SAMM to Assignments

This mapping connects each SAMM stream to the assignment that leads it and the stakeholders that support it. Use it to identify who in your organization should own and contribute to each security activity.

For each stream, the lead is the role that drives the work. Stakeholders support or collaborate.

Governance

Strategy & Metrics

A: Create and Promote

  • Lead: Product Security Strategy
  • Stakeholders: Organizational Security Strategy, Business Strategy
Rationale: Product security strategy takes the lead, in close collaboration with organizational security strategy. In smaller organizations, these responsibilities often sit in the same role. The wider executive management team needs to be on board for a security initiative to succeed.

B: Measure and Improve

  • Lead: Product Security Strategy
  • Stakeholders: Organizational Security Strategy, Business Strategy
Rationale: Product security strategy and organizational security strategy jointly create the measurement-based improvement approach. Executive management are informed stakeholders.

Policy & Compliance

A: Policy & Standards

  • Lead: Product Security Strategy
  • Stakeholders: Organizational Security Strategy, Architecture, Evangelizing Security
Rationale: Policies and standards are defined by product security strategy and signed off by organizational security strategy. Architecture assists in translation to specific product areas, and evangelizing security handles translation to all teams.

B: Compliance Management

  • Lead: Organizational Security Strategy
  • Stakeholders: Cybersecurity Regulatory Compliance, Product Security Strategy, Product Ownership
Rationale: Organizational security strategy leads compliance management, working with cybersecurity regulatory compliance. Product security strategy and product ownership are key stakeholders.

Education & Guidance

A: Training and Awareness

  • Lead: Evangelizing Security
  • Stakeholders: Security Awareness and Training
Rationale: Evangelizing security leads the effort on selecting and pushing for secure development and role-specific training, working with security awareness and training to roll it out across the organization.

B: Organization and Culture

  • Lead: Evangelizing Security
  • Stakeholders: Technical Leadership (Dev Lead), Product Security Strategy
Rationale: The evangelizing security lead builds a team of security evangelists and scales the practice, supported by technical leadership and assisted by product security strategy.

Design

Threat Assessment

A: Application Risk Profile

  • Lead: Product Security Strategy
  • Stakeholders: Organizational Security Strategy, Product Ownership, Architecture
Rationale: Product security strategy takes the lead, collaborating with organizational security strategy (which defines the overall risk appetite). Product ownership assists with mapping risk profiles to requirements. Architecture provides technical guidance.

B: Threat Modeling

  • Lead: Architecture
  • Stakeholders: Offensive Security Testing, Product Ownership, Technical Leadership (Dev Lead)
Rationale: Architecture leads the threat modeling practice. Offensive security testing contributes realistic threat scenarios. Product ownership helps define threat risk. Technical leadership plays a supporting role.

Security Requirements

A: Software Requirements

  • Lead: Architecture
  • Stakeholders: Product Ownership, Evangelizing Security, Defensive Security Testing
Rationale: Architecture advises product ownership on security requirements. Evangelizing security helps refine them in the team. Defensive security testing supports from their knowledge domain.

B: Supplier Security

  • Lead: Vendor Management
  • Stakeholders: Cybersecurity Regulatory Compliance, Product Security Strategy
Rationale: Vendor management owns the assignment and is advised on security matters by cybersecurity regulatory compliance and product security strategy.

Secure Architecture

A: Architecture Design

  • Lead: Architecture
  • Stakeholders: Technical Leadership (Dev Lead)
Rationale: Security is a core component of any architecture. Architecture and technical leadership both need to build up security knowledge as the organization matures.

B: Technology Management

  • Lead: Architecture
  • Stakeholders: Defensive Security Testing, Technical Leadership (Dev Lead)
Rationale: Technology management assesses the risks of the technologies in use; defensive security testing can support that assessment. Architecture remains the lead, with technical leadership involved.

Implementation

Secure Build

A: Build Process

  • Lead: Build System and Automation
  • Stakeholders: Technical Leadership (Dev Lead), Architecture
Rationale: Build system and automation sets up the build and deploy pipelines. Technical leadership is closely involved. Architecture has a secondary role as certain architectural considerations may be essential for CI/CD.

B: Software Dependencies

  • Lead: Build System and Automation
  • Stakeholders: Architecture, Cybersecurity Regulatory Compliance, Technical Leadership (Dev Lead)
Rationale: As with the build process, build system and automation leads, with architecture and technical leadership involved. Cybersecurity regulatory compliance is included because third-party dependencies carry licensing implications.

Secure Deployment

A: Deployment Process

  • Lead: Build System and Automation
  • Stakeholders: Architecture, Technical Leadership (Dev Lead)
Rationale: Build system and automation leads the deployment pipelines. Technical leadership is closely involved. Architecture has a secondary role for CI/CD considerations.

B: Secret Management

  • Lead: Build System and Automation
  • Stakeholders: Architecture, Technical Leadership (Dev Lead)
Rationale: The same responsibilities as deployment process, but architecture plays a more essential role due to the interplay between secret management and architectural decisions.

Defect Management

A: Defect Tracking

  • Lead: Technical Leadership (Dev Lead)
  • Stakeholders: Evangelizing Security, Defensive Security Testing
Rationale: Technical leadership is primarily responsible for defect tracking, in close collaboration with evangelizing security. Defensive security testing plays a secondary role.

B: Metrics and Feedback

  • Lead: Evangelizing Security
  • Stakeholders: Product Security Strategy, Technical Leadership (Dev Lead)
Rationale: This is the team-level equivalent of Strategy & Metrics stream B, Measure and Improve (G-SM-B). Evangelizing security functions as the liaison between product security strategy and technical leadership.

Verification

Architecture Assessment

A: Architecture Validation

  • Lead: Defensive Security Testing
  • Stakeholders: Architecture, Technical Leadership (Dev Lead)
Rationale: While this is in the architecture domain, defensive security testing leads in the verification phase. Technical leadership is closely involved: what their team has built based on the architecture is what gets evaluated.

B: Architecture Mitigation

  • Lead: Offensive Security Testing
  • Stakeholders: Architecture
Rationale: The offensive counterpart of architecture validation.

Requirements Testing

A: Control Verification

  • Lead: Defensive Security Testing
  • Stakeholders: Technical Leadership (Dev Lead)
Rationale: Defensive security testing leads manual and automated verification. Technical leadership ensures all requirements translate to security test cases.

B: Misuse/Abuse Testing

  • Lead: Offensive Security Testing
  • Stakeholders: Technical Leadership (Dev Lead)
Rationale: The offensive counterpart of control verification. Offensive security testing leads to ensure realistic abuse test cases are covered, with technical leadership in the loop for full requirement coverage.

Security Testing

A: Scalable Baseline

  • Lead: Defensive Security Testing
  • Stakeholders: Build System and Automation, Product Security Strategy, Technical Leadership (Dev Lead)
Rationale: Defensive security testing advises on test tooling and helps with triaging results. Build system and automation integrates the tooling. Product security strategy and technical leadership determine response times and KPIs.

B: Deep Understanding

  • Lead: Offensive Security Testing
  • Stakeholders: Technical Leadership (Dev Lead), Architecture
Rationale: Offensive security testing leads maturation of this stream. Technical leadership and architecture define critical components and ensure flagged issues get resolved.

Operations

Incident Management

A: Incident Detection

  • Lead: Security Operations
  • Stakeholders: Infrastructure, Technical Leadership (Dev Lead)
Rationale: Security operations handles daily incident detection. Infrastructure and technical leadership provide integrations and logging, and are pulled in when incidents are detected.

B: Incident Response

  • Lead: Security Operations
  • Stakeholders: Infrastructure, Technical Leadership (Dev Lead), Organizational Security Strategy
Rationale: Security operations leads initial incident response. Infrastructure and technical leadership are second-line responders. Organizational security strategy helps define contingency scenarios.

Environment Management

A: Configuration Hardening

  • Lead: Infrastructure
  • Stakeholders: Technical Leadership (Dev Lead), Architecture
Rationale: Infrastructure leads configuration hardening. Technical leadership and architecture ensure applications maintain the required level of hardening.

B: Patching and Updating

  • Lead: Infrastructure
  • Stakeholders: Technical Leadership (Dev Lead), Architecture, Security Operations
Rationale: Patching and updating is carried out by infrastructure. Technical leadership and architecture are involved in planning. Security operations provides threat intelligence.

Operational Management

A: Data Protection

  • Lead: Cybersecurity Regulatory Compliance
  • Stakeholders: Architecture, Technical Leadership (Dev Lead), Infrastructure
Rationale: Data protection is largely led by legal and compliance. Technical leadership creates and maintains data catalogs. Infrastructure handles backups and their timely destruction.

B: System Decommissioning / Legacy Management

  • Lead: Product Ownership
  • Stakeholders: Technical Leadership (Dev Lead), Infrastructure
Rationale: Product ownership manages the product lifecycle. Technical leadership supports this lifecycle together with infrastructure, which handles upgrades and migrations.