OWASP SAMM v1.5 Release

According to recent research published by SANS: 23% of respondents said that applications were the source of actual breach, data loss and attacks on others and only 25% of the respondents believe they have a mature application security program.

The OWASP Software Assurance Maturity Model (SAMM) enables organizations to formulate and implement a strategy for software security that is tailored to organization-specific risks. With SAMM, organizations can accurately evaluate their existing software security practices and steadily improve their security posture over time in well defined iterations designed to meet their unique needs. The SAMM scoring model also helps demonstrate concrete improvements to security related activities throughout an organization. SAMM is one of the very few mature and open resources available to assist organizations measure and build software security programs.

Example SAMM Scorecard

 The new additions to OWASP SAMM are a direct response to the relentless occurrence of security breaches where vulnerable software allowed attackers to gain access to private, corporate data. Bart De Win, co-project leader of OWASP SAMM, says "Our main goal for version 1.5 was to support our large user community by incorporating their feedback and improving the measurement system of the model."

Anyone who has filled out a SAMM assessment has had a discussion on whether to mark an answer “yes” or “no”, when the answer is honestly something in between. By replacing the Yes/No answers with four graduated steps, SAMM v1.5 improves the granularity of scoring, allowing partial credit for achieving maturity benchmarks.This coupled with the matching scoring system, makes it easy to see maturity improvements from projects and initiatives on a dashboard. One of the main benefits of the updated scoring model is that you can visibly see improvement to your maturity score on the dashboard as initiatives are completed. This can go a long way in building support for your Application Security Program.

Example Worksheet

SAMM v1.5 has enhanced explanations of the maturity model with worksheets and guidance containing example case studies which allows organizations not only understand where they are, but to understand what has worked (and hasn't) for others in similar scenarios. This is a continuing effort with more improvements expected in v2.0. Implementing SAMM is easier with a new Quick Start guide and Tool Box that includes interview forms and the ability to generate road maps, charts, and graphs.

For more information you can visit https://www.owasp.org/index.php/SAMM, watch the SAMM v1.5 Webinar on YouTube, or download the slide deck on SlideShare.

Follow OWASP SAMM on twitter. For additional info email owasp.foundation@owasp.org