa/OpenSAMM_Best_Practices_Lessons_from_the_Trenches_-_Seba_Deleersnyder.pdf presentation]) - 2014
* AppSecEU14: Seba Deleersnyder & Bart De Win: OpenSAMM Best Practices: Lessons from the Trenches OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/6/6f/OpenSAMM_-_AppSecEU_2014_-_Seba-Bart_v20140528.pptx presentation], see [https://www.youtube.com/watch?v=qcCgeBeBLUg video]) - 2014
* AppSecEU13 - Hamburg: Seba Deleersnyder presenting a project update (download [https://www.owasp.org/images/3/32/OpenSAMM_-_Project_Status_-_Hamburg_2013.pdf presentation]) - 2013
* OWASP Europe Tour 2013 - Geneva: Seba Deleersnyder presenting OpenSAMM and the renewed project (download [https://www.owasp.org/images/c/cd/OpenSAMM_-_OWASP_Tour_13_Talk_-_Seba.pptx presentation]) - 2013
* AppSecEU11 - Athens: Colin Watson presenting SAMM Training (download [https://www.owasp.org/images/1/18/Owasp-training-samm-greece.pdf presentation]) - 2011
* AppSecEU09: Pravir Chandra presenting OpenSAMM v1.0 (download [https://www.owasp.org/images/4/49/AppSecEU09_OpenSAMM-1.0.ppt presentation]) - 2009
* Matt Bartoldus presentation on new SAMM project during OWASP London chapter (download [https://www.owasp.org/images/d/df/OpenSAMM.pdf presentation]) - 2009
* Pravir Chandra - first presentation discussing the next generation to the CLASP Project- a complete working of the details into a Software Assurance Maturity Model (SAMM). (download [https://www.owasp.org/images/2/2e/OWASP_CLASP_SAMM.ppt presentation]) - 2009

OWASP SAMM Project

2017-02-28T18:25:59Z

Brianglas: Minor updates to bring information current

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''OWASP SAMM v1.5 available in the downloads section!''' (Announcement Coming)

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:
* '''Evaluate an organization’s existing software security practices'''
* '''Build a balanced software security assurance program in well-defined iterations'''
* '''Demonstrate concrete improvements to a security assurance program'''
* '''Define and measure security-related activities throughout an organization'''

''Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize.'', ('''Michael J. Craigue, Information Security & Compliance, Dell, Inc.''')

Follow OWASP SAMM on twitter: [https://twitter.com/owaspsamm @owaspsamm]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download v1.5 ==
[https://www.owasp.org/images/8/8d/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] <br>
[https://www.owasp.org/images/6/6f/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] <br>
[https://www.owasp.org/images/3/30/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] <br>
[https://www.owasp.org/images/1/18/SAMM_Quick_Start_V1-5_FINAL.pdf Quick Start Guide] <br>
[https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] <br>
[https://www.owasp.org/images/8/84/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Toolbox Example] <br>
[https://github.com/OWASP/samm/ OWASP SAMM on GitHub]

== Quick Download v1.1.1 ==

[https://www.owasp.org/images/e/ec/SAMM_Core_V1-1-Final-1page.pdf SAMM Core Model]<br>
[https://www.owasp.org/images/2/2c/SAMM_How_To_V1-1-Final-1page.pdf How-To Guide] <br>
[https://www.owasp.org/images/8/89/SAMM_Quick_Start_V1-1-Final-1page.pdf Quick-Start Guide] <br>
[https://www.owasp.org/images/e/e3/OpenSAMM_Assessment_Toolbox_v1-1-1-Final.xlsx Updated SAMM Tool Box]<br>
[https://github.com/OWASP/samm OWASP SAMM on GitHub]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_SAMM_Project#News News] and [https://www.owasp.org/index.php/OWASP_SAMM_Project#Talks Talks] tabs

== Change Log ==
* OWASP SAMM v1.5 Released! (Feb 28, 2017)
* OWASP SAMM v1.1 Released! ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

== Email List ==

Questions? Please ask on the [https://lists.owasp.org/mailman/listinfo/samm SAMM Mailing List]

== Project Leaders ==

[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] <br/> [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win] <br/> [https://www.owasp.org/index.php/User:Brianglas Brian Glas]

== Related Projects ==

*

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Browse Online =
[[Image:OwaspSAMM.png|right]]

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

[[Image:SAMM-Overview.png|720px]]

===== Click on any badge to learn more =====

{| cellpadding="1"
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]
|-
|align="center"|'''Strategy & Metrics'''
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
|-
|align="center"|'''Policy & Compliance'''
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
|-
|align="center"|'''Education & Guidance'''
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]
|-
|align="center"|'''Threat Assessment'''
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
|-
|align="center"|'''Security Requirements'''
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
|-
|align="center"|'''Secure Architecture'''
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]
|-
|align="center"|'''Design Review'''
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
|-
|align="center"|'''Code Review'''
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
|-
|align="center"|'''Security Testing'''
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]
|-
|align="center"|'''Vulnerability Management'''
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
|-
|align="center"|'''Environment Hardening'''
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
|-
|align="center"|'''Operational Enablement'''
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
|-
|}

= Downloads =

The latest work in progress can be found on Github: https://github.com/OWASP/samm

Download SAMM v1.5
* [https://www.owasp.org/images/8/8d/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] Zip file containing all the v1.5 files below;
* [https://www.owasp.org/images/6/6f/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/3/30/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/1/18/SAMM_Quick_Start_V1-5_FINAL.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] to perform SAMM assessments and create SAMM roadmaps;
* [https://www.owasp.org/images/8/84/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Tool Box Example] to provide an example SAMM assessment;

Download SAMM v1.1
* [https://www.owasp.org/images/d/d8/OpenSAMM_Core_V1-1-Final.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/a/a7/OpenSAMM_How_To_V1-1-Final.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/3/3f/OpenSAMM_Quick_Start_V1-1-Final.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/b/b9/OpenSAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;

Download OpenSAMM v1.0:
* in [https://www.owasp.org/images/c/c0/SAMM-1.0.pdf English - PDF], [https://www.owasp.org/images/2/25/SAMM-1.0-en_US-0.3.xml.zip English - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-es_MX.pdf Spanish - PDF], [https://www.owasp.org/images/a/a1/SAMM-1.0-es_MX-0.3.xml.zip Spanish - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-ja_JP.pdf Japanese - PDF], not available as XML

Available resources to apply SAMM:
* Browse OWASP and other resources for SAMM Security practices: [[:Category:SAMM-Resources]]

Trainings:
* Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
** Slide deck download [https://www.owasp.org/images/d/df/OpenSAMM_Training_vFINAL.pptx here]
** Training description download [https://www.owasp.org/images/7/7c/Training_-_Bootstrap_and_improve_your_SDLC_with_OpenSAMM.docx here]

Assessments:
* SAMM v1.5 Toolbox
** Download the new v1.5 Toolbox with the updated scoring model [https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM v1.5 Toolbox]
* SAMM v1.1 RC1 toolbox
** download the latest toolbox, including the updated questions [https://github.com/OWASP/opensamm/blob/master/v1.1/OpenSAMM_Assessment_Toolbox_v1-1-RC.xlsx here]
* Assessment Interview Template by Nick Coblentz for SAMM V1.0
** This [https://www.owasp.org/images/c/cf/20090607-SAMMAssessmentInterviewTemplate-1.0.xls spreadsheet] breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.
* Roadmap Chart Template by Colin Watson for SAMM V1.0
** This [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.
* Assessment Worksheet by Christian Frichot for SAMM V1.0
** This is an easy-to-use [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.
* Project Plan Template by Jim Weiler for SAMM V1.0
** This is a [https://www.owasp.org/images/3/33/SAMMProject.zip project plan template] (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.

Mappings:
* BSIMM-6 mapping to SAMM activities:
** Spreadsheet download [https://github.com/OWASP/opensamm/tree/master/v1.1/mapping here]
** Presentation with start of analysis download [https://www.owasp.org/images/6/66/OpenSAMM_-_BSIMM-V_mapping.pptx here]
* BSIMM mapping to SAMM during the 2011 Summit:
** This [https://www.owasp.org/images/2/2e/20110301-OpenSAMM-BSIMM-Mapping.xlsx spreadsheet] contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).

Tools:
*Javascript visualization framework for SAMM on [https://github.com/qudosoft-labs/SAMMCharts github]

= Community =

[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Community | Community}}

</div>

= Summit =

[[Image:OwaspSAMM.png|right]]

In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016 >here<] !!

Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015 >here<] !!

Summit Notes:
* 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
* Summit outcome is described [http://www.opensamm.org/2015/04/opensamm-summit-dublin-outcome/ here]
''"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers."'' Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company

Previous workshop Notes:

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.

This is also an excellent opportunity to exchange experiences with your peers.

If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).
* The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available [https://docs.google.com/document/d/1tXqIovpSuFqycVYetdGSC2PiPygySymiLUhHT5yHR2M/edit here].

Previous workshop notes:
* The notes for the SAMM Workshop in New York on 21-Nov-2013 are available [https://docs.google.com/document/d/1PwoDVsWyhoWksBiLIRh8UOh-QCs8H7QMqrSUsS13WzU/edit here].
* The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available [https://docs.google.com/document/d/12mB7FkmhcI04YDZle_VD90n1xcENgNhAGqZkCAb6EkM/edit here].

= Talks =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Talks | Talks}}

</div>

= News =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/News | News}}

</div>

= Languages =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SAMM v1.0 is available in the following languages:'''

* English
* Spanish
* Japanese

Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the [https://www.owasp.org/images/c/cf/05_OWASP_LatamTur2011_OpenSAMM.pdf presentation].
Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download [https://www.owasp.org/images/f/fd/OpenSAMM-1.0-fr_FR.ppt here].

You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Updated roadmap:
Next 1.5 release, updated scoring:
* Clarification of maturity levels (syntactic changes to keep the text consistent)
* Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal.
* Show improvements with every activity introduced
* Adapt for the new scoring method
* Update questions for 4-tiers
* Review and where necessary clarify current questions
* Consider v1.1 remarks that were not withheld for the previous release
Targeted completion date: February 28, 2017

SAMM version 2.0
* Core model changed
* Visualisations + flavours for a few development methodologies
* Update quickstart guide, TB, HTG.
* Success metrics: How well does the model work: Linked to the benchmarking project.
Timing: Workshops as part of OWASP Project Summit June 2017

</div>
= Get Involved =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feedback==

Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:
* What do like?
* What don't you like?
* How can we make SAMM easier to use?
* How could SAMM be improved?

==Localization==

Are you fluent in another language? Can you help translate SAMM into that language?

You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!

</div>

= Project Sponsors =
[[Image:OwaspSAMM.png|right]]

<div style="font-size:120%;border:none;margin: 0;color:#000">

==SAMM Adopters==
Current list of [https://www.owasp.org/index.php/OpenSAMM_Adopters OpenSAMM adopters]

SAMM is developed and maintained by a worldwide team of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM:

==== Acknowledgements ====
We would like to thank the following sponsors who donated funds to our project:

[[File:Belgium_Chapter.PNG|250px|link=https://www.owasp.org/index.php/Belgium]]
[[File:London_Chapter.PNG|250px|link=https://www.owasp.org/index.php/London]]

[[File:Aspectsecurity.png|250px|link=http://www.aspectsecurity.com]]
[[File:Astech_Consulting_logo.png|250px|link=http://www.astechconsulting.com/]]
[[File:Denim_Group_logo.jpg|250px|link=http://www.denimgroup.com/]]
[[File:Gotham_Digital_Science_logo.jpg|250px|link=http://www.gdssecurity.com/]]

{{MemberLinksv2|link=http://www.hpenterprisesecurity.com|logo=HP_Blue_RGB_150_SM.png|size=300px90px}}
[[File:NetSPI_logo.png|250px|link=http://www.netspi.com/]]
[[Image:PwC_logo_4colourprint_(2)_Resized_good_one.jpg|150px|link=http://www.pwc.com]]
[[File:SI_Logo_Stacked_Application_Security.jpg|250px|link=http://www.securityinnovation.com/]]
[[File:LogoToreon.jpg|250px|link=http://www.toreon.com]]
[[File:Veracode-samm.png|250px|link=http://www.veracode.com]]

__NOTOC__ <headertabs />

<br/>
{{OWASP Book|6888083}}
<br/>

[[Category:OWASP_Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]

OWASP SAMM Project

2017-02-28T18:25:04Z

Brianglas: Updates for v1.5

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''OWASP SAMM v1.5 available in the downloads section!''' (Announcement Coming)

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:
* '''Evaluate an organization’s existing software security practices'''
* '''Build a balanced software security assurance program in well-defined iterations'''
* '''Demonstrate concrete improvements to a security assurance program'''
* '''Define and measure security-related activities throughout an organization'''

''Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize.'', ('''Michael J. Craigue, Information Security & Compliance, Dell, Inc.''')

Follow OWASP SAMM on twitter: [https://twitter.com/owaspsamm @owaspsamm]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download v1.5 ==
[https://www.owasp.org/images/8/8d/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] <br>
[https://www.owasp.org/images/6/6f/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] <br>
[https://www.owasp.org/images/3/30/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] <br>
[https://www.owasp.org/images/1/18/SAMM_Quick_Start_V1-5_FINAL.pdf Quick Start Guide] <br>
[https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] <br>
[https://www.owasp.org/images/8/84/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Toolbox Example] <br>
[https://github.com/OWASP/samm/ OWASP SAMM on GitHub]

== Quick Download v1.1.1 ==

[https://www.owasp.org/images/e/ec/SAMM_Core_V1-1-Final-1page.pdf SAMM Core Model]<br>
[https://www.owasp.org/images/2/2c/SAMM_How_To_V1-1-Final-1page.pdf How-To Guide] <br>
[https://www.owasp.org/images/8/89/SAMM_Quick_Start_V1-1-Final-1page.pdf Quick-Start Guide] <br>
[https://www.owasp.org/images/e/e3/OpenSAMM_Assessment_Toolbox_v1-1-1-Final.xlsx Updated SAMM Tool Box]<br>
[https://github.com/OWASP/samm OWASP SAMM on GitHub]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_SAMM_Project#News News] and [https://www.owasp.org/index.php/OWASP_SAMM_Project#Talks Talks] tabs

== Change Log ==
* OWASP SAMM v1.1 Released! ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

== Email List ==

Questions? Please ask on the [https://lists.owasp.org/mailman/listinfo/samm SAMM Mailing List]

== Project Leaders ==

[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] <br/> [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win] <br/> [https://www.owasp.org/index.php/User:Brianglas Brian Glas]

== Related Projects ==

*

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Browse Online =
[[Image:OwaspSAMM.png|right]]

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

[[Image:SAMM-Overview.png|720px]]

===== Click on any badge to learn more =====

{| cellpadding="1"
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]
|-
|align="center"|'''Strategy & Metrics'''
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
|-
|align="center"|'''Policy & Compliance'''
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
|-
|align="center"|'''Education & Guidance'''
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]
|-
|align="center"|'''Threat Assessment'''
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
|-
|align="center"|'''Security Requirements'''
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
|-
|align="center"|'''Secure Architecture'''
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]
|-
|align="center"|'''Design Review'''
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
|-
|align="center"|'''Code Review'''
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
|-
|align="center"|'''Security Testing'''
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]
|-
|align="center"|'''Vulnerability Management'''
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
|-
|align="center"|'''Environment Hardening'''
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
|-
|align="center"|'''Operational Enablement'''
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
|-
|}

= Downloads =

The latest work in progress can be found on Github: https://github.com/OWASP/samm

Download SAMM v1.5
* [https://www.owasp.org/images/8/8d/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] Zip file containing all the v1.5 files below;
* [https://www.owasp.org/images/6/6f/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/3/30/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/1/18/SAMM_Quick_Start_V1-5_FINAL.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] to perform SAMM assessments and create SAMM roadmaps;
* [https://www.owasp.org/images/8/84/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Tool Box Example] to provide an example SAMM assessment;

Download SAMM v1.1
* [https://www.owasp.org/images/d/d8/OpenSAMM_Core_V1-1-Final.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/a/a7/OpenSAMM_How_To_V1-1-Final.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/3/3f/OpenSAMM_Quick_Start_V1-1-Final.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/b/b9/OpenSAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;

Download OpenSAMM v1.0:
* in [https://www.owasp.org/images/c/c0/SAMM-1.0.pdf English - PDF], [https://www.owasp.org/images/2/25/SAMM-1.0-en_US-0.3.xml.zip English - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-es_MX.pdf Spanish - PDF], [https://www.owasp.org/images/a/a1/SAMM-1.0-es_MX-0.3.xml.zip Spanish - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-ja_JP.pdf Japanese - PDF], not available as XML

Available resources to apply SAMM:
* Browse OWASP and other resources for SAMM Security practices: [[:Category:SAMM-Resources]]

Trainings:
* Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
** Slide deck download [https://www.owasp.org/images/d/df/OpenSAMM_Training_vFINAL.pptx here]
** Training description download [https://www.owasp.org/images/7/7c/Training_-_Bootstrap_and_improve_your_SDLC_with_OpenSAMM.docx here]

Assessments:
* SAMM v1.5 Toolbox
** Download the new v1.5 Toolbox with the updated scoring model [https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM v1.5 Toolbox]
* SAMM v1.1 RC1 toolbox
** download the latest toolbox, including the updated questions [https://github.com/OWASP/opensamm/blob/master/v1.1/OpenSAMM_Assessment_Toolbox_v1-1-RC.xlsx here]
* Assessment Interview Template by Nick Coblentz for SAMM V1.0
** This [https://www.owasp.org/images/c/cf/20090607-SAMMAssessmentInterviewTemplate-1.0.xls spreadsheet] breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.
* Roadmap Chart Template by Colin Watson for SAMM V1.0
** This [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.
* Assessment Worksheet by Christian Frichot for SAMM V1.0
** This is an easy-to-use [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.
* Project Plan Template by Jim Weiler for SAMM V1.0
** This is a [https://www.owasp.org/images/3/33/SAMMProject.zip project plan template] (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.

Mappings:
* BSIMM-6 mapping to SAMM activities:
** Spreadsheet download [https://github.com/OWASP/opensamm/tree/master/v1.1/mapping here]
** Presentation with start of analysis download [https://www.owasp.org/images/6/66/OpenSAMM_-_BSIMM-V_mapping.pptx here]
* BSIMM mapping to SAMM during the 2011 Summit:
** This [https://www.owasp.org/images/2/2e/20110301-OpenSAMM-BSIMM-Mapping.xlsx spreadsheet] contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).

Tools:
*Javascript visualization framework for SAMM on [https://github.com/qudosoft-labs/SAMMCharts github]

= Community =

[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Community | Community}}

</div>

= Summit =

[[Image:OwaspSAMM.png|right]]

In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016 >here<] !!

Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015 >here<] !!

Summit Notes:
* 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
* Summit outcome is described [http://www.opensamm.org/2015/04/opensamm-summit-dublin-outcome/ here]
''"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers."'' Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company

Previous workshop Notes:

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.

This is also an excellent opportunity to exchange experiences with your peers.

If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).
* The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available [https://docs.google.com/document/d/1tXqIovpSuFqycVYetdGSC2PiPygySymiLUhHT5yHR2M/edit here].

Previous workshop notes:
* The notes for the SAMM Workshop in New York on 21-Nov-2013 are available [https://docs.google.com/document/d/1PwoDVsWyhoWksBiLIRh8UOh-QCs8H7QMqrSUsS13WzU/edit here].
* The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available [https://docs.google.com/document/d/12mB7FkmhcI04YDZle_VD90n1xcENgNhAGqZkCAb6EkM/edit here].

= Talks =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Talks | Talks}}

</div>

= News =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/News | News}}

</div>

= Languages =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SAMM v1.0 is available in the following languages:'''

* English
* Spanish
* Japanese

Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the [https://www.owasp.org/images/c/cf/05_OWASP_LatamTur2011_OpenSAMM.pdf presentation].
Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download [https://www.owasp.org/images/f/fd/OpenSAMM-1.0-fr_FR.ppt here].

You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Updated roadmap:
Next 1.5 release, updated scoring:
* Clarification of maturity levels (syntactic changes to keep the text consistent)
* Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal.
* Show improvements with every activity introduced
* Adapt for the new scoring method
* Update questions for 4-tiers
* Review and where necessary clarify current questions
* Consider v1.1 remarks that were not withheld for the previous release
Targeted completion date: February 28, 2017

SAMM version 2.0
* Core model changed
* Visualisations + flavours for a few development methodologies
* Update quickstart guide, TB, HTG.
* Success metrics: How well does the model work: Linked to the benchmarking project.
Timing: Workshops as part of OWASP Project Summit June 2017

</div>
= Get Involved =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feedback==

Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:
* What do like?
* What don't you like?
* How can we make SAMM easier to use?
* How could SAMM be improved?

==Localization==

Are you fluent in another language? Can you help translate SAMM into that language?

You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!

</div>

= Project Sponsors =
[[Image:OwaspSAMM.png|right]]

<div style="font-size:120%;border:none;margin: 0;color:#000">

==SAMM Adopters==
Current list of [https://www.owasp.org/index.php/OpenSAMM_Adopters OpenSAMM adopters]

SAMM is developed and maintained by a worldwide team of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM:

==== Acknowledgements ====
We would like to thank the following sponsors who donated funds to our project:

[[File:Belgium_Chapter.PNG|250px|link=https://www.owasp.org/index.php/Belgium]]
[[File:London_Chapter.PNG|250px|link=https://www.owasp.org/index.php/London]]

[[File:Aspectsecurity.png|250px|link=http://www.aspectsecurity.com]]
[[File:Astech_Consulting_logo.png|250px|link=http://www.astechconsulting.com/]]
[[File:Denim_Group_logo.jpg|250px|link=http://www.denimgroup.com/]]
[[File:Gotham_Digital_Science_logo.jpg|250px|link=http://www.gdssecurity.com/]]

{{MemberLinksv2|link=http://www.hpenterprisesecurity.com|logo=HP_Blue_RGB_150_SM.png|size=300px90px}}
[[File:NetSPI_logo.png|250px|link=http://www.netspi.com/]]
[[Image:PwC_logo_4colourprint_(2)_Resized_good_one.jpg|150px|link=http://www.pwc.com]]
[[File:SI_Logo_Stacked_Application_Security.jpg|250px|link=http://www.securityinnovation.com/]]
[[File:LogoToreon.jpg|250px|link=http://www.toreon.com]]
[[File:Veracode-samm.png|250px|link=http://www.veracode.com]]

__NOTOC__ <headertabs />

<br/>
{{OWASP Book|6888083}}
<br/>

[[Category:OWASP_Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]

OWASP SAMM Project

2017-02-28T03:11:35Z

Brianglas: Updating for v1.5 files

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''OWASP SAMM v1.1 available in the downloads section!''' ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:
* '''Evaluate an organization’s existing software security practices'''
* '''Build a balanced software security assurance program in well-defined iterations'''
* '''Demonstrate concrete improvements to a security assurance program'''
* '''Define and measure security-related activities throughout an organization'''

''Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize.'', ('''Michael J. Craigue, Information Security & Compliance, Dell, Inc.''')

Follow OWASP SAMM on twitter: [https://twitter.com/owaspsamm @owaspsamm]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download v1.5 ==
[https://www.owasp.org/images/8/8d/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] <br>
[https://www.owasp.org/images/6/6f/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] <br>
[https://www.owasp.org/images/3/30/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] <br>
[https://www.owasp.org/images/1/18/SAMM_Quick_Start_V1-5_FINAL.pdf Quick Start Guide] <br>
[https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] <br>
[https://www.owasp.org/images/8/84/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Toolbox Example] <br>
[https://github.com/OWASP/samm/ OWASP SAMM on GitHub]

== Quick Download v1.1.1 ==

[https://www.owasp.org/images/e/ec/SAMM_Core_V1-1-Final-1page.pdf SAMM Core Model]<br>
[https://www.owasp.org/images/2/2c/SAMM_How_To_V1-1-Final-1page.pdf How-To Guide] <br>
[https://www.owasp.org/images/8/89/SAMM_Quick_Start_V1-1-Final-1page.pdf Quick-Start Guide] <br>
[https://www.owasp.org/images/e/e3/OpenSAMM_Assessment_Toolbox_v1-1-1-Final.xlsx Updated SAMM Tool Box]<br>
[https://github.com/OWASP/samm OWASP SAMM on GitHub]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_SAMM_Project#News News] and [https://www.owasp.org/index.php/OWASP_SAMM_Project#Talks Talks] tabs

== Change Log ==
* OWASP SAMM v1.1 Released! ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

== Email List ==

Questions? Please ask on the [https://lists.owasp.org/mailman/listinfo/samm SAMM Mailing List]

== Project Leaders ==

[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] <br/> [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win] <br/> [https://www.owasp.org/index.php/User:Brianglas Brian Glas]

== Related Projects ==

*

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Browse Online =
[[Image:OwaspSAMM.png|right]]

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

[[Image:SAMM-Overview.png|720px]]

===== Click on any badge to learn more =====

{| cellpadding="1"
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]
|-
|align="center"|'''Strategy & Metrics'''
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
|-
|align="center"|'''Policy & Compliance'''
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
|-
|align="center"|'''Education & Guidance'''
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]
|-
|align="center"|'''Threat Assessment'''
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
|-
|align="center"|'''Security Requirements'''
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
|-
|align="center"|'''Secure Architecture'''
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]
|-
|align="center"|'''Design Review'''
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
|-
|align="center"|'''Code Review'''
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
|-
|align="center"|'''Security Testing'''
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]
|-
|align="center"|'''Vulnerability Management'''
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
|-
|align="center"|'''Environment Hardening'''
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
|-
|align="center"|'''Operational Enablement'''
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
|-
|}

= Downloads =

The latest work in progress can be found on Github: https://github.com/OWASP/samm

Download SAMM v1.5
* [https://www.owasp.org/images/8/8d/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] Zip file containing all the v1.5 files below;
* [https://www.owasp.org/images/6/6f/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/3/30/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/1/18/SAMM_Quick_Start_V1-5_FINAL.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] to perform SAMM assessments and create SAMM roadmaps;
* [https://www.owasp.org/images/8/84/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Tool Box Example] to provide an example SAMM assessment;

Download SAMM v1.1
* [https://www.owasp.org/images/d/d8/OpenSAMM_Core_V1-1-Final.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/a/a7/OpenSAMM_How_To_V1-1-Final.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/3/3f/OpenSAMM_Quick_Start_V1-1-Final.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/b/b9/OpenSAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;

Download OpenSAMM v1.0:
* in [https://www.owasp.org/images/c/c0/SAMM-1.0.pdf English - PDF], [https://www.owasp.org/images/2/25/SAMM-1.0-en_US-0.3.xml.zip English - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-es_MX.pdf Spanish - PDF], [https://www.owasp.org/images/a/a1/SAMM-1.0-es_MX-0.3.xml.zip Spanish - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-ja_JP.pdf Japanese - PDF], not available as XML

Available resources to apply SAMM:
* Browse OWASP and other resources for SAMM Security practices: [[:Category:SAMM-Resources]]

Trainings:
* Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
** Slide deck download [https://www.owasp.org/images/d/df/OpenSAMM_Training_vFINAL.pptx here]
** Training description download [https://www.owasp.org/images/7/7c/Training_-_Bootstrap_and_improve_your_SDLC_with_OpenSAMM.docx here]

Assessments:
* SAMM v1.5 Toolbox
** Download the new v1.5 Toolbox with the updated scoring model [https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM v1.5 Toolbox]
* SAMM v1.1 RC1 toolbox
** download the latest toolbox, including the updated questions [https://github.com/OWASP/opensamm/blob/master/v1.1/OpenSAMM_Assessment_Toolbox_v1-1-RC.xlsx here]
* Assessment Interview Template by Nick Coblentz for SAMM V1.0
** This [https://www.owasp.org/images/c/cf/20090607-SAMMAssessmentInterviewTemplate-1.0.xls spreadsheet] breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.
* Roadmap Chart Template by Colin Watson for SAMM V1.0
** This [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.
* Assessment Worksheet by Christian Frichot for SAMM V1.0
** This is an easy-to-use [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.
* Project Plan Template by Jim Weiler for SAMM V1.0
** This is a [https://www.owasp.org/images/3/33/SAMMProject.zip project plan template] (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.

Mappings:
* BSIMM-6 mapping to SAMM activities:
** Spreadsheet download [https://github.com/OWASP/opensamm/tree/master/v1.1/mapping here]
** Presentation with start of analysis download [https://www.owasp.org/images/6/66/OpenSAMM_-_BSIMM-V_mapping.pptx here]
* BSIMM mapping to SAMM during the 2011 Summit:
** This [https://www.owasp.org/images/2/2e/20110301-OpenSAMM-BSIMM-Mapping.xlsx spreadsheet] contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).

Tools:
*Javascript visualization framework for SAMM on [https://github.com/qudosoft-labs/SAMMCharts github]

= Community =

[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Community | Community}}

</div>

= Summit =

[[Image:OwaspSAMM.png|right]]

In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016 >here<] !!

Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015 >here<] !!

Summit Notes:
* 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
* Summit outcome is described [http://www.opensamm.org/2015/04/opensamm-summit-dublin-outcome/ here]
''"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers."'' Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company

Previous workshop Notes:

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.

This is also an excellent opportunity to exchange experiences with your peers.

If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).
* The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available [https://docs.google.com/document/d/1tXqIovpSuFqycVYetdGSC2PiPygySymiLUhHT5yHR2M/edit here].

Previous workshop notes:
* The notes for the SAMM Workshop in New York on 21-Nov-2013 are available [https://docs.google.com/document/d/1PwoDVsWyhoWksBiLIRh8UOh-QCs8H7QMqrSUsS13WzU/edit here].
* The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available [https://docs.google.com/document/d/12mB7FkmhcI04YDZle_VD90n1xcENgNhAGqZkCAb6EkM/edit here].

= Talks =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Talks | Talks}}

</div>

= News =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/News | News}}

</div>

= Languages =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SAMM v1.0 is available in the following languages:'''

* English
* Spanish
* Japanese

Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the [https://www.owasp.org/images/c/cf/05_OWASP_LatamTur2011_OpenSAMM.pdf presentation].
Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download [https://www.owasp.org/images/f/fd/OpenSAMM-1.0-fr_FR.ppt here].

You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Updated roadmap:
Next 1.5 release, updated scoring:
* Clarification of maturity levels (syntactic changes to keep the text consistent)
* Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal.
* Show improvements with every activity introduced
* Adapt for the new scoring method
* Update questions for 4-tiers
* Review and where necessary clarify current questions
* Consider v1.1 remarks that were not withheld for the previous release
Targeted completion date: February 28, 2017

SAMM version 2.0
* Core model changed
* Visualisations + flavours for a few development methodologies
* Update quickstart guide, TB, HTG.
* Success metrics: How well does the model work: Linked to the benchmarking project.
Timing: Workshops as part of OWASP Project Summit June 2017

</div>
= Get Involved =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feedback==

Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:
* What do like?
* What don't you like?
* How can we make SAMM easier to use?
* How could SAMM be improved?

==Localization==

Are you fluent in another language? Can you help translate SAMM into that language?

You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!

</div>

= Project Sponsors =
[[Image:OwaspSAMM.png|right]]

<div style="font-size:120%;border:none;margin: 0;color:#000">

==SAMM Adopters==
Current list of [https://www.owasp.org/index.php/OpenSAMM_Adopters OpenSAMM adopters]

SAMM is developed and maintained by a worldwide team of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM:

==== Acknowledgements ====
We would like to thank the following sponsors who donated funds to our project:

[[File:Belgium_Chapter.PNG|250px|link=https://www.owasp.org/index.php/Belgium]]
[[File:London_Chapter.PNG|250px|link=https://www.owasp.org/index.php/London]]

[[File:Aspectsecurity.png|250px|link=http://www.aspectsecurity.com]]
[[File:Astech_Consulting_logo.png|250px|link=http://www.astechconsulting.com/]]
[[File:Denim_Group_logo.jpg|250px|link=http://www.denimgroup.com/]]
[[File:Gotham_Digital_Science_logo.jpg|250px|link=http://www.gdssecurity.com/]]

{{MemberLinksv2|link=http://www.hpenterprisesecurity.com|logo=HP_Blue_RGB_150_SM.png|size=300px90px}}
[[File:NetSPI_logo.png|250px|link=http://www.netspi.com/]]
[[Image:PwC_logo_4colourprint_(2)_Resized_good_one.jpg|150px|link=http://www.pwc.com]]
[[File:SI_Logo_Stacked_Application_Security.jpg|250px|link=http://www.securityinnovation.com/]]
[[File:LogoToreon.jpg|250px|link=http://www.toreon.com]]
[[File:Veracode-samm.png|250px|link=http://www.veracode.com]]

__NOTOC__ <headertabs />

<br/>
{{OWASP Book|6888083}}
<br/>

[[Category:OWASP_Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]

OWASP SAMM Project

2017-02-28T03:05:42Z

Brianglas: SAMM v1.5 Files

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''OWASP SAMM v1.1 available in the downloads section!''' ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:
* '''Evaluate an organization’s existing software security practices'''
* '''Build a balanced software security assurance program in well-defined iterations'''
* '''Demonstrate concrete improvements to a security assurance program'''
* '''Define and measure security-related activities throughout an organization'''

''Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize.'', ('''Michael J. Craigue, Information Security & Compliance, Dell, Inc.''')

Follow OWASP SAMM on twitter: [https://twitter.com/owaspsamm @owaspsamm]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download v1.5 ==
[https://www.owasp.org/images/8/8d/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] <br>
[https://www.owasp.org/images/6/6f/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] <br>
[https://www.owasp.org/images/3/30/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] <br>
[https://www.owasp.org/images/1/18/SAMM_Quick_Start_V1-5_FINAL.pdf Quick Start Guide] <br>
[https://www.owasp.org/images/9/98/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] <br>
[https://www.owasp.org/images/8/84/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Toolbox Example] <br>
[https://github.com/OWASP/samm/ OWASP SAMM on GitHub]

== Quick Download v1.1.1 ==

[https://www.owasp.org/images/e/ec/SAMM_Core_V1-1-Final-1page.pdf SAMM Core Model]<br>
[https://www.owasp.org/images/2/2c/SAMM_How_To_V1-1-Final-1page.pdf How-To Guide] <br>
[https://www.owasp.org/images/8/89/SAMM_Quick_Start_V1-1-Final-1page.pdf Quick-Start Guide] <br>
[https://www.owasp.org/images/e/e3/OpenSAMM_Assessment_Toolbox_v1-1-1-Final.xlsx Updated SAMM Tool Box]<br>
[https://github.com/OWASP/samm OWASP SAMM on GitHub]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_SAMM_Project#News News] and [https://www.owasp.org/index.php/OWASP_SAMM_Project#Talks Talks] tabs

== Change Log ==
* OWASP SAMM v1.1 Released! ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

== Email List ==

Questions? Please ask on the [https://lists.owasp.org/mailman/listinfo/samm SAMM Mailing List]

== Project Leaders ==

[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] <br/> [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win] <br/> [https://www.owasp.org/index.php/User:Brianglas Brian Glas]

== Related Projects ==

*

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Browse Online =
[[Image:OwaspSAMM.png|right]]

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

[[Image:SAMM-Overview.png|720px]]

===== Click on any badge to learn more =====

{| cellpadding="1"
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]
|-
|align="center"|'''Strategy & Metrics'''
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
|-
|align="center"|'''Policy & Compliance'''
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
|-
|align="center"|'''Education & Guidance'''
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]
|-
|align="center"|'''Threat Assessment'''
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
|-
|align="center"|'''Security Requirements'''
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
|-
|align="center"|'''Secure Architecture'''
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]
|-
|align="center"|'''Design Review'''
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
|-
|align="center"|'''Code Review'''
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
|-
|align="center"|'''Security Testing'''
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]
|-
|align="center"|'''Vulnerability Management'''
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
|-
|align="center"|'''Environment Hardening'''
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
|-
|align="center"|'''Operational Enablement'''
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
|-
|}

= Downloads =

The latest work in progress can be found on Github: https://github.com/OWASP/samm

Download SAMM v1.5
* [SAMM Core Model] document, explaining the maturity model;
* [How-To Guide] with implementation guidance;
* [Quick-Start Guide] with different steps to improve your secure software practice;
* [SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;
* [SAMM Tool Box Example] to provide an example SAMM assessment;

Download SAMM v1.1
* [https://www.owasp.org/images/d/d8/OpenSAMM_Core_V1-1-Final.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/a/a7/OpenSAMM_How_To_V1-1-Final.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/3/3f/OpenSAMM_Quick_Start_V1-1-Final.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/b/b9/OpenSAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;

Download OpenSAMM v1.0:
* in [https://www.owasp.org/images/c/c0/SAMM-1.0.pdf English - PDF], [https://www.owasp.org/images/2/25/SAMM-1.0-en_US-0.3.xml.zip English - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-es_MX.pdf Spanish - PDF], [https://www.owasp.org/images/a/a1/SAMM-1.0-es_MX-0.3.xml.zip Spanish - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-ja_JP.pdf Japanese - PDF], not available as XML

Available resources to apply SAMM:
* Browse OWASP and other resources for SAMM Security practices: [[:Category:SAMM-Resources]]

Trainings:
* Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
** Slide deck download [https://www.owasp.org/images/d/df/OpenSAMM_Training_vFINAL.pptx here]
** Training description download [https://www.owasp.org/images/7/7c/Training_-_Bootstrap_and_improve_your_SDLC_with_OpenSAMM.docx here]

Assessments:
* SAMM v1.1 RC1 toolbox
** download the latest toolbox, including the updated questions [https://github.com/OWASP/opensamm/blob/master/v1.1/OpenSAMM_Assessment_Toolbox_v1-1-RC.xlsx here]
* Assessment Interview Template by Nick Coblentz for SAMM V1.0
** This [https://www.owasp.org/images/c/cf/20090607-SAMMAssessmentInterviewTemplate-1.0.xls spreadsheet] breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.
* Roadmap Chart Template by Colin Watson for SAMM V1.0
** This [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.
* Assessment Worksheet by Christian Frichot for SAMM V1.0
** This is an easy-to-use [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.
* Project Plan Template by Jim Weiler for SAMM V1.0
** This is a [https://www.owasp.org/images/3/33/SAMMProject.zip project plan template] (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.

Mappings:
* BSIMM-6 mapping to SAMM activities:
** Spreadsheet download [https://github.com/OWASP/opensamm/tree/master/v1.1/mapping here]
** Presentation with start of analysis download [https://www.owasp.org/images/6/66/OpenSAMM_-_BSIMM-V_mapping.pptx here]
* BSIMM mapping to SAMM during the 2011 Summit:
** This [https://www.owasp.org/images/2/2e/20110301-OpenSAMM-BSIMM-Mapping.xlsx spreadsheet] contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).

Tools:
*Javascript visualization framework for SAMM on [https://github.com/qudosoft-labs/SAMMCharts github]

= Community =

[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Community | Community}}

</div>

= Summit =

[[Image:OwaspSAMM.png|right]]

In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016 >here<] !!

Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015 >here<] !!

Summit Notes:
* 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
* Summit outcome is described [http://www.opensamm.org/2015/04/opensamm-summit-dublin-outcome/ here]
''"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers."'' Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company

Previous workshop Notes:

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.

This is also an excellent opportunity to exchange experiences with your peers.

If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).
* The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available [https://docs.google.com/document/d/1tXqIovpSuFqycVYetdGSC2PiPygySymiLUhHT5yHR2M/edit here].

Previous workshop notes:
* The notes for the SAMM Workshop in New York on 21-Nov-2013 are available [https://docs.google.com/document/d/1PwoDVsWyhoWksBiLIRh8UOh-QCs8H7QMqrSUsS13WzU/edit here].
* The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available [https://docs.google.com/document/d/12mB7FkmhcI04YDZle_VD90n1xcENgNhAGqZkCAb6EkM/edit here].

= Talks =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Talks | Talks}}

</div>

= News =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/News | News}}

</div>

= Languages =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SAMM v1.0 is available in the following languages:'''

* English
* Spanish
* Japanese

Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the [https://www.owasp.org/images/c/cf/05_OWASP_LatamTur2011_OpenSAMM.pdf presentation].
Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download [https://www.owasp.org/images/f/fd/OpenSAMM-1.0-fr_FR.ppt here].

You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Updated roadmap:
Next 1.5 release, updated scoring:
* Clarification of maturity levels (syntactic changes to keep the text consistent)
* Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal.
* Show improvements with every activity introduced
* Adapt for the new scoring method
* Update questions for 4-tiers
* Review and where necessary clarify current questions
* Consider v1.1 remarks that were not withheld for the previous release
Targeted completion date: February 28, 2017

SAMM version 2.0
* Core model changed
* Visualisations + flavours for a few development methodologies
* Update quickstart guide, TB, HTG.
* Success metrics: How well does the model work: Linked to the benchmarking project.
Timing: Workshops as part of OWASP Project Summit June 2017

</div>
= Get Involved =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feedback==

Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:
* What do like?
* What don't you like?
* How can we make SAMM easier to use?
* How could SAMM be improved?

==Localization==

Are you fluent in another language? Can you help translate SAMM into that language?

You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!

</div>

= Project Sponsors =
[[Image:OwaspSAMM.png|right]]

<div style="font-size:120%;border:none;margin: 0;color:#000">

==SAMM Adopters==
Current list of [https://www.owasp.org/index.php/OpenSAMM_Adopters OpenSAMM adopters]

SAMM is developed and maintained by a worldwide team of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM:

==== Acknowledgements ====
We would like to thank the following sponsors who donated funds to our project:

[[File:Belgium_Chapter.PNG|250px|link=https://www.owasp.org/index.php/Belgium]]
[[File:London_Chapter.PNG|250px|link=https://www.owasp.org/index.php/London]]

[[File:Aspectsecurity.png|250px|link=http://www.aspectsecurity.com]]
[[File:Astech_Consulting_logo.png|250px|link=http://www.astechconsulting.com/]]
[[File:Denim_Group_logo.jpg|250px|link=http://www.denimgroup.com/]]
[[File:Gotham_Digital_Science_logo.jpg|250px|link=http://www.gdssecurity.com/]]

{{MemberLinksv2|link=http://www.hpenterprisesecurity.com|logo=HP_Blue_RGB_150_SM.png|size=300px90px}}
[[File:NetSPI_logo.png|250px|link=http://www.netspi.com/]]
[[Image:PwC_logo_4colourprint_(2)_Resized_good_one.jpg|150px|link=http://www.pwc.com]]
[[File:SI_Logo_Stacked_Application_Security.jpg|250px|link=http://www.securityinnovation.com/]]
[[File:LogoToreon.jpg|250px|link=http://www.toreon.com]]
[[File:Veracode-samm.png|250px|link=http://www.veracode.com]]

__NOTOC__ <headertabs />

<br/>
{{OWASP Book|6888083}}
<br/>

[[Category:OWASP_Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]

File:SAMM Assessment Toolbox v1.5-Example FINAL.xlsx

2017-02-28T03:05:11Z

Brianglas: SAMM Assessment Toolbox v1.5 Example Spreadsheet

SAMM Assessment Toolbox v1.5 Example Spreadsheet

File:SAMM Assessment Toolbox v1.5 FINAL.xlsx

2017-02-28T03:04:25Z

Brianglas: SAMM Assessment Toolbox v1.5 Spreadsheet

SAMM Assessment Toolbox v1.5 Spreadsheet

File:SAMM Quick Start V1-5 FINAL.pdf

2017-02-28T03:03:51Z

Brianglas: SAMM Quick Start Guide for v1.5

SAMM Quick Start Guide for v1.5

File:SAMM How To V1-5 FINAL.pdf

2017-02-28T03:03:14Z

Brianglas: SAMM How To Guide for v1.5

SAMM How To Guide for v1.5

File:SAMM Core V1-5 FINAL.pdf

2017-02-28T03:02:13Z

Brianglas: SAMM v1.5 Core Model Document

SAMM v1.5 Core Model Document

OWASP SAMM Project

2017-02-28T03:01:06Z

Brianglas: Linking SAMM files

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''OWASP SAMM v1.1 available in the downloads section!''' ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:
* '''Evaluate an organization’s existing software security practices'''
* '''Build a balanced software security assurance program in well-defined iterations'''
* '''Demonstrate concrete improvements to a security assurance program'''
* '''Define and measure security-related activities throughout an organization'''

''Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize.'', ('''Michael J. Craigue, Information Security & Compliance, Dell, Inc.''')

Follow OWASP SAMM on twitter: [https://twitter.com/owaspsamm @owaspsamm]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download v1.5 ==
[https://www.owasp.org/images/8/8d/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] <br>
SAMM Core Model <br>
How-To Guide <br>
Quick Start Guide <br>
SAMM Toolbox <br>
SAMM Toolbox Example <br>
[https://github.com/OWASP/samm/ OWASP SAMM on GitHub]

== Quick Download v1.1.1 ==

[https://www.owasp.org/images/e/ec/SAMM_Core_V1-1-Final-1page.pdf SAMM Core Model]<br>
[https://www.owasp.org/images/2/2c/SAMM_How_To_V1-1-Final-1page.pdf How-To Guide] <br>
[https://www.owasp.org/images/8/89/SAMM_Quick_Start_V1-1-Final-1page.pdf Quick-Start Guide] <br>
[https://www.owasp.org/images/e/e3/OpenSAMM_Assessment_Toolbox_v1-1-1-Final.xlsx Updated SAMM Tool Box]<br>
[https://github.com/OWASP/samm OWASP SAMM on GitHub]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_SAMM_Project#News News] and [https://www.owasp.org/index.php/OWASP_SAMM_Project#Talks Talks] tabs

== Change Log ==
* OWASP SAMM v1.1 Released! ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

== Email List ==

Questions? Please ask on the [https://lists.owasp.org/mailman/listinfo/samm SAMM Mailing List]

== Project Leaders ==

[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] <br/> [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win] <br/> [https://www.owasp.org/index.php/User:Brianglas Brian Glas]

== Related Projects ==

*

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Browse Online =
[[Image:OwaspSAMM.png|right]]

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

[[Image:SAMM-Overview.png|720px]]

===== Click on any badge to learn more =====

{| cellpadding="1"
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]
|-
|align="center"|'''Strategy & Metrics'''
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
|-
|align="center"|'''Policy & Compliance'''
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
|-
|align="center"|'''Education & Guidance'''
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]
|-
|align="center"|'''Threat Assessment'''
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
|-
|align="center"|'''Security Requirements'''
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
|-
|align="center"|'''Secure Architecture'''
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]
|-
|align="center"|'''Design Review'''
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
|-
|align="center"|'''Code Review'''
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
|-
|align="center"|'''Security Testing'''
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]
|-
|align="center"|'''Vulnerability Management'''
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
|-
|align="center"|'''Environment Hardening'''
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
|-
|align="center"|'''Operational Enablement'''
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
|-
|}

= Downloads =

The latest work in progress can be found on Github: https://github.com/OWASP/samm

Download SAMM v1.5
* [SAMM Core Model] document, explaining the maturity model;
* [How-To Guide] with implementation guidance;
* [Quick-Start Guide] with different steps to improve your secure software practice;
* [SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;
* [SAMM Tool Box Example] to provide an example SAMM assessment;

Download SAMM v1.1
* [https://www.owasp.org/images/d/d8/OpenSAMM_Core_V1-1-Final.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/a/a7/OpenSAMM_How_To_V1-1-Final.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/3/3f/OpenSAMM_Quick_Start_V1-1-Final.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/b/b9/OpenSAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;

Download OpenSAMM v1.0:
* in [https://www.owasp.org/images/c/c0/SAMM-1.0.pdf English - PDF], [https://www.owasp.org/images/2/25/SAMM-1.0-en_US-0.3.xml.zip English - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-es_MX.pdf Spanish - PDF], [https://www.owasp.org/images/a/a1/SAMM-1.0-es_MX-0.3.xml.zip Spanish - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-ja_JP.pdf Japanese - PDF], not available as XML

Available resources to apply SAMM:
* Browse OWASP and other resources for SAMM Security practices: [[:Category:SAMM-Resources]]

Trainings:
* Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
** Slide deck download [https://www.owasp.org/images/d/df/OpenSAMM_Training_vFINAL.pptx here]
** Training description download [https://www.owasp.org/images/7/7c/Training_-_Bootstrap_and_improve_your_SDLC_with_OpenSAMM.docx here]

Assessments:
* SAMM v1.1 RC1 toolbox
** download the latest toolbox, including the updated questions [https://github.com/OWASP/opensamm/blob/master/v1.1/OpenSAMM_Assessment_Toolbox_v1-1-RC.xlsx here]
* Assessment Interview Template by Nick Coblentz for SAMM V1.0
** This [https://www.owasp.org/images/c/cf/20090607-SAMMAssessmentInterviewTemplate-1.0.xls spreadsheet] breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.
* Roadmap Chart Template by Colin Watson for SAMM V1.0
** This [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.
* Assessment Worksheet by Christian Frichot for SAMM V1.0
** This is an easy-to-use [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.
* Project Plan Template by Jim Weiler for SAMM V1.0
** This is a [https://www.owasp.org/images/3/33/SAMMProject.zip project plan template] (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.

Mappings:
* BSIMM-6 mapping to SAMM activities:
** Spreadsheet download [https://github.com/OWASP/opensamm/tree/master/v1.1/mapping here]
** Presentation with start of analysis download [https://www.owasp.org/images/6/66/OpenSAMM_-_BSIMM-V_mapping.pptx here]
* BSIMM mapping to SAMM during the 2011 Summit:
** This [https://www.owasp.org/images/2/2e/20110301-OpenSAMM-BSIMM-Mapping.xlsx spreadsheet] contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).

Tools:
*Javascript visualization framework for SAMM on [https://github.com/qudosoft-labs/SAMMCharts github]

= Community =

[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Community | Community}}

</div>

= Summit =

[[Image:OwaspSAMM.png|right]]

In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016 >here<] !!

Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015 >here<] !!

Summit Notes:
* 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
* Summit outcome is described [http://www.opensamm.org/2015/04/opensamm-summit-dublin-outcome/ here]
''"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers."'' Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company

Previous workshop Notes:

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.

This is also an excellent opportunity to exchange experiences with your peers.

If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).
* The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available [https://docs.google.com/document/d/1tXqIovpSuFqycVYetdGSC2PiPygySymiLUhHT5yHR2M/edit here].

Previous workshop notes:
* The notes for the SAMM Workshop in New York on 21-Nov-2013 are available [https://docs.google.com/document/d/1PwoDVsWyhoWksBiLIRh8UOh-QCs8H7QMqrSUsS13WzU/edit here].
* The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available [https://docs.google.com/document/d/12mB7FkmhcI04YDZle_VD90n1xcENgNhAGqZkCAb6EkM/edit here].

= Talks =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Talks | Talks}}

</div>

= News =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/News | News}}

</div>

= Languages =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SAMM v1.0 is available in the following languages:'''

* English
* Spanish
* Japanese

Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the [https://www.owasp.org/images/c/cf/05_OWASP_LatamTur2011_OpenSAMM.pdf presentation].
Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download [https://www.owasp.org/images/f/fd/OpenSAMM-1.0-fr_FR.ppt here].

You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Updated roadmap:
Next 1.5 release, updated scoring:
* Clarification of maturity levels (syntactic changes to keep the text consistent)
* Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal.
* Show improvements with every activity introduced
* Adapt for the new scoring method
* Update questions for 4-tiers
* Review and where necessary clarify current questions
* Consider v1.1 remarks that were not withheld for the previous release
Targeted completion date: February 28, 2017

SAMM version 2.0
* Core model changed
* Visualisations + flavours for a few development methodologies
* Update quickstart guide, TB, HTG.
* Success metrics: How well does the model work: Linked to the benchmarking project.
Timing: Workshops as part of OWASP Project Summit June 2017

</div>
= Get Involved =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feedback==

Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:
* What do like?
* What don't you like?
* How can we make SAMM easier to use?
* How could SAMM be improved?

==Localization==

Are you fluent in another language? Can you help translate SAMM into that language?

You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!

</div>

= Project Sponsors =
[[Image:OwaspSAMM.png|right]]

<div style="font-size:120%;border:none;margin: 0;color:#000">

==SAMM Adopters==
Current list of [https://www.owasp.org/index.php/OpenSAMM_Adopters OpenSAMM adopters]

SAMM is developed and maintained by a worldwide team of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM:

==== Acknowledgements ====
We would like to thank the following sponsors who donated funds to our project:

[[File:Belgium_Chapter.PNG|250px|link=https://www.owasp.org/index.php/Belgium]]
[[File:London_Chapter.PNG|250px|link=https://www.owasp.org/index.php/London]]

[[File:Aspectsecurity.png|250px|link=http://www.aspectsecurity.com]]
[[File:Astech_Consulting_logo.png|250px|link=http://www.astechconsulting.com/]]
[[File:Denim_Group_logo.jpg|250px|link=http://www.denimgroup.com/]]
[[File:Gotham_Digital_Science_logo.jpg|250px|link=http://www.gdssecurity.com/]]

{{MemberLinksv2|link=http://www.hpenterprisesecurity.com|logo=HP_Blue_RGB_150_SM.png|size=300px90px}}
[[File:NetSPI_logo.png|250px|link=http://www.netspi.com/]]
[[Image:PwC_logo_4colourprint_(2)_Resized_good_one.jpg|150px|link=http://www.pwc.com]]
[[File:SI_Logo_Stacked_Application_Security.jpg|250px|link=http://www.securityinnovation.com/]]
[[File:LogoToreon.jpg|250px|link=http://www.toreon.com]]
[[File:Veracode-samm.png|250px|link=http://www.veracode.com]]

__NOTOC__ <headertabs />

<br/>
{{OWASP Book|6888083}}
<br/>

[[Category:OWASP_Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]

File:OWASP SAMM v1.5.zip

2017-02-28T02:57:52Z

Brianglas: OWASP SAMM Complete documents and toolbox

OWASP SAMM Complete documents and toolbox

OWASP SAMM Project

2017-02-28T02:43:47Z

Brianglas: Updating to stub out v1.5 files

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''OWASP SAMM v1.1 available in the downloads section!''' ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:
* '''Evaluate an organization’s existing software security practices'''
* '''Build a balanced software security assurance program in well-defined iterations'''
* '''Demonstrate concrete improvements to a security assurance program'''
* '''Define and measure security-related activities throughout an organization'''

''Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize.'', ('''Michael J. Craigue, Information Security & Compliance, Dell, Inc.''')

Follow OWASP SAMM on twitter: [https://twitter.com/owaspsamm @owaspsamm]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download v1.5 ==
All SAMM files (.zip) <br>
SAMM Core Model <br>
How-To Guide <br>
Quick Start Guide <br>
SAMM Toolbox <br>
SAMM Toolbox Example <br>
[https://github.com/OWASP/samm/ OWASP SAMM on GitHub]

== Quick Download v1.1.1 ==

[https://www.owasp.org/images/e/ec/SAMM_Core_V1-1-Final-1page.pdf SAMM Core Model]<br>
[https://www.owasp.org/images/2/2c/SAMM_How_To_V1-1-Final-1page.pdf How-To Guide] <br>
[https://www.owasp.org/images/8/89/SAMM_Quick_Start_V1-1-Final-1page.pdf Quick-Start Guide] <br>
[https://www.owasp.org/images/e/e3/OpenSAMM_Assessment_Toolbox_v1-1-1-Final.xlsx Updated SAMM Tool Box]<br>
[https://github.com/OWASP/samm OWASP SAMM on GitHub]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_SAMM_Project#News News] and [https://www.owasp.org/index.php/OWASP_SAMM_Project#Talks Talks] tabs

== Change Log ==
* OWASP SAMM v1.1 Released! ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

== Email List ==

Questions? Please ask on the [https://lists.owasp.org/mailman/listinfo/samm SAMM Mailing List]

== Project Leaders ==

[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] <br/> [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win] <br/> [https://www.owasp.org/index.php/User:Brianglas Brian Glas]

== Related Projects ==

*

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Browse Online =
[[Image:OwaspSAMM.png|right]]

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

[[Image:SAMM-Overview.png|720px]]

===== Click on any badge to learn more =====

{| cellpadding="1"
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]
|-
|align="center"|'''Strategy & Metrics'''
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
|-
|align="center"|'''Policy & Compliance'''
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
|-
|align="center"|'''Education & Guidance'''
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]
|-
|align="center"|'''Threat Assessment'''
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
|-
|align="center"|'''Security Requirements'''
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
|-
|align="center"|'''Secure Architecture'''
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]
|-
|align="center"|'''Design Review'''
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
|-
|align="center"|'''Code Review'''
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
|-
|align="center"|'''Security Testing'''
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]
|-
|align="center"|'''Vulnerability Management'''
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
|-
|align="center"|'''Environment Hardening'''
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
|-
|align="center"|'''Operational Enablement'''
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
|-
|}

= Downloads =

The latest work in progress can be found on Github: https://github.com/OWASP/samm

Download SAMM v1.5
* [SAMM Core Model] document, explaining the maturity model;
* [How-To Guide] with implementation guidance;
* [Quick-Start Guide] with different steps to improve your secure software practice;
* [SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;
* [SAMM Tool Box Example] to provide an example SAMM assessment;

Download SAMM v1.1
* [https://www.owasp.org/images/d/d8/OpenSAMM_Core_V1-1-Final.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/a/a7/OpenSAMM_How_To_V1-1-Final.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/3/3f/OpenSAMM_Quick_Start_V1-1-Final.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/b/b9/OpenSAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;

Download OpenSAMM v1.0:
* in [https://www.owasp.org/images/c/c0/SAMM-1.0.pdf English - PDF], [https://www.owasp.org/images/2/25/SAMM-1.0-en_US-0.3.xml.zip English - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-es_MX.pdf Spanish - PDF], [https://www.owasp.org/images/a/a1/SAMM-1.0-es_MX-0.3.xml.zip Spanish - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-ja_JP.pdf Japanese - PDF], not available as XML

Available resources to apply SAMM:
* Browse OWASP and other resources for SAMM Security practices: [[:Category:SAMM-Resources]]

Trainings:
* Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
** Slide deck download [https://www.owasp.org/images/d/df/OpenSAMM_Training_vFINAL.pptx here]
** Training description download [https://www.owasp.org/images/7/7c/Training_-_Bootstrap_and_improve_your_SDLC_with_OpenSAMM.docx here]

Assessments:
* SAMM v1.1 RC1 toolbox
** download the latest toolbox, including the updated questions [https://github.com/OWASP/opensamm/blob/master/v1.1/OpenSAMM_Assessment_Toolbox_v1-1-RC.xlsx here]
* Assessment Interview Template by Nick Coblentz for SAMM V1.0
** This [https://www.owasp.org/images/c/cf/20090607-SAMMAssessmentInterviewTemplate-1.0.xls spreadsheet] breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.
* Roadmap Chart Template by Colin Watson for SAMM V1.0
** This [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.
* Assessment Worksheet by Christian Frichot for SAMM V1.0
** This is an easy-to-use [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.
* Project Plan Template by Jim Weiler for SAMM V1.0
** This is a [https://www.owasp.org/images/3/33/SAMMProject.zip project plan template] (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.

Mappings:
* BSIMM-6 mapping to SAMM activities:
** Spreadsheet download [https://github.com/OWASP/opensamm/tree/master/v1.1/mapping here]
** Presentation with start of analysis download [https://www.owasp.org/images/6/66/OpenSAMM_-_BSIMM-V_mapping.pptx here]
* BSIMM mapping to SAMM during the 2011 Summit:
** This [https://www.owasp.org/images/2/2e/20110301-OpenSAMM-BSIMM-Mapping.xlsx spreadsheet] contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).

Tools:
*Javascript visualization framework for SAMM on [https://github.com/qudosoft-labs/SAMMCharts github]

= Community =

[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Community | Community}}

</div>

= Summit =

[[Image:OwaspSAMM.png|right]]

In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016 >here<] !!

Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015 >here<] !!

Summit Notes:
* 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
* Summit outcome is described [http://www.opensamm.org/2015/04/opensamm-summit-dublin-outcome/ here]
''"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers."'' Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company

Previous workshop Notes:

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.

This is also an excellent opportunity to exchange experiences with your peers.

If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).
* The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available [https://docs.google.com/document/d/1tXqIovpSuFqycVYetdGSC2PiPygySymiLUhHT5yHR2M/edit here].

Previous workshop notes:
* The notes for the SAMM Workshop in New York on 21-Nov-2013 are available [https://docs.google.com/document/d/1PwoDVsWyhoWksBiLIRh8UOh-QCs8H7QMqrSUsS13WzU/edit here].
* The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available [https://docs.google.com/document/d/12mB7FkmhcI04YDZle_VD90n1xcENgNhAGqZkCAb6EkM/edit here].

= Talks =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Talks | Talks}}

</div>

= News =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/News | News}}

</div>

= Languages =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SAMM v1.0 is available in the following languages:'''

* English
* Spanish
* Japanese

Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the [https://www.owasp.org/images/c/cf/05_OWASP_LatamTur2011_OpenSAMM.pdf presentation].
Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download [https://www.owasp.org/images/f/fd/OpenSAMM-1.0-fr_FR.ppt here].

You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Updated roadmap:
Next 1.5 release, updated scoring:
* Clarification of maturity levels (syntactic changes to keep the text consistent)
* Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal.
* Show improvements with every activity introduced
* Adapt for the new scoring method
* Update questions for 4-tiers
* Review and where necessary clarify current questions
* Consider v1.1 remarks that were not withheld for the previous release
Targeted completion date: February 28, 2017

SAMM version 2.0
* Core model changed
* Visualisations + flavours for a few development methodologies
* Update quickstart guide, TB, HTG.
* Success metrics: How well does the model work: Linked to the benchmarking project.
Timing: Workshops as part of OWASP Project Summit June 2017

</div>
= Get Involved =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feedback==

Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:
* What do like?
* What don't you like?
* How can we make SAMM easier to use?
* How could SAMM be improved?

==Localization==

Are you fluent in another language? Can you help translate SAMM into that language?

You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!

</div>

= Project Sponsors =
[[Image:OwaspSAMM.png|right]]

<div style="font-size:120%;border:none;margin: 0;color:#000">

==SAMM Adopters==
Current list of [https://www.owasp.org/index.php/OpenSAMM_Adopters OpenSAMM adopters]

SAMM is developed and maintained by a worldwide team of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM:

==== Acknowledgements ====
We would like to thank the following sponsors who donated funds to our project:

[[File:Belgium_Chapter.PNG|250px|link=https://www.owasp.org/index.php/Belgium]]
[[File:London_Chapter.PNG|250px|link=https://www.owasp.org/index.php/London]]

[[File:Aspectsecurity.png|250px|link=http://www.aspectsecurity.com]]
[[File:Astech_Consulting_logo.png|250px|link=http://www.astechconsulting.com/]]
[[File:Denim_Group_logo.jpg|250px|link=http://www.denimgroup.com/]]
[[File:Gotham_Digital_Science_logo.jpg|250px|link=http://www.gdssecurity.com/]]

{{MemberLinksv2|link=http://www.hpenterprisesecurity.com|logo=HP_Blue_RGB_150_SM.png|size=300px90px}}
[[File:NetSPI_logo.png|250px|link=http://www.netspi.com/]]
[[Image:PwC_logo_4colourprint_(2)_Resized_good_one.jpg|150px|link=http://www.pwc.com]]
[[File:SI_Logo_Stacked_Application_Security.jpg|250px|link=http://www.securityinnovation.com/]]
[[File:LogoToreon.jpg|250px|link=http://www.toreon.com]]
[[File:Veracode-samm.png|250px|link=http://www.veracode.com]]

__NOTOC__ <headertabs />

<br/>
{{OWASP Book|6888083}}
<br/>

[[Category:OWASP_Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]

OWASP SAMM Project

2017-02-28T02:41:52Z

Brianglas: Minor updates to bring information current

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''OWASP SAMM v1.1 available in the downloads section!''' ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:
* '''Evaluate an organization’s existing software security practices'''
* '''Build a balanced software security assurance program in well-defined iterations'''
* '''Demonstrate concrete improvements to a security assurance program'''
* '''Define and measure security-related activities throughout an organization'''

''Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize.'', ('''Michael J. Craigue, Information Security & Compliance, Dell, Inc.''')

Follow OWASP SAMM on twitter: [https://twitter.com/owaspsamm @owaspsamm]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download v1.5 ==
All SAMM files (.zip) <br>
SAMM Core Model <br>
How-To Guide <br>
Quick Start Guide <br>
SAMM Toolbox <br>
SAMM Toolbox Example <br>
[https://github.com/OWASP/samm/ OWASP SAMM on GitHub]

== Quick Download v1.1.1 ==

[https://www.owasp.org/images/e/ec/SAMM_Core_V1-1-Final-1page.pdf SAMM Core Model]<br>
[https://www.owasp.org/images/2/2c/SAMM_How_To_V1-1-Final-1page.pdf How-To Guide] <br>
[https://www.owasp.org/images/8/89/SAMM_Quick_Start_V1-1-Final-1page.pdf Quick-Start Guide] <br>
[https://www.owasp.org/images/e/e3/OpenSAMM_Assessment_Toolbox_v1-1-1-Final.xlsx Updated SAMM Tool Box]<br>
[https://github.com/OWASP/samm OWASP SAMM on GitHub]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_SAMM_Project#News News] and [https://www.owasp.org/index.php/OWASP_SAMM_Project#Talks Talks] tabs

== Change Log ==
* OWASP SAMM v1.1 Released! ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

== Email List ==

Questions? Please ask on the [https://lists.owasp.org/mailman/listinfo/samm SAMM Mailing List]

== Project Leaders ==

[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] <br/> [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win] <br/> [https://www.owasp.org/index.php/User:Brianglas Brian Glas]

== Related Projects ==

*

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Browse Online =
[[Image:OwaspSAMM.png|right]]

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

[[Image:SAMM-Overview.png|720px]]

===== Click on any badge to learn more =====

{| cellpadding="1"
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]
|-
|align="center"|'''Strategy & Metrics'''
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
|-
|align="center"|'''Policy & Compliance'''
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
|-
|align="center"|'''Education & Guidance'''
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]
|-
|align="center"|'''Threat Assessment'''
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
|-
|align="center"|'''Security Requirements'''
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
|-
|align="center"|'''Secure Architecture'''
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]
|-
|align="center"|'''Design Review'''
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
|-
|align="center"|'''Code Review'''
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
|-
|align="center"|'''Security Testing'''
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]
|-
|align="center"|'''Vulnerability Management'''
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
|-
|align="center"|'''Environment Hardening'''
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
|-
|align="center"|'''Operational Enablement'''
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
|-
|}

= Downloads =

The latest work in progress can be found on Github: https://github.com/OWASP/samm

Download SAMM v1.1
* [https://www.owasp.org/images/d/d8/OpenSAMM_Core_V1-1-Final.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/a/a7/OpenSAMM_How_To_V1-1-Final.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/3/3f/OpenSAMM_Quick_Start_V1-1-Final.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/b/b9/OpenSAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;

Download SAMM v1.0:
* in [https://www.owasp.org/images/c/c0/SAMM-1.0.pdf English - PDF], [https://www.owasp.org/images/2/25/SAMM-1.0-en_US-0.3.xml.zip English - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-es_MX.pdf Spanish - PDF], [https://www.owasp.org/images/a/a1/SAMM-1.0-es_MX-0.3.xml.zip Spanish - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-ja_JP.pdf Japanese - PDF], not available as XML

Available resources to apply SAMM:
* Browse OWASP and other resources for SAMM Security practices: [[:Category:SAMM-Resources]]

Trainings:
* Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
** Slide deck download [https://www.owasp.org/images/d/df/OpenSAMM_Training_vFINAL.pptx here]
** Training description download [https://www.owasp.org/images/7/7c/Training_-_Bootstrap_and_improve_your_SDLC_with_OpenSAMM.docx here]

Assessments:
* SAMM v1.1 RC1 toolbox
** download the latest toolbox, including the updated questions [https://github.com/OWASP/opensamm/blob/master/v1.1/OpenSAMM_Assessment_Toolbox_v1-1-RC.xlsx here]
* Assessment Interview Template by Nick Coblentz for SAMM V1.0
** This [https://www.owasp.org/images/c/cf/20090607-SAMMAssessmentInterviewTemplate-1.0.xls spreadsheet] breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.
* Roadmap Chart Template by Colin Watson for SAMM V1.0
** This [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.
* Assessment Worksheet by Christian Frichot for SAMM V1.0
** This is an easy-to-use [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.
* Project Plan Template by Jim Weiler for SAMM V1.0
** This is a [https://www.owasp.org/images/3/33/SAMMProject.zip project plan template] (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.

Mappings:
* BSIMM-6 mapping to SAMM activities:
** Spreadsheet download [https://github.com/OWASP/opensamm/tree/master/v1.1/mapping here]
** Presentation with start of analysis download [https://www.owasp.org/images/6/66/OpenSAMM_-_BSIMM-V_mapping.pptx here]
* BSIMM mapping to SAMM during the 2011 Summit:
** This [https://www.owasp.org/images/2/2e/20110301-OpenSAMM-BSIMM-Mapping.xlsx spreadsheet] contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).

Tools:
*Javascript visualization framework for SAMM on [https://github.com/qudosoft-labs/SAMMCharts github]

= Community =

[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Community | Community}}

</div>

= Summit =

[[Image:OwaspSAMM.png|right]]

In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016 >here<] !!

Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015 >here<] !!

Summit Notes:
* 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
* Summit outcome is described [http://www.opensamm.org/2015/04/opensamm-summit-dublin-outcome/ here]
''"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers."'' Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company

Previous workshop Notes:

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.

This is also an excellent opportunity to exchange experiences with your peers.

If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).
* The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available [https://docs.google.com/document/d/1tXqIovpSuFqycVYetdGSC2PiPygySymiLUhHT5yHR2M/edit here].

Previous workshop notes:
* The notes for the SAMM Workshop in New York on 21-Nov-2013 are available [https://docs.google.com/document/d/1PwoDVsWyhoWksBiLIRh8UOh-QCs8H7QMqrSUsS13WzU/edit here].
* The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available [https://docs.google.com/document/d/12mB7FkmhcI04YDZle_VD90n1xcENgNhAGqZkCAb6EkM/edit here].

= Talks =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Talks | Talks}}

</div>

= News =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/News | News}}

</div>

= Languages =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SAMM v1.0 is available in the following languages:'''

* English
* Spanish
* Japanese

Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the [https://www.owasp.org/images/c/cf/05_OWASP_LatamTur2011_OpenSAMM.pdf presentation].
Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download [https://www.owasp.org/images/f/fd/OpenSAMM-1.0-fr_FR.ppt here].

You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Updated roadmap:
Next 1.5 release, updated scoring:
* Clarification of maturity levels (syntactic changes to keep the text consistent)
* Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal.
* Show improvements with every activity introduced
* Adapt for the new scoring method
* Update questions for 4-tiers
* Review and where necessary clarify current questions
* Consider v1.1 remarks that were not withheld for the previous release
Targeted completion date: February 28, 2017

SAMM version 2.0
* Core model changed
* Visualisations + flavours for a few development methodologies
* Update quickstart guide, TB, HTG.
* Success metrics: How well does the model work: Linked to the benchmarking project.
Timing: Workshops as part of OWASP Project Summit June 2017

</div>
= Get Involved =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feedback==

Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:
* What do like?
* What don't you like?
* How can we make SAMM easier to use?
* How could SAMM be improved?

==Localization==

Are you fluent in another language? Can you help translate SAMM into that language?

You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!

</div>

= Project Sponsors =
[[Image:OwaspSAMM.png|right]]

<div style="font-size:120%;border:none;margin: 0;color:#000">

==SAMM Adopters==
Current list of [https://www.owasp.org/index.php/OpenSAMM_Adopters OpenSAMM adopters]

SAMM is developed and maintained by a worldwide team of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM:

==== Acknowledgements ====
We would like to thank the following sponsors who donated funds to our project:

[[File:Belgium_Chapter.PNG|250px|link=https://www.owasp.org/index.php/Belgium]]
[[File:London_Chapter.PNG|250px|link=https://www.owasp.org/index.php/London]]

[[File:Aspectsecurity.png|250px|link=http://www.aspectsecurity.com]]
[[File:Astech_Consulting_logo.png|250px|link=http://www.astechconsulting.com/]]
[[File:Denim_Group_logo.jpg|250px|link=http://www.denimgroup.com/]]
[[File:Gotham_Digital_Science_logo.jpg|250px|link=http://www.gdssecurity.com/]]

{{MemberLinksv2|link=http://www.hpenterprisesecurity.com|logo=HP_Blue_RGB_150_SM.png|size=300px90px}}
[[File:NetSPI_logo.png|250px|link=http://www.netspi.com/]]
[[Image:PwC_logo_4colourprint_(2)_Resized_good_one.jpg|150px|link=http://www.pwc.com]]
[[File:SI_Logo_Stacked_Application_Security.jpg|250px|link=http://www.securityinnovation.com/]]
[[File:LogoToreon.jpg|250px|link=http://www.toreon.com]]
[[File:Veracode-samm.png|250px|link=http://www.veracode.com]]

__NOTOC__ <headertabs />

<br/>
{{OWASP Book|6888083}}
<br/>

[[Category:OWASP_Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]

OWASP SAMM Project

2017-02-28T02:35:41Z

Brianglas: Updated github link

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''OWASP SAMM v1.1 available in the downloads section!''' ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:
* '''Evaluate an organization’s existing software security practices'''
* '''Build a balanced software security assurance program in well-defined iterations'''
* '''Demonstrate concrete improvements to a security assurance program'''
* '''Define and measure security-related activities throughout an organization'''

''Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize.'', ('''Michael J. Craigue, Information Security & Compliance, Dell, Inc.''')

Follow OWASP SAMM on twitter: [https://twitter.com/owaspsamm @owaspsamm]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download v1.5 ==
All SAMM files (.zip) <br>
SAMM Core Model <br>
How-To Guide <br>
Quick Start Guide <br>
SAMM Toolbox <br>
SAMM Toolbox Example <br>
[https://github.com/OWASP/samm/ OWASP SAMM on GitHub]

== Quick Download v1.1.1 ==

[https://www.owasp.org/images/e/ec/SAMM_Core_V1-1-Final-1page.pdf SAMM Core Model]<br>
[https://www.owasp.org/images/2/2c/SAMM_How_To_V1-1-Final-1page.pdf How-To Guide] <br>
[https://www.owasp.org/images/8/89/SAMM_Quick_Start_V1-1-Final-1page.pdf Quick-Start Guide] <br>
[https://www.owasp.org/images/e/e3/OpenSAMM_Assessment_Toolbox_v1-1-1-Final.xlsx Updated SAMM Tool Box]<br>
[https://github.com/OWASP/samm OWASP SAMM on GitHub]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_SAMM_Project#News News] and [https://www.owasp.org/index.php/OWASP_SAMM_Project#Talks Talks] tabs

== Change Log ==
* OWASP SAMM v1.1 Released! ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

== Email List ==

Questions? Please ask on the [https://lists.owasp.org/mailman/listinfo/samm SAMM Mailing List]

== Project Leaders ==

[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] <br/> [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win] <br/> [https://www.owasp.org/index.php/User:Brianglas Brian Glas]

== Related Projects ==

*

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Browse Online =
[[Image:OwaspSAMM.png|right]]

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

[[Image:SAMM-Overview.png|720px]]

===== Click on any badge to learn more =====

{| cellpadding="1"
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]
|-
|align="center"|'''Strategy & Metrics'''
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
|-
|align="center"|'''Policy & Compliance'''
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
|-
|align="center"|'''Education & Guidance'''
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]
|-
|align="center"|'''Threat Assessment'''
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
|-
|align="center"|'''Security Requirements'''
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
|-
|align="center"|'''Secure Architecture'''
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]
|-
|align="center"|'''Design Review'''
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
|-
|align="center"|'''Code Review'''
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
|-
|align="center"|'''Security Testing'''
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]
|-
|align="center"|'''Vulnerability Management'''
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
|-
|align="center"|'''Environment Hardening'''
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
|-
|align="center"|'''Operational Enablement'''
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
|-
|}

= Downloads =

The latest work in progress can be found on Github: https://github.com/OWASP/samm

Download SAMM v1.1
* [https://www.owasp.org/images/d/d8/OpenSAMM_Core_V1-1-Final.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/a/a7/OpenSAMM_How_To_V1-1-Final.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/3/3f/OpenSAMM_Quick_Start_V1-1-Final.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/b/b9/OpenSAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;

Download SAMM v1.0:
* in [https://www.owasp.org/images/c/c0/SAMM-1.0.pdf English - PDF], [https://www.owasp.org/images/2/25/SAMM-1.0-en_US-0.3.xml.zip English - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-es_MX.pdf Spanish - PDF], [https://www.owasp.org/images/a/a1/SAMM-1.0-es_MX-0.3.xml.zip Spanish - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-ja_JP.pdf Japanese - PDF], not available as XML

Available resources to apply SAMM:
* Browse OWASP and other resources for SAMM Security practices: [[:Category:SAMM-Resources]]

Trainings:
* Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
** Slide deck download [https://www.owasp.org/images/d/df/OpenSAMM_Training_vFINAL.pptx here]
** Training description download [https://www.owasp.org/images/7/7c/Training_-_Bootstrap_and_improve_your_SDLC_with_OpenSAMM.docx here]

Assessments:
* SAMM v1.1 RC1 toolbox
** download the latest toolbox, including the updated questions [https://github.com/OWASP/opensamm/blob/master/v1.1/OpenSAMM_Assessment_Toolbox_v1-1-RC.xlsx here]
* Assessment Interview Template by Nick Coblentz for SAMM V1.0
** This [https://www.owasp.org/images/c/cf/20090607-SAMMAssessmentInterviewTemplate-1.0.xls spreadsheet] breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.
* Roadmap Chart Template by Colin Watson for SAMM V1.0
** This [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.
* Assessment Worksheet by Christian Frichot for SAMM V1.0
** This is an easy-to-use [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.
* Project Plan Template by Jim Weiler for SAMM V1.0
** This is a [https://www.owasp.org/images/3/33/SAMMProject.zip project plan template] (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.

Mappings:
* BSIMM-6 mapping to SAMM activities:
** Spreadsheet download [https://github.com/OWASP/opensamm/tree/master/v1.1/mapping here]
** Presentation with start of analysis download [https://www.owasp.org/images/6/66/OpenSAMM_-_BSIMM-V_mapping.pptx here]
* BSIMM mapping to SAMM during the 2011 Summit:
** This [https://www.owasp.org/images/2/2e/20110301-OpenSAMM-BSIMM-Mapping.xlsx spreadsheet] contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).

Tools:
*Javascript visualization framework for SAMM on [https://github.com/qudosoft-labs/SAMMCharts github]

= Community =

[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Community | Community}}

</div>

= Summit =

[[Image:OwaspSAMM.png|right]]

In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016 >here<] !!

Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015 >here<] !!

Summit Notes:
* 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
* Summit outcome is described [http://www.opensamm.org/2015/04/opensamm-summit-dublin-outcome/ here]
''"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers."'' Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company

Previous workshop Notes:

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.

This is also an excellent opportunity to exchange experiences with your peers.

If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).
* The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available [https://docs.google.com/document/d/1tXqIovpSuFqycVYetdGSC2PiPygySymiLUhHT5yHR2M/edit here].

Previous workshop notes:
* The notes for the SAMM Workshop in New York on 21-Nov-2013 are available [https://docs.google.com/document/d/1PwoDVsWyhoWksBiLIRh8UOh-QCs8H7QMqrSUsS13WzU/edit here].
* The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available [https://docs.google.com/document/d/12mB7FkmhcI04YDZle_VD90n1xcENgNhAGqZkCAb6EkM/edit here].

= Talks =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Talks | Talks}}

</div>

= News =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/News | News}}

</div>

= Languages =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SAMM is available in the following languages:'''

* English
* Spanish
* Japanese

Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the [https://www.owasp.org/images/c/cf/05_OWASP_LatamTur2011_OpenSAMM.pdf presentation].
Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download [https://www.owasp.org/images/f/fd/OpenSAMM-1.0-fr_FR.ppt here].

You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Updated roadmap:
Next 1.2 release, updated scoring:
* Recover source and move it to an asciidoctor based document.
* Clarification of maturity levels (syntactic changes to keep the text consistent)
* Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal.
* Show improvements with every activity introduced
* Adapt for the new scoring method
* Update questions for 4-tiers
* Review and where necessary clarify current questions
* Consider v1.1 remarks that were not withheld for the previous release
Targeted completion date: end of september in time for Appsec USA (October 11, 2016)

SAMM version 2.0
* Core model changed
* Visualisations + flavours for a few development methodologies
* Update quickstart guide, TB, HTG.
* Success metrics: How well does the model work: Linked to the benchmarking project.
Timing: Target release appseceu 2017. Target rc release for samm summit 2017

</div>
= Get Involved =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feedback==

Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:
* What do like?
* What don't you like?
* How can we make SAMM easier to use?
* How could SAMM be improved?

==Localization==

Are you fluent in another language? Can you help translate SAMM into that language?

You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!

</div>

= Project Sponsors =
[[Image:OwaspSAMM.png|right]]

<div style="font-size:120%;border:none;margin: 0;color:#000">

==SAMM Adopters==
Current list of [https://www.owasp.org/index.php/OpenSAMM_Adopters OpenSAMM adopters]

SAMM is developed and maintained by a worldwide team of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM:

==== Acknowledgements ====
We would like to thank the following sponsors who donated funds to our project:

[[File:Belgium_Chapter.PNG|250px|link=https://www.owasp.org/index.php/Belgium]]
[[File:London_Chapter.PNG|250px|link=https://www.owasp.org/index.php/London]]

[[File:Aspectsecurity.png|250px|link=http://www.aspectsecurity.com]]
[[File:Astech_Consulting_logo.png|250px|link=http://www.astechconsulting.com/]]
[[File:Denim_Group_logo.jpg|250px|link=http://www.denimgroup.com/]]
[[File:Gotham_Digital_Science_logo.jpg|250px|link=http://www.gdssecurity.com/]]

{{MemberLinksv2|link=http://www.hpenterprisesecurity.com|logo=HP_Blue_RGB_150_SM.png|size=300px90px}}
[[File:NetSPI_logo.png|250px|link=http://www.netspi.com/]]
[[Image:PwC_logo_4colourprint_(2)_Resized_good_one.jpg|150px|link=http://www.pwc.com]]
[[File:SI_Logo_Stacked_Application_Security.jpg|250px|link=http://www.securityinnovation.com/]]
[[File:LogoToreon.jpg|250px|link=http://www.toreon.com]]
[[File:Veracode-samm.png|250px|link=http://www.veracode.com]]

__NOTOC__ <headertabs />

<br/>
{{OWASP Book|6888083}}
<br/>

[[Category:OWASP_Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]

OWASP SAMM Project

2017-02-28T02:34:44Z

Brianglas: /* Main */

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''OWASP SAMM v1.1 available in the downloads section!''' ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:
* '''Evaluate an organization’s existing software security practices'''
* '''Build a balanced software security assurance program in well-defined iterations'''
* '''Demonstrate concrete improvements to a security assurance program'''
* '''Define and measure security-related activities throughout an organization'''

''Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize.'', ('''Michael J. Craigue, Information Security & Compliance, Dell, Inc.''')

Follow OWASP SAMM on twitter: [https://twitter.com/owaspsamm @owaspsamm]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download v1.5 ==
All SAMM files (.zip) <br>
SAMM Core Model <br>
How-To Guide <br>
Quick Start Guide <br>
SAMM Toolbox <br>
SAMM Toolbox Example <br>
[https://github.com/OWASP/samm/ OWASP SAMM on GitHub]

== Quick Download v1.1.1 ==

[https://www.owasp.org/images/e/ec/SAMM_Core_V1-1-Final-1page.pdf SAMM Core Model]<br>
[https://www.owasp.org/images/2/2c/SAMM_How_To_V1-1-Final-1page.pdf How-To Guide] <br>
[https://www.owasp.org/images/8/89/SAMM_Quick_Start_V1-1-Final-1page.pdf Quick-Start Guide] <br>
[https://www.owasp.org/images/e/e3/OpenSAMM_Assessment_Toolbox_v1-1-1-Final.xlsx Updated SAMM Tool Box]<br>
[https://github.com/OWASP/samm OWASP SAMM on GitHub]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_SAMM_Project#News News] and [https://www.owasp.org/index.php/OWASP_SAMM_Project#Talks Talks] tabs

== Change Log ==
* OWASP SAMM v1.1 Released! ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

== Email List ==

Questions? Please ask on the [https://lists.owasp.org/mailman/listinfo/samm SAMM Mailing List]

== Project Leaders ==

[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] <br/> [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win] <br/> [https://www.owasp.org/index.php/User:Brianglas Brian Glas]

== Related Projects ==

*

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Browse Online =
[[Image:OwaspSAMM.png|right]]

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

[[Image:SAMM-Overview.png|720px]]

===== Click on any badge to learn more =====

{| cellpadding="1"
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]
|-
|align="center"|'''Strategy & Metrics'''
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
|-
|align="center"|'''Policy & Compliance'''
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
|-
|align="center"|'''Education & Guidance'''
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]
|-
|align="center"|'''Threat Assessment'''
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
|-
|align="center"|'''Security Requirements'''
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
|-
|align="center"|'''Secure Architecture'''
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]
|-
|align="center"|'''Design Review'''
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
|-
|align="center"|'''Code Review'''
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
|-
|align="center"|'''Security Testing'''
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]
|-
|align="center"|'''Vulnerability Management'''
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
|-
|align="center"|'''Environment Hardening'''
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
|-
|align="center"|'''Operational Enablement'''
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
|-
|}

= Downloads =

The latest work in progress can be found on Github: https://github.com/OWASP/opensamm

Download SAMM v1.1
* [https://www.owasp.org/images/d/d8/OpenSAMM_Core_V1-1-Final.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/a/a7/OpenSAMM_How_To_V1-1-Final.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/3/3f/OpenSAMM_Quick_Start_V1-1-Final.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/b/b9/OpenSAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;

Download SAMM v1.0:
* in [https://www.owasp.org/images/c/c0/SAMM-1.0.pdf English - PDF], [https://www.owasp.org/images/2/25/SAMM-1.0-en_US-0.3.xml.zip English - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-es_MX.pdf Spanish - PDF], [https://www.owasp.org/images/a/a1/SAMM-1.0-es_MX-0.3.xml.zip Spanish - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-ja_JP.pdf Japanese - PDF], not available as XML

Available resources to apply SAMM:
* Browse OWASP and other resources for SAMM Security practices: [[:Category:SAMM-Resources]]

Trainings:
* Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
** Slide deck download [https://www.owasp.org/images/d/df/OpenSAMM_Training_vFINAL.pptx here]
** Training description download [https://www.owasp.org/images/7/7c/Training_-_Bootstrap_and_improve_your_SDLC_with_OpenSAMM.docx here]

Assessments:
* SAMM v1.1 RC1 toolbox
** download the latest toolbox, including the updated questions [https://github.com/OWASP/opensamm/blob/master/v1.1/OpenSAMM_Assessment_Toolbox_v1-1-RC.xlsx here]
* Assessment Interview Template by Nick Coblentz for SAMM V1.0
** This [https://www.owasp.org/images/c/cf/20090607-SAMMAssessmentInterviewTemplate-1.0.xls spreadsheet] breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.
* Roadmap Chart Template by Colin Watson for SAMM V1.0
** This [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.
* Assessment Worksheet by Christian Frichot for SAMM V1.0
** This is an easy-to-use [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.
* Project Plan Template by Jim Weiler for SAMM V1.0
** This is a [https://www.owasp.org/images/3/33/SAMMProject.zip project plan template] (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.

Mappings:
* BSIMM-6 mapping to SAMM activities:
** Spreadsheet download [https://github.com/OWASP/opensamm/tree/master/v1.1/mapping here]
** Presentation with start of analysis download [https://www.owasp.org/images/6/66/OpenSAMM_-_BSIMM-V_mapping.pptx here]
* BSIMM mapping to SAMM during the 2011 Summit:
** This [https://www.owasp.org/images/2/2e/20110301-OpenSAMM-BSIMM-Mapping.xlsx spreadsheet] contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).

Tools:
*Javascript visualization framework for SAMM on [https://github.com/qudosoft-labs/SAMMCharts github]

= Community =

[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Community | Community}}

</div>

= Summit =

[[Image:OwaspSAMM.png|right]]

In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016 >here<] !!

Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015 >here<] !!

Summit Notes:
* 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
* Summit outcome is described [http://www.opensamm.org/2015/04/opensamm-summit-dublin-outcome/ here]
''"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers."'' Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company

Previous workshop Notes:

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.

This is also an excellent opportunity to exchange experiences with your peers.

If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).
* The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available [https://docs.google.com/document/d/1tXqIovpSuFqycVYetdGSC2PiPygySymiLUhHT5yHR2M/edit here].

Previous workshop notes:
* The notes for the SAMM Workshop in New York on 21-Nov-2013 are available [https://docs.google.com/document/d/1PwoDVsWyhoWksBiLIRh8UOh-QCs8H7QMqrSUsS13WzU/edit here].
* The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available [https://docs.google.com/document/d/12mB7FkmhcI04YDZle_VD90n1xcENgNhAGqZkCAb6EkM/edit here].

= Talks =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Talks | Talks}}

</div>

= News =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/News | News}}

</div>

= Languages =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SAMM is available in the following languages:'''

* English
* Spanish
* Japanese

Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the [https://www.owasp.org/images/c/cf/05_OWASP_LatamTur2011_OpenSAMM.pdf presentation].
Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download [https://www.owasp.org/images/f/fd/OpenSAMM-1.0-fr_FR.ppt here].

You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Updated roadmap:
Next 1.2 release, updated scoring:
* Recover source and move it to an asciidoctor based document.
* Clarification of maturity levels (syntactic changes to keep the text consistent)
* Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal.
* Show improvements with every activity introduced
* Adapt for the new scoring method
* Update questions for 4-tiers
* Review and where necessary clarify current questions
* Consider v1.1 remarks that were not withheld for the previous release
Targeted completion date: end of september in time for Appsec USA (October 11, 2016)

SAMM version 2.0
* Core model changed
* Visualisations + flavours for a few development methodologies
* Update quickstart guide, TB, HTG.
* Success metrics: How well does the model work: Linked to the benchmarking project.
Timing: Target release appseceu 2017. Target rc release for samm summit 2017

</div>
= Get Involved =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feedback==

Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:
* What do like?
* What don't you like?
* How can we make SAMM easier to use?
* How could SAMM be improved?

==Localization==

Are you fluent in another language? Can you help translate SAMM into that language?

You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!

</div>

= Project Sponsors =
[[Image:OwaspSAMM.png|right]]

<div style="font-size:120%;border:none;margin: 0;color:#000">

==SAMM Adopters==
Current list of [https://www.owasp.org/index.php/OpenSAMM_Adopters OpenSAMM adopters]

SAMM is developed and maintained by a worldwide team of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM:

==== Acknowledgements ====
We would like to thank the following sponsors who donated funds to our project:

[[File:Belgium_Chapter.PNG|250px|link=https://www.owasp.org/index.php/Belgium]]
[[File:London_Chapter.PNG|250px|link=https://www.owasp.org/index.php/London]]

[[File:Aspectsecurity.png|250px|link=http://www.aspectsecurity.com]]
[[File:Astech_Consulting_logo.png|250px|link=http://www.astechconsulting.com/]]
[[File:Denim_Group_logo.jpg|250px|link=http://www.denimgroup.com/]]
[[File:Gotham_Digital_Science_logo.jpg|250px|link=http://www.gdssecurity.com/]]

{{MemberLinksv2|link=http://www.hpenterprisesecurity.com|logo=HP_Blue_RGB_150_SM.png|size=300px90px}}
[[File:NetSPI_logo.png|250px|link=http://www.netspi.com/]]
[[Image:PwC_logo_4colourprint_(2)_Resized_good_one.jpg|150px|link=http://www.pwc.com]]
[[File:SI_Logo_Stacked_Application_Security.jpg|250px|link=http://www.securityinnovation.com/]]
[[File:LogoToreon.jpg|250px|link=http://www.toreon.com]]
[[File:Veracode-samm.png|250px|link=http://www.veracode.com]]

__NOTOC__ <headertabs />

<br/>
{{OWASP Book|6888083}}
<br/>

[[Category:OWASP_Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]

OWASP SAMM Project

2017-02-28T02:34:11Z

Brianglas: /* Main */

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''OWASP SAMM v1.1 available in the downloads section!''' ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:
* '''Evaluate an organization’s existing software security practices'''
* '''Build a balanced software security assurance program in well-defined iterations'''
* '''Demonstrate concrete improvements to a security assurance program'''
* '''Define and measure security-related activities throughout an organization'''

''Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize.'', ('''Michael J. Craigue, Information Security & Compliance, Dell, Inc.''')

Follow OWASP SAMM on twitter: [https://twitter.com/owaspsamm @owaspsamm]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download v1.5 ==
All SAMM files (.zip) <br>
SAMM Core Model <br>
How-To Guide <br>
Quick Start Guide <br>
SAMM Toolbox <br>
SAMM Toolbox Example <br>
[https://github.com/OWASP/samm/tree/master/v1.5/ OWASP SAMM v1.5 on GitHub]

== Quick Download v1.1.1 ==

[https://www.owasp.org/images/e/ec/SAMM_Core_V1-1-Final-1page.pdf SAMM Core Model]<br>
[https://www.owasp.org/images/2/2c/SAMM_How_To_V1-1-Final-1page.pdf How-To Guide] <br>
[https://www.owasp.org/images/8/89/SAMM_Quick_Start_V1-1-Final-1page.pdf Quick-Start Guide] <br>
[https://www.owasp.org/images/e/e3/OpenSAMM_Assessment_Toolbox_v1-1-1-Final.xlsx Updated SAMM Tool Box]<br>
[https://github.com/OWASP/samm OWASP SAMM on GitHub]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_SAMM_Project#News News] and [https://www.owasp.org/index.php/OWASP_SAMM_Project#Talks Talks] tabs

== Change Log ==
* OWASP SAMM v1.1 Released! ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

== Email List ==

Questions? Please ask on the [https://lists.owasp.org/mailman/listinfo/samm SAMM Mailing List]

== Project Leaders ==

[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] <br/> [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win] <br/> [https://www.owasp.org/index.php/User:Brianglas Brian Glas]

== Related Projects ==

*

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Browse Online =
[[Image:OwaspSAMM.png|right]]

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

[[Image:SAMM-Overview.png|720px]]

===== Click on any badge to learn more =====

{| cellpadding="1"
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]
|-
|align="center"|'''Strategy & Metrics'''
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
|-
|align="center"|'''Policy & Compliance'''
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
|-
|align="center"|'''Education & Guidance'''
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]
|-
|align="center"|'''Threat Assessment'''
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
|-
|align="center"|'''Security Requirements'''
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
|-
|align="center"|'''Secure Architecture'''
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]
|-
|align="center"|'''Design Review'''
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
|-
|align="center"|'''Code Review'''
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
|-
|align="center"|'''Security Testing'''
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]
|-
|align="center"|'''Vulnerability Management'''
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
|-
|align="center"|'''Environment Hardening'''
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
|-
|align="center"|'''Operational Enablement'''
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
|-
|}

= Downloads =

The latest work in progress can be found on Github: https://github.com/OWASP/opensamm

Download SAMM v1.1
* [https://www.owasp.org/images/d/d8/OpenSAMM_Core_V1-1-Final.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/a/a7/OpenSAMM_How_To_V1-1-Final.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/3/3f/OpenSAMM_Quick_Start_V1-1-Final.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/b/b9/OpenSAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;

Download SAMM v1.0:
* in [https://www.owasp.org/images/c/c0/SAMM-1.0.pdf English - PDF], [https://www.owasp.org/images/2/25/SAMM-1.0-en_US-0.3.xml.zip English - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-es_MX.pdf Spanish - PDF], [https://www.owasp.org/images/a/a1/SAMM-1.0-es_MX-0.3.xml.zip Spanish - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-ja_JP.pdf Japanese - PDF], not available as XML

Available resources to apply SAMM:
* Browse OWASP and other resources for SAMM Security practices: [[:Category:SAMM-Resources]]

Trainings:
* Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
** Slide deck download [https://www.owasp.org/images/d/df/OpenSAMM_Training_vFINAL.pptx here]
** Training description download [https://www.owasp.org/images/7/7c/Training_-_Bootstrap_and_improve_your_SDLC_with_OpenSAMM.docx here]

Assessments:
* SAMM v1.1 RC1 toolbox
** download the latest toolbox, including the updated questions [https://github.com/OWASP/opensamm/blob/master/v1.1/OpenSAMM_Assessment_Toolbox_v1-1-RC.xlsx here]
* Assessment Interview Template by Nick Coblentz for SAMM V1.0
** This [https://www.owasp.org/images/c/cf/20090607-SAMMAssessmentInterviewTemplate-1.0.xls spreadsheet] breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.
* Roadmap Chart Template by Colin Watson for SAMM V1.0
** This [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.
* Assessment Worksheet by Christian Frichot for SAMM V1.0
** This is an easy-to-use [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.
* Project Plan Template by Jim Weiler for SAMM V1.0
** This is a [https://www.owasp.org/images/3/33/SAMMProject.zip project plan template] (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.

Mappings:
* BSIMM-6 mapping to SAMM activities:
** Spreadsheet download [https://github.com/OWASP/opensamm/tree/master/v1.1/mapping here]
** Presentation with start of analysis download [https://www.owasp.org/images/6/66/OpenSAMM_-_BSIMM-V_mapping.pptx here]
* BSIMM mapping to SAMM during the 2011 Summit:
** This [https://www.owasp.org/images/2/2e/20110301-OpenSAMM-BSIMM-Mapping.xlsx spreadsheet] contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).

Tools:
*Javascript visualization framework for SAMM on [https://github.com/qudosoft-labs/SAMMCharts github]

= Community =

[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Community | Community}}

</div>

= Summit =

[[Image:OwaspSAMM.png|right]]

In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016 >here<] !!

Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015 >here<] !!

Summit Notes:
* 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
* Summit outcome is described [http://www.opensamm.org/2015/04/opensamm-summit-dublin-outcome/ here]
''"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers."'' Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company

Previous workshop Notes:

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.

This is also an excellent opportunity to exchange experiences with your peers.

If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).
* The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available [https://docs.google.com/document/d/1tXqIovpSuFqycVYetdGSC2PiPygySymiLUhHT5yHR2M/edit here].

Previous workshop notes:
* The notes for the SAMM Workshop in New York on 21-Nov-2013 are available [https://docs.google.com/document/d/1PwoDVsWyhoWksBiLIRh8UOh-QCs8H7QMqrSUsS13WzU/edit here].
* The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available [https://docs.google.com/document/d/12mB7FkmhcI04YDZle_VD90n1xcENgNhAGqZkCAb6EkM/edit here].

= Talks =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Talks | Talks}}

</div>

= News =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/News | News}}

</div>

= Languages =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SAMM is available in the following languages:'''

* English
* Spanish
* Japanese

Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the [https://www.owasp.org/images/c/cf/05_OWASP_LatamTur2011_OpenSAMM.pdf presentation].
Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download [https://www.owasp.org/images/f/fd/OpenSAMM-1.0-fr_FR.ppt here].

You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Updated roadmap:
Next 1.2 release, updated scoring:
* Recover source and move it to an asciidoctor based document.
* Clarification of maturity levels (syntactic changes to keep the text consistent)
* Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal.
* Show improvements with every activity introduced
* Adapt for the new scoring method
* Update questions for 4-tiers
* Review and where necessary clarify current questions
* Consider v1.1 remarks that were not withheld for the previous release
Targeted completion date: end of september in time for Appsec USA (October 11, 2016)

SAMM version 2.0
* Core model changed
* Visualisations + flavours for a few development methodologies
* Update quickstart guide, TB, HTG.
* Success metrics: How well does the model work: Linked to the benchmarking project.
Timing: Target release appseceu 2017. Target rc release for samm summit 2017

</div>
= Get Involved =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feedback==

Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:
* What do like?
* What don't you like?
* How can we make SAMM easier to use?
* How could SAMM be improved?

==Localization==

Are you fluent in another language? Can you help translate SAMM into that language?

You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!

</div>

= Project Sponsors =
[[Image:OwaspSAMM.png|right]]

<div style="font-size:120%;border:none;margin: 0;color:#000">

==SAMM Adopters==
Current list of [https://www.owasp.org/index.php/OpenSAMM_Adopters OpenSAMM adopters]

SAMM is developed and maintained by a worldwide team of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM:

==== Acknowledgements ====
We would like to thank the following sponsors who donated funds to our project:

[[File:Belgium_Chapter.PNG|250px|link=https://www.owasp.org/index.php/Belgium]]
[[File:London_Chapter.PNG|250px|link=https://www.owasp.org/index.php/London]]

[[File:Aspectsecurity.png|250px|link=http://www.aspectsecurity.com]]
[[File:Astech_Consulting_logo.png|250px|link=http://www.astechconsulting.com/]]
[[File:Denim_Group_logo.jpg|250px|link=http://www.denimgroup.com/]]
[[File:Gotham_Digital_Science_logo.jpg|250px|link=http://www.gdssecurity.com/]]

{{MemberLinksv2|link=http://www.hpenterprisesecurity.com|logo=HP_Blue_RGB_150_SM.png|size=300px90px}}
[[File:NetSPI_logo.png|250px|link=http://www.netspi.com/]]
[[Image:PwC_logo_4colourprint_(2)_Resized_good_one.jpg|150px|link=http://www.pwc.com]]
[[File:SI_Logo_Stacked_Application_Security.jpg|250px|link=http://www.securityinnovation.com/]]
[[File:LogoToreon.jpg|250px|link=http://www.toreon.com]]
[[File:Veracode-samm.png|250px|link=http://www.veracode.com]]

__NOTOC__ <headertabs />

<br/>
{{OWASP Book|6888083}}
<br/>

[[Category:OWASP_Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]

OWASP SAMM Project

2017-02-28T02:33:31Z

Brianglas: /* Main */

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''OWASP SAMM v1.1 available in the downloads section!''' ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:
* '''Evaluate an organization’s existing software security practices'''
* '''Build a balanced software security assurance program in well-defined iterations'''
* '''Demonstrate concrete improvements to a security assurance program'''
* '''Define and measure security-related activities throughout an organization'''

''Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize.'', ('''Michael J. Craigue, Information Security & Compliance, Dell, Inc.''')

Follow OWASP SAMM on twitter: [https://twitter.com/owaspsamm @owaspsamm]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download v1.5 ==
All SAMM files (.zip) <br>
SAMM Core Model <br>
How-To Guide <br>
Quick Start Guide <br>
SAMM Toolbox <br>
SAMM Toolbox Example <br>
[https://github.com/OWASP/samm/v1.5/ OWASP SAMM v1.5 on GitHub]

== Quick Download v1.1.1 ==

[https://www.owasp.org/images/e/ec/SAMM_Core_V1-1-Final-1page.pdf SAMM Core Model]<br>
[https://www.owasp.org/images/2/2c/SAMM_How_To_V1-1-Final-1page.pdf How-To Guide] <br>
[https://www.owasp.org/images/8/89/SAMM_Quick_Start_V1-1-Final-1page.pdf Quick-Start Guide] <br>
[https://www.owasp.org/images/e/e3/OpenSAMM_Assessment_Toolbox_v1-1-1-Final.xlsx Updated SAMM Tool Box]<br>
[https://github.com/OWASP/samm OWASP SAMM on GitHub]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_SAMM_Project#News News] and [https://www.owasp.org/index.php/OWASP_SAMM_Project#Talks Talks] tabs

== Change Log ==
* OWASP SAMM v1.1 Released! ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

== Email List ==

Questions? Please ask on the [https://lists.owasp.org/mailman/listinfo/samm SAMM Mailing List]

== Project Leaders ==

[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] <br/> [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win] <br/> [https://www.owasp.org/index.php/User:Brianglas Brian Glas]

== Related Projects ==

*

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Browse Online =
[[Image:OwaspSAMM.png|right]]

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

[[Image:SAMM-Overview.png|720px]]

===== Click on any badge to learn more =====

{| cellpadding="1"
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]
|-
|align="center"|'''Strategy & Metrics'''
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
|-
|align="center"|'''Policy & Compliance'''
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
|-
|align="center"|'''Education & Guidance'''
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]
|-
|align="center"|'''Threat Assessment'''
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
|-
|align="center"|'''Security Requirements'''
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
|-
|align="center"|'''Secure Architecture'''
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]
|-
|align="center"|'''Design Review'''
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
|-
|align="center"|'''Code Review'''
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
|-
|align="center"|'''Security Testing'''
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]
|-
|align="center"|'''Vulnerability Management'''
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
|-
|align="center"|'''Environment Hardening'''
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
|-
|align="center"|'''Operational Enablement'''
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
|-
|}

= Downloads =

The latest work in progress can be found on Github: https://github.com/OWASP/opensamm

Download SAMM v1.1
* [https://www.owasp.org/images/d/d8/OpenSAMM_Core_V1-1-Final.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/a/a7/OpenSAMM_How_To_V1-1-Final.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/3/3f/OpenSAMM_Quick_Start_V1-1-Final.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/b/b9/OpenSAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;

Download SAMM v1.0:
* in [https://www.owasp.org/images/c/c0/SAMM-1.0.pdf English - PDF], [https://www.owasp.org/images/2/25/SAMM-1.0-en_US-0.3.xml.zip English - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-es_MX.pdf Spanish - PDF], [https://www.owasp.org/images/a/a1/SAMM-1.0-es_MX-0.3.xml.zip Spanish - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-ja_JP.pdf Japanese - PDF], not available as XML

Available resources to apply SAMM:
* Browse OWASP and other resources for SAMM Security practices: [[:Category:SAMM-Resources]]

Trainings:
* Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
** Slide deck download [https://www.owasp.org/images/d/df/OpenSAMM_Training_vFINAL.pptx here]
** Training description download [https://www.owasp.org/images/7/7c/Training_-_Bootstrap_and_improve_your_SDLC_with_OpenSAMM.docx here]

Assessments:
* SAMM v1.1 RC1 toolbox
** download the latest toolbox, including the updated questions [https://github.com/OWASP/opensamm/blob/master/v1.1/OpenSAMM_Assessment_Toolbox_v1-1-RC.xlsx here]
* Assessment Interview Template by Nick Coblentz for SAMM V1.0
** This [https://www.owasp.org/images/c/cf/20090607-SAMMAssessmentInterviewTemplate-1.0.xls spreadsheet] breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.
* Roadmap Chart Template by Colin Watson for SAMM V1.0
** This [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.
* Assessment Worksheet by Christian Frichot for SAMM V1.0
** This is an easy-to-use [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.
* Project Plan Template by Jim Weiler for SAMM V1.0
** This is a [https://www.owasp.org/images/3/33/SAMMProject.zip project plan template] (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.

Mappings:
* BSIMM-6 mapping to SAMM activities:
** Spreadsheet download [https://github.com/OWASP/opensamm/tree/master/v1.1/mapping here]
** Presentation with start of analysis download [https://www.owasp.org/images/6/66/OpenSAMM_-_BSIMM-V_mapping.pptx here]
* BSIMM mapping to SAMM during the 2011 Summit:
** This [https://www.owasp.org/images/2/2e/20110301-OpenSAMM-BSIMM-Mapping.xlsx spreadsheet] contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).

Tools:
*Javascript visualization framework for SAMM on [https://github.com/qudosoft-labs/SAMMCharts github]

= Community =

[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Community | Community}}

</div>

= Summit =

[[Image:OwaspSAMM.png|right]]

In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016 >here<] !!

Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015 >here<] !!

Summit Notes:
* 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
* Summit outcome is described [http://www.opensamm.org/2015/04/opensamm-summit-dublin-outcome/ here]
''"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers."'' Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company

Previous workshop Notes:

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.

This is also an excellent opportunity to exchange experiences with your peers.

If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).
* The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available [https://docs.google.com/document/d/1tXqIovpSuFqycVYetdGSC2PiPygySymiLUhHT5yHR2M/edit here].

Previous workshop notes:
* The notes for the SAMM Workshop in New York on 21-Nov-2013 are available [https://docs.google.com/document/d/1PwoDVsWyhoWksBiLIRh8UOh-QCs8H7QMqrSUsS13WzU/edit here].
* The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available [https://docs.google.com/document/d/12mB7FkmhcI04YDZle_VD90n1xcENgNhAGqZkCAb6EkM/edit here].

= Talks =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Talks | Talks}}

</div>

= News =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/News | News}}

</div>

= Languages =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SAMM is available in the following languages:'''

* English
* Spanish
* Japanese

Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the [https://www.owasp.org/images/c/cf/05_OWASP_LatamTur2011_OpenSAMM.pdf presentation].
Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download [https://www.owasp.org/images/f/fd/OpenSAMM-1.0-fr_FR.ppt here].

You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Updated roadmap:
Next 1.2 release, updated scoring:
* Recover source and move it to an asciidoctor based document.
* Clarification of maturity levels (syntactic changes to keep the text consistent)
* Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal.
* Show improvements with every activity introduced
* Adapt for the new scoring method
* Update questions for 4-tiers
* Review and where necessary clarify current questions
* Consider v1.1 remarks that were not withheld for the previous release
Targeted completion date: end of september in time for Appsec USA (October 11, 2016)

SAMM version 2.0
* Core model changed
* Visualisations + flavours for a few development methodologies
* Update quickstart guide, TB, HTG.
* Success metrics: How well does the model work: Linked to the benchmarking project.
Timing: Target release appseceu 2017. Target rc release for samm summit 2017

</div>
= Get Involved =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feedback==

Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:
* What do like?
* What don't you like?
* How can we make SAMM easier to use?
* How could SAMM be improved?

==Localization==

Are you fluent in another language? Can you help translate SAMM into that language?

You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!

</div>

= Project Sponsors =
[[Image:OwaspSAMM.png|right]]

<div style="font-size:120%;border:none;margin: 0;color:#000">

==SAMM Adopters==
Current list of [https://www.owasp.org/index.php/OpenSAMM_Adopters OpenSAMM adopters]

SAMM is developed and maintained by a worldwide team of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM:

==== Acknowledgements ====
We would like to thank the following sponsors who donated funds to our project:

[[File:Belgium_Chapter.PNG|250px|link=https://www.owasp.org/index.php/Belgium]]
[[File:London_Chapter.PNG|250px|link=https://www.owasp.org/index.php/London]]

[[File:Aspectsecurity.png|250px|link=http://www.aspectsecurity.com]]
[[File:Astech_Consulting_logo.png|250px|link=http://www.astechconsulting.com/]]
[[File:Denim_Group_logo.jpg|250px|link=http://www.denimgroup.com/]]
[[File:Gotham_Digital_Science_logo.jpg|250px|link=http://www.gdssecurity.com/]]

{{MemberLinksv2|link=http://www.hpenterprisesecurity.com|logo=HP_Blue_RGB_150_SM.png|size=300px90px}}
[[File:NetSPI_logo.png|250px|link=http://www.netspi.com/]]
[[Image:PwC_logo_4colourprint_(2)_Resized_good_one.jpg|150px|link=http://www.pwc.com]]
[[File:SI_Logo_Stacked_Application_Security.jpg|250px|link=http://www.securityinnovation.com/]]
[[File:LogoToreon.jpg|250px|link=http://www.toreon.com]]
[[File:Veracode-samm.png|250px|link=http://www.veracode.com]]

__NOTOC__ <headertabs />

<br/>
{{OWASP Book|6888083}}
<br/>

[[Category:OWASP_Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]

OWASP SAMM Project

2017-02-28T02:32:31Z

Brianglas: Stubbing out v1.5 updates

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''OWASP SAMM v1.1 available in the downloads section!''' ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:
* '''Evaluate an organization’s existing software security practices'''
* '''Build a balanced software security assurance program in well-defined iterations'''
* '''Demonstrate concrete improvements to a security assurance program'''
* '''Define and measure security-related activities throughout an organization'''

''Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize.'', ('''Michael J. Craigue, Information Security & Compliance, Dell, Inc.''')

Follow OWASP SAMM on twitter: [https://twitter.com/owaspsamm @owaspsamm]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download v1.5 ==
All SAMM files zip <br>
SAMM Core Model <br>
How-To Guide <br>
Quick Start Guide <br>
SAMM Toolbox <br>
SAMM Toolbox Example <br>
[https://github.com/OWASP/samm/v1.5/ OWASP SAMM v1.5 on GitHub]

== Quick Download v1.1.1 ==

[https://www.owasp.org/images/e/ec/SAMM_Core_V1-1-Final-1page.pdf SAMM Core Model]<br>
[https://www.owasp.org/images/2/2c/SAMM_How_To_V1-1-Final-1page.pdf How-To Guide] <br>
[https://www.owasp.org/images/8/89/SAMM_Quick_Start_V1-1-Final-1page.pdf Quick-Start Guide] <br>
[https://www.owasp.org/images/e/e3/OpenSAMM_Assessment_Toolbox_v1-1-1-Final.xlsx Updated SAMM Tool Box]<br>
[https://github.com/OWASP/samm OWASP SAMM on GitHub]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_SAMM_Project#News News] and [https://www.owasp.org/index.php/OWASP_SAMM_Project#Talks Talks] tabs

== Change Log ==
* OWASP SAMM v1.1 Released! ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

== Email List ==

Questions? Please ask on the [https://lists.owasp.org/mailman/listinfo/samm SAMM Mailing List]

== Project Leaders ==

[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] <br/> [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win] <br/> [https://www.owasp.org/index.php/User:Brianglas Brian Glas]

== Related Projects ==

*

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Browse Online =
[[Image:OwaspSAMM.png|right]]

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

[[Image:SAMM-Overview.png|720px]]

===== Click on any badge to learn more =====

{| cellpadding="1"
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]
|-
|align="center"|'''Strategy & Metrics'''
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
|-
|align="center"|'''Policy & Compliance'''
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
|-
|align="center"|'''Education & Guidance'''
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]
|-
|align="center"|'''Threat Assessment'''
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
|-
|align="center"|'''Security Requirements'''
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
|-
|align="center"|'''Secure Architecture'''
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]
|-
|align="center"|'''Design Review'''
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
|-
|align="center"|'''Code Review'''
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
|-
|align="center"|'''Security Testing'''
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]
|-
|align="center"|'''Vulnerability Management'''
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
|-
|align="center"|'''Environment Hardening'''
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
|-
|align="center"|'''Operational Enablement'''
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
|-
|}

= Downloads =

The latest work in progress can be found on Github: https://github.com/OWASP/opensamm

Download SAMM v1.1
* [https://www.owasp.org/images/d/d8/OpenSAMM_Core_V1-1-Final.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/a/a7/OpenSAMM_How_To_V1-1-Final.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/3/3f/OpenSAMM_Quick_Start_V1-1-Final.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/b/b9/OpenSAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;

Download SAMM v1.0:
* in [https://www.owasp.org/images/c/c0/SAMM-1.0.pdf English - PDF], [https://www.owasp.org/images/2/25/SAMM-1.0-en_US-0.3.xml.zip English - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-es_MX.pdf Spanish - PDF], [https://www.owasp.org/images/a/a1/SAMM-1.0-es_MX-0.3.xml.zip Spanish - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-ja_JP.pdf Japanese - PDF], not available as XML

Available resources to apply SAMM:
* Browse OWASP and other resources for SAMM Security practices: [[:Category:SAMM-Resources]]

Trainings:
* Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
** Slide deck download [https://www.owasp.org/images/d/df/OpenSAMM_Training_vFINAL.pptx here]
** Training description download [https://www.owasp.org/images/7/7c/Training_-_Bootstrap_and_improve_your_SDLC_with_OpenSAMM.docx here]

Assessments:
* SAMM v1.1 RC1 toolbox
** download the latest toolbox, including the updated questions [https://github.com/OWASP/opensamm/blob/master/v1.1/OpenSAMM_Assessment_Toolbox_v1-1-RC.xlsx here]
* Assessment Interview Template by Nick Coblentz for SAMM V1.0
** This [https://www.owasp.org/images/c/cf/20090607-SAMMAssessmentInterviewTemplate-1.0.xls spreadsheet] breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.
* Roadmap Chart Template by Colin Watson for SAMM V1.0
** This [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.
* Assessment Worksheet by Christian Frichot for SAMM V1.0
** This is an easy-to-use [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.
* Project Plan Template by Jim Weiler for SAMM V1.0
** This is a [https://www.owasp.org/images/3/33/SAMMProject.zip project plan template] (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.

Mappings:
* BSIMM-6 mapping to SAMM activities:
** Spreadsheet download [https://github.com/OWASP/opensamm/tree/master/v1.1/mapping here]
** Presentation with start of analysis download [https://www.owasp.org/images/6/66/OpenSAMM_-_BSIMM-V_mapping.pptx here]
* BSIMM mapping to SAMM during the 2011 Summit:
** This [https://www.owasp.org/images/2/2e/20110301-OpenSAMM-BSIMM-Mapping.xlsx spreadsheet] contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).

Tools:
*Javascript visualization framework for SAMM on [https://github.com/qudosoft-labs/SAMMCharts github]

= Community =

[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Community | Community}}

</div>

= Summit =

[[Image:OwaspSAMM.png|right]]

In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016 >here<] !!

Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015 >here<] !!

Summit Notes:
* 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
* Summit outcome is described [http://www.opensamm.org/2015/04/opensamm-summit-dublin-outcome/ here]
''"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers."'' Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company

Previous workshop Notes:

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.

This is also an excellent opportunity to exchange experiences with your peers.

If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).
* The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available [https://docs.google.com/document/d/1tXqIovpSuFqycVYetdGSC2PiPygySymiLUhHT5yHR2M/edit here].

Previous workshop notes:
* The notes for the SAMM Workshop in New York on 21-Nov-2013 are available [https://docs.google.com/document/d/1PwoDVsWyhoWksBiLIRh8UOh-QCs8H7QMqrSUsS13WzU/edit here].
* The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available [https://docs.google.com/document/d/12mB7FkmhcI04YDZle_VD90n1xcENgNhAGqZkCAb6EkM/edit here].

= Talks =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Talks | Talks}}

</div>

= News =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/News | News}}

</div>

= Languages =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SAMM is available in the following languages:'''

* English
* Spanish
* Japanese

Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the [https://www.owasp.org/images/c/cf/05_OWASP_LatamTur2011_OpenSAMM.pdf presentation].
Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download [https://www.owasp.org/images/f/fd/OpenSAMM-1.0-fr_FR.ppt here].

You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Updated roadmap:
Next 1.2 release, updated scoring:
* Recover source and move it to an asciidoctor based document.
* Clarification of maturity levels (syntactic changes to keep the text consistent)
* Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal.
* Show improvements with every activity introduced
* Adapt for the new scoring method
* Update questions for 4-tiers
* Review and where necessary clarify current questions
* Consider v1.1 remarks that were not withheld for the previous release
Targeted completion date: end of september in time for Appsec USA (October 11, 2016)

SAMM version 2.0
* Core model changed
* Visualisations + flavours for a few development methodologies
* Update quickstart guide, TB, HTG.
* Success metrics: How well does the model work: Linked to the benchmarking project.
Timing: Target release appseceu 2017. Target rc release for samm summit 2017

</div>
= Get Involved =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feedback==

Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:
* What do like?
* What don't you like?
* How can we make SAMM easier to use?
* How could SAMM be improved?

==Localization==

Are you fluent in another language? Can you help translate SAMM into that language?

You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!

</div>

= Project Sponsors =
[[Image:OwaspSAMM.png|right]]

<div style="font-size:120%;border:none;margin: 0;color:#000">

==SAMM Adopters==
Current list of [https://www.owasp.org/index.php/OpenSAMM_Adopters OpenSAMM adopters]

SAMM is developed and maintained by a worldwide team of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM:

==== Acknowledgements ====
We would like to thank the following sponsors who donated funds to our project:

[[File:Belgium_Chapter.PNG|250px|link=https://www.owasp.org/index.php/Belgium]]
[[File:London_Chapter.PNG|250px|link=https://www.owasp.org/index.php/London]]

[[File:Aspectsecurity.png|250px|link=http://www.aspectsecurity.com]]
[[File:Astech_Consulting_logo.png|250px|link=http://www.astechconsulting.com/]]
[[File:Denim_Group_logo.jpg|250px|link=http://www.denimgroup.com/]]
[[File:Gotham_Digital_Science_logo.jpg|250px|link=http://www.gdssecurity.com/]]

{{MemberLinksv2|link=http://www.hpenterprisesecurity.com|logo=HP_Blue_RGB_150_SM.png|size=300px90px}}
[[File:NetSPI_logo.png|250px|link=http://www.netspi.com/]]
[[Image:PwC_logo_4colourprint_(2)_Resized_good_one.jpg|150px|link=http://www.pwc.com]]
[[File:SI_Logo_Stacked_Application_Security.jpg|250px|link=http://www.securityinnovation.com/]]
[[File:LogoToreon.jpg|250px|link=http://www.toreon.com]]
[[File:Veracode-samm.png|250px|link=http://www.veracode.com]]

__NOTOC__ <headertabs />

<br/>
{{OWASP Book|6888083}}
<br/>

[[Category:OWASP_Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]

OWASP SAMM Project

2017-02-27T03:50:11Z

Brianglas: /* Project Leaders */

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''OWASP SAMM v1.1 available in the downloads section!''' ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:
* '''Evaluate an organization’s existing software security practices'''
* '''Build a balanced software security assurance program in well-defined iterations'''
* '''Demonstrate concrete improvements to a security assurance program'''
* '''Define and measure security-related activities throughout an organization'''

''Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize.'', ('''Michael J. Craigue, Information Security & Compliance, Dell, Inc.''')

Follow OWASP SAMM on twitter: [https://twitter.com/owaspsamm @owaspsamm]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download v1.1.1 ==

[https://www.owasp.org/images/e/ec/SAMM_Core_V1-1-Final-1page.pdf SAMM Core Model]<br>
[https://www.owasp.org/images/2/2c/SAMM_How_To_V1-1-Final-1page.pdf How-To Guide] <br>
[https://www.owasp.org/images/8/89/SAMM_Quick_Start_V1-1-Final-1page.pdf Quick-Start Guide] <br>
[https://www.owasp.org/images/e/e3/OpenSAMM_Assessment_Toolbox_v1-1-1-Final.xlsx Updated SAMM Tool Box]<br>
[https://github.com/OWASP/samm OWASP SAMM on GitHub]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_SAMM_Project#News News] and [https://www.owasp.org/index.php/OWASP_SAMM_Project#Talks Talks] tabs

== Change Log ==
* OWASP SAMM v1.1 Released! ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

== Email List ==

Questions? Please ask on the [https://lists.owasp.org/mailman/listinfo/samm SAMM Mailing List]

== Project Leaders ==

[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] <br/> [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win] <br/> [https://www.owasp.org/index.php/User:Brianglas Brian Glas]

== Related Projects ==

*

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Browse Online =
[[Image:OwaspSAMM.png|right]]

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

[[Image:SAMM-Overview.png|720px]]

===== Click on any badge to learn more =====

{| cellpadding="1"
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]
|-
|align="center"|'''Strategy & Metrics'''
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
|-
|align="center"|'''Policy & Compliance'''
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
|-
|align="center"|'''Education & Guidance'''
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]
|-
|align="center"|'''Threat Assessment'''
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
|-
|align="center"|'''Security Requirements'''
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
|-
|align="center"|'''Secure Architecture'''
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]
|-
|align="center"|'''Design Review'''
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
|-
|align="center"|'''Code Review'''
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
|-
|align="center"|'''Security Testing'''
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]
|-
|align="center"|'''Vulnerability Management'''
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
|-
|align="center"|'''Environment Hardening'''
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
|-
|align="center"|'''Operational Enablement'''
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
|-
|}

= Downloads =

The latest work in progress can be found on Github: https://github.com/OWASP/opensamm

Download SAMM v1.1
* [https://www.owasp.org/images/d/d8/OpenSAMM_Core_V1-1-Final.pdf SAMM Core Model] document, explaining the maturity model;
* [https://www.owasp.org/images/a/a7/OpenSAMM_How_To_V1-1-Final.pdf How-To Guide] with implementation guidance;
* [https://www.owasp.org/images/3/3f/OpenSAMM_Quick_Start_V1-1-Final.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://www.owasp.org/images/b/b9/OpenSAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;

Download SAMM v1.0:
* in [https://www.owasp.org/images/c/c0/SAMM-1.0.pdf English - PDF], [https://www.owasp.org/images/2/25/SAMM-1.0-en_US-0.3.xml.zip English - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-es_MX.pdf Spanish - PDF], [https://www.owasp.org/images/a/a1/SAMM-1.0-es_MX-0.3.xml.zip Spanish - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-ja_JP.pdf Japanese - PDF], not available as XML

Available resources to apply SAMM:
* Browse OWASP and other resources for SAMM Security practices: [[:Category:SAMM-Resources]]

Trainings:
* Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
** Slide deck download [https://www.owasp.org/images/d/df/OpenSAMM_Training_vFINAL.pptx here]
** Training description download [https://www.owasp.org/images/7/7c/Training_-_Bootstrap_and_improve_your_SDLC_with_OpenSAMM.docx here]

Assessments:
* SAMM v1.1 RC1 toolbox
** download the latest toolbox, including the updated questions [https://github.com/OWASP/opensamm/blob/master/v1.1/OpenSAMM_Assessment_Toolbox_v1-1-RC.xlsx here]
* Assessment Interview Template by Nick Coblentz for SAMM V1.0
** This [https://www.owasp.org/images/c/cf/20090607-SAMMAssessmentInterviewTemplate-1.0.xls spreadsheet] breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.
* Roadmap Chart Template by Colin Watson for SAMM V1.0
** This [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.
* Assessment Worksheet by Christian Frichot for SAMM V1.0
** This is an easy-to-use [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.
* Project Plan Template by Jim Weiler for SAMM V1.0
** This is a [https://www.owasp.org/images/3/33/SAMMProject.zip project plan template] (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.

Mappings:
* BSIMM-6 mapping to SAMM activities:
** Spreadsheet download [https://github.com/OWASP/opensamm/tree/master/v1.1/mapping here]
** Presentation with start of analysis download [https://www.owasp.org/images/6/66/OpenSAMM_-_BSIMM-V_mapping.pptx here]
* BSIMM mapping to SAMM during the 2011 Summit:
** This [https://www.owasp.org/images/2/2e/20110301-OpenSAMM-BSIMM-Mapping.xlsx spreadsheet] contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).

Tools:
*Javascript visualization framework for SAMM on [https://github.com/qudosoft-labs/SAMMCharts github]

= Community =

[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Community | Community}}

</div>

= Summit =

[[Image:OwaspSAMM.png|right]]

In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016 >here<] !!

Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015 >here<] !!

Summit Notes:
* 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
* Summit outcome is described [http://www.opensamm.org/2015/04/opensamm-summit-dublin-outcome/ here]
''"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers."'' Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company

Previous workshop Notes:

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.

This is also an excellent opportunity to exchange experiences with your peers.

If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).
* The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available [https://docs.google.com/document/d/1tXqIovpSuFqycVYetdGSC2PiPygySymiLUhHT5yHR2M/edit here].

Previous workshop notes:
* The notes for the SAMM Workshop in New York on 21-Nov-2013 are available [https://docs.google.com/document/d/1PwoDVsWyhoWksBiLIRh8UOh-QCs8H7QMqrSUsS13WzU/edit here].
* The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available [https://docs.google.com/document/d/12mB7FkmhcI04YDZle_VD90n1xcENgNhAGqZkCAb6EkM/edit here].

= Talks =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Talks | Talks}}

</div>

= News =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/News | News}}

</div>

= Languages =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SAMM is available in the following languages:'''

* English
* Spanish
* Japanese

Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the [https://www.owasp.org/images/c/cf/05_OWASP_LatamTur2011_OpenSAMM.pdf presentation].
Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download [https://www.owasp.org/images/f/fd/OpenSAMM-1.0-fr_FR.ppt here].

You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Updated roadmap:
Next 1.2 release, updated scoring:
* Recover source and move it to an asciidoctor based document.
* Clarification of maturity levels (syntactic changes to keep the text consistent)
* Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal.
* Show improvements with every activity introduced
* Adapt for the new scoring method
* Update questions for 4-tiers
* Review and where necessary clarify current questions
* Consider v1.1 remarks that were not withheld for the previous release
Targeted completion date: end of september in time for Appsec USA (October 11, 2016)

SAMM version 2.0
* Core model changed
* Visualisations + flavours for a few development methodologies
* Update quickstart guide, TB, HTG.
* Success metrics: How well does the model work: Linked to the benchmarking project.
Timing: Target release appseceu 2017. Target rc release for samm summit 2017

</div>
= Get Involved =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feedback==

Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:
* What do like?
* What don't you like?
* How can we make SAMM easier to use?
* How could SAMM be improved?

==Localization==

Are you fluent in another language? Can you help translate SAMM into that language?

You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!

</div>

= Project Sponsors =
[[Image:OwaspSAMM.png|right]]

<div style="font-size:120%;border:none;margin: 0;color:#000">

==SAMM Adopters==
Current list of [https://www.owasp.org/index.php/OpenSAMM_Adopters OpenSAMM adopters]

SAMM is developed and maintained by a worldwide team of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM:

==== Acknowledgements ====
We would like to thank the following sponsors who donated funds to our project:

[[File:Belgium_Chapter.PNG|250px|link=https://www.owasp.org/index.php/Belgium]]
[[File:London_Chapter.PNG|250px|link=https://www.owasp.org/index.php/London]]

[[File:Aspectsecurity.png|250px|link=http://www.aspectsecurity.com]]
[[File:Astech_Consulting_logo.png|250px|link=http://www.astechconsulting.com/]]
[[File:Denim_Group_logo.jpg|250px|link=http://www.denimgroup.com/]]
[[File:Gotham_Digital_Science_logo.jpg|250px|link=http://www.gdssecurity.com/]]

{{MemberLinksv2|link=http://www.hpenterprisesecurity.com|logo=HP_Blue_RGB_150_SM.png|size=300px90px}}
[[File:NetSPI_logo.png|250px|link=http://www.netspi.com/]]
[[Image:PwC_logo_4colourprint_(2)_Resized_good_one.jpg|150px|link=http://www.pwc.com]]
[[File:SI_Logo_Stacked_Application_Security.jpg|250px|link=http://www.securityinnovation.com/]]
[[File:LogoToreon.jpg|250px|link=http://www.toreon.com]]
[[File:Veracode-samm.png|250px|link=http://www.veracode.com]]

__NOTOC__ <headertabs />

<br/>
{{OWASP Book|6888083}}
<br/>

[[Category:OWASP_Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]

User:Brianglas

2017-02-21T21:16:43Z

Brianglas: Proper bio, previous was just testing

Brian has worked in IT for over 15 years and Information/Application Security for the last decade. He has worked as a full stack dev, application assessor, technical lead, incident response, anti-malware engineer, application architect, infosec manager, and consultant. Brian has spent the last several years helping clients build AppSec Programs, perform SAMM Assessments, create/update SDLCs, and other related work. He has worked on the Trustworthy Computing team at Microsoft and is currently working at nVisium as a Managing Consultant. Brian is one of the project leads and actively contributing to SAMM v1.1-2.0.