OWASP SAMM Guidance

Updated: 20 December, 2024 28 November, 2024 Over the past year, our SAMMY tool has grown significantly. It now supports not just OWASP Software Assurance Maturity Model (SAMM) but also many other frameworks and standards. Whether you need a cybersecurity framework, quality framework, maturity model, or compliance standard, SAMMY unifies them all. This versatility often raises a key question: “Which framework is best for an application security program?” OWASP SAMM stands out, but what about Building Security In Maturity Model (BSIMM) or NIST Secure Software Development Framework (SSDF)? SAMM looks excellent on paper, but SSDF comes from NIST, a highly respected organization. Meanwhile, BSIMM is popular among large enterprises. I have already written a blog on BSIMM vs SAMM. BSIMM is not cheap and even if your organization has the budget, SAMM is likely a better pick. In this post, I will focus on comparing OWASP SAMM and NIST SSDF. Key […]

Updated: 20 December, 2024 2 November, 2024 OWASP Software Assurance Maturity Model (SAMM) is one of the only comprehensive frameworks available for application security program management. Aside from BSIMM, there’s not much else around. Moreover, SAMM is open-source, making it accessible to everyone with zero barriers to entry. However there’s a catch: implementing OWASP SAMM comes with a learning curve. Beginner and even intermediate users seem to struggle with certain aspects of the model. Based on my experience, users have the hardest time figuring out: How to deal with quality criteria (or the “definition of done”) and what they mean; How to come up with a meaningful prioritization for the improvement roadmap; What type of evidence is required for demonstrating “compliance”; How to interpret the model for domains other than web application development; How can SAMM help for a smaller company. In this blog, I will offer 12 foolproof ways[…]

Updated: 7 December, 2024 20 October, 2024 What is supplier risk management about? Outsourcing software development has become a cornerstone for many organizations, enabling them to accelerate innovation, reduce costs, and tap into specialized expertise. However, outsourcing also introduces specific risks, particularly in ensuring strong application security throughout the development process. This is where supplier risk management plays a critical role. By systematically addressing supplier-related risks, organizations can maintain a secure software supply chain while reaping the benefits of outsourced development. In this blog, I will explore best practices for supplier risk management in the context of outsourced software development, offering actionable steps to ensure security is embedded across the software development lifecycle (SDLC). Here’s a quick overview of three key pillars of managing supplier risks in outsourced development, adapted from OWASP SAMM, listed in order of progressive difficulty: Supplier Evaluation: Assess potential suppliers against your organization’s security requirements, ensuring[…]

Updated: 22 November, 2024 19 October, 2024 Introduction to software security requirements Despite clearly understanding the importance of security requirements, organizations seem to struggle with figuring out how to implement security requirements for their SDLC (secure software development lifecycle). In this blog, we will provide an in-depth analysis and insights on how to do this right. Requirements in general and security requirements in particular establish the common theme throughout the software development lifecycle (SDLC). The whole product and solution development starts with business analysts specifying what needs to be developed. Requirements are the building blocks for those specification documents.  The architects create a software architecture that implements those requirements.  Developers implement those requirements conform to the specified architecture.  Then verification engineers and quality assurance (QA) teams validate that the implementation correctly addresses all the requirements.  Finally, the customers use the product and achieve their initial goal. In a nutshell, requirements[…]

Updated: 15 October, 2024 5 October, 2024 The OWASP Software Assurance Maturity Model (SAMM) is rapidly becoming the go-to framework for application security programs, and it’s easy to see why. SAMM offers a structured, measurement-driven approach to improving product security. As a well-established framework since 2009, it helps organizations evaluate their software security maturity on a scale from 0 to 3. However, many organizations face challenges after completing their initial SAMM assessment. There’s growing interest in understanding how other organizations are progressing, making real-world data one of the hottest topics in the SAMM community. SAMM Benchmarking project aims to provide exactly that. During the past OWASP Global AppSec Conference in San Francisco the SAMM Core Team has shared the latest benchmark data. In this blog, we provide an in-depth analysis and interpretation of the OWASP SAMM Benchmark data. Key takeaways Most of the currently limited benchmark data (30 assessments) is[…]

Updated: 20 December, 2024 2 October, 2024 Cybersecurity in general and application security (AppSec) in particular are extremely challenging topics. They run broad and deep and success in one area is just not enough. A systematic solution is provided by the myriad of various (compliance) cybersecurity standards, frameworks  and maturity models. CIS Controls, Cloud Controls Matrix (CCM), ISO27001, NIST SSDF, NIST CSF, BSIMM, OWASP SAMM, Cybersecurity Fundamentals, DevSecOps Maturity Model just to name a few. Amongst one of the most promising solutions is the OWASP Software Assurance Maturity Model that is rapidly becoming an industry standard within the AppSec domain. Nonetheless organizations often have to deal with more than one overlapping, complementing and even competing standards. Hence, mapping cybersecurity compliance standards and frameworks is essential in order to make sure that organizations are not reinventing the wheel. Amongst the key pressing questions nearly every organization has to deal with are:[…]

Updated: 1 November, 2024 12 June, 2024 Subscribe to the AppSec Newsletter Email Address *First Name *

Updated: 15 October, 2024 10 May, 2024 Subscribe to the AppSec Newsletter Email Address *First Name *

Updated: 13 December, 2024 12 April, 2024 How to use OWASP SAMM for effective communication on security? Reporting with OWASP SAMM is very impactful when done correctly. This blog is based on first and second hand experience of implementing SAMM (Software Assurance Maturity Model) as a security programme at organizations large and small. We focus on how security leaders at the organization can communicate upwards, how SAMM can help with this, what challenges arise and how these have been mitigated at different organizations. We start from the perspective of senior leadership. What senior leadership wants. Senior leadership wants clarity, simplicity, and reliability in the information they receive. Clarity to have good visibility on the situation at hand and its implications. Simplicity in order to easily digest information and know what conclusions to draw. Reliability or the ability to trust the numbers. Yet for each of these criteria there are challenges[…]

Updated: 20 December, 2024 20 March, 2024 Application security is a paramount concern for organizations that develop software. However systematically managing AppSec across diverse development teams in a measurable way remains a challenge. This blog outlines Zebra Technologies’ journey in adopting the OWASP Software Assurance Maturity Model (SAMM) as our guiding framework for measuring and improving application security practices. Zebra is a Fortune 500 company with 35 different product and IT teams developing and maintaining secure software applications and systems. Though you may not always see them, Zebra is everywhere. Whether it’s on that recently delivered package, or the water bottle you just scanned at the supermarket – even in the shoulder pads of NFL players, Zebra is there.   Key Takeaways Despite initial scepticism and the inherent challenges of integrating SAMM, particularly with embedded and delivered software teams, the implementation led to significant improvements. The introduction of SAMM facilitated[…]

Updated: 13 December, 2024 28 February, 2024 Application security requires a systematic approach and requires dealing with software security throughout every stage of the software development lifecycle (SDLC). However organizations typically struggle to create an effective improvement roadmap and end up in the rabbit hole of fixing security tool generated vulnerabilities. We believe that leveraging OWASP Application Security Verification Standard (ASVS) as a security requirements framework as well as a guide to unit and integration testing is by far the best pick in terms of ROI. Using security requirements driven testing and by turning security requirements into “just requirements” organizations can enable a common language shared by all stakeholders involved in the SDLC. We have analyzed the complete ASVS to determine how much of it we could automate using various testing strategies. Our analysis indicates that 162 (~58%) of ASVS can be automatically verified using unit, integration, acceptance tests. We[…]

Updated: 1 November, 2024 28 December, 2023 For the past 20 years web applications have always been the number one action vector for incidents and breaches (DBIR Verizon 2023). OWASP SAMM offers a systematic approach to tackling the challenges in application security. Amongst the key philosophies in SAMM is the idea of assessing the current situation and creating an incremental roadmap of improvements driven by risk. Creating and implementing an effective roadmap is a challenging task on its own. However to get to that starting point you will need to conduct a realistic assessment of the organization’s security practices. An imprecise assessment might lead to a suboptimal allocation of resources in the improvement phase. In this article, we provide some guidelines of how to run assessments. This blog is my personal reflection on the SAMM assessment process. It is however based on the combined experience of four OWASP SAMM core[…]