Blogs

The "Not Applicable" Question

By The SAMM Project Team in assessment

February 28, 2023

The Core Team’s Thoughts Since the initial publication of SAMM 2.0, several SAMM users have asked how to address Activities or Quality Criteria they believe are not applicable to their assessment’s scope. At the recent SAMM Core Team Summit in Boston, we discussed this question at some length, and this article summarizes that conversation. The topic really involves several questions, which we’ll address one at a time. Is it valid to declare an Activity Not Applicable?

Continue reading

Tackling App Security with SAMM-NIST SSDF Mapping

By The SAMM Project Team in mapping

February 6, 2023

The Application Security Challenge The increasing dependence on software in our daily lives has made the challenge of ensuring its security more pressing. Despite being a critical concern, cybersecurity is often not a priority for organizations until there is an incident or breach. This has resulted in the cost of cyber insurance doubling in the past two years and the total cost of cybercrime in 2022 reaching $7 trillion .

Continue reading

Introducing SAMM Practitioners

By The SAMM Project Team in community

December 5, 2022

Why SAMM Practitioners? We want to adopt OWASP SAMM 2.0 at my workplace. Can you recommend a company to help us do this? SAMM team members get asked this a lot through the different channels of communication like our Slack channel and the contact form on the website. Obviously, we know many companies, organizations, and individuals who can do this. We are a community-driven project and a number of volunteers have contributed to SAMM so it wasn’t an easy answer for us to provide.

Continue reading

Addressing Log4J vulnerabilities with SAMM

By The SAMM Project Team in guidance

February 7, 2022

It’s that dreaded notification. The one that holds the threat, and later the reality, of many sleepless nights. The newest vulnerability is here and its severity is considered critical. This Log4J vulnerability (CVE-2021-44228) has caused quite the stir, and rightfully so. It’s kept security peeps on our toes for the last few months so it was interesting to see this topic come up during our last SAMM monthly community call.

Continue reading

OWASP SAMM Train the Trainer

By The SAMM Project Team in training

November 30, 2021

Expanding awareness of OWASP SAMM To introduce new users to the OWASP Software Assurance Maturity Model (SAMM), the SAMM project team has presented their one-day overview training class several times each year. These classes often run in conjunction with OWASP’s global and regional conference events. The instructors for that training class - currently titled “Secure Your SDLC using OWASP SAMM - ASAP!” - have usually been the project’s leaders, Sebastien (Seba) Deleersnyder and Bart de Win, or other SAMM team members.

Continue reading

Towards a well-governed SAMM Suite

By The SAMM Project Team in SAMM project

March 23, 2021

Improving the velocity of OWASP SAMM Some years back, SAMM was a typical old school documentation project. Creation of all the documents was a purely manual and error-prone process. We fought a very complicated manual build procedure of the project PDF which only a few people knew how to deal with. Already fixed errors kept reappearing and it was hard to know who actually had the latest version in their mailbox.

Continue reading

OWASP SAMM Roadmap

By The SAMM Project Team in SAMM project

February 9, 2021

What happened in 2020? This was a special year but still a lot happened for SAMM. The team worked hard to continue delivering and adding value for our users. New version, new website, new ways of getting together In 2020 we launched OWASP SAMM v2.0, more than 10 years after OpenSAMM v1.0 was launched on March 25th, 2009 by Pravir Chandra. Throughout 2020 we developed and released a new website and promoted the launch of SAMM v2.

Continue reading

Comparing BSIMM & SAMM

By Brian Glas in guidance

October 29, 2020

Building Security In Maturity Model (BSIMM) compared to Software Assurance Maturity Model (SAMM) A common origin BSIMM (Building Security In Maturity Model) and SAMM (Software Assurance Maturity Model) have similar origins dating back to a common origin back in 2008-2009. I’m frequently asked about what is similar and what is different between the two models, so I wrote up this comparison to help organizations understand which of these two models may be a better fit for their needs.

Continue reading

SAMM is doing CI/CD

By The SAMM Project Team in SAMM project

March 31, 2020

What version 2 brought along A significant change that happened behind the scenes for SAMM 2.0 was the addition of a CI/CD pipeline, the automated version of all the steps we need to deliver SAMM. It has enhanced our productivity, providing standardization and enabling faster iterations. At the core of Continuous Integration and Continuous Delivery are speed of delivery, reliability, and visibility. This process encourages frequent updates, allows quick fixes, and ensures a set of checks before deployment.

Continue reading

OWASP SAMM version 2 - public release

By The SAMM Project Team in SAMM project

January 31, 2020

After three years of preparation, our SAMM project team has delivered version 2 of SAMM! OWASP SAMM (Software Assurance Maturity Model) is the OWASP framework to help organizations assess, formulate, and implement, through our self-assessment model, a strategy for software security they can integrate into their existing Software Development Lifecycle (SDLC). The new SAMM v2 consists of the following components: The SAMM Model overview and introduction, explaining the maturity model in detail A Quick-start Guide with different steps to improve your secure software practice An updated SAMM Toolbox to perform SAMM assessments and create SAMM roadmaps A new SAMM Benchmark initiative to compare your maturity and progress with other similar organizations and teams What’s changed with SAMM v2?

Continue reading

Search

Categories

Tags