Fwd: OWASP SAMM version 2 - Public Release


Seba

Jan 31, 2020, 8:24:15 AM1/31/20
to samm-p...@owasp.org


OWASP SAMM version 2
Public release - January 31, 2020

After three years of preparation, our SAMM project team has delivered version 2 of SAMM!

The OWASP SAMM (Software Assurance Maturity Model) is the OWASP framework to help organizations assess, formulate, and implement, through our self-assessment model, a strategy for software security that can be integrated into their existing Software Development Lifecycle (SDLC).

The new SAMM release v2 consists of the following components:

  • The SAMM Model overview and introduction, explaining the maturity model in detail;

  • A Quick-Start Guide with different steps to improve your secure software practice;

  • Updated SAMM Tool Box to perform SAMM assessments and create SAMM road maps;

  • A new SAMM Benchmark Initiative to compare your maturity and progress with other similar organizations and teams.

What's changed with SAMM v2?

For those organizations using earlier versions of SAMM it’s important to take the time to understand how the framework has evolved in favor of automation and better alignment with development teams.

Organizationally, some important changes worth noting:

  • Construction is now Design

  • A new business function: Implementation

  • Redesigned business function: Verification

  • New security practice: Operational Management

  • Operational Enablement no longer exists and other practices have absorbed its activities

Activities are now ordered in logical flows throughout each of the 15 SAMM security practices, divided into two streams, which aligns and links the activities in the practice over the different maturity levels.

The new model supports maturity measurements from both coverage-based and quality-based measurement perspectives. We added new quality criteria for all the activities. There is an updated scoring SAMM toolbox designed to help assessors and organizations with their software assurance assessments and roadmaps.

We have a single source using GitHub and we can automatically generate PDF documents, the website, the toolbox, and applications. All the model content has been converted to YAML files, allowing tools or other SAMM consumers to automatically use the model. You can always find the latest version of SAMM on our website, in the Model section. The full release notes for version 2 are available here.

As always, feedback is welcome in the usual channels:

Seba Deleersnyder and Bart De Win, SAMM Project co-leaders, commented: “This is a really important release for the project team. We are grateful for the team, our SAMM community, and the help of our sponsors. With all of them, after three years, we now have an effective and measurable way for all types of organizations to analyze and improve their software security posture”.

Don’t forget to look around our new website, review the updated model and toolbox.

Thanks

Big thanks to our community, your feedback, corrections, questions, input, and encouragement. SAMM version 2 is for you!

Special thanks to Brett Crawley, Brian Glas, Bruce Jenkins, Chris Cooper, Daniel Kefer, Felipe Zipitria, Hardik Parekh, John Dileo, John Ellingsworth, John Kennedy, Nessim Kisserli, Patricia Duarte, Sebastian Arriada, and Yan Kravchenko.

And to our leading sponsors, Concord, Micro Focus Fortify, NCC Group, Toreon, PWC, and Splunk.

Time to celebrate!

The OWASP SAMM project team

Newsletter subscription
Let us know if there is any particular subject you would like to hear more about in our newsletters.

Thank you!
The SAMM project team

Join our SAMM channel #project-samm 
(use this invitation link to get on OWASP Slack)
Copyright © 2020 OWASP Foundation, All rights reserved.
You have been included in this newsletter because of your earlier subscription to the SAMM mailing list. We promise to only use your email to inform you on SAMM news and to keep the spam level low.

Our mailing address is:
OWASP Foundation
1200-C Agora Drive, #232
Bel Air, MD 21014
