[SAMM] OpenSAMM Case Study


fabian....@optimabit.com

Jul 1, 2011, 5:21:59 AM
to sa...@lists.owasp.org
Hello!

I'm doing research on OpenSAMM for my bachelor's thesis and I'd like to
know if the case study of "VirtualWare" at the end of the document is
an anonymized experience report or if it is entirely fictional.

Thank you very much,
Fabian Streitel

_______________________________________________
SAMM mailing list
SA...@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/samm

Christian Heinrich

Jul 1, 2011, 7:22:02 PM
to Software Assurance Maturity Model (SAMM)
Fabian,

On Fri, Jul 1, 2011 at 7:21 PM, <fabian....@optimabit.com> wrote:
> I'm doing research on OpenSAMM for my bachelor's thesis and I'd like to
> know if the case study of "VirtualWare" at the end of the document is
> an anonymized experience report or if it is entirely fictional.

According to the presentation on OpenSAMM delivered by Justin Derry at
the AISA Sydney (Australia) Branch Meeting on 6 October 2010, he
prepared this case study and alleged that "VirtualWare" might be
"VMWare".

You might also want to consider http://bsimm.com/ which is a study of
~30 real-world case studies, which I have summarised at
http://www.slideshare.net/cmlh/bsimm


--
Regards,
Christian Heinrich
http://www.owasp.org/index.php/user:cmlh

Pravir Chandra

Jul 1, 2011, 8:04:09 PM
to Software Assurance Maturity Model (SAMM)
It's not based on VMWare, but interestingly, Justin Derry was the original author of the case study in SAMM :)

When we wrote it, we were basically drawing from our individual experiences from a few different organizations where we had led the build-out of software security programs. Then, we "reverse engineered" the case study from that by putting our experience from those programs in terms of the model's levels, activities, etc.

Does that help?

p.

fabian....@optimabit.com

Jul 2, 2011, 3:26:54 AM
to sa...@lists.owasp.org
Thank you both for your quick reply.

That was exactly the information I needed.

Greetings,
Fabian

--
Start using GPG! (http://www.gnupg.org/)

Christian Heinrich

Jul 2, 2011, 7:48:12 PM
to Software Assurance Maturity Model (SAMM)
Pravir,

On Sat, Jul 2, 2011 at 10:04 AM, Pravir Chandra <cha...@owasp.org> wrote:
> When we wrote it, we were basically drawing from our individual experiences from a few different organizations where we had led the build-out of software security programs. Then, we "reverse engineered" the case study from that by putting our experience from those programs in terms of the model's levels, activities, etc.

Would the above be applicable to the four examples after p27 within
"Building Assurance Programs"?

Pravir Chandra

Jul 10, 2011, 2:27:15 PM
to Software Assurance Maturity Model (SAMM)
Yeah, same idea there, but we separated our notes into silos for those 4
example org types and then built the roadmaps from the applicable
companies. The case study was ISV only.

p.

On 7/2/11 4:48 PM, Christian Heinrich wrote:
> Pravir,
>
> On Sat, Jul 2, 2011 at 10:04 AM, Pravir Chandra<cha...@owasp.org> wrote:
>> When we wrote it, we were basically drawing from our individual experiences from a few different organizations where we had led the build-out of software security programs. Then, we "reverse engineered" the case study from that by putting our experience from those programs in terms of the model's levels, activities, etc.
> Would the above be applicable to the four examples after p27 within
> "Building Assurance Programs"?
>
>
