Under the umbrella of OWASP we created a fundamentals course for OWASP SAMM. If you are new to OWASP SAMM, or if you want to get new colleagues up to speed this is a great place to start. The SAMM training walks through all 5 business functions and explains how each security practice should be interpreted and scored.
The SAMM training consists of 79 lessons with a total of 5 hours of video content. It also includes two practical case studies to practice SAMM assessments. The instructor of the course is our CEO Dr. Aram Hovsepyan. Upon completion of the course you will receive a certificate of completion.
The full OWASP SAMM training available for free on Thinkific.
Extract from the OWASP SAMM Training
Find out more about all the things the Codific team does at OWASP.
OWASP SAMM Fundamentals Course content.
The OWASP SAMM Fundamentals course follows the structure of the OWASP SAMM model from left to right. This is up to some extent the logical way of going through the model, Governance, Design, Implementation, Verification and Operations. We recommend going through the whole course, but we understand that you may be looking for guidance on a specific practice or business function. In that case you could jump straight to that chapter.
Introduction to OWASP SAMM and the Fundamentals Course.
In the first chapter of the SAMM training you will find the general introduction of the course. Aram starts out by giving a broad overview of the context in which OWASP SAMM was created, including a short overview of the history of the model. Then the model itself is introduced. You should refer to this chapter if you are trying to get an overall picture of the structure of the model, methodology for use and introduction to assessment tools.
The best tool to use SAMM is Codific’s SAMMY, you can use it for free here.
Extract from the OWASP SAMM Training
Governance.
Governance processes are typically set at an organizational level, so if you are scoring different teams within an organization they are likely to score similarly on Governance. This business function is divided into three practices:
- Strategy & Metrics
- Policy & Compliance
- Education & Guidance
People who come from a managerial background, legal background or GRC background will find this the easiest business function to analyze. People who come from an engineering background may find it somewhat abstract and may benefit from jumping in here.
Extract from the OWASP SAMM Training
Design
Design is where the SDLC section really begins. This business function is essential to the “shift left” philosophy in security. You want to build security into the requirements and create “secure by design” architecture. In order to do those things you must first systematically analyze risk profiles and potential threads. Design is divided into three practices:
- Threat Assessment
- Security Requirements
- Security Architecture
If you have a background in threat modeling you will feel right at home in this chapter. If you are not so familiar with these things you might want to jump in here.
Extract from the OWASP SAMM Training
Implementation
Implementation is at the core of the DevSecOps pipeline. This is where the rubber meets the road. This is not about coding but about the processes around deployment. A lot of attention is paid to automation and scalability. As in all business practices in OWASP SAMM, more formalized processes tend to be more mature from a security perspective. Automation also ensures no important steps are skipped. Implementation is divided into three practices:
- Secure Build
- Secure Deployment
- Defect Management
If you come from a secure software engineering background this chapter will have little surprises for you. If you come from a less hands-on background you may want to jump in here.
Extract from the OWASP SAMM Training
Verification
Verification looks at whether we did the right things the right way. It goes from abstract architectural assessments to very specific testing such as penetration testing, stress testing and fussing. As always the focus is on analyzing the scalability and maturity of the processes in place. Verification is divided into three practices:
- Architecture Assessment
- Requirements-driven Testing
- Security Testing
If you have a background in offensive cybersecurity you will be well acquainted with these practices. If you are not familiar with these practices you may want to jump in here.
Extract from the OWASP SAMM Training
Operations
Stepping away from the DevSecOps pipeline, the Operations chapter focuses on ensuring confidentiality, integrity and availability is maintained during the operational lifetime. Does the organization have the right processes in place to deal with changing environments and potential disruptions? Operations is divided into three practices:
- Incident Management
- Environment Management
- Operational Management
If you have a background in cloud security or incidence response you will quickly grasp this chapter. If you have limited operational experience with cloud infrastructure you may want to jump into this chapter.
Extract from the OWASP SAMM Training
Certificate of completion
Remember, if you do go through the whole course you will receive a certificate of completion. That certificate will look really good on your Linkedin profile. And don’t be shy to give a shoutout to your teacher Dr Aram Hovsepyan, to Codific and to OWASP SAMM when you post!
Now that you have completed the course, you can start using SAMMY to do your assessments. Find out more here.