This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

OWASP SAMM Project

From OWASP

Revision as of 16:02, 10 January 2016 by Sdeleersnyder (talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to: navigation, search

Main
Browse Online
Downloads
Community
Summit
Talks
News
Languages
Roadmap
Get Involved
Project Sponsors

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:

Evaluate an organization’s existing software security practices
Build a balanced software security assurance program in well-defined iterations
Demonstrate concrete improvements to a security assurance program
Define and measure security-related activities throughout an organization

Dell uses OWASP’s Software Assurance Maturity Model (OpenSAMM) to help focus our resources and determine which components of our secure application development program to prioritize., (Michael J. Craigue, Information Security & Compliance, Dell, Inc.)

Share this:

Quick Download

Download OWASP SAMM!

News and Events

Please see the News and Talks tabs

Change Log

OpenSAMM v1.1 RC - available for review

Email List

Questions? Please ask on the SAMM Mailing List

Project Leaders

Project Leaders
Seba Deleersnyder Pravir Chandra Kuai Hinojosa Bart De Win

Related Projects

Classifications



C C A-S Alike 3.0

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

Click on any badge to learn more

Strategy & Metrics

Policy & Compliance

Education & Guidance

Threat Assessment

Security Requirements

Secure Architecture

Design Review

Code Review

Security Testing

Vulnerability Management

Environment Hardening

Operational Enablement

Download SAMM v1.0:

in English - PDF, English - XML
in Spanish - PDF, Spanish - XML
in Japanese - PDF, not available as XML

Trainings:

Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
- Slide deck download here
- Training description download here

Assessments:

SAMM v1.1 RC1 toolbox
- download the latest toolbox, including the updated questions here TBD
Assessment Interview Template by Nick Coblentz for SAMM V1.0
- This spreadsheet breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.

Mappings:

BSIMM-V mapping to SAMM activities:
- Spreadsheet download here
- Presentation with start of analysis download here
BSIMM mapping to SAMM during the 2011 Summit:
- This spreadsheet contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).

Tools:

- Javascript visualization framework for SAMM on github

Upcoming SAMM Meetings

We now have weekly SAMM - summit preparation calls on Wednesdays at 21h30 CEST / 3:30pm ET.

The current DRAFT SAMM schedule is available here: https://open-security-summit.org/tracks/owaspsamm/

Preparation notes: https://docs.google.com/document/d/1piN4De5FGVUqpC-Q_wabRxWfAbjfaF90bYYzugtJM3k/edit#

The monthly call is on each 2nd Wednesday of the month at 21h30 CEST / 3:30pm EST.
Please join our GoToMeeting: https://global.gotomeeting.com/join/262891661
The call is open for everybody interested in SAMM or who wants to work on SAMM.

Previous SAMM Meetings

26 April 2017 - https://docs.google.com/document/d/1kWYlVoOY99W4MUyEimWXSV-wi77LaESxmTb6DEHf0mE/edit
12 April 2017 - https://docs.google.com/document/d/1nigqGPCfAeJ67_INkRrD0bZ80qN8479l3QgDBQrxNUw/edit
26 October 2016 - https://docs.google.com/document/d/1D1sQqJPk3ED6U1-5A26Ikr41g-RF-rtzmr8NfJlGAn0/edit (SAMMv2 call Policy&Compliance)
12 October 2016 - https://docs.google.com/document/d/1Yunexfvb9x49v3pyzhgmFaNffAL_UJGPgMYYCVBsnMc/edit
28 September 2016 - https://docs.google.com/document/d/1dWa8z-qVYGiOQBto5eOL03I4LqAVmK9r-2lnJiDm-vw/edit (SAMMv2 call Strategy&Metrics)
17 September 2016 - https://docs.google.com/document/d/1RR0M2Xc8y--KaxyhBsHXtpDDJz2zkDujXn4ZTC_E8KE/edit
31 August 2016 - https://docs.google.com/document/d/1uzWZ66xf6A478GxyYJiyfwq9FfWA_kOsj45Sqi9It5A/edit
10 August 2016 - https://docs.google.com/document/d/17yS1aP8wgsxkVeK9wcqLJMNA8eheLKptwZI7T6vAAqA/edit
13 July 2016 - https://docs.google.com/document/d/1WueehfPZpt4vpaRf5N1nNghSXNAH8gyQWQwgxd2t1Nw/edit
8 June 2016 - https://docs.google.com/document/d/1Yr8ihsI136hMTlbpoUIl12nrRSDTo1f-PiBlFu57o5U/edit
18 May 2016 - https://docs.google.com/document/d/1mUNj7P0lyFK9GEcInQ-2ozsi5awmQUtDbeC1A_wasg8/edit
11 May 2016 - https://docs.google.com/document/d/1R1AYXEsE5wmnfqnXEruJVqDxffl7qCT7ilcVxp0E3Ls/edit
13 April 2016 - https://docs.google.com/document/d/12MF3FzgXtiPC_MkTQfa5lUZJjfQGvRmh2viGa_wonBU/edit
6 April 2016 - https://docs.google.com/document/d/1dIZSXrEWYTH1-RXioyrJEuitehSsESjm1XPSRUCWKLE/edit
9 March 2016 - https://docs.google.com/document/d/1Idm7VqKVRU1gQE785WIyCb-ZRQrFwDCGj-ws_5jpISY/edit
17 February 2016 - https://docs.google.com/document/d/1YU3LATRFvBLUacpkpOGwpTHME_TeJhF5LzwCcaPYG7Y/edit
14 January 2016 - https://docs.google.com/document/d/1hCQRst1sUaXMmstTDJUzx-EPWtbkw7m4sE0GqbIBwJM/edit
9 December 2015 - https://docs.google.com/document/d/15qvefQpSOzsKoXKtIdOqgpp71vAMrcA_cSjEdjslVWk/edit
11 November 2015 - https://docs.google.com/document/d/1Bni3mWHM3wNcX8HpRVIcg5nRoe6Jos8k6Qqlr297PUY/edit
21 October 2015 - https://docs.google.com/document/d/1fNJav_2DPluaEPL7-CGSKU9WgXp_yxnhoUWvxuC1LYU/edit
7 October 2015 - https://docs.google.com/document/d/1bO_L30fk7MQtlcdFM5sqOyRWN6WcYZ2PMkppQMeXDnM/edit
23 September 2015 - https://docs.google.com/document/d/1unkouIo8DIY8ovvfB9bJwuRIoJvjIoLZevt3YtvJy80/edit
26 August 2015 - https://docs.google.com/document/d/1scQdHSv1sEOJrP43tz6vDl0GF1STClJbbYdm0YfpUAI/edit
12 August 2015 - https://docs.google.com/document/d/1GQBBfNVzBdMzFEjtT4VhtD4V4WYTbOLnpE2casrNA5o/edit
23 July 2015 - https://docs.google.com/document/d/1zf7Owyg-QByPcx8uylX_uImfLRcD7EZZ8A39IenHmUo/edit
15 July 2015 - https://docs.google.com/document/d/1GS-qHqhXQoHhQLmeDjeUO-bvgDZE174w6qUXq8wZjow/edit
17 June - https://docs.google.com/document/d/1oDKPwMXJNAJIqeuDCnPhuKpVhZTx2xfBcguHHwSnkDg/edit
10 June - https://docs.google.com/document/d/1vWMkdQe1HN2qU3GVZE5fvCfg-5j5XgMgHCOZEwNgkm8/edit
13 May - https://docs.google.com/document/d/1qaUqig6ucPb_kB0mSJ1Tmv7oJc9LF1Mem-oJrs-5XPM/edit
29 Apr 2015 - https://docs.google.com/document/d/1NwOZlX7dL-ADMTYZzN17qopmWCpwzbsqp47BxpLOiQw/edit
22 Apr 2015 - https://docs.google.com/document/d/1HNjIp6fBfhE72u8sOIkXpOmEoI7DlWKm_jUQ-ukIOvs/edit
15 Apr 2015 - https://docs.google.com/document/d/12uGomNwIMU_-WP5DRHv9KeOMufUNehULj_6cITv_rmM/edit
8 Apr 2015 - https://docs.google.com/document/d/1R2feB6u1tqMBx516GpTwfFssnnduOxeBwEsUrPoCvwI/edit
11 Mar 2015 - https://docs.google.com/document/d/1MKTbOsqtPRDBF4ghr-8UP_wmzYSlZXq8zZAN61B9nZY/edit
18 Feb 2015 - https://docs.google.com/document/d/1KnZDB2-0f2bYS4fwETEzCLP5y4FPS-TiHAnbCkO2hD0/edit
14 Jan 2015 - https://docs.google.com/document/d/1hTko3Bi56vI5DLj7BqjRsEwUw5QCGId4l1kg7htmVZM/edit
10 Dec 2014 - https://docs.google.com/document/d/1599hkupNaEquVIk-VbN1qGDOzfq1Rwo1zhXLmWmRUFA/edit
12 Nov 2014 - https://docs.google.com/document/d/1GbDmwYyymxw_IZYNSh8aI9tyvl0MhxMO5ErFPN8hNKg/edit

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details >here< !!

Summit Notes:

28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
Summit outcome is described here

"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers." Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company

Previous workshop Notes:

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.

This is also an excellent opportunity to exchange experiences with your peers.

If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).

The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available here.

Previous workshop notes:

The notes for the SAMM Workshop in New York on 21-Nov-2013 are available here.
The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available here.

upcoming talks will be listed here:

OWASP DC - Software Assurance Maturity Model (SAMM) with Brian Glas! (2017-03-15)
OWASP NoVA - SAMM 1.5, what's changed and how it impacts you (2017-03-16)
InfoSec World - Software Assurance Maturity Model Evolutions (2017-04-03)

past talks:

OWASP 24/7 - Seba Deleersnyder discussing the upcoming SAMM Summit (listen - here) - 2015

OWASP Germany Day 2014: Seba Deleersnyder: OpenSAMM Best Practices: Lessons from the Trenches (download presentation) - 2014
AppSecEU14: Seba Deleersnyder & Bart De Win: OpenSAMM Best Practices: Lessons from the Trenches OpenSAMM Best Practices: Lessons from the Trenches (download presentation, see video) - 2014
AppSecEU13 - Hamburg: Seba Deleersnyder presenting a project update (download presentation) - 2013
OWASP Europe Tour 2013 - Geneva: Seba Deleersnyder presenting OpenSAMM and the renewed project (download presentation) - 2013
AppSecEU11 - Athens: Colin Watson presenting SAMM Training (download presentation) - 2011
AppSecEU09: Pravir Chandra presenting OpenSAMM v1.0 (download presentation) - 2009
Matt Bartoldus presentation on new SAMM project during OWASP London chapter (download presentation) - 2009
Pravir Chandra - first presentation discussing the next generation to the CLASP Project- a complete working of the details into a Software Assurance Maturity Model (SAMM). (download presentation) - 2009