OWASP SAMM Train the Trainer

By The SAMM Project Team | November 30, 2021

Expanding awareness of OWASP SAMM

To introduce new users to the OWASP Software Assurance Maturity Model (SAMM), the SAMM project team has presented their one-day overview training class several times each year. These classes often run in conjunction with OWASP’s global and regional conference events. The instructors for that training class - currently titled “Secure Your SDLC using OWASP SAMM - ASAP!” - have usually been the project’s leaders, Sebastien (Seba) Deleersnyder and Bart de Win, or other SAMM team members.

As we considered our goals to expand awareness and enable more software professionals to use SAMM, we realized there’s something we need to help make that happen - more trainers! We need trainers around the world, ready, willing, and able to present SAMM training - whether at security conferences and training events, or within organizations adopting SAMM.

Earlier this year, the SAMM Project received a grant from Motorola Solutions, Inc. (MSI), to develop a two-day SAMM Train the Trainer class. Thanks to MSI’s generous support, we were able to fund the development of course materials, as well as the inaugural presentation of the training class, held in August. MSI’s interest arose from the fact they’re part of a key audience for this training - a large, geographically dispersed organization planning to employ SAMM throughout the enterprise, to assess and improve the AppSec maturity of business units and software product teams. To accomplish such a large-scale rollout, organizations need a number of staff ready and able to present introductory SAMM training where and when it’s needed.

Class purpose and content

The purpose of this new class is as the name implies: preparing people to present the one-day SAMM overview training class. Class content focuses on providing prospective trainers with a deeper understanding of the SAMM model, processes, and tools, coupled with guidance on presenting the course content and workshop exercises. By design, this is not a “how to be a trainer” class, rather it’s intended for experienced trainers seeking guidance on presenting the SAMM content.

A key objective of the SAMM overview training is for attendees to begin applying the model to their own organizations, by identifying an application, team, or business unit they’d like to assess, then taking their first steps toward performing that assessment. In the Train the Trainer class, attendees work through a case study for a hypothetical application and receive specific guidance on leading those exercises in their own training sessions.

[Image: SAMM assessment]

Training format

The ideal length for a SAMM Train the Trainer event is two days' worth of class time - typically, 13 - 14 hours of instruction. Although face-to-face interaction is always preferable, the class materials are suitable for virtual presentation. Our inaugural class was taught by its developer, John DiLeo; he’s a member of the core SAMM project team, and he lives and works in Auckland, New Zealand. John presented the class in a series of seven (7) two-hour sessions over a two-week period, via Zoom, to Motorola staff located in Canada, Poland, and throughout the United States.

The materials for the SAMM Train the Trainer class are freely available and may be obtained here. Before launching a SAMM Train the Trainer program, however, we recommend prospective instructors attend the SAMM overview class (even if you’re already familiar with SAMM), followed by a Train the Trainer event presented by the SAMM Project team.

Want to learn more?

For more information about upcoming training and events, please visit our events page. To get involved in the community of SAMM users, come chat with us in our Slack channel. And be sure to join us for our monthly project update calls on the second Wednesday of the month at 9:30 p.m. Central European Time / 3:30 p.m. US Eastern Time.