OWASP Releases Software Assurance Maturity Model (SAMM) Version 1.1 for Improving Software Security

Successor of OpenSAMM as OWASP SAMM v1.1 released to enable organizations to measure and improve their software security

Mar 16, 2016, 12:15 ET from OWASP Foundation

BEL AIR, Md., March 16, 2016 /PRNewswire/ -- The OWASP Foundation today announced the next release of OWASP SAMM v1.1. The Software Assurance Maturity Model (SAMM) is an open OWASP framework to help organizations formulate and implement a strategy for software security that is tailored to organization-specific risks.


SAMM enables organizations to steadily improve their software security posture over time. As organizations of all sizes and across every industry have come to rely on web, mobile and cloud applications as a source of strategic differentiation and competitive advantage, the threat surface has dramatically expanded. Web applications have become the number one target for cyber attackers, with application-layer vulnerabilities exploited as a point of entry in many recent high-profile security breaches. The additions to OWASP SAMM are a direct response to the relentless occurrence of security breaches in which vulnerable software allowed attackers to gain access to private corporate data. The resources provided by SAMM aid in:

  • Evaluating an organization's existing software security practices;
  • Building a balanced software security assurance program in well-defined iterations;
  • Demonstrating concrete improvements to a security assurance program;
  • Defining and measuring security-related activities throughout an organization.

OpenSAMM v1.0 was originally developed, designed, and written by Pravir Chandra in 2009. SAMM v1.1 takes OpenSAMM to the next level by embedding practical experience in a Quick Start Guide combined with practical OWASP resources, such as OWASP Zed Attack Proxy Project and OWASP Application Security Verification Standard, to name a few. The new OWASP SAMM release v1.1 consists of the following components:

  • SAMM Core Model document, explaining the maturity model;
  • How-To Guide with implementation guidance;
  • Quick-Start Guide with different steps to improve your secure software practice;
  • Updated SAMM Tool Box to perform SAMM assessments and create SAMM roadmaps;
  • Useful OWASP resources to implement SAMM roadmaps, all linked from SAMM;
  • SAMM Benchmarks to compare your maturity and progress with other similar organizations and teams.

"OWASP SAMM v1.1 takes software security to the next level and combines an industry maturity standard with the best OWASP resources."

"The traditional focus of security investments has been on hardening the network layer, but this approach is no longer sufficient," said John Dickson, Principal, Denim Group. "OWASP SAMM is a valuable tool for the enterprise to understand what they can do to secure the web, mobile and on-premises applications they build, buy and operate."

"Our main goal was to improve OpenSAMM and create an active OWASP Community to improve this great resource, now and in the coming years," says Sebastien Deleersnyder, co-project leader of OWASP SAMM.

Indeed, the OWASP SAMM community will gather again for its second SAMM Summit in New York, U.S., on 20-21 April to start working on SAMM v2.0. The OWASP SAMM project leaders are Pravir Chandra, Sebastien Deleersnyder, Bart De Win and Kuai Hinojosa.

To learn more, visit https://www.owasp.org/index.php/SAMM and https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016

Follow OWASP SAMM on Twitter: @owaspsamm. For additional information, contact owasp.foundation@owasp.org.

About OWASP
The OWASP Foundation came online on December 1, 2001. It was established as a not-for-profit charitable organization in the United States on April 21, 2004 to ensure the ongoing availability and support for our work at OWASP. OWASP is an international organization and the OWASP Foundation supports OWASP efforts around the world. OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a people, process, and technology problem because the most effective approaches to application security include improvements in all of these areas.

SOURCE OWASP Foundation