According to a recent study published by SANS: 23 percent of respondents said that applications were the source of actual breach, data loss and attacks on others and only 25 percent of the respondents believe they have a mature application security program.
OWASP SAMM v1.5 is built to help organizations formulate and implement a strategy for software security that is tailored to organization-specific risks. With SAMM v1.5, organizations can accurately evaluate their existing software security practices and steadily improve their security posture over time in well defined iterations designed to meet their unique needs.
The new SAMM scoring model helps demonstrate concrete improvements to security related activities throughout an organization. SAMM is one of the very few mature and open resources available to assist organizations measure and build software security programs.
"Our main goal for version 1.5 was to support our large user community by incorporating their feedback and improving the measurement system of the model," says Bart De Win, co-project leader of OWASP SAMM.
OWASP SAMM v1.5 improves the granularity of scoring, allowing partial credit for achieving maturity benchmarks. This coupled with the matching scoring system, makes it easy to see maturity improvements from projects and initiatives on a dashboard.
SAMM project co-lead Brian Glas notes, "One of the main benefits of the updated scoring model is that you can visibly see improvement to your maturity score on the dashboard as initiatives are completed. This can go a long way in building support for your Application Security Program."
Version 1.5 has enhanced explanations of the maturity model with worksheets and guidance containing example case studies which allows organizations not only understand where they are, but to understand what has worked (and hasn't) for others in similar scenarios. This is a continuing effort with more improvements expected in v2.0.
Implementing SAMM is easier with a new Quick Start guide and Tool Box that includes interview forms and the ability to generate roadmaps, charts, and graphs. The increased ease of adoption has led some companies to begin evaluation with v1.5 despite recent setup of v1.1.
Mike Craigue from Dell Cybersecurity, explains, "We've already started using version 1.5 of the tool internally, and we've gotten an enthusiastic response to the enhanced scoring and easy-to-generate charts."
The OWASP SAMM project leaders are Sebastien Deleersnyder, Bart De Win, and Brian Glas.