Difference between revisions of "OWASP SAMM Project"

Upcoming SAMM Meetings

We now have weekly SAMM - summit preparation calls on Wednesdays at 21h30 CEST / 3:30pm ET.

The current DRAFT SAMM schedule is available here: https://open-security-summit.org/tracks/owaspsamm/

Preparation notes: https://docs.google.com/document/d/1piN4De5FGVUqpC-Q_wabRxWfAbjfaF90bYYzugtJM3k/edit#

The monthly call is on each 2nd Wednesday of the month at 21h30 CEST / 3:30pm EST.
Please join our GoToMeeting: https://global.gotomeeting.com/join/262891661
The call is open for everybody interested in SAMM or who wants to work on SAMM.

Previous SAMM Meetings

• 26 April 2017 - https://docs.google.com/document/d/1kWYlVoOY99W4MUyEimWXSV-wi77LaESxmTb6DEHf0mE/edit
• 12 April 2017 - https://docs.google.com/document/d/1nigqGPCfAeJ67_INkRrD0bZ80qN8479l3QgDBQrxNUw/edit
• 26 October 2016 - https://docs.google.com/document/d/1D1sQqJPk3ED6U1-5A26Ikr41g-RF-rtzmr8NfJlGAn0/edit (SAMMv2 call Policy&Compliance)
• 12 October 2016 - https://docs.google.com/document/d/1Yunexfvb9x49v3pyzhgmFaNffAL_UJGPgMYYCVBsnMc/edit
• 28 September 2016 - https://docs.google.com/document/d/1dWa8z-qVYGiOQBto5eOL03I4LqAVmK9r-2lnJiDm-vw/edit (SAMMv2 call Strategy&Metrics)
• 17 September 2016 - https://docs.google.com/document/d/1RR0M2Xc8y--KaxyhBsHXtpDDJz2zkDujXn4ZTC_E8KE/edit
• 31 August 2016 - https://docs.google.com/document/d/1uzWZ66xf6A478GxyYJiyfwq9FfWA_kOsj45Sqi9It5A/edit
• 10 August 2016 - https://docs.google.com/document/d/17yS1aP8wgsxkVeK9wcqLJMNA8eheLKptwZI7T6vAAqA/edit
• 13 July 2016 - https://docs.google.com/document/d/1WueehfPZpt4vpaRf5N1nNghSXNAH8gyQWQwgxd2t1Nw/edit
• 8 June 2016 - https://docs.google.com/document/d/1Yr8ihsI136hMTlbpoUIl12nrRSDTo1f-PiBlFu57o5U/edit
• 18 May 2016 - https://docs.google.com/document/d/1mUNj7P0lyFK9GEcInQ-2ozsi5awmQUtDbeC1A_wasg8/edit
• 11 May 2016 - https://docs.google.com/document/d/1R1AYXEsE5wmnfqnXEruJVqDxffl7qCT7ilcVxp0E3Ls/edit
• 13 April 2016 - https://docs.google.com/document/d/12MF3FzgXtiPC_MkTQfa5lUZJjfQGvRmh2viGa_wonBU/edit
• 6 April 2016 - https://docs.google.com/document/d/1dIZSXrEWYTH1-RXioyrJEuitehSsESjm1XPSRUCWKLE/edit
• 9 March 2016 - https://docs.google.com/document/d/1Idm7VqKVRU1gQE785WIyCb-ZRQrFwDCGj-ws_5jpISY/edit
• 17 February 2016 - https://docs.google.com/document/d/1YU3LATRFvBLUacpkpOGwpTHME_TeJhF5LzwCcaPYG7Y/edit
• 14 January 2016 - https://docs.google.com/document/d/1hCQRst1sUaXMmstTDJUzx-EPWtbkw7m4sE0GqbIBwJM/edit
• 9 December 2015 - https://docs.google.com/document/d/15qvefQpSOzsKoXKtIdOqgpp71vAMrcA_cSjEdjslVWk/edit
• 11 November 2015 - https://docs.google.com/document/d/1Bni3mWHM3wNcX8HpRVIcg5nRoe6Jos8k6Qqlr297PUY/edit
• 21 October 2015 - https://docs.google.com/document/d/1fNJav_2DPluaEPL7-CGSKU9WgXp_yxnhoUWvxuC1LYU/edit
• 7 October 2015 - https://docs.google.com/document/d/1bO_L30fk7MQtlcdFM5sqOyRWN6WcYZ2PMkppQMeXDnM/edit
• 23 September 2015 - https://docs.google.com/document/d/1unkouIo8DIY8ovvfB9bJwuRIoJvjIoLZevt3YtvJy80/edit
• 26 August 2015 - https://docs.google.com/document/d/1scQdHSv1sEOJrP43tz6vDl0GF1STClJbbYdm0YfpUAI/edit
• 12 August 2015 - https://docs.google.com/document/d/1GQBBfNVzBdMzFEjtT4VhtD4V4WYTbOLnpE2casrNA5o/edit
• 23 July 2015 - https://docs.google.com/document/d/1zf7Owyg-QByPcx8uylX_uImfLRcD7EZZ8A39IenHmUo/edit
• 15 July 2015 - https://docs.google.com/document/d/1GS-qHqhXQoHhQLmeDjeUO-bvgDZE174w6qUXq8wZjow/edit
• 17 June - https://docs.google.com/document/d/1oDKPwMXJNAJIqeuDCnPhuKpVhZTx2xfBcguHHwSnkDg/edit
• 10 June - https://docs.google.com/document/d/1vWMkdQe1HN2qU3GVZE5fvCfg-5j5XgMgHCOZEwNgkm8/edit
• 13 May - https://docs.google.com/document/d/1qaUqig6ucPb_kB0mSJ1Tmv7oJc9LF1Mem-oJrs-5XPM/edit
• 29 Apr 2015 - https://docs.google.com/document/d/1NwOZlX7dL-ADMTYZzN17qopmWCpwzbsqp47BxpLOiQw/edit
• 22 Apr 2015 - https://docs.google.com/document/d/1HNjIp6fBfhE72u8sOIkXpOmEoI7DlWKm_jUQ-ukIOvs/edit
• 15 Apr 2015 - https://docs.google.com/document/d/12uGomNwIMU_-WP5DRHv9KeOMufUNehULj_6cITv_rmM/edit
• 8 Apr 2015 - https://docs.google.com/document/d/1R2feB6u1tqMBx516GpTwfFssnnduOxeBwEsUrPoCvwI/edit
• 11 Mar 2015 - https://docs.google.com/document/d/1MKTbOsqtPRDBF4ghr-8UP_wmzYSlZXq8zZAN61B9nZY/edit
• 18 Feb 2015 - https://docs.google.com/document/d/1KnZDB2-0f2bYS4fwETEzCLP5y4FPS-TiHAnbCkO2hD0/edit
• 14 Jan 2015 - https://docs.google.com/document/d/1hTko3Bi56vI5DLj7BqjRsEwUw5QCGId4l1kg7htmVZM/edit
• 10 Dec 2014 - https://docs.google.com/document/d/1599hkupNaEquVIk-VbN1qGDOzfq1Rwo1zhXLmWmRUFA/edit
• 12 Nov 2014 - https://docs.google.com/document/d/1GbDmwYyymxw_IZYNSh8aI9tyvl0MhxMO5ErFPN8hNKg/edit

Upcoming talks featuring SAMM are listed here:

• OWASP DC - Software Assurance Maturity Model (SAMM) with Brian Glas! (2017-03-15)
• OWASP NoVA - SAMM 1.5, what's changed and how it impacts you (2017-03-16)
• InfoSec World - Software Assurance Maturity Model Evolutions (2017-04-03)

past talks:

• OWASP SAMM v1.5 Webinar - Brian Glas discussing the SAMM model and changes in v1.5 (watch - youtube) - 2017
• OWASP 24/7 - Seba Deleersnyder discussing the upcoming SAMM Summit (listen - here) - 2015
• OWASP Germany Day 2014: Seba Deleersnyder: OpenSAMM Best Practices: Lessons from the Trenches (download presentation) - 2014
• AppSecEU14: Seba Deleersnyder & Bart De Win: OpenSAMM Best Practices: Lessons from the Trenches OpenSAMM Best Practices: Lessons from the Trenches (download presentation, see video) - 2014
• AppSecEU13 - Hamburg: Seba Deleersnyder presenting a project update (download presentation) - 2013
• OWASP Europe Tour 2013 - Geneva: Seba Deleersnyder presenting OpenSAMM and the renewed project (download presentation) - 2013
• AppSecEU11 - Athens: Colin Watson presenting SAMM Training (download presentation) - 2011
• AppSecEU09: Pravir Chandra presenting OpenSAMM v1.0 (download presentation) - 2009
• Matt Bartoldus presentation on new SAMM project during OWASP London chapter (download presentation) - 2009
• Pravir Chandra - first presentation discussing the next generation to the CLASP Project- a complete working of the details into a Software Assurance Maturity Model (SAMM). (download presentation) - 2009

Latest News on SAMM

• OWASP SAMM v2.0 workshop at the OWASP Project Summit June 2017
• OWASP SAMM v1.5 Released!
• SAMM Summit 2016 read the wrap-up here
• OWASP SAMM v1.1 Released! See the Press Release.
• OpenSAMM v1.1 RC - available for review

SAMM v1.0 is available in the following languages:

• English
• Spanish
• Japanese
• Chinese

Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the presentation. Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download here.

You can use Crowdin to help improve these translations or add new ones right now!

Updated roadmap: Next 1.5 release, updated scoring:

• Clarification of maturity levels (syntactic changes to keep the text consistent)
• Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal.
• Show improvements with every activity introduced
• Adapt for the new scoring method
• Update questions for 4-tiers
• Review and where necessary clarify current questions
• Consider v1.1 remarks that were not withheld for the previous release

Targeted completion date: February 28, 2017

SAMM version 2.0

• Core model changed
• Visualisations + flavours for a few development methodologies
• Update quickstart guide, TB, HTG.
• Success metrics: How well does the model work: Linked to the benchmarking project.

Timing: Workshops as part of OWASP Project Summit June 2017

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

Feedback

Please use the Mailing List for feedback:

• What do like?
• What don't you like?
• How can we make SAMM easier to use?
• How could SAMM be improved?

Localization

Are you fluent in another language? Can you help translate SAMM into that language?

You can use Crowdin to do that!

SAMM is developed and maintained by a worldwide team of volunteers. We have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM.

SAMM Adopters

SAMM is the premier open source software assurance framework. You can find a list of SAMM adopters online.

Call for SAMM2 Sponsors

OWASP SAMM and the upcoming SAMM 2.0 release is the open source software security maturity model used to develop secure software for IT, application and software security technologists.

We are seeking sponsors to support OWASP SAMM. All proceeds from the sponsorship support the mission of the OWASP Foundation and the further development of SAMM. Supporting the project drives the funding for research grants, SAMM hosting, tools, templates, documents, promotion, and more.

By sponsoring SAMM, you not only support an important and flagship OWASP project, you will also get visibility during the next SAMM Summit (part of the OWASP Summit 2018) and recognition on the OWASP SAMM project web site and the next release of SAMM (version 2.0).

For more information: Download our SAMM2 sponsorship brochure.

Contact seba@owasp.org to activate your sponsorship.

Acknowledgements

We would like to thank the following sponsors who donated funds to our project: