Assessment

SAMM Scoring: Percent to Target and Progress to Date Metrics

Introduction: the “not applicable” answer

A common question among SAMM users is whether specific activities, streams, or entire practices can be marked as not applicable. This seems reasonable—some security activities might not fit an organization’s current reality. For example, the Supplier Security stream focuses on supply-chain risks in outsourced development. If your organization doesn’t outsource, it might seem irrelevant. The SAMM core team acknowledges this, but emphasizes future readiness. While an activity may not apply today, it could become relevant later. This leaves organizations with two unsatisfactory choices:

OWASP SAMM now connects to OpenCRE

We are excited to announce that each OWASP-SAMM stream now uses OpenCRE.org to link to other standards and guidelines. OpenCRE stands for Open Common Requirement Enumeration, and it aims to provide a common language and framework for mapping and comparing different security standards, guidelines, and frameworks. By linking SAMM to OpenCRE, we’ve made it easier for our users to find relevant and useful resources with every stream, as well as to see how SAMM aligns with other security standards such as NIST SSDF, ISO27K, PCI-DSS, OWASP ASVS, and NIST 800-53.

Determining scope when implementing SAMM

When performing a SAMM assessment, should the scope be the whole organization or should it be smaller, like a business unit or even a single team or application?

The short answer? Start small.

Getting started

Start by evaluating your goals. What do you want to achieve?

  • Do you aim to identify and prioritize areas of improvement in your organization’s security posture?
  • Do you seek to establish a baseline for measuring the effectiveness of your security program over time?
  • Do you want to demonstrate compliance with industry standards and regulations?

Defining your goals clearly ensures that your assessment is focused and effective, and that the resulting roadmap is aligned with your organization’s overall security strategy. Involve all relevant stakeholders in this process, including business leaders, development teams, security professionals, and other key personnel, to guarantee the assessment is comprehensive and aligned with the organization’s broader goals and priorities.

How ISO and SAMM complement each other

October 2022 brought us the third revision of the ISO/IEC 27001 standard.

The revisions included simplifying the domains and controls, using more practical language, and introducing new controls. The addition of a separate control for “Secure Coding” provides an opportunity to highlight how OWASP SAMM and ISO 27001 are complementary standards.

In this blog post, we shine light on how they intersect and how, implemented together, you can maximize their effectiveness and value.

The "Not Applicable" Question

The Core Team’s Thoughts

Since the initial publication of SAMM 2.0, several SAMM users have asked how to address Activities or Quality Criteria they believe are not applicable to their assessment’s scope. At the recent SAMM Core Team Summit in Boston, we discussed this question at some length, and this article summarizes that conversation. The topic really involves several questions, which we’ll address one at a time.

Is it valid to declare an Activity Not Applicable?

Yes, it is – strictly speaking – valid to declare an Activity not applicable to the current assessment’s scope. But… we contend it’s very rarely true. Consider a couple of common scenarios:
