Blogs

The "Not Applicable" Question

The Core Team’s Thoughts

Since the initial publication of SAMM 2.0, several SAMM users have asked how to address Activities or Quality Criteria they believe are not applicable to their assessment’s scope. At the recent SAMM Core Team Summit in Boston, we discussed this question at some length, and this article summarizes that conversation. The topic really involves several questions, which we’ll address one at a time.

Is it valid to declare an Activity Not Applicable?

Yes, it is – strictly speaking – valid to declare an Activity not applicable to the current assessment’s scope. But… we contend it’s very rarely true. Consider a couple of common scenarios:

Tackling App Security with SAMM-NIST SSDF Mapping

The Application Security Challenge

The increasing dependence on software in our daily lives has made the challenge of ensuring its security more pressing. Despite being a critical concern, cybersecurity is often not a priority for organizations until there is an incident or breach. This has resulted in the cost of cyber insurance doubling in the past two years and the total cost of cybercrime in 2022 reaching $7 trillion. To address this challenge, organizations are increasing their cyber budgets but are still struggling to adopt an effective security program that can provide a return on investment. The need for a comprehensive and effective security program is more important than ever to maintain the protection of sensitive information and the stability of digital infrastructure.

Introducing SAMM Practitioners

Why SAMM Practitioners?

We want to adopt OWASP SAMM 2.0 at my workplace. Can you recommend a company to help us do this?

SAMM team members get asked this a lot through the different channels of communication like our Slack channel and the contact form on the website.

Obviously, we know many companies, organizations, and individuals who can do this. We are a community-driven project and a number of volunteers have contributed to SAMM so it wasn’t an easy answer for us to provide. We needed to do this in a way that is useful to the community, that points to quality services, and is not biased.


Addressing Log4J vulnerabilities with SAMM

SAMM assessment

It’s that dreaded notification. The one that holds the threat, and later the reality, of many sleepless nights. The newest vulnerability is here and its severity is considered critical.

This Log4J vulnerability (CVE-2021-44228) has caused quite the stir, and rightfully so. It’s kept security peeps on our toes for the last few months so it was interesting to see this topic come up during our last SAMM monthly community call. One participant asked the very relevant question:


OWASP SAMM Train the Trainer

Expanding awareness of OWASP SAMM

To introduce new users to the OWASP Software Assurance Maturity Model (SAMM), the SAMM project team has presented their one-day overview training class several times each year. These classes often run in conjunction with OWASP’s global and regional conference events. The instructors for that training class - currently titled “Secure Your SDLC using OWASP SAMM - ASAP!” - have usually been the project’s leaders, Sebastien (Seba) Deleersnyder and Bart de Win, or other SAMM team members.


Towards a well-governed SAMM Suite

Improving the velocity of OWASP SAMM

Some years back, SAMM was a typical old-school documentation project. Creation of all the documents was a purely manual and error-prone process. We fought a very complicated manual build procedure for the project PDF which only a few people knew how to deal with. Errors that had already been fixed kept reappearing, and it was hard to know who actually had the latest version in their mailbox.

OWASP SAMM Roadmap

What happened in 2020?

This was a special year but still a lot happened for SAMM. The team worked hard to continue delivering and adding value for our users.

2020

New version, new website, new ways of getting together

In 2020 we launched OWASP SAMM v2.0, more than 10 years after OpenSAMM v1.0 was launched on March 25th, 2009 by Pravir Chandra.

Throughout 2020 we developed and released a new website and promoted the launch of SAMM v2.0 to our community. We had a dynamic and rewarding online SAMM User Day on 16 June 2020.

Comparing BSIMM & SAMM

Building Security In Maturity Model (BSIMM) compared to Software Assurance Maturity Model (SAMM)

A common origin

BSIMM (Building Security In Maturity Model) and SAMM (Software Assurance Maturity Model) share a common origin dating back to 2008-2009. I’m frequently asked about what is similar and what is different between the two models, so I wrote up this comparison to help organizations understand which of these two models may be a better fit for their needs.

SAMM is doing CI/CD

What version 2 brought along

A significant change that happened behind the scenes for SAMM 2.0 was the addition of a CI/CD pipeline, the automated version of all the steps we need to deliver SAMM. It has enhanced our productivity, providing standardization and enabling faster iterations. At the core of Continuous Integration and Continuous Delivery are speed of delivery, reliability, and visibility. This process encourages frequent updates, allows quick fixes, and ensures a set of checks before deployment. It increases visibility, since every team member can see what is going on with the code.


OWASP SAMM version 2 - public release

After three years of preparation, our SAMM project team has delivered version 2 of SAMM!

OWASP SAMM (Software Assurance Maturity Model) is the OWASP framework to help organizations assess, formulate, and implement, through our self-assessment model, a strategy for software security they can integrate into their existing Software Development Lifecycle (SDLC).

The new SAMM v2 consists of the following components:

  • The SAMM Model overview and introduction, explaining the maturity model in detail
  • A Quick-start Guide with different steps to improve your secure software practice
  • An updated SAMM Toolbox to perform SAMM assessments and create SAMM roadmaps
  • A new SAMM Benchmark initiative to compare your maturity and progress with other similar organizations and teams

What’s changed with SAMM v2?

For those organizations using earlier versions of SAMM, it’s important to take the time to understand how the framework has evolved in favor of automation and better alignment with development teams. Organizationally, there are some important changes worth noting: