This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

OWASP SAMM Summit 2015

Jump to: navigation, search

Welcome to OWASP SAMM Summit 2015

The outcome of this first OpenSAMM Summit is described here:

Confirmed speakers, trainers and round table chairs are:

  • Pravir Chandra, Bloomberg
  • Michael Craigue, HP
  • Justin Clarke, Gotham Digital Science
  • John Dickson, Denim Group
  • Yan Kravchenko, NetSPI
  • Sebastien Deleersnyder, Toreon
  • Bart De Win, PWC
  • Kuai Hinojosa, McAfee Foundstone
  • Jerry Hoff, WhiteHat Security

Friday 27-March – User Day

  • Talks
  • Training
  • Topic roundtables

Registration is open now!

Saturday 28-March – Project Day

  • Publish SAMM v1.1
  • Workshops
  • Road map

Max Registrations: 40 People

Price: 150 EUR + VAT (21%).

Venue is

The Venue is The Gibson Hotel.

The Gibson Hotel is located at Point Village Dublin 1, Ireland.

For more details:

Parking & roadmap:

Opening Hours:
Monday - Saturday: 7am to Midnight
Sunday:  9am to Midnight

(Ignore info on Point Village Car Park)
There is a negotiated rate of

€10 per day for delegates. This is payable directly to the car park on
departure. Overnight parking is

available at €14 to 15.00 hrs the following day. Access to the car park is
to the rear of the hotel

Booking Accomodation

Important: Make an early booking if accommodation is required.

Make a reservation on the Gibson Hotel's website:

Or call to book: 01 681 5000

Subject to availability, have a look at below list of hotels nearby if you can't find a place to stay at The Gibson Hotel.

Hotels nearby:


Dublin, The Gibson Hotel.


User Day - March 27, 2015
Track 1: Alhambra 1 Track 2: Alhambra 2
08:00-09:00 Registration
09:00-09:15 Welcome

SAMM project leaders

09:15-10:00 OpenSAMM at HP (download presentation)

Michael Craigue, HP

10:00-10:45 Application Security? There is a metric for that! (download presentation)

Yan Kravchenko, NetSPI

10:45-11:00 Break
11:00-12:30 SAMM Introduction (download slides)

Bart De Win, PWC & Sebastien Deleersnyder, Toreon

SAMM Round Table 1

Kuai Hinojosa, McAfee/Foundstone

12:30-13:30 Lunch
13:30-15:00 SAMM Hands-On(download slides)

Bart De Win, PWC & Sebastien Deleersnyder, Toreon

SAMM Round Table 2

Jerry Hoff, WhiteHat Security

15:00-15:15 Break
15:15-16:00 OpenSAMM for the Masses: A Case for Cooperation (download presentation)

Justin Clarke, Gotham Digital Science & John Dickson, Denim Group

16:00-16:45 SAMM Evolutions

Pravir Chandra, Bloomberg

16:45-17:00 User Day Wrap-Up

SAMM Project Leaders

OpenSAMM at HP, by Michael Craigue (HP)

HP uses OpenSAMM to assess the completeness of the security activities in development groups, both in IT and in the business groups that create our products. HP's internal Product Security group has developed the SAMM Self-Assessment Tool, an implementation of the OpenSAMM process wrapped into a portable ASP.Net MVC Razor application. Its aim is to simplify the measurement of your organization against OpenSAMM, to assist in the construction of a roadmap, and in the subsequent tracking of progress down that roadmap. The tool is undergoing internal legal review for release to the public, and we hope it will be ready for release prior to the OpenSAMM summit. Mike will explain the motivation for the tool and its capabilities, and will brag a bit about the contributors who created it.

Mike serves as Information Security Officer (ISO) for HP’s Enterprise Group-IT. He also works with the EG business group which IT supports. Prior to joining HP, he worked at Dell for 14 years, most recently as the Director of Security Consulting and Portfolio Governance. He holds a PhD from the University of Texas at Austin in Higher Education Administration / Finance, and the CISSP and CSSLP certifications from (ISC)². He’s been a contributor to the Cloud Security Alliance’s Controls Matrix project, and a speaker at OWASP and RSA conferences. His primary areas of focus are professional development, software security, and information security policy development. In his spare time, he taught Database Management and Business Intelligence / Knowledge Management at St. Edward's University in their MBA / MS CIS programs. He also enjoys cycling, cooking, and learning the cello.

Application Security? There is a metric for that!, by Yan Kravchenko (NetSPI)

More and more, organizations’ security postures are defined by their growing application portfolios, shifting the emphasis away from more traditional security perimeters. The answer to virtually every business problem large or small is “There is an app for that”, and the nature of these apps range anywhere from simple workflow enablement tools through large enterprise-grade applications. Managing security across all applications is quickly becoming one of the biggest blind spots for organization’s security programs, making it difficult to measure and report metrics related to application security.
Over the past year, Yan has been working on a new approach to manage and measure application security. By combining OWASP’s Software Assurance Maturity Model, traditional risk assessment methodologies, and experience developing security metrics, Yan developed a methodology that may be used to help organizations improve the way they manage and prioritize their application security initiatives. Once fully developed, this approach will be donated to OWASP either as an add-on to the existing SAMM project or as a new project intended to improve application security management.
In this presentation, Yan will provide a detailed walk-through of the overall methodology. We will provide examples of the types of metrics and executive dashboards that can be generated by using this approach to managing application security and help highlight various ways this information can be used to further improve the overall maturity of application security programs.

Yan Kravchenko has over 18 years of IT and information security consulting experience, the last seven with NetSPI. Before that, Yan served as the Director of IT for a large agriculture company, and before that Yan spent seven years performing Security Assessments, IT Audits, and assisted creating Business Continuity and Disaster Recovery Plans. In addition to a strong understanding of security and compliance, Yan has a deep technical background, which helps better evaluate and understand security risks, as well as provide meaningful and practical risk remediation advice. The last year, Yan has been focused on developing a new methodology for companies to manage application security, and improving information security metrics.

OpenSAMM for the Masses: A Case for Cooperation, by Justin Clarke (Gotham Digital Science) & John Dickson (Denim Group)

We all know that behind every breach story in the press is an organization that probably should have done more to build secure software. Yet, organizations struggle mightily to focus resources on building software securely from the outset and, as a result, software security remains an after the fact “nice to do” and not a “have to do” activity in many organizations. How can organizations determine the right sets of activities or appropriate resource allocation levels that it should undertake to adequately address software risk? Organizations can make these determinations by benchmarking via OWASP’s Open Software Assurance Maturity Model (OpenSAMM) framework. Yet organizations looking to step up their software security game have encountered hurdles standing in the way of fully utilizing the power of OpenSAMM as a benchmarking tool. Justin and John will detail a broad industry effort to address some of the hurdles by redefining certain aspects of the data schema around OpenSAMM and providing more comparative data that will open up this benchmarking tool for broader use throughout industry.

Justin Clarke is director and Co-Founder of Gotham Digital Science. Security consultant with extensive international Big 4 risk management, security consulting and security testing experience. Based in the United Kingdom, with previous experience in the United States and New Zealand.
Lead author/technical editor of "SQL Injection Attacks and Defenses” (Syngress 2009 & 2012), coauthor of "Network Security Tools” (O’Reilly 2005), contributor to "Network Security Assessment, 2nd Edition” (O’Reilly 2007), as well as a speaker at various security conferences and events such as Black Hat, EuSecWest, OWASP, OSCON, RSA and SANS. Currently Chapter leader of the OWASP London chapter.
John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd. He has nearly 20 years hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. As a Denim Group Principal, he helps executives and Chief Security Officers (CSO’s) of Fortune 500 companies and government organizations launch and expand their critical application security initiatives. His leadership has been instrumental in Denim Group being honored by Inc. Magazine as one of the fastest growing companies in the industry for five years in a row.

SAMM Introduction and Hands-On, by Bart De Win (PWC) & Sebastien Deleersnyder (Toreon)

The goal of this 2 session training, which is conceived as a mix of training and workshop, is for the participants to get an in-depth view on and practical feeling of the OpenSAMM model.
In a first part, an overview is presented of the OpenSAMM model and similarities and differences with other similar models are explained. The different domains (governance, construction, verification, deployment), their activities and relations are explained.
In the after-lunch session we will do an actual OpenSAMM evaluation of a selected organisation.

Bart De Win has over 15 years of experience in software security. He has an extensive background in the field, including his Ph.D. and research work on methods and techniques for software protection. Since 2009, Bart has been responsible for all application security services within Ascure & PwC Belgium. He has extensive project experience in software testing and in assisting companies improving their secure software development practices.
Bart is member of the OWASP Belgium Chapter board and he is a co-leader of the OpenSAMM Software Assurance Model. Bart is SABSA, Prince 2 and CSSLP certified.
Sebastien Deleersnyder is Co-founder & managing partner application security at Sebastien has helped various companies improve their ICT-, Web- and Mobile Security, including BNP Paribas Fortis, Atos Worldline, KBC, Nationale Nederlanden (ING), Isabel, Fluxys, OLAF, EU Council, TNT Post, Flemish Community, Agfa-Gevaert and ING Insurance International. Sebastien is the Belgian OWASP Chapter Leader, co-project leader of the OpenSAMM project, served on the OWASP Foundation Board member (2007-2013) and performed several presentations and trainings on Web Application, Mobile and Web Services Security. Furthermore Sebastien co-organizes the yearly BruCON conference in Ghent (Belgium).

SAMM Round Tables, by Kuai Hinojosa (McAfee/Foundstone) & Jerry Hoff (WhiteHat Security)

During the SAMM round table sessions, we will exchange our experience and lessons learned from using OpenSAMM. Topics will include

  • Best practices in performing SAMM self assessments
  • SAMM, now what? How do we build internal support and enthusiasm for security
  • Has 2015 and the recent spate of new attacks introduced any new challenges that are not addressed by SAMM?
  • Building an educational strategy - can we just force developers to go through training or is there a better way?

Jerry Hoff is the VP of the Static Code Analysis Division at WhiteHat Security. In addition to WhiteHat, he is a co-founder and managing partner at Infrared Security. Jerry has worked at a number of fortune ten financial firms, along with years of hands-on security consulting, where he specialized in manual code review, web application penetration testing, and architecture reviews. Jerry also has years of development and teaching experience. He taught for over seven years at Washington University's CAIT program, and the microcomputer program at University of Missouri in St. Louis.
Jerry is the writer/producer of the popular OWASP Appsec Tutorial Series and the lead developer for the WebGoat.NET project.
Kuai Hinojosa - TBD


Dublin, Gibson Hotel


This project day will focus on the OWASP project in "Summit Mode".

Project Day - March 28, 2015
Track 1: Alhambra 1 Track 2: Alhambra 2
09:00-09:30 Project Day organisation

SAMM project leaders

09:30-10:45 Finalizing OpenSAMM v1.1


10:45-11:00 Break
11:00-12:30 Analysis templates / tooling


SAMM model improvements


12:30-13:30 Lunch
13:30-15:00 Project 71 follow-up (benchmark repository)




15:00-15:15 Break
15:15-16:30 What to put in next release / roadmap


16:30-17:00 Project Day Wrap-Up

SAMM Project Leaders

Topics that will be covered during the day are:

  • Analysis templates / tooling
  • SAMM model improvements
  • What to put in next release / roadmap
  • Finalizing / publishing OpenSAMM v1.1
  • Project 71 follow-up (benchmark repository)
  • website - next steps

We will end each session with defined outputs including action plans, responsible and timing

For each of the sessions we will have one topic leader and one note taker to capture the proceedings, decisions and next steps (with owners & timing)

Bar sammsummit.jpg

The social event is on Friday the 27th of March.

We have reserved the Cocktail / Winter Garden at Fade Street Social at 6PM.

Food is a set menu for €35 or €50 (not included in the registration)

Fade Street Social
6 Fade Street,
Dublin 2

Made possible by our Sponsors

Belgium Chapter.PNG London Chapter.PNG

Aspectsecurity.png Astech Consulting logo.png Denim Group logo.jpg Gotham Digital Science logo.jpg

300px90px       NetSPI logo.png SI Logo Stacked Application Security.jpg LogoToreon.jpg Veracode-samm.png