How to Get Started with OWASP SAMM on SAMMY

OWASP SAMM

OWASP SAMM is the default model in SAMMY. It is the reason why we created SAMMY in the first place.

Fill out an OWASP SAMM assessment

The workflow starts with filling out the assessment questions. You can fill out the whole assessment yourself, or assign different business functions, activities and streams to different users so that each section is answered by the most relevant person.

Validate an OWASP SAMM assessment

Validation is an optional but very popular step: a central person checks the scoring, which matters especially for self-assessments.

Validation is done at the stream level. When done internally, it is typically performed by the person leading the overall assessment, who reviews the answers and the evidence presented. If the validator is not satisfied, the stream returns to the assessment step together with the validator's comments; if the validator approves, the stream moves to the improvement track. In some cases the validator may be an external expert.

Implement improvement roadmaps

When a stream's score has been validated, the question arises: "Is this good enough?" If it is, the stream is completed. You can set an expiration date and leave the stream alone until then; when that date arrives, the stream is re-evaluated. If the score is not good enough, an improvement process is initiated: a new target score is set together with a target date and an action plan, and the process is assigned to a team member. At the end of the improvement process the stream returns to assessment to evaluate its situation and assess its new maturity level.

Clear visualization of scores

In SAMMY you can go to the reporting tab, where you find a series of views:

  • Overview of scores per business function
  • Scores per practice
  • Comparison between scopes
  • Historic growth per business function
  • Historic growth per scope
  • Gap-to-target metrics and comparisons

The report dashboard is customizable, allowing you to focus on the metrics that matter to your teams at this time.

The default report screen

Here you can also visualize the improvement roadmap and show the improvement targets. 

Exporting reports

Once your security posture is mapped in SAMMY, you can use it to automatically generate different reports. Some of the reports currently available are:

Improvement reports

This report is generated as a PDF and includes a summary of the assessment and a detailed overview of the improvement roadmap, including timelines and ownership of the different improvements. It is ideal for internal reporting.

SAMM to NIST SSDF mapping

This report maps your OWASP SAMM scores to NIST SSDF practices and tasks and links the relevant evidence. It can be used to evaluate and demonstrate NIST SSDF compliance.

Gap Reports

A detailed report about the gaps to target posture or to policy requirements.

Index page of the OWASP SAMM improvement report

Mapping to different frameworks

There are two types of mappings: direct mappings and transient mappings (indirect mappings that go through an intermediate framework). Direct mappings are of the highest quality; for example, the direct mapping between OWASP SAMM and NIST SSDF has been validated by NIST. We also have direct mappings to NIST CSF 2.0 and IEC 62443-4-1.

Transient mappings rely on OpenCRE, another OWASP project that maps different frameworks to each other. SAMMY looks for the best mapping available for each pair of frameworks and uses it to map the assessment responses. In the coming months and years we will develop more high-quality direct mappings.

Setting target postures

It should never be your ambition to reach maturity level 3 in every business function; in fact, this would likely be wasteful. What you should aim for depends on many factors: your business, its context and the risk profile of your products. The best way to manage such goals is to set target postures tailored to your context, and SAMMY lets you create these easily. Target postures may be derived from the company's security policies and may in turn help to mature those policies. The target posture is then shown throughout the process to the different teams in the different scopes, and the goal becomes closing the gap between the current posture and the target posture. SAMMY has metrics, dashboards and reports to help you manage towards target postures.
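To make the gap reports and target postures described above concrete, here is an added example (not SAMMY's or OWASP SAMM's own code) that scores a small constructed assessment, aggregates stream scores up to practice and business-function level, and lists the streams that still fall short of a target posture, largest gap first. The answer scale (No / Some / Half / Most scored 0, 0.25, 0.5, 1), the stream-sum and averaging rules, and the sample answers and targets are assumptions for illustration, modelled on the OWASP SAMM toolbox convention rather than taken from this page.

```python
"""
Added example (not SAMMY's or OWASP SAMM's own code): minimal SAMM scoring and
gap-to-target calculation.

Assumptions (illustrative, not from the page):
- Each stream has one question per maturity level (1..3). An answer scores
  0, 0.25, 0.5 or 1, so a stream score ranges from 0 to 3.
- A practice score is the average of its two streams (A and B); a business
  function score is the average of its practices.
- A target posture assigns a target score to each stream.
"""
from statistics import mean

ANSWER_SCORES = {"No": 0.0, "Some": 0.25, "Half": 0.5, "Most": 1.0}  # assumed scale

# Constructed sample: business function -> practice -> stream -> answers for levels 1..3
ASSESSMENT = {
    "Governance": {
        "Strategy & Metrics": {"A": ["Most", "Half", "No"], "B": ["Some", "No", "No"]},
        "Policy & Compliance": {"A": ["Most", "Most", "Some"], "B": ["Half", "No", "No"]},
    },
    "Design": {
        "Threat Assessment": {"A": ["Half", "No", "No"], "B": ["No", "No", "No"]},
    },
}

# Constructed target posture per stream, e.g. derived from a security policy
TARGET = {
    ("Governance", "Strategy & Metrics", "A"): 2.0,
    ("Governance", "Strategy & Metrics", "B"): 1.0,
    ("Governance", "Policy & Compliance", "A"): 2.0,  # already met below: no gap
    ("Governance", "Policy & Compliance", "B"): 1.0,
    ("Design", "Threat Assessment", "A"): 1.5,
    ("Design", "Threat Assessment", "B"): 1.0,
}


def stream_score(answers):
    """Sum of the per-level answer scores; rejects unknown answers and wrong lengths."""
    if len(answers) != 3:
        raise ValueError("a SAMM stream has exactly three maturity-level questions")
    return sum(ANSWER_SCORES[a] for a in answers)  # KeyError on an unknown answer


def score_assessment(assessment):
    """Return (stream_scores, practice_scores, function_scores) as dicts."""
    streams, practices, functions = {}, {}, {}
    for func, pracs in assessment.items():
        for prac, strs in pracs.items():
            for name, answers in strs.items():
                streams[(func, prac, name)] = stream_score(answers)
            practices[(func, prac)] = mean(streams[(func, prac, s)] for s in strs)
        functions[func] = mean(practices[(func, p)] for p in pracs)
    return streams, practices, functions


def gaps_to_target(streams, target):
    """Streams below their target, largest gap first.

    Streams at or above target are 'good enough' and are left out, which is the
    branch where a stream would be completed and given an expiration date.
    """
    gaps = []
    for key, tgt in target.items():
        cur = streams.get(key)
        if cur is None:
            raise KeyError(f"target set for a stream that was never assessed: {key}")
        if cur < tgt:
            gaps.append((key, cur, tgt, round(tgt - cur, 2)))
    return sorted(gaps, key=lambda g: g[3], reverse=True)


if __name__ == "__main__":
    s, p, f = score_assessment(ASSESSMENT)
    for func, score in f.items():
        print(f"{func}: {score:.2f}")
    for key, cur, tgt, gap in gaps_to_target(s, TARGET):
        print(f"gap {gap:.2f} in {key}: {cur} -> target {tgt}")
```

Run as a script it prints the business-function scores and the prioritised gap list; the sorted gap list is the same information a gap report or a roadmap view presents, and the "at or above target" branch is where a stream would be marked complete and scheduled for re-evaluation.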

User, role and team management

SAMMY is a collaborative tool. Tasks and responsibilities can be assigned at team and individual level, so there is always clear ownership of every task, and individuals always have a clear overview of what is expected of them.

Jira integration

As different tasks are assigned to different team members, SAMMY integrates with Jira to feed tasks automatically into your existing task-management flow. A similar integration for Microsoft Teams is coming soon.

If you don’t use JIRA or Teams and would like us to integrate with another tool, or if you have any other suggestions please reach out to us. The roadmap of this tool is community driven.    
