null - opensamm

Good Morning

http://digitalcatharsis.files.wordpress.com/2008/10/sleeping-man_ml.jpg



{openSAMM

Why & How?

http://api.ning.com/files/OMGuiScfW0WEzLqgZ-vEG1Gocfg9TzXJ*3p8tfJVh6piUZb380lsGCXDJa0aFePIDX7q-FwM16dSET5kxHSYqOcFNjdBtZiK/elephant.jpg



People

ProcessTechnology

http://30dom.com/wp-content/uploads/2013/11/olympic-weight-lifting-wallpaperli-xueying-weightlifting-olympic--china-photos-and-wallpapers-nusxdel.jpg



http://www.veracode.com/blog/wp-content/uploads/2013/06/bug-bounty-programs.jpg

http://www.veracode.com/blog/wp-content/uploads/2013/06/bug-bounty-programs.jpg

https://www.owasp.org/images/thumb/f/ff/Security_in_the_SDLC_Process.png/600px-Security_in_the_SDLC_Process.png

https://www.owasp.org/images/thumb/f/ff/Security_in_the_SDLC_Process.png/600px-Security_in_the_SDLC_Process.png

http://www.shipulski.com/wp-content/uploads/2012/06/Impossible.jpeg



https://s3.amazonaws.com/pbblogassets/uploads/2013/04/donkey-pulling-cart.jpg

https://s3.amazonaws.com/pbblogassets/uploads/2013/04/donkey-pulling-cart.jpg

http://devpolicy.org/wp-content/uploads/2013/08/Value-for-money.jpg



http://www.rms.net/roi_investreturn.gif

http://www.rms.net/roi_investreturn.gif

http://www.you-stylish-barcelona-apartments.com/blog/wp-content/uploads/2010/09/what-to-do.JPG.jpeg

http://www.you-stylish-barcelona-apartments.com/blog/wp-content/uploads/2010/09/what-to-do.JPG.jpeg

Classification system for a set of processes / function

Shows characteristics of processes over different levels

Examples CMMI (DEV, SVC, ACQ) SSE-CMM BSIMM, openSAMM, etc

Maturity Models

Open Software Assurance Maturity Model

OWASP Project Open framework to help organizations

Formulate Implement Strategy for software security Tailored to the specific risks facing the

organization

openSAMM

openSAMM

Recognizes 4 type of business functions

Any organization performing software development would have these (names could be different)

3 business practices for each function 3 objectives (for levels) under each practice

0 (implied starting point, not included) 1 (initial understanding and ad hoc provision of practice) 2 (increase efficiency / effectiveness of practice) 3 (comprehensive mastery of the practice)

openSAMM - Security Practices

openSAMM - Example

For every level, SAMM defines Objective Activities Results Success Metrics Costs Personnel Related Levels

openSAMM

http://creativeconstruction.files.wordpress.com/2013/02/how_to_do_one_thing_at_a_time.jpg



http://www.jasonshen.com/wp-content/uploads/2012/04/buy-in-image-560x355.jpg



Step 2 - Perform Gap Assessment

Step 3 - Create Roadmap / Assurance Program

Perform practices / activities for level 1 Keep assessing it till you are satisfied

and the scorecard tells you to Inform management with the updated

roadmap in a periodic manner Move to next level after you are done

with the previous one

Step 4 - Execute with periodic reviews

www.sripati.info http://in.linkedin.com/in/sripati

Who Am I

http://www.sripati.info/

http://in.linkedin.com/in/sripati

http://in.linkedin.com/in/sripati

http://www.opensamm.org/downloads/resources/OpenSAMM-1.0.ppt

http://www.opensamm.org/downloads/resources/20090602-Software%20Assurance%20Maturity%20Model.ppt

Credits






