OWASP Podcast about SAMM

Posted by Pravir Chandra in Press on March 25th, 2009

I recorded an OWASP Podcast episode with Jim Manico and it just went live. We discuss the new SAMM release, some of the project’s history, and, of course, some other favorite projects of mine. Jim is a great host and I can’t wait to get invited for another!

, ,

1 Comment

SAMM 1.0 Released!

Posted by Pravir Chandra in Releases on March 25th, 2009

samm-coverThe Beta release has been out for quite a while now (since August 2008) and lots of organizations and individuals have provided excellent feedback to help improve the model. I’ve heard lots of stories from people using SAMM (some are consulting firms, and some are development organizations) and that feedback has been some of the most valuable. This release marks the official 1.0 version of SAMM and there’s a few new pieces added:

  • Executive summary and introduction to the model
  • Improved details on applying the model to solve problems
  • Assessment worksheets for evaluating existing programs
  • Roadmaps for financial services and government organizations
  • Improvements and refinements to the model (I’ll cover changes individually in separate posts)

Many thanks to the individual reviewers and the organizations that have volunteered time to help improve SAMM. I look forward to more active participants as we push forward with some of the future development plans for SAMM.

,

5 Comments

SAMM Mailing List

Posted by Pravir Chandra in Discussion on March 23rd, 2009

We’ve got a project mailing list setup through the OWASP mailing list manager. You can:


2 Comments

Next SAMM release coming this week

Posted by Pravir Chandra in Discussion on March 23rd, 2009

There’s been a huge amount of feedback and lots of refinement to SAMM since the Beta was release last August. I’m happy to report that we’re putting the finishing touches and reviews on the next release as I write. I’ll put together some separate posts that discuss the rationale behind the major changes, but in general, here are some new features in the next release:

  • Better introduction – there’s a proper Executive Summary and a section describing the structure of the model before diving into the details
  • A section on assessing an existing assurance program – this should help folks that need to map an existing software security program into SAMM (or anyone just performing an assessment of a software security program in general)
  • Better guidance on building assurance programs – the Beta had some short text, but the next release includes a bigger section on and building a roadmap for a particular organization
  • New layout and design – revamped the ordering of SAMM materials based on feedback from users and there’s a new topical table of contents (to better route people through the resource provided)

I’m looking forward to feedback on the 1.0 release once it’s out this week… stay tuned!

,

2 Comments

What’s up with the other model?

Posted by Pravir Chandra in Discussion on March 6th, 2009

A day or two back, Cigital and Fortify just released another maturity model named the Building Security In Maturity Model (BSI-MM). I’ve had lots of folks ask me about it and how it’s related to SAMM, so I figured I should write a post about it. The short answer: they’re different (BSIMM forked from the SAMM Beta). The long answer? Keep reading…

So, a long time ago in a galaxy far… ahem… actually, it was last July (2008). Brian Chess and I had a drink at RSA and discussed what I’d be doing with my time now that I’d left Cigital to start independent consulting. I was really focused on using my new found spare time to build the next revision to CLASP. In my vision (which I talked about as early as the OWASP EU conference in Milan in May of 2007), there would be a model that both demonstrated how to logically improve individual security functions over time as well as a collection of prescriptive roadmaps based on the organization type.

Brian and Fortify gave me contract to fund development of what would become the SAMM Beta. Once the Beta was complete last August, Gary McGraw (who sits on Fortify’s Technical Advisory Board) got word of SAMM and wanted to get Cigital involved. We had one meeting for Cigital to provide feedback on SAMM, but it was clear to me that they wanted to take the model in a different direction than I had wanted (lots of reasons here, but one objection I had was use of branding/marketing terminology). So, we forked.

Gary, Brian, and Sammy (and maybe others) massaged the high-level framework from SAMM into what they call their Software Security Framework (SSF). They took this out to 9 big companies with advanced secure development practices to get feedback on what those companies are actually doing. Though I really liked the idea of collecting that data, I wasn’t involved at all. Based on what they learned from SAMM and what they heard from those 9, they created the BSI-MM. So, even though the models may seem similar in structure, they’re different in terms of content.

Just as a disclaimer on the current state of things, I have not worked with the folks at Cigital, but I’m still actively collaborating with folks at Fortify who are supporting both models (and maybe others too!). If folks are interested, I’ll write up more about SAMM vs. BSI-MM once the next release of SAMM comes out next week.

,

2 Comments

Shiny new website

Posted by Pravir Chandra in Discussion on March 4th, 2009

Well, it was time to trade-in the quick and dirty website we stood up for the SAMM Beta. In exchange, we’ve now got a real workhorse, WordPress. Now people can leave comments and discuss proposed changes right here on the site. It’s also a really good platform for building other nifty tools into the site, but more on that later.

No Comments

Working Session on SAMM at OWASP EU Summit

Posted by Pravir Chandra in Discussion on October 20th, 2008

At the upcoming OWASP EU Summit in Portugal, I’ll be leading a working session to collate and integrate much of the feedback received on the SAMM Beta. Specifically, some of the topics for the working session are:

  • General terminology definition and usage
  • Proposed changes to the high-level framework
  • Proposed changes to activities and details under each security function
  • Creation of pilots and case studies
  • Additional road-maps for common organization types
  • Self-assessment and scorecard generation
  • Real-world feedback and data collection

All are invited to participate in the session, so please review the working session page and sign up!

3 Comments

SAMM Presentation at OWASP NYC 2008

Posted by Pravir Chandra in Press on September 25th, 2008

As the project lead for the OWASP CLASP Project, I was invited to speak at the OWASP NYC conference to introduce SAMM and discuss details with attendees. The conference and my talk had a great turn out, and I was impressed with the amount of feedback received. Both slides and video from my presentation (below) are online as well as from all the talks at the conference.

2 Comments

SAMM Beta Release

Posted by Pravir Chandra in Releases on August 21st, 2008

betacoverThanks to sponsorship and feedback from Fortify, we’ve finished an initial release of the Software Assurance Maturity Model (SAMM) that is now available on the downloads page. Everyone is encouraged to review and provide feedback either directly to me or through discussion on the OWASP-CMM mailing list. The working goal is to have a solid 1.0 release in a few months after public review and feedback from organizations using the model and vendors in the software security space.

,

No Comments