SAMM

Core Metrics

Outcomes

This Working Session will result in updated SAMM Metrics and an outline plan for the future updates.

Synopsis and Takeaways

  • Adding an optional depth component to scoring for questionnaire needs to be evaluated
  • Remove success metrics and replace with business metrics
    • Alternatively Metrics may require its own section
    • Focus on metrics ranging from operational to strategic operations
  • Three logical categories of metrics
    • App
    • Process
    • Environment

Core Model Update - Dev Methods

Outcomes

Synopsis and Takeaways

  • Restructure SAMM activities with an increasing maturity of implementation
  • Apply this restructure to all SAMM practices and activities (high level)
  • Create one or more detailed descriptions with implementation guidance

Core Model Update - Implementation

Outcomes

  • Core Model

Synopsis and Takeaways

  • We are exploring adding a fifth business function to the SAMM Model.
  • This function will be somewhere between the current “Construction” and “Verification” business functions
  • The new function may encompass code building and code management
  • The current “Construction” Business Function is mostly about design, so needs recategorising
  • Defect management is not clearly defined in the current SAMM Model
  • We will probably need to make fundamental additions and changes to the current SAMM Model
  • Ideas for the new business function naming and criteria have been put forward
  • Ideas for new security practices have been noted
  • Likely updates to the “Operations” business function are to be made to account for more infrastructure-related activities

DataSet Project

Outcomes

Synopsis and Takeaways

  • The Dataset Project was unanimously agreed upon to be a key project for OWASP and is worth pursuing.
  • The Dataset project is key to the SAMM project as a whole
  • For the project to progress steadily it is important to collect the names of people who are willing to contribute to the project consistently
  • Create a survey that is to be sent via the “SAMM users mailing list”, in order to gain valuable information about what users want from the Dataset

Introduction - GDOSMM

Outcomes

Synopsis and Takeaways

  • No need to change the core model, but reviewing the SAMM activities is important to ensure they are implementation-neutral
  • In addition, implementation advice can be included for different roles and processes, e.g. DevOps, Waterfall and Agile
  • GDOSMM is a potential implementation subset of SAMM
  • An evening session was agreed for model mapping SAMM to GDOSMM
  • The effort/impact dimensions suggested make for an interesting addition to activities

Kick-off

Outcomes

Synopsis and Takeaways

  • Captured expectations of participants
  • Better understanding
  • Include agile/devops
  • Contribute
  • Tools
  • Benchmarking

  • Make the model more “agile”?
  • Focus on developers
  • Measure efficiency
  • SAMM Profiles

Outreach and Market

Outcomes

  • High-level plan for promoting and integrating SAMM

Synopsis and Takeaways

  • Need a marketing specialist to construct a model for SAMM to improve market awareness
  • Invite members of the mailing list to create a video showcasing some real world evidence of SAMM in action
  • Need a way to measure downloads of the SAMM model; a possible solution is to link to the model from GitHub

OWASP Project alignment

Outcomes

  • Recommendations for addition to SAMM
  • Plan for project and activity alignment

Synopsis and Takeaways

  • We must make sure to remap “Flagship” and “Lab” projects for SAMM Version 2
  • Reach out to “Flagship” and “Lab” leaders to get references to the SAMM project and, if possible, link to an activity or security process.
  • Identify the missing tools and artefacts needed for different activities
  • Make sure to promote the missing tools and artefacts to encourage people to undertake the project themselves
  • Map a lower level of granularity; map at a level of activities

Stories and Templates

Outcomes

  • New templates drafted
  • Existing use cases updated
  • New use cases identified

SAMM V2 Ground Rules

Synopsis and Takeaways

  • One Model
  • Evolution
  • Scope equals software
  • Experiment with tagging to cover various viewpoints
  • Extra working session to discuss DevSecOps maturity model (tomorrow – morning session)
  • Keep it simple with a Balanced model (desirable)

Working materials

Content

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:

  • Evaluate an organization’s existing software security practices
  • Build a balanced software security assurance program in well-defined iterations
  • Demonstrate concrete improvements to a security assurance program
  • Define and measure security-related activities throughout an organization

OWASP SMM