We are excited to announce that each OWASP-SAMM stream now uses OpenCRE.org to link to other standards and guidelines. OpenCRE stands for Open Common Requirement Enumeration, and it aims to provide a common language and framework for mapping and comparing different security standards, guidelines, and frameworks. By linking SAMM to OpenCRE, we’ve made it easier for our users to find relevant and useful resources with every stream, as well as to see how SAMM aligns with other security standards such as NIST SSDF, ISO27K, PCI-DSS, OWASP ASVS, and NIST 800-53.
When performing a SAMM assessment, should the scope be the whole organization or should it be smaller, like a business unit or even a single team or application? The short answer? Start small. Getting started Start by evaluating your goals. What do you want to achieve? Do you aim to identify and prioritize areas of improvement in your organization’s security posture? Do you seek to establish a baseline for measuring the effectiveness of your security program over time?
October 2022 brought us the third revision of the ISO/IEC 27001 standard. The revisions included simplifying the domains and controls, using more practical language, and introducing new controls. The addition of a separate control for “Secure Coding.” provides an opportunity to highlight how OWASP SAMM and ISO 27001 are complementary standards. In this blog post, we shine light on how they intersect and how, implemented together, you can maximize their effectiveness and value.
The Core Team’s Thoughts Since the initial publication of SAMM 2.0, several SAMM users have asked how to address Activities or Quality Criteria they believe are not applicable to their assessment’s scope. At the recent SAMM Core Team Summit in Boston, we discussed this question at some length, and this article summarizes that conversation. The topic really involves several questions, which we’ll address one at a time. Is it valid to declare an Activity Not Applicable?
The Application Security Challenge The increasing dependence on software in our daily lives has made the challenge of ensuring its security more pressing. Despite being a critical concern, cybersecurity is often not a priority for organizations until there is an incident or breach. This has resulted in the cost of cyber insurance doubling in the past two years and the total cost of cybercrime in 2022 reaching $7 trillion .
Why SAMM Practitioners? We want to adopt OWASP SAMM 2.0 at my workplace. Can you recommend a company to help us do this? SAMM team members get asked this a lot through the different channels of communication like our Slack channel and the contact form on the website. Obviously, we know many companies, organizations, and individuals who can do this. We are a community-driven project and a number of volunteers have contributed to SAMM so it wasn’t an easy answer for us to provide.
It’s that dreaded notification. The one that holds the threat, and later the reality, of many sleepless nights. The newest vulnerability is here and its severity is considered critical. This Log4J vulnerability (CVE-2021-44228) has caused quite the stir, and rightfully so. It’s kept security peeps on our toes for the last few months so it was interesting to see this topic come up during our last SAMM monthly community call.
Expanding awareness of OWASP SAMM To introduce new users to the OWASP Software Assurance Maturity Model (SAMM), the SAMM project team has presented their one-day overview training class several times each year. These classes often run in conjunction with OWASP’s global and regional conference events. The instructors for that training class - currently titled “Secure Your SDLC using OWASP SAMM - ASAP!” - have usually been the project’s leaders, Sebastien (Seba) Deleersnyder and Bart de Win, or other SAMM team members.
Improving the velocity of OWASP SAMM Some years back, SAMM was a typical old school documentation project. Creation of all the documents was a purely manual and error-prone process. We fought a very complicated manual build procedure of the project PDF which only a few people knew how to deal with. Already fixed errors kept reappearing and it was hard to know who actually had the latest version in their mailbox.
What happened in 2020? This was a special year but still a lot happened for SAMM. The team worked hard to continue delivering and adding value for our users. New version, new website, new ways of getting together In 2020 we launched OWASP SAMM v2.0, more than 10 years after OpenSAMM v1.0 was launched on March 25th, 2009 by Pravir Chandra. Throughout 2020 we developed and released a new website and promoted the launch of SAMM v2.