OpenSAMM for the Masses: A Case for Cooperation, presented at OWASP SAMM Summit 2015

by Justin Clarke, John B. Dickson

Summary: We all know that behind every breach story in the press is an organization that probably should have done more to build secure software. Yet organizations struggle mightily to focus resources on building software securely from the outset and, as a result, software security remains an after-the-fact “nice to do” rather than a “have to do” activity in many organizations. How can organizations determine the right set of activities, or the appropriate level of resource allocation, that they should undertake to adequately address software risk? Organizations can make these determinations by benchmarking via OWASP’s Open Software Assurance Maturity Model (OpenSAMM) framework. Yet organizations looking to step up their software security game have encountered hurdles that stand in the way of fully utilizing the power of OpenSAMM as a benchmarking tool. Justin and John will detail a broad industry effort to address some of these hurdles by redefining certain aspects of the data schema around OpenSAMM and providing more comparative data, opening up this benchmarking tool for broader use throughout industry.