OWASP NZ Day 2020-Training-Bootstrap and Improve Your SDLC with OWASP SAMM

Revision as of 04:08, 18 December 2019 by John dileo (page created)

Bootstrap and Improve Your SDLC with OWASP SAMM

One-Day Interactive Training -- OWASP New Zealand Day 2020


As a mix of lectures and workshops, this training delivers an in-depth view of the OWASP Software Assurance Maturity Model (SAMM) and hands-on practice in applying it. SAMM provides an effective and measurable way for organizations to analyze and improve their software security posture.

Course Details

Dates: Thursday, 20 February 2020

Time: 8:45 a.m. to 5:30 p.m.

Course Fee: NZ $625.00 (plus EventBrite fees)

Registration Site:

Instructor: John Ellingsworth

Course Outline

  • Part One: SDLC Overview and OWASP SAMM Introduction
    • The 'Application Security Problem'
    • Software Development Lifecycle (SDLC) Overview
    • OWASP SAMM - Vision, History, Structure
    • OWASP SAMM As an Assessment Tool
  • Part Two: Applying OWASP SAMM
    • Methodology
    • Establishing Assessment Scope
    • Assessing Governance
    • Assessing Design
    • Assessing Implementation
    • Assessing Verification
    • Assessing Operations
    • Setting Improvement Targets
  • Part Three: OWASP SAMM Tools
    • Assessment Toolkit
    • Benchmark Project
    • Relationships with Other SAMM Projects and Tools
  • Part Four: OWASP SAMM Best Practices
    • Choosing the Right Starting Points
    • Monitoring and Metrics
    • Achieving Security by Default
    • Critical Success Factors

Course Description

Building security into the software development and management practices of a company can be a daunting task. There are many elements to the equation: company structure, different stakeholders, technology stacks, tools and processes, and so forth. Implementing software assurance can have a significant impact on the organization. Yet trying to achieve this without a good framework is likely to lead to only marginal and unsustainable improvements. OWASP SAMM gives you a structured and measurable framework to do just that. It enables you to formulate and implement a strategy for software security that is tailored to the risk profile of your organization.

The goal of this one-day training, which is conceived as a mix of presentations and interactive workshops, is for participants to gain a more in-depth view of, and a practical feel for, the OWASP SAMM model. The training is set up in three parts:

  • In the first part, we present an overview of the model and review its similarities to and differences from other maturity models. The five Business Functions - Governance, Design, Implementation, Verification, and Operations - are explained. The model's other constituent elements (e.g., metrics) are discussed, and the overall usage scenarios of the model are explained.
  • Next, approximately half a day will be spent performing an actual SAMM assessment of your organization (or one you have worked for). We will work through an assessment of all the SAMM business functions and discuss the results in the group. This will give every participant a good indication of their organization's maturity in software assurance. In the same effort, we will define a target model for your organization and identify the most important challenges in getting there.
  • The final part of the training will be dedicated to specific questions or challenges you are facing around secure development in your organization. In this group discussion, participants will share their experiences to address these questions.

If you have not yet started a secure software initiative in your organization, this training should provide you with the necessary foundations and ideas to do so. Be prepared for a highly effective and applicable treatment of this large domain!

And should you have any concerns about confidentiality, we adhere to the Chatham House Rule.

Your Instructor

John Ellingsworth - John is a security principal at a Fortune 1000 company where he helps software development teams build and deliver secure enterprise solutions. When not delivering secure software solutions, he can be found hanging out with his family, often outdoors, and probably scaling mountains.