What should be the organizational scope of an OWASP SAMM assessment?
Discussion around what the scope of an OWASP SAMM assessment should be. It can range from one dev team to the whole organisation and anything in between. My understanding is that one application team is assessed, but there are a lot of aspects, like in the Governance business function or also the Operations business function, that will be defined in a wider scope, e.g., organisation-wide, for one division of a larger organisation, for a subsidiary, or for a country representation of a company. The discussion here should be around how assessments can be combined between application development teams and aggregated at a higher level.
Questions to discuss can include:
- Should application team assessment include the whole scope of an OWASP SAMM assessment or only the parts that an application team can talk about with authority? Should strategy & metrics be excluded when performing an assessment with an application team?
- Also, if several or all application development teams are assessed, should their results be aggregated and averaged out to get an assessment of the whole software development organisation?
The result of this discussion can be a proposal on how to combine assessments in a large organisation. This workshop also ties in with my other suggestion about the roles in an organisation that respond to the questions of an OWASP SAMM assessment.
Carsten has over 10 years of experience in application security. He has carried out numerous AppSec program rollouts and deployments as a professional services consultant at HP and Fortify Software before becoming the practice principal of the Fortify professional services team in EMEA and managing a team of up to about eight software security consultants.
When joining Checkmarx in 2016, Carsten initially worked as the first Technical Account Manager (TAM) at Checkmarx in EMEA, handling some of the largest accounts of Checkmarx. After about 1.5 years in this role Carsten started building the team of technical account managers around him and a year later also the AppSec advisor team. Carsten has contributed to the OWASP SAMM project and has presented at various application security conferences.