10 May, 2024
Starting a OWASP SAMM assessment journey can feel overwhelming. SAMM, short for Software Assurance Maturity Model, is the process of guiding organisations towards understanding their current security maturity within a defined scope, whether its a team, business unit, or the entire organisation.
At its essence, SAMM assessment involves interpreting the layers of security practices through a structured questionnaire. This questionnaire is composed of 90 multiple-choice questions and a set of quality criteria defining the benchmark for each query. However, mastering the art of conducting a precise SAMM assessment presents its own set of challenges. Determining the right personnel to lead the assessment, ensuring objective scoring, and what is necessary to prepare in advance from both interviewees and interviewers are just a few hurdles organisations encounter along the way.
The importance of assessing security maturity cannot be overstated. Beyond serving as a foundational step towards enhancement, it proves invaluable in scenarios like mergers and acquisitions, where understanding the security posture of an organisation becomes critical.
Introducing the experts
In our most recent podcast, our CEO Aram hosted a panel of leading industry experts to gain insights into how to properly do SAMM assessment. Joining Aram were Rob van der Veer, Brian Glas and Maxim Baele, all esteemed members of the core team behind OWASP SAMM. Together, they explored the nuances of SAMM assessment, shedding light on the process, practical implementation strategies, best practices, and insider tips to streamline the process.
With over 18 years of experience in the field of Application Security, Brian Glas has played a pivotal role in shaping various versions of the OWASP SAMM framework. He is also the project co-lead of the famous OWASP TOP 10. When he is not working on OWASP projects or conducting SAMM assessment, Brain serves as a professor and chair at the Computer Science department at Union University.
Maxim Baele brings a wealth of expertise to the table, with a focus on consulting and helping individuals, teams and organisations build software with privacy and security by design at Toreon. His contributions to the discussion provided invaluable perspectives on SAMM assessment and their impact.
Rob van der Veer is renowned for his contributions to enhancing software security and value at SIG (Software Improve Group). He is also a pioneer in AI and machine learning and the impact it has on software and AppSec.
Last but not least, Aram Hovsepyan is the founder and CEO of Codific. Before leading this innovative cybersecurity company, Aram was also a researcher in the DistriNet group, also aiding in the development of the privacy gold standard LINDUNN.
This podcast focused on the most pressing questions SAMM users and practitioners typically have when tackling SAMM assessments.
These are as follows:
- What are the pros and cons of bringing in an external team of SAMM experts to run the assessment?
- How are these assessment interviews structured and scheduled?
- How to strike the balance between being friendly, but objective when dealing with teams who are eager to achieve a high SAMM score?
- What should the interviewee prepare in advance?
- What are the main differences when conducting a SAMM assessment in the context of an acquisition or merge?
- Is there anything AI and LLMs could do to help with a SAMM assessment?
Listen to the podcast below!
Want to get started with SAMM?
We have just the thing! Take the free OWASP SAMM training course to learn all about SAMM assessments and security. The SAMM training consists of 79 lessons with a total of 5 hours of video content. It also includes two practical case studies to practise SAMM assessments. The instructor of the course is our CEO Dr. Aram Hovsepyan. Upon completion of the course you will receive a certificate of completion.
