Difference between revisions of "OWASP SAMM Project"

From OWASP
Line 46: Line 46:
 
== Project Leaders ==
 
== Project Leaders ==
  
Project Leaders<br/>[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] [https://www.owasp.org/index.php/User:Pravir_Chandra Pravir Chandra]  
+
Project Leaders<br/>[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] [https://www.owasp.org/index.php/User:Pravir_Chandra Pravir Chandra] [https://www.owasp.org/index.php/Kuai_Hinojosa Kuai Hinojosa]  [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win]  
[https://www.owasp.org/index.php/Kuai_Hinojosa Kuai Hinojosa]  [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win]  
 
  
 
== Related Projects ==
 
== Related Projects ==
Line 75: Line 74:
 
[[Image:zap128x128.png|right]]
 
[[Image:zap128x128.png|right]]
 
<div style="font-size:120%;border:none;margin: 0;color:#000">
 
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP Zed Attack Proxy Project/Pages/Talks | Talks}}
+
{{:Projects/OWASP SAMM Project/Pages/Talks | Talks}}
  
  
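Review bot: the `[[Image:zap128x128.png|right]]` context line directly above the retargeted Talks template is left in place, so the SAMM page still renders the ZAP logo in this tab (the rendered revision below shows `Zap128x128.png` in several tabs); suggest replacing it with a SAMM image or dropping the line in the same change.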
Line 82: Line 81:
 
[[Image:zap128x128.png|right]]
 
[[Image:zap128x128.png|right]]
 
<div style="font-size:120%;border:none;margin: 0;color:#000">
 
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP Zed Attack Proxy Project/Pages/News | News}}
+
{{:Projects/OWASP SAMM Project/Pages/News | News}}
  
 
</div>
 
</div>
= ZAP Gear =
 
[[Image:zap128x128.png|right]]
 
<div style="font-size:120%;border:none;margin: 0;color:#000">
 
  
Yes, you can now buy ZAP related gear!
 
 
Its your chance to show your support for the project, c/o `CafePress`.
 
 
Click on the tshirt to enter the [http://www.cafepress.com/zaproxy ZAP Gear Store]:
 
 
[[Image:zap-tshirt-cp.PNG | link=http://www.cafepress.com/zaproxy]]
 
 
</div>
 
 
= Supporters =
 
= Supporters =
 
[[Image:zap128x128.png|right]]
 
[[Image:zap128x128.png|right]]
 
<div style="font-size:120%;border:none;margin: 0;color:#000">
 
<div style="font-size:120%;border:none;margin: 0;color:#000">
  
ZAP is developed by a worldwide [http://code.google.com/p/zaproxy/people/list team] of volunteers.
+
SAMM is developed and maintained by a worldwide team of volunteers.
  
But we have also been helped by many organizations, either financially or by encouraging their employees to work on ZAP:
+
But we have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM:
  
 
* [http://www.owasp.org OWASP]
 
* [http://www.owasp.org OWASP]
* [http://www.mozilla.org Mozilla]
+
* TBD
* [http://www.sage.co.uk Sage]
 
* [http://www.google.com Google]
 
* [http://www.microsoft.com Microsoft]
 
* [http://www.hacktics.com/ Hacktics, Ernst & Young]
 
* [http://www.dinosec.com/ DinoSec]
 
* [http://www.denimgroup.com Denim Group]
 
* [http://www.aspectsecurity.com/ Aspect Security]
 
* [http://secureideas.net SecureIdeas]
 
* [http://utilisec.com UtiliSec]
 
* [http://www.encription.co.uk/ encription]
 
</div>
 
 
 
= Functionality =
 
[[Image:zap128x128.png|right]]
 
<div style="font-size:120%;border:none;margin: 0;color:#000">
 
'''Some of ZAP's functionality:'''
 
 
 
* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsIntercept Intercepting Proxy]
 
* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsSpider Traditional] and AJAX spiders
 
* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsAscan Automated scanner]
 
* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsPscan Passive scanner]
 
* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsBruteforce Forced browsing]
 
* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsFuzz Fuzzer]
 
* [http://code.google.com/p/zaproxy/wiki/HelpUiDialogsOptionsDynsslcert Dynamic SSL certificates]
 
* [http://code.google.com/p/zaproxy/wiki/SmartCards Smartcard and Client Digital Certificates support]
 
* [http://code.google.com/p/zaproxy/wiki/HelpAddonsWebsocketIntroduction Web sockets] support
 
* [http://code.google.com/p/zaproxy/wiki/HelpAddonsScriptsScripts Support for a wide range of scripting languages]
 
* [http://code.google.com/p/zaproxy/wiki/HelpAddonsPlugnhackPlugnhack Plug-n-Hack support]
 
* Authentication and session support
 
* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsApi Powerful REST based API]
 
* Automatic updating option
 
* [https://code.google.com/p/zap-extensions/ Integrated and growing marketplace of add-ons]
 
  
 
</div>
 
</div>
= Features =
 
[[Image:zap128x128.png|right]]
 
<div style="font-size:120%;border:none;margin: 0;color:#000">
 
'''Some of ZAP's features:'''
 
  
* [http://www.apache.org/licenses/LICENSE-2.0 Open source]
+
= Browse Online =
* Cross platform
+
===== Click on any badge to learn more =====
* Easy to install (just requires java 1.7)
 
* Completely free (no paid for 'Pro' version)
 
* Ease of use a priority
 
* [http://code.google.com/p/zaproxy/wiki/HelpIntro Comprehensive help pages]
 
* Fully internationalized
 
* Translated into over 20 languages
 
* Community based, with involvement actively encouraged
 
* Under active development by an international team of volunteers
 
  
ZAP is a fork of the well regarded [http://www.parosproxy.org/ Paros Proxy].
+
{| cellpadding="1"
 
+
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]
</div>
+
|-
 +
|align="center"|'''Strategy & Metrics'''
 +
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
 +
|-
 +
|align="center"|'''Policy & Compliance'''
 +
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
 +
|-
 +
|align="center"|'''Education & Guidance'''
 +
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
 +
|-
 +
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]
 +
|-
 +
|align="center"|'''Threat Assessment'''
 +
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
 +
|-
 +
|align="center"|'''Security Requirements'''
 +
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
 +
|-
 +
|align="center"|'''Secure Architecture'''
 +
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
 +
|-
 +
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]
 +
|-
 +
|align="center"|'''Design Review'''
 +
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
 +
|-
 +
|align="center"|'''Code Review'''
 +
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
 +
|-
 +
|align="center"|'''Security Testing'''
 +
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
 +
|-
 +
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]
 +
|-
 +
|align="center"|'''Vulnerability Management'''
 +
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
 +
|-
 +
|align="center"|'''Environment Hardening'''
 +
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
 +
|-
 +
|align="center"|'''Operational Enablement'''
 +
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
 +
|-
 +
|}
 
= Languages =
 
= Languages =
[[Image:zap128x128.png|right]]
 
 
<div style="font-size:120%;border:none;margin: 0;color:#000">
 
<div style="font-size:120%;border:none;margin: 0;color:#000">
  
'''ZAP supports the following languages:'''
+
'''SAMM is available in the following languages:'''
  
 
* English
 
* English
* Arabic
+
* Spanish
* Bosnian
+
* Japanese
* Brazilian Portuguese
 
* Chinese
 
* Danish
 
* Filipino
 
* French
 
 
* German
 
* German
* Greek
 
* Indonesian
 
* Italian
 
* Japanese
 
* Korean
 
* Persian
 
* Polish
 
* Russian
 
* Sinhala
 
* Spanish
 
* Urdu
 
  
You can use [http://crowdin.net/project/owasp-zap Crowdin] to help improve these translations or add new ones right now!
+
 
 +
 
 +
You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!
  
 
</div>
 
</div>
 
= Roadmap =
 
= Roadmap =
[[Image:zap128x128.png|right]]
+
 
 
<div style="font-size:120%;border:none;margin: 0;color:#000">
 
<div style="font-size:120%;border:none;margin: 0;color:#000">
  
==Release 2.3.0==
+
'''Project Roadmap:'''<br>
ZAP 2.3.0 has been released, which includes:
+
Is available via this [https://docs.google.com/document/d/1y97loS-JqhDjLqGj8gLZdGLT0GHdp50QpLD59W34wQA/edit link]
* A ZAP 'lite' version in addition to the existing 'full' version
 
* View, intercept, manipulate, resend and fuzz client-side (browser) events
 
* Enhanced authentication support
 
* Support for non standard apps
 
* Input Vector scripts
 
* Scan policy - fine grained control
 
* Advanced Scan dialog
 
* Extended command line options
 
* More API support
 
* Internationalized help file
 
* Keyboard shortcuts
 
* New UI options
 
* More functionality moved to add-ons
 
* New and improved active and passive scanning rules
 
  
For more details see http://code.google.com/p/zaproxy/wiki/HelpReleases2_3_0
 
  
==Release 2.4.0==
+
==Release 1.1 ==
  
 
The major features we are currently working on include:
 
The major features we are currently working on include:
* Client side scanning
+
* Add quick start guide
* Advanced fuzzing
+
* Add tools & OWASP resources
* Advanced access control testing
+
* Add use cases, experience
* SOAP service scanning
+
* Revamp SAMM wiki
* Sequence scanning
 
* Sequence detection
 
  
The date and exact features that will be included in 2.4 have not been finalized.
+
The date and exact items that will be included in 2.0 have not been finalized. The list of requested improvements is [https://docs.google.com/document/d/1MPOMjairq6PQbwIt3fGWp0muTY6yfFwkWjo5cgPEK4s/edit here]
  
 
</div>
 
</div>
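Review bot: the added roadmap heading `==Release 1.1 ==` does not match the added closing sentence "The date and exact items that will be included in 2.0 have not been finalized", which reads like a leftover from the ZAP "2.4" sentence it replaces; align the two version numbers and drop the stray space before the closing `==`. In the same hunk the `[[Image:zap128x128.png|right]]` lines under Supporters, Languages and Roadmap are left untouched, and the Supporters list now consists of `* OWASP` and `* TBD` after the Mozilla/Sage/Google/... entries were removed, so the sentence "we have also been helped by many organizations" currently has no organizations under it.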
Line 231: Line 185:
 
<div style="font-size:120%;border:none;margin: 0;color:#000">
 
<div style="font-size:120%;border:none;margin: 0;color:#000">
  
Involvement in the development of ZAP is actively encouraged!
+
Involvement in the development of SAMM is actively encouraged!
  
 
You do not have to be a security expert in order to contribute.
 
You do not have to be a security expert in order to contribute.
Line 239: Line 193:
 
==Feature Requests==
 
==Feature Requests==
  
Please raise new feature requests as enhancement requests here: http://code.google.com/p/zaproxy/issues/list
+
TBD
 
 
If there are existing requests you are also interested in then please 'star' them - that way we can see which features people are most interested in and can prioritize them accordingly.
 
  
 
==Feedback==
 
==Feedback==
  
Please use the [http://groups.google.com/group/zaproxy-users zaproxy-users Google Group] for feedback:
+
Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:
 
* What do like?
 
* What do like?
 
* What don't you like?
 
* What don't you like?
* What features could be made easier to use?
+
* How can we make SAMM easier to use?
* How could the help pages be improved?
+
* How could SAMM be improved?  
 
 
==Log issues==
 
 
 
Have you had a problem using ZAP?
 
  
If so and its not already been logged then please [http://code.google.com/p/zaproxy/issues/list report it]
 
  
 
==Localization==
 
==Localization==
  
Are you fluent in another language? Can you help translate ZAP into that language?
+
Are you fluent in another language? Can you help translate SAMM into that language?
  
You can use [http://crowdin.net/project/owasp-zap Crowdin] to do that!
+
You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!
  
 
==Development==
 
==Development==
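Review bot: the unchanged feedback bullet `* What do like?` is missing the word "you"; since the neighbouring bullets in this list are being rewritten for SAMM, fix it to `* What do you like?` in the same change. The `==Feature Requests==` body is replaced by a bare `TBD` and the removed `==Log issues==` section gets no SAMM equivalent, so after this change readers have nowhere to report problems; consider at least pointing both at the SAMM mailing list already linked under `==Feedback==`.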
Line 272: Line 219:
  
 
</div>
 
</div>
 +
 +
= Project Sponsors =
 +
 +
==== Acknowledgements ====
 +
We would like to thank the following sponsors who donated funds to our project:
 +
 +
[http://www.veracode.com https://www.owasp.org/images/d/d6/Veracode-samm.png]
 +
  
 
__NOTOC__ <headertabs />
 
__NOTOC__ <headertabs />
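Review bot: the new `= Project Sponsors =` section places a level-4 `==== Acknowledgements ====` heading directly under a level-1 heading, skipping the level-2 style the rest of the page uses (`==Feature Requests==`, `==Feedback==`); use `==Acknowledgements==` for consistency. Separately, the `==Development==` section whose context lines sit just above this hunk is not touched by the change, and the rendered revision below still tells readers to add functionality to ZAP via the zaproxy-develop Google Group; that text needs a SAMM rewrite as well.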

Revision as of 09:17, 30 November 2014


The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:

  • Evaluate an organization’s existing software security practices
  • Build a balanced software security assurance program in well-defined iterations
  • Demonstrate concrete improvements to a security assurance program
  • Define and measure security-related activities throughout an organization




“Dell uses OWASP’s Software Assurance Maturity Model (OpenSAMM) to help focus our resources and determine which components of our secure application development program to prioritize.” (Michael J. Craigue, Information Security & Compliance, Dell, Inc.)

Want a very quick introduction? See the TBD - Quickstart Guide

For a slightly longer introduction see the latest project presentation.

Browse the SAMM model online here TBD



Quick Download

Download OWASP SAMM!

News and Events

Please see the News and Talks tabs

Change Log

  • TBD


Email List

Questions? Please ask on the SAMM Mailing List

Project Leaders

Seba Deleersnyder Pravir Chandra Kuai Hinojosa Bart De Win

Related Projects


Classifications

  • Project level: Mid-level project
  • Category: Defenders, Builders
  • License: Creative Commons Attribution-ShareAlike 3.0
  • Project type: Documentation



Upcoming talks will be listed here:

  • OWASP DC - Software Assurance Maturity Model (SAMM) with Brian Glas! (2017-03-15)
  • OWASP NoVA - SAMM 1.5, what's changed and how it impacts you (2017-03-16)
  • InfoSec World - Software Assurance Maturity Model Evolutions (2017-04-03)

Past talks:

  • OWASP 24/7 - Seba Deleersnyder discussing the upcoming SAMM Summit (listen - here) - 2015
  • OWASP Germany Day 2014: Seba Deleersnyder: OpenSAMM Best Practices: Lessons from the Trenches (download presentation) - 2014
  • AppSecEU14: Seba Deleersnyder & Bart De Win: OpenSAMM Best Practices: Lessons from the Trenches (download presentation, see video) - 2014
  • AppSecEU13 - Hamburg: Seba Deleersnyder presenting a project update (download presentation) - 2013
  • OWASP Europe Tour 2013 - Geneva: Seba Deleersnyder presenting OpenSAMM and the renewed project (download presentation) - 2013
  • AppSecEU11 - Athens: Colin Watson presenting SAMM Training (download presentation) - 2011
  • AppSecEU09: Pravir Chandra presenting OpenSAMM v1.0 (download presentation) - 2009
  • Matt Bartoldus presentation on the new SAMM project during the OWASP London chapter meeting (download presentation) - 2009
  • Pravir Chandra - first presentation discussing the next generation of the CLASP Project: a complete working of the details into a Software Assurance Maturity Model (SAMM) (download presentation) - 2009



Latest News on SAMM


SAMM is developed and maintained by a worldwide team of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM:

Click on any badge to learn more (each security practice has three badges, e.g. SM1, SM2, SM3, one per maturity level 1 to 3):

  • Governance (G)
    • Strategy & Metrics (SM): levels 1, 2, 3
    • Policy & Compliance (PC): levels 1, 2, 3
    • Education & Guidance (EG): levels 1, 2, 3
  • Construction (C)
    • Threat Assessment (TA): levels 1, 2, 3
    • Security Requirements (SR): levels 1, 2, 3
    • Secure Architecture (SA): levels 1, 2, 3
  • Verification (V)
    • Design Review (DR): levels 1, 2, 3
    • Code Review (CR): levels 1, 2, 3
    • Security Testing (ST): levels 1, 2, 3
  • Deployment (D)
    • Vulnerability Management (VM): levels 1, 2, 3
    • Environment Hardening (EH): levels 1, 2, 3
    • Operational Enablement (OE): levels 1, 2, 3

SAMM is available in the following languages:

  • English
  • Spanish
  • Japanese
  • German


You can use Crowdin to help improve these translations or add new ones right now!

Project Roadmap:
Is available via this link


Release 1.1

The major features we are currently working on include:

  • Add quick start guide
  • Add tools & OWASP resources
  • Add use cases, experience
  • Revamp SAMM wiki

The date and exact items that will be included in 2.0 have not been finalized. The list of requested improvements is here


Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

Feature Requests

TBD

Feedback

Please use the Mailing List for feedback:

  • What do you like?
  • What don't you like?
  • How can we make SAMM easier to use?
  • How could SAMM be improved?


Localization

Are you fluent in another language? Can you help translate SAMM into that language?

You can use Crowdin to do that!

Development

If you fancy having a go at adding functionality to ZAP then please get in touch via the zaproxy-develop Google Group.

Again, you do not have to be a security expert to contribute code - working on ZAP could be great way to learn more about web application security!

If you actively contribute to ZAP then you will be invited to join the project.

Acknowledgements

We would like to thank the following sponsors who donated funds to our project:

  • Veracode (http://www.veracode.com)


Retrieved from "https://www.owasp.org/index.php?title=OWASP_SAMM_Project&oldid=186203"