OWASP DHS SWA Day 2010 OpenSAMM
Download the presentation -- Note, some of the images have been removed to reduce file size for download.
A speaker bio for Shakeel Tufail will be posted shortly.
The Open SAMM project is committed to building a usable framework to help organizations formulate and implement a strategy for application security that's tailored to the specific business risks facing the organization. Anyone can provide feedback on OSAMM at the OSAMM.ORG web site. SAMM has Creative Commons rights management.
OSAMM is used as a measuring stick against an organization’s security practices and functions. The OSAMM maturity model should be used as a scorecard for improving software assurance and provides prescriptive guidance for technical and non-technical users.
OSAMM divides the SDLC into the governance, construction, verification, and deployment business functions, each consisting of 12 security practices. Each practice is a silo for improvement that can be performed independently or as part of a plan. The maturity of each practice is scored from 0 to 3.
The approach of SAMM is iterative and the goal is to have a phased approach to assess which areas need the most work and prioritize. The initial results are used to create a baseline roadmap from which the phased approach would be developed. The resulting scorecard provides a basis to perform a gap analysis.
A new OSAMM version will include new functionality of analyzing feedback, case studies, and mapping of OSAMM to other regulations such as PCI, COBIT, CMMI, and FISMA. See Software Assurance (SwA) Self-Assessment where the SwA Processes and Practices Working Group has synthesized the contributions of leading government and industry experts (including OSAMM) into a set of high-level goals and supporting practices.