OWASP DHS SWA Day 2010 OpenSAMM
Download the presentation -- Note, some of the images have been removed to reduce file size for download.
A speaker bio for Shakeel Tufail will be posted shortly.
The Open SAMM project is committed to building a usable framework to help organizations formulate and implement a strategy for application security that's tailored to the specific business risks facing the organization.
SAMM is used as a measuring stick against an organization’s security practices and functions. OpenSAMM is a maturity model should be used as a scorecard for improving software assurance and provides prescriptive guidance for technical and non-technical users.
SAMM divides the SDLC into the governance, construction, verification, and deployment business functions consisting of 12 security practices. Each practice is a silo for improvement that can be performed independently or as part of a plan. The maturity of each practice is scored from 0 to 3.
The approach of SAMM is iterative and the goal is to have a phased approach to assess which areas need the most work and prioritize. The initial results are used to create a baseline roadmap from which the phased approach would be developed. The resulting scorecard provides a basis to perform a gap analysis.
A new OpenSAMM version will include new functionality of analyzing feedback, case studies, and mapping of OpenSAMM to other regulations such as PCI, COBIT, CMMI, and FISMA.