TIL: 25th July 2023 — OWASP SAMM model for secure software development life cycle

OWASP SAMM model for secure software development life cycle

OWASP (well known for their Top 10 web application security risks) maintains the Software Assurance Maturity Model that maps business functions to security practices along the maturity levels from 1 to 3.

Each function (e.g. "Design") has its own set of practices (e.g. "Threat Assessment"), and each practice is assessed across two streams (e.g. "Application Risk Profile" and "Threat Modeling"), each of which can reach any of the levels. Maturity level 3 means mastery of the practice within that business function.

OWASP SAMM has a nice set of self-assessment tools:

  • A spreadsheet with the interview questions and detailed results breakdown
  • An application that can run in a container to go through the survey interactively and build a report

This is one of the best known SSDLC (Secure Software Development Life Cycle) models. SSDLC models expand on the SDLC models (such as Waterfall and Agile) with more focus on addressing security concerns early in the development process: security is integrated into every phase of the SDLC, from requirements gathering through to maintenance and evolution.

This model's goal is to build a roadmap with measurable ways of improving the organisation's development life cycle security stance. In fact, there's a lot to learn by simply going through the self-assessment interview.
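As an added illustration of the structure described above (business function, practice, two streams, levels up to 3) and of turning a self-assessment into a measurable roadmap, here is a small Python helper. It is example code written for this note, not part of the OWASP SAMM toolbox. Assumptions are labelled: only "Design", "Threat Assessment", "Application Risk Profile" and "Threat Modeling" come from the post, the other function, practice and stream names are placeholders, the assessed levels are constructed sample data, and the rule that a practice scores the mean of its two streams (and a function the mean of its practices) is an assumed scoring rule, not something the post states.

```python
"""Scoring and roadmap helper for a SAMM-style self-assessment (added example).

Assumptions (not taken from the post):
- maturity levels run 0 (not started) to 3 (mastery);
- a practice's score is the mean of its two stream levels and a business
  function's score is the mean of its practice scores (assumed scoring rule);
- names other than Design / Threat Assessment / Application Risk Profile /
  Threat Modeling are placeholders chosen to show the structure.
"""
from typing import Dict, List, Tuple

MIN_LEVEL, MAX_LEVEL = 0, 3

# business function -> practice -> stream -> assessed level
Assessment = Dict[str, Dict[str, Dict[str, int]]]

# Constructed sample answers, as a self-assessment interview might produce.
SAMPLE_ASSESSMENT: Assessment = {
    "Design": {
        "Threat Assessment": {"Application Risk Profile": 2, "Threat Modeling": 1},
        # placeholder practice and stream names
        "Security Requirements": {"Software Requirements": 1, "Supplier Security": 0},
    },
    "Implementation": {
        # placeholder practice and stream names
        "Secure Build": {"Build Process": 2, "Software Dependencies": 1},
    },
}


def validate(assessment: Assessment) -> None:
    """Reject levels outside 0..3 and practices without exactly two streams."""
    for function, practices in assessment.items():
        for practice, streams in practices.items():
            if len(streams) != 2:
                raise ValueError(f"{function}/{practice}: expected 2 streams, got {len(streams)}")
            for stream, level in streams.items():
                if not isinstance(level, int) or not MIN_LEVEL <= level <= MAX_LEVEL:
                    raise ValueError(
                        f"{function}/{practice}/{stream}: level {level!r} "
                        f"not in {MIN_LEVEL}..{MAX_LEVEL}"
                    )


def practice_score(streams: Dict[str, int]) -> float:
    """Assumed rule: a practice scores the mean of its stream levels."""
    return sum(streams.values()) / len(streams)


def function_scores(assessment: Assessment) -> Dict[str, float]:
    """Assumed rule: a business function scores the mean of its practices."""
    validate(assessment)
    return {
        function: sum(practice_score(s) for s in practices.values()) / len(practices)
        for function, practices in assessment.items()
    }


def roadmap(assessment: Assessment, target: int = MAX_LEVEL) -> List[Tuple[str, str, str, int, int]]:
    """Streams below `target`, largest gap first.

    Each row is (function, practice, stream, current level, gap to target),
    which is the measurable unit of work the improvement roadmap is built from.
    """
    validate(assessment)
    if not MIN_LEVEL <= target <= MAX_LEVEL:
        raise ValueError(f"target {target!r} not in {MIN_LEVEL}..{MAX_LEVEL}")
    rows = [
        (function, practice, stream, level, target - level)
        for function, practices in assessment.items()
        for practice, streams in practices.items()
        for stream, level in streams.items()
        if level < target
    ]
    # biggest gap first, then stable alphabetical order for readability
    rows.sort(key=lambda r: (-r[4], r[0], r[1], r[2]))
    return rows


if __name__ == "__main__":
    for function, score in function_scores(SAMPLE_ASSESSMENT).items():
        print(f"{function:15s} {score:.2f} / {MAX_LEVEL}")
    for function, practice, stream, level, gap in roadmap(SAMPLE_ASSESSMENT):
        print(f"  gap {gap}: {function} > {practice} > {stream} (currently level {level})")
```

Running it with the constructed sample prints each function's score and then the streams ranked by distance from mastery; passing `target=1` or `target=2` to `roadmap` gives the shorter list of streams that still fall below an intermediate milestone, which is usually how an organisation phases the work rather than aiming straight at level 3 everywhere.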