This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP SAMM Project"

From OWASP

Jump to: navigation, search

Revision as of 14:17, 30 November 2014

Main
Talks
News
Supporters
Browse Online
Languages
Roadmap
Get Involved
Project Sponsors

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:

Evaluate an organization’s existing software security practices
Build a balanced software security assurance program in well-defined iterations
Demonstrate concrete improvements to a security assurance program
Define and measure security-related activities throughout an organization

Dell uses OWASP’s Software Assurance Maturity Model (OpenSAMM) to help focus our resources and determine which components of our secure application development program to prioritize., (Michael J. Craigue, Information Security & Compliance, Dell, Inc.)

Want a very quick introduction? See the TBD - Quickstart Guide

For a slightly longer introduction see the latest project presentation.

Browse the SAMM model online here TBD

Share this:

Quick Download

Download OWASP SAMM!

News and Events

Please see the News and Talks tabs

Change Log

Email List

Questions? Please ask on the SAMM Mailing List

Project Leaders

Project Leaders
Seba Deleersnyder Pravir Chandra Kuai Hinojosa Bart De Win

Related Projects

Classifications



C C A-S Alike 3.0

upcoming talks will be listed here:

OWASP DC - Software Assurance Maturity Model (SAMM) with Brian Glas! (2017-03-15)
OWASP NoVA - SAMM 1.5, what's changed and how it impacts you (2017-03-16)
InfoSec World - Software Assurance Maturity Model Evolutions (2017-04-03)

past talks:

OWASP 24/7 - Seba Deleersnyder discussing the upcoming SAMM Summit (listen - here) - 2015

OWASP Germany Day 2014: Seba Deleersnyder: OpenSAMM Best Practices: Lessons from the Trenches (download presentation) - 2014
AppSecEU14: Seba Deleersnyder & Bart De Win: OpenSAMM Best Practices: Lessons from the Trenches OpenSAMM Best Practices: Lessons from the Trenches (download presentation, see video) - 2014
AppSecEU13 - Hamburg: Seba Deleersnyder presenting a project update (download presentation) - 2013
OWASP Europe Tour 2013 - Geneva: Seba Deleersnyder presenting OpenSAMM and the renewed project (download presentation) - 2013
AppSecEU11 - Athens: Colin Watson presenting SAMM Training (download presentation) - 2011
AppSecEU09: Pravir Chandra presenting OpenSAMM v1.0 (download presentation) - 2009
Matt Bartoldus presentation on new SAMM project during OWASP London chapter (download presentation) - 2009
Pravir Chandra - first presentation discussing the next generation to the CLASP Project- a complete working of the details into a Software Assurance Maturity Model (SAMM). (download presentation) - 2009

Click on any badge to learn more

Strategy & Metrics

Policy & Compliance

Education & Guidance

Threat Assessment

Security Requirements

Secure Architecture

Design Review

Code Review

Security Testing

Vulnerability Management

Environment Hardening

Operational Enablement

SAMM is available in the following languages:

English
Spanish
Japanese
German

You can use Crowdin to help improve these translations or add new ones right now!

Project Roadmap:
Is available via this link

Release 1.1

The major features we are currently working on include:

Add quick start guide
Add tools & OWASP resources
Add use cases, experience
Revamp SAMM wiki

The date and exact items that will be included in 2.0 have not been finalized. The list of requested improvements is here

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

Feature Requests

TBD

Feedback

Please use the Mailing List for feedback:

What do like?
What don't you like?
How can we make SAMM easier to use?
How could SAMM be improved?

Localization

Are you fluent in another language? Can you help translate SAMM into that language?

You can use Crowdin to do that!

Development

If you fancy having a go at adding functionality to ZAP then please get in touch via the zaproxy-develop Google Group.

Again, you do not have to be a security expert to contribute code - working on ZAP could be great way to learn more about web application security!

If you actively contribute to ZAP then you will be invited to join the project.

Acknowledgements

We would like to thank the following sponsors who donated funds to our project:

Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_SAMM_Project&oldid=186203"

Categories:

Difference between revisions of "OWASP SAMM Project"

Revision as of 14:17, 30 November 2014

Quick Download

News and Events

Change Log

Email List

Project Leaders

Related Projects

Classifications

Click on any badge to learn more

Release 1.1

Feature Requests

Feedback

Localization

Development

Acknowledgements

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools

@@ Line 46: / Line 46: @@
 == Project Leaders ==
-Project Leaders<br/>[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] [https://www.owasp.org/index.php/User:Pravir_Chandra Pravir Chandra]
+Project Leaders<br/>[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] [https://www.owasp.org/index.php/User:Pravir_Chandra Pravir Chandra] [https://www.owasp.org/index.php/Kuai_Hinojosa Kuai Hinojosa]  [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win]
- [https://www.owasp.org/index.php/Kuai_Hinojosa Kuai Hinojosa]  [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win]
 == Related Projects ==
@@ Line 75: / Line 74: @@
 [[Image:zap128x128.png|right]]
 <div style="font-size:120%;border:none;margin: 0;color:#000">
-{{:Projects/OWASP Zed Attack Proxy Project/Pages/Talks | Talks}}
+{{:Projects/OWASP SAMM Project/Pages/Talks | Talks}}
@@ Line 82: / Line 81: @@
 [[Image:zap128x128.png|right]]
 <div style="font-size:120%;border:none;margin: 0;color:#000">
-{{:Projects/OWASP Zed Attack Proxy Project/Pages/News | News}}
+{{:Projects/OWASP SAMM Project/Pages/News | News}}
 </div>
-= ZAP Gear =
-[[Image:zap128x128.png|right]]
-<div style="font-size:120%;border:none;margin: 0;color:#000">
-Yes, you can now buy ZAP related gear!
-Its your chance to show your support for the project, c/o `CafePress`.
-Click on the tshirt to enter the [http://www.cafepress.com/zaproxy ZAP Gear Store]:
-[[Image:zap-tshirt-cp.PNG | link=http://www.cafepress.com/zaproxy]]
-</div>
 = Supporters =
 [[Image:zap128x128.png|right]]
 <div style="font-size:120%;border:none;margin: 0;color:#000">
-ZAP is developed by a worldwide [http://code.google.com/p/zaproxy/people/list team] of volunteers.
+SAMM is developed and maintained by a worldwide team of volunteers.
-But we have also been helped by many organizations, either financially or by encouraging their employees to work on ZAP:
+But we have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM:
 * [http://www.owasp.org OWASP]
-* [http://www.mozilla.org Mozilla]
+* TBD
-* [http://www.sage.co.uk Sage]
-* [http://www.google.com Google]
-* [http://www.microsoft.com Microsoft]
-* [http://www.hacktics.com/ Hacktics, Ernst & Young]
-* [http://www.dinosec.com/ DinoSec]
-* [http://www.denimgroup.com Denim Group]
-* [http://www.aspectsecurity.com/ Aspect Security]
-* [http://secureideas.net SecureIdeas]
-* [http://utilisec.com UtiliSec]
-* [http://www.encription.co.uk/ encription]
-</div>
-= Functionality =
-[[Image:zap128x128.png|right]]
-<div style="font-size:120%;border:none;margin: 0;color:#000">
-'''Some of ZAP's functionality:'''
-* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsIntercept Intercepting Proxy]
-* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsSpider Traditional] and AJAX spiders
-* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsAscan Automated scanner]
-* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsPscan Passive scanner]
-* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsBruteforce Forced browsing]
-* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsFuzz Fuzzer]
-* [http://code.google.com/p/zaproxy/wiki/HelpUiDialogsOptionsDynsslcert Dynamic SSL certificates]
-* [http://code.google.com/p/zaproxy/wiki/SmartCards Smartcard and Client Digital Certificates support]
-* [http://code.google.com/p/zaproxy/wiki/HelpAddonsWebsocketIntroduction Web sockets] support
-* [http://code.google.com/p/zaproxy/wiki/HelpAddonsScriptsScripts Support for a wide range of scripting languages]
-* [http://code.google.com/p/zaproxy/wiki/HelpAddonsPlugnhackPlugnhack Plug-n-Hack support]
-* Authentication and session support
-* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsApi Powerful REST based API]
-* Automatic updating option
-* [https://code.google.com/p/zap-extensions/ Integrated and growing marketplace of add-ons]
 </div>
-= Features =
-[[Image:zap128x128.png|right]]
-<div style="font-size:120%;border:none;margin: 0;color:#000">
-'''Some of ZAP's features:'''
-* [http://www.apache.org/licenses/LICENSE-2.0 Open source]
+= Browse Online =
-* Cross platform
+===== Click on any badge to learn more =====
-* Easy to install (just requires java 1.7)
-* Completely free (no paid for 'Pro' version)
-* Ease of use a priority
-* [http://code.google.com/p/zaproxy/wiki/HelpIntro Comprehensive help pages]
-* Fully internationalized
-* Translated into over 20 languages
-* Community based, with involvement actively encouraged
-* Under active development by an international team of volunteers
-ZAP is a fork of the well regarded [http://www.parosproxy.org/ Paros Proxy].
+{| cellpadding="1"
+|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]
-</div>
+|-
+|align="center"|'''Strategy & Metrics'''
+|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
+|-
+|align="center"|'''Policy & Compliance'''
+|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
+|-
+|align="center"|'''Education & Guidance'''
+|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
+|-
+|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]
+|-
+|align="center"|'''Threat Assessment'''
+|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
+|-
+|align="center"|'''Security Requirements'''
+|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
+|-
+|align="center"|'''Secure Architecture'''
+|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
+|-
+|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]
+|-
+|align="center"|'''Design Review'''
+|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
+|-
+|align="center"|'''Code Review'''
+|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
+|-
+|align="center"|'''Security Testing'''
+|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
+|-
+|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]
+|-
+|align="center"|'''Vulnerability Management'''
+|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
+|-
+|align="center"|'''Environment Hardening'''
+|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
+|-
+|align="center"|'''Operational Enablement'''
+|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
+|-
+|}
 = Languages =
-[[Image:zap128x128.png|right]]
 <div style="font-size:120%;border:none;margin: 0;color:#000">
-'''ZAP supports the following languages:'''
+'''SAMM is available in the following languages:'''
 * English
-* Arabic
+* Spanish
-* Bosnian
+* Japanese
-* Brazilian Portuguese
-* Chinese
-* Danish
-* Filipino
-* French
 * German
-* Greek
-* Indonesian
-* Italian
-* Japanese
-* Korean
-* Persian
-* Polish
-* Russian
-* Sinhala
-* Spanish
-* Urdu
-You can use [http://crowdin.net/project/owasp-zap Crowdin] to help improve these translations or add new ones right now!
+You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!
 </div>
 = Roadmap =
-[[Image:zap128x128.png|right]]
 <div style="font-size:120%;border:none;margin: 0;color:#000">
-==Release 2.3.0==
+'''Project Roadmap:'''<br>
-ZAP 2.3.0 has been released, which includes:
+Is available via this [https://docs.google.com/document/d/1y97loS-JqhDjLqGj8gLZdGLT0GHdp50QpLD59W34wQA/edit link]
-* A ZAP 'lite' version in addition to the existing 'full' version
-* View, intercept, manipulate, resend and fuzz client-side (browser) events
-* Enhanced authentication support
-* Support for non standard apps
-* Input Vector scripts
-* Scan policy - fine grained control
-* Advanced Scan dialog
-* Extended command line options
-* More API support
-* Internationalized help file
-* Keyboard shortcuts
-* New UI options
-* More functionality moved to add-ons
-* New and improved active and passive scanning rules
-For more details see http://code.google.com/p/zaproxy/wiki/HelpReleases2_3_0
-==Release 2.4.0==
+==Release 1.1 ==
 The major features we are currently working on include:
-* Client side scanning
+* Add quick start guide
-* Advanced fuzzing
+* Add tools & OWASP resources
-* Advanced access control testing
+* Add use cases, experience
-* SOAP service scanning
+* Revamp SAMM wiki
-* Sequence scanning
-* Sequence detection
-The date and exact features that will be included in 2.4 have not been finalized.
+The date and exact items that will be included in 2.0 have not been finalized. The list of requested improvements is [https://docs.google.com/document/d/1MPOMjairq6PQbwIt3fGWp0muTY6yfFwkWjo5cgPEK4s/edit here]
 </div>
@@ Line 231: / Line 185: @@
 <div style="font-size:120%;border:none;margin: 0;color:#000">
-Involvement in the development of ZAP is actively encouraged!
+Involvement in the development of SAMM is actively encouraged!
 You do not have to be a security expert in order to contribute.
@@ Line 239: / Line 193: @@
 ==Feature Requests==
-Please raise new feature requests as enhancement requests here: http://code.google.com/p/zaproxy/issues/list
+TBD
-If there are existing requests you are also interested in then please 'star' them - that way we can see which features people are most interested in and can prioritize them accordingly.
 ==Feedback==
-Please use the [http://groups.google.com/group/zaproxy-users zaproxy-users Google Group] for feedback:
+Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:
 * What do like?
 * What don't you like?
-* What features could be made easier to use?
+* How can we make SAMM easier to use?
-* How could the help pages be improved?
+* How could SAMM be improved?
-==Log issues==
-Have you had a problem using ZAP?
-If so and its not already been logged then please [http://code.google.com/p/zaproxy/issues/list report it]
 ==Localization==
-Are you fluent in another language? Can you help translate ZAP into that language?
+Are you fluent in another language? Can you help translate SAMM into that language?
-You can use [http://crowdin.net/project/owasp-zap Crowdin] to do that!
+You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!
 ==Development==
@@ Line 272: / Line 219: @@
 </div>
+= Project Sponsors =
+==== Acknowledgements ====
+We would like to thank the following sponsors who donated funds to our project:
+[http://www.veracode.com https://www.owasp.org/images/d/d6/Veracode-samm.png]
 __NOTOC__ <headertabs />