Secure SDLC Cheat Sheet

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Background =

This cheat sheet provides a quick reference on the most important initiatives to build security into multiple parts of software development processes. This cheat sheet is based on the OWASP Software Assurance Maturity Model (SAMM) which can be integrated into any existing SDLC.

SAMM is built around a set of 12 security practices, grouped into 4 business functions. Each security practice contains a set of activities, structured into 3 maturity levels. Activities at a lower maturity level are typically easier to execute and require less formalization than those at a higher maturity level.

The structure and setup of the SAMM maturity model are made to support:
 # The assessment of the current software assurance posture
 # The definition of the strategy (i.e. the target) that the organization should take
 # The formulation of an implementation roadmap of how to get there
 # Prescriptive advice on how to implement particular activities

In that sense, the value of SAMM lies in providing a means to know where your organization is on its journey towards software assurance, and to understand what is recommended to move to the next level of maturity. Note that SAMM does not insist that all organizations achieve maturity level 3 in every category. Instead, you determine the target maturity level for each security practice that best fits your organization and its needs. SAMM provides a number of templates for typical organizations to this end, but you can adapt these as you see fit.

= How to Apply =

A typical approach of using SAMM in an organization is as follows:

As part of a quick-start effort, the first four phases (preparation, assess, set the target and define the plan) can be executed by a single person in a limited amount of time (1 to 2 days). Securing support for the plan within the organization, as well as the implementation and roll-out phases, typically requires much more time to execute.

= Final Notes =

The best way to grasp SAMM is to start using it. This document has presented a number of concrete steps and supportive material to execute them. Now it’s your turn. We warmly invite you to spend a day or two following the first steps, and you will quickly understand and appreciate the added value of the model. Enjoy! Suggestions for improvements are very welcome. And if you’re interested, consider joining the mailing list or becoming part of the OpenSAMM community.