This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

SAMM - Strategy & Metrics - 2

Revision as of 00:32, 20 April 2015 by David Fern (talk | contribs)

Jump to: navigation, search
250px-OpenSAMM_logo.png For the latest project news and information,
join the mailing list and visit the OpenSAMM website.

SM1.png SM2.png SM3.png


Strategy & Metrics - 2

Objective: Measure relative value of data and software assets and choose risk tolerance


  • Customized assurance plans per project based on core value to the business
  • Organization-wide understanding of security-relevance of data and application assets
  • Better informed stakeholders with respect to understanding and accepting risks

Add’l Success Metrics

  • >90% applications and data assets evaluated for risk classification in past 12 months
  • >80% of staff briefed on relevant application and data risk ratings in past 6 months
  • >80% of staff briefed on relevant assurance program roadmap in past 3 months

Add’l Costs

  • Buildout or license of application and data risk categorization scheme
  • Program overhead from more granular roadmap planning

Add’l Personnel

  • Architects (2 days/yr)
  • Managers (2 days/yr)
  • Business Owners (2 days/yr)
  • Security Auditor (2 days/yr)

Related Levels

  • Policy & Compliance - 2
  • Threat Assessment - 2
  • Design Review - 2


A. Classify data and applications based on business risk

Establish a simple classification system to represent risk-tiers for applications. In its simplest form, this can be a High/Medium/Low categorization. More sophisticated classifications can be used, but there should be no more than seven categories and they should roughly represent a gradient from high to low impact against business risks.

Working from the organization’s business risk profile, create project evaluation criteria that maps each project to one of the risk categories. A similar but separate classification scheme should be created for data assets and each item should be weighted and categorized based on potential impact to business risks.

Evaluate collected information about each application and assign each a risk category based upon overall evaluation criteria and the risk categories of data assets in use. This can be done centrally by a security group or by individual project teams through a customized questionnaire to gather the requisite information.

An ongoing process for application and data asset risk categorization should be established to assign categories to new assets and keep the existing information updated at least biannually.

B. Establish and measure per-classification security goals

With a classification scheme for the organization’s application portfolio in place, direct security goals and assurance program roadmap choices can be made more granular.

The assurance program’s roadmap should be modified to account for each application risk category by specifying emphasis on particular Practices for each category. For each iteration of the assurance program, this would typically take the form of prioritizing more higher-level Objectives on the highest risk application tier and progressively less stringent Objectives for lower/other categories.

This process establishes the organization’s risk tolerance since active decisions must be made as to what specific Objectives are expected of applications in each risk category. By choosing to keep lower risk applications at lower levels of performance with respect to the Security Practices, resources are saved in exchange for acceptance of a weighted risk. However, it is not necessary to arbitrarily build a separate roadmap for each risk category since that can leads to inefficiency in management of the assurance program itself.

Additional Resources