From Policy to Proof: Automating Testing for Compliance

Spyros Gasteratos
OWASP, Smithy Open Source Developer
Abstract
Most organizations track their SAMM and DSOMM progress in spreadsheets, Confluence pages, or endless status meetings. If they’re lucky, they have the budget to get a tool like SAMMY. But when it’s time to prove you’re doing the thing, whether that’s secure code reviews, SAST scans, or release gating, the evidence is scattered across tools, teams, and tribal knowledge.
In this talk, we’ll explore how to turn SAMM and DSOMM requirements into automated, verifiable tests that run as part of your development workflows. We’ll walk through:
- Mapping SAMM activities to machine-checkable signals
- Pulling compliance evidence directly from your existing tools
- Detecting gaps before an audit catches them
- Automating release gates to enforce maturity standards in real time
We’ll use real-world examples to show what this looks like in practice, featuring a collection of open-source automations as our reference implementation so you can take the patterns home and adapt them to your own environment. Let’s move from “we think we comply” to “we know we comply and we can prove it”.
Speaker bio
Spyros has almost 20 years of experience in the security world. Since the beginning of his career he has been an avid supporter of and contributor to open source software, and an OWASP volunteer. Currently he is interested in the harmonization of security tools and information, and is helping fintechs set up and automate large parts of their AppSec programmes. He also maintains several open source projects, including the security automation framework Smithy and opencre.org, the world’s largest security knowledge graph. Also, he usually doesn’t speak about himself in the third person.