Project Spotlight - SAMM
OWASP Software Assurance Maturity Model (SAMM) makes software security measurable. Once you can measure it, you can manage it. So it allows one to actually manage a secure software program in an organization. SAMM helps any application security manager or security champion to understand where they are in terms of activities and also what they can do moving forward. It helps one to create a roadmap and to improve and demonstrate security activities are performed.
Software in each of the business functions of an organisation have a couple of security practices and each of these security practices have a couple of activities with an increasing level of maturity. The model provides the framework to know what kind of activities and practices one needs to look at in terms of software security.
For example: Credit assessment is an important aspect of software because one must understand the risk profile of an application. How important is the application for the organization ‘s application risk profile? Does one need to do threat modelling? One needs to understand what kind of risks one has, what kind of threats are there for the software and provide threat modelling.
- Perform activities at a basic level, ad hoc.
- More organized, structured, and possibly automated activities.
- Learn from what has been done and provide feedback into the other activities of your software assurance program.
Contributing Author: Vandana Verma