
Latest revision as of 10:55, 8 March 2015

For the latest project news and information, join the mailing list and visit the OpenSAMM website.


Strategy & Metrics - 1

Objective: Establish unified strategic roadmap for software security within the organization

Results

  • Concrete list of the most critical business-level risks caused by software
  • Tailored roadmap that addresses the security needs for your organization with minimal overhead
  • Organization-wide understanding of how the assurance program will grow over time

Success Metrics

  • >80% of stakeholders briefed on business risk profile in past 6 months
  • >80% of staff briefed on assurance program roadmap in past 3 months
  • >1 assurance program strategy session in past 3 months

Costs

  • Buildout and maintenance of business risk profile
  • Quarterly evaluation of assurance program

Personnel

  • Developers (1 day/yr)
  • Architects (4 days/yr)
  • Managers (4 days/yr)
  • Business Owners (4 days/yr)
  • QA Testers (1 day/yr)
  • Security Auditor (4 days/yr)

Related Levels

  • Policy & Compliance - 1
  • Threat Assessment - 1
  • Security Requirements - 2


A. Estimate overall business risk profile

Interview business owners and stakeholders and create a list of worst-case scenarios across the organization’s various application and data assets. Based on the way in which your organization builds, uses, or sells software, the list of worst-case scenarios can vary widely, but common issues include data theft or corruption, service outages, monetary loss, reverse engineering, account compromise, etc.

After broadly capturing worst-case scenario ideas, collate and select the most important based on collected information and knowledge about the core business. Any number can be selected, but aim for at least 3 and no more than 7 to make efficient use of time and keep the exercise focused.

Elaborate a description of each of the selected items and document details of contributing worst-case scenarios, potential contributing factors, and potential mitigating factors for the organization. The final business risk profile should be reviewed with business owners and other stakeholders for understanding.

B. Build and maintain assurance program roadmap

With the main business risks to the organization understood, evaluate the organization's current performance against each of the twelve Practices. Assign each Practice a score of 1, 2, or 3, corresponding to the highest Objective for which the organization meets all of the cumulative success metrics. If no success metrics are being met, assign the Practice a score of 0.

Once a good understanding of current status is obtained, the next goal is to identify the Practices that will be improved in the next iteration. Select them based on business risk profile, other business drivers, compliance requirements, budget tolerance, etc. Once Practices are selected, the goals of the iteration are to achieve the next Objective under each.

Iterations of improvement on the assurance program should be approximately 3-6 months, but an assurance strategy session should take place at least every 3 months to review progress on activities, performance against success metrics and other business drivers that may require program changes.
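The scoring rule in activity B and the iteration planning that follows it can be captured in a small scorecard calculator. The following is an added example, not OpenSAMM's own tooling: the Practice names, the per-level metric results and the selection of Practices for the next iteration are all constructed sample data, and the helper names are this example's own.

```python
"""Added example: score SAMM Practices from cumulative success metrics.

Rule from the page: a Practice scores 1, 2 or 3 when every success metric
of that Objective and of all lower Objectives is met; 0 when none are met.
The assessment data below is constructed for illustration.
"""
from dataclasses import dataclass, field

LEVELS = (1, 2, 3)  # the three Objectives (maturity levels) per Practice


@dataclass
class PracticeAssessment:
    name: str
    # metrics_met[level] -> one boolean per success metric at that level
    metrics_met: dict = field(default_factory=dict)


def practice_score(assessment: PracticeAssessment) -> int:
    """Highest level whose metrics, and all lower levels' metrics, are all met.

    Levels are cumulative: a gap at level 1 means level 2 cannot count even if
    its own metrics happen to be satisfied.
    """
    score = 0
    for level in LEVELS:
        results = assessment.metrics_met.get(level, [])
        if results and all(results):
            score = level
        else:
            break  # first unmet level stops the climb
    return score


def next_objective(score: int):
    """Target for the next iteration: the next Objective, or None at level 3."""
    return score + 1 if score < max(LEVELS) else None


def scorecard(assessments):
    """Map each Practice name to its current score."""
    return {a.name: practice_score(a) for a in assessments}


def plan_iteration(assessments, selected):
    """For Practices chosen (by risk profile, compliance, budget, ...) return
    {name: (current_score, target_objective)} for the coming iteration."""
    plan = {}
    for a in assessments:
        if a.name in selected:
            current = practice_score(a)
            plan[a.name] = (current, next_objective(current))
    return plan


# Constructed sample: four of the twelve Practices, with per-level metric results.
SAMPLE = [
    # level 1 fully met, level 2 only partly met -> score 1
    PracticeAssessment("Strategy & Metrics", {1: [True, True, True], 2: [True, False]}),
    # nothing met -> score 0
    PracticeAssessment("Threat Assessment", {1: [False, False]}),
    # level 1 has a gap, so the met level-2 metrics do not count -> score 0
    PracticeAssessment("Policy & Compliance", {1: [True, False], 2: [True, True]}),
    # every level met -> score 3, no further Objective to target
    PracticeAssessment("Security Requirements", {1: [True, True], 2: [True, True], 3: [True, True, True]}),
]

if __name__ == "__main__":
    for name, score in scorecard(SAMPLE).items():
        print(f"{name:<25} {score}")
    print(plan_iteration(SAMPLE, {"Strategy & Metrics", "Threat Assessment"}))
```

Running the module prints the scorecard and then the iteration plan, e.g. `Strategy & Metrics` at 1 targeting Objective 2 and `Threat Assessment` at 0 targeting Objective 1. The cumulative check is the part worth keeping in mind when filling in the data: partially met higher levels never raise the score.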

Additional Resources