3. The OWASP Software Assurance Maturity Model (SAMM) aims to help organisations implement a software security (assurance) programme, designed to be:
• Evolvable: security programme incrementally delivers assurance gains, while working toward long-term goals;
• Adaptable: works for different methodologies, different organisation types and risk tolerances;
• Measurable: guidance for activities is prescriptive: simple, well-defined and measurable;
• Open: vendor-neutral and available to all.
SAMM is organised around four business functions, each of which has three security practices, shown in the overview below:
Each practice has activities and maturity levels from 0 to 3, with 0 representing the “doing nothing” starting point and 3 representing “comprehensive mastery of the security practice at scale”. Maturity levels are assigned both by which activities are undertaken and by a measure of how far each is implemented (0.2, 0.5 or 1.0, with 0 for an activity not done at all). An organisation’s security programme is assessed against SAMM using a scorecard.
Answer the following questions concerning the OWASP SAMM.
(a) The Building Security In Maturity Model (BSIMM) was inspired by an early SAMM version. Using your understanding of BSIMM, explain the main differences between BSIMM and SAMM and what each tries to achieve. [6 marks]
(b) Do you think it makes sense for an organisation to use both BSIMM and SAMM? Discuss why or why not. [3 marks]
(c) BSIMM has more activities than SAMM but SAMM activities are often more general. Two BSIMM activities which cannot be mapped to SAMM are:
Strategy & Metrics SM3.1 Run an external marketing program.
Training T3.3 Host software security events.
Explain why these activities are excluded from SAMM.
(d) SAMM aims to help organisations build software security assurance programmes. The idea is to define a roadmap which schedules practices to improve in stages, based on the organisation’s own goals and resources. Figure 2 on page 7 shows three template roadmaps which are proposed in SAMM as templates for three different kinds of organisation:
Online Service Provider: Builds web applications and microservices. Entire operation online. Needs to innovate rapidly.
Financial Services Company: Supports transactions and processing. Many internal and back-end systems. Needs strong reliability and attack resistance.
Government Organisation: Builds software for public sector projects. National-level responsibility and visibility. Needs resilience and privacy for large data.
Answer the following questions concerning these different organisation types.
i. Considering the three roadmaps in Figure 2, match each one to the organisation type you think best fits the profile shown. For each case, give two reasons why you think the profile matches. You may mention specific example activities as well as practices in your reasons. [9 marks]
ii. For each of the following additional factors, pick one of the organisation types you think could be affected, and explain how the additional factor might influence the importance of particular practices and activities within it, leading to an adjustment of the template roadmap.
Outsourced development: significant external development resource.
Online payment processing: handles payments directly.
Regulatory compliance: under heavy compliance requirements.
Organisation grown by acquisition: several development teams are active with different security practices.