Version: 1.1
Contributors:
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/legalcode; or, (b) send a letter to Creative Commons, 171 2nd Street, Suite 94105, USA.
The Software Assurance Maturity Model (SAMM) was created by Pravir Chandra. It is licensed under the Creative Commons Attribution-Share Alike 3.0 License.
SAMM Website: http://www.opensamm.org
ew Template
Description: One aim of the Software Assurance Maturity Model (SAMM) is to help organizations build software security assurance
programs. The current position and future targets can be charted and the SAMM document includes roadmap templates
for different industries. This spreadsheet helps produce roadmaps once the plan is known. It is structured with four
phases of improvement, like in SAMM, although could be altered to suit any number of stages.
SAMM The Software Assurance Maturity Model (SAMM) was created by Pravir Chandra and is now an Open Web Application
Security Project (OWASP) project.
SAMM is licensed under the Creative Commons Attribution-Share Alike 3.0 License
http://www.opensamm.org
Instructions
Interview an individual based on the questions below organized according to SAMM Business Functions and Security Practices.
Place a "Yes" or "No" next to each question or assertion based on the individual's response.
Document additional information such as how and why in the "Interview Notes" column.
In order to mark "Yes" on a question, each assertion below that question must also be satisfied.
Once the interview is complete, go to the "Scorecard" sheet and follow instructions.
Organization:
Project:
Interview Date:
Interviewer:
Persons Interviewed:
Governance
Strategy & Metrics
Is there a software security assurance program in place?
Are development staff aware of future plans for the assurance program?
SM1
Does the organization know about what's required based on risk ratings?
Does your organization regularly compare your security spend with that of other organizations?
Policy & Compliance
Does the organization utilize a set of policies and standards to control software development?
PC2
Are project teams able to request an audit for compliance with policies and standards?
Are projects periodically audited to ensure a baseline of compliance with policies and standards?
PC3
Does the organization systematically use audits to collect and control compliance evidence?
Construction
Threat Assessment
Do projects in your organization consider and document likely threats?
TA1
Does your organization understand and document the types of attackers it faces?
TA3
Are the majority of the protection mechanisms and controls captured and mapped back to threats?
Security Requirements
Do project teams specify security requirements during development?
SR1
Do project teams pull requirements from best practices and compliance guidance?
Do project teams specify requirements based on feedback from other security activities?
Are audits performed against the security requirements specified by project teams?
SR3
Secure Architecture
Are project teams provided with a list of recommended third-party components?
SA1
Are project teams aware of secure design principles and do they apply them consistently?
Do you advertise shared security services with guidance for project teams?
SA2
Are project teams provided with prescriptive design patterns based on their application architecture?
Verification
Design Review
Do project teams document the attack perimeter of software designs?
DR1
Do project teams check software designs against known security risks?
Does the secure design review process incorporate detailed data-level analysis?
DR3
Does a minimum security baseline exist for secure design review results?
Implementation Review
Do project teams have review checklists based on common security related problems?
Can project teams access automated code analysis tools to find security problems?
IR2
Do stakeholders consistently review results from code reviews?
Do project teams utilize automation to check code against application-specific coding standards?
IR3
Does a minimum security baseline exist for code review results?
Security Testing
Do projects specify security testing based on defined security requirements?
Operations
Issue Management
Do projects have a point of contact for security issues or incidents?
Are project teams aware of their security point(s) of contact and response team(s)?
Does the organization utilize a consistent process for incident reporting and handling?
IM2
Are project stakeholders aware of relevant security disclosures related to their software projects?
Environment Hardening
Do projects document operational environment security requirements?
EH1
Do projects check for security updates to third-party software components?
Are stakeholders aware of options for additional tools to protect software while running in operations?
Does a minimum security baseline exist for environment health (versioning, patching, etc)?
EH3
Operational Enablement
Are security notes delivered with each software release?
OE1
Are security-related alerts and error conditions documented on a per-project basis?
OE3
Is code signing routinely performed on software components using a consistent process?
Instructions
Interview an individual based on the questions below organized according to SAMM Business Functions and Security Practices.
Place a "Yes" or "No" next to each question or assertion based on the individual's response.
Document additional information such as how and why in the "Interview Notes" column.
In order to mark "Yes" on a question, each assertion below that question must also be satisfied.
Once the interview is complete, go to the "Scorecard" sheet and follow instructions.
Governance
Strategy & Metrics
Is there a software security assurance program in place?
Assurance program is documented and accessible to staff.
Assurance program has been used in recent development efforts.
Staff receives training against assurance program and responsibilities.
Does the organization know about what's required based on risk ratings?
Staff receives training according to documented assurance program and risk classifications.
Policy & Compliance
Does the organization utilize a set of policies and standards to control software development?
A set of security policies has been created based on compliance drivers.
Optional or recommended compliance items have been added to security policies.
Requirements based on known business drivers for security have been added to security policies.
Common or similar policies have been grouped, generalized, and rewritten to satisfy compliance and security requirements.
Security policies do not include requirements that are too costly or difficult for project teams to comply with.
Awareness programs have been created to advertise and spread awareness of security policies.
Are project teams able to request an audit for compliance with policies and standards?
A process has been created for project teams to request an audit against security policies and compliance requirements.
Internal audits are prioritized based on business risk indicators.
Each project undergoes an audit at least biannually.
Awareness programs have been created to advertise and spread awareness of the organization's audit process.
Audit results are reviewed by project stakeholders including per requirement pass/fail status, impact, and remediation.
Are projects periodically audited to ensure a baseline of compliance with policies and standards?
Compliance and security gates are established throughout the development process.
An exception approval process has been created for legacy or other specialized projects.
Automated tools (code review, penetration testing, etc) are used to assist in identifying non-compliance prior to the audit process.
Does the organization systematically use audits to collect and control compliance evidence?
An automated system is used to capture, organize, and display audit data and documentation.
Access to audit data is controlled based on a need to know.
Instructions and procedures for accessing audit data are published and advertised to project groups.
Education & Guidance
Does each project team understand where to find secure development best-practices and guidance?
Resources regarding secure development practices have been assembled and made available to developers.
Management informs development groups that they are expected to utilize secure development resources.
A checklist based on the secure development resources has been created to ensure guidelines are met during development.
Are those involved in the development process given role-specific security training and guidance?
Role specific application security training is given to developers, architects, QA, planning, etc.
Managers and requirements specifiers receive training in security requirements, vulnerability and incident management, threat modeling, and misuse/abuse case design.
Testers and auditors receive training in code review, architecture and design analysis, runtime analysis, and effective security test planning.
Developer training includes security design patterns, tool-specific training, threat modeling and software assessment techniques.
Role specific training is provided at least annually as well as on demand based on need.
Is security-related guidance centrally controlled and consistently distributed throughout the organization?
A centralized repository has been created to organize secure development information, resources, and processes.
An approval board and change control management process is in place to control modification of information in this repository.
A method for collaboration and communication of secure development topics has been provided.
Content is searchable based on common factors like platform, language, library, life-cycle stage, etc.
Construction
Threat Assessment
Do projects in your organization consider and document likely threats?
Likely worst-case scenarios are documented for each project based on its business risk profile.
Attack trees or a threat model is created for each project tracing the preconditions necessary for a worst-case scenario to be realized.
Attack trees or threat models are expanded to include potential security failures in current and historical functional requirements.
When new features are added to a project, attack trees or threat models are updated.
Does your organization understand and document the types of attackers it faces?
Potential external threat agents and their motivations are documented for each project.
Potential internal threat agents, their associated roles, and damage potential are documented for each project or architecture.
A common set of threat agents, motivations, and other information is collected at the organization level and re-used within…
Are the majority of the protection mechanisms and controls captured and mapped back to threats?
An assessment for each project has been conducted to identify mitigating controls that prevent preconditions identified in attack trees or threat models.
This assessment is updated each time new features or requirements are introduced or the attack tree is modified.
Mitigating controls have been documented within the attack tree or threat model.
Security requirements have been added to each project to address any preconditions that still lead to a successful attack within attack trees.
Security Requirements
Do project teams specify security requirements during development?
Security requirements are derived from functional requirements and customer/organization concerns.
A security auditor leads specification of security requirements within each project.
Security requirements are specific, measurable, and reasonable.
Security requirements are documented for each project.
Do project teams pull requirements from best practices and compliance guidance?
Industry best practices are used to derive additional security requirements.
Existing code bases are analyzed by a security auditor for opportunities to add security requirements.
Plans to refactor existing code to implement security requirements are prioritized by project stakeholders including risk management, senior developers, and architects.
Secure Architecture
Are project teams provided with a list of recommended third-party components?
A weighted list of commonly used third-party libraries and code is collected and documented across the organization.
The libraries are informally evaluated for security based on past incidents, responses to identified issues, complexity, and appropriateness to the organization. Risks associated with these components are documented.
A list of approved third-party libraries for use within development projects is published.
Are project teams aware of secure design principles and do they apply them consistently?
A list of secure design principles (such as defense in depth) has been collected and documented.
These principles are used as a checklist during the design phase of each project.
Do you advertise shared security services with guidance for project teams?
A list of reusable resources is collected and categorized based on the security mechanisms they fulfill (LDAP server, single sign-on server, etc.).
The organization has selected a set of reusable resources to standardize on.
These resources have been thoroughly audited for security issues.
Design guidance has been created for secure integration of each component within a project.
Project groups receive training regarding the proper use and integration of these components.
Are project teams provided with prescriptive design patterns based on their application architecture?
Each project is categorized based on architecture (client-server, web application, thick client, etc.).
A set of design patterns is documented for each architecture (risk-based authentication system, single sign-on, centralized logging, etc.).
Architects, senior developers, or other project stakeholders identify applicable and appropriate patterns for each project during the design phase.
Are project teams audited for the use of secure architecture components?
Audits include evaluation of usage of recommended frameworks, design patterns, shared security services, and reference platforms.
Results are used to determine if additional frameworks, resources, or guidance need to be specified as well as the quality of guidance provided to project teams.
Verification
Design Review
Do project teams document the attack perimeter of software designs?
Each project group creates a simplified one-page architecture diagram representing the high-level modules.
Each component in the diagram is analyzed in terms of accessibility of the interface from authorized users, anonymous users, operators, application-specific roles, etc.
Interfaces and components with similar accessibility profiles are grouped and documented as the software attack surface.
One-page architecture diagram is annotated with security-related functionality.
Grouped interface designs are evaluated to determine whether security-related functionality is applied consistently.
Architecture diagrams and attack surface analysis are updated when an application's design is altered.
Do project teams specifically analyze design elements for security mechanisms?
Each interface within the high-level architecture diagram is formally inspected for security mechanisms (includes internal and external application tiers).
Analysis includes the following minimum categories: authentication, authorization, input validation, output encoding, error handling, logging, cryptography, and session management.
Each software release is required to undergo a design review.
Does the secure design review process incorporate detailed data-level analysis?
Project teams document relevant software modules, data sources, actors, and messages that flow between data sources or business functions.
Project teams identify details on system behavior around high-risk functionality (such as CRUD of sensitive data).
Utilizing the data flow diagram, project teams identify software modules that handle data or functionality with differing sensitivity levels.
Does a minimum security baseline exist for secure design review results?
A consistent design review program has been established.
Criteria are created to determine whether a project passes the design review process (for example, no high-risk findings).
Release gates are used within the development process to ensure projects cannot advance to the next step until the project successfully completes a design review.
A process is established for handling design review results in legacy projects, including a requirement to establish a time frame for successfully completing the design review process.
Implementation Review
Do project teams have review checklists based on common security related problems?
The organization has derived a light-weight code review checklist based on previously identified security requirements.
Developers receive training regarding their role and the goals of the checklist.
Does a minimum security baseline exist for code review results?
Each project contains a checkpoint in the development process that requires a specific level of code review results to be met before release.
The organization has established an exception process for legacy code, which requires a certain level of assurance to be met within a specific time period.
Security Testing
Do projects specify security testing based on defined security requirements?
The organization has documented general test cases based on security requirements and common vulnerabilities.
Each project has documented test cases for security requirements specific to that project.
Staff ensures test cases are feasible, applicable, and can be executed by relevant development, security, and quality assurance staff.
Do projects use automation to evaluate security test cases?
The organization has reviewed open source, commercial, and other solutions for performing automated security testing and selected a solution that will best fit the organization.
Automated security testing has been integrated within the development process.
Do projects follow a consistent process to evaluate and report on security tests to stakeholders?
Automated security testing occurs across projects on a regular, scheduled basis.
A process has been created for reviewing security testing results with project stakeholders and remediating risk.
Does a minimum security baseline exist for security testing?
Each project contains a checkpoint in the development process that requires a specific level of security testing results to be met before release.
The organization has established an exception process for handling security testing results in legacy projects, which requires a certain level of assurance to be met within a specific time period.
Operations
Issue Management
Do projects have a point of contact for security issues or incidents?
Each project or development group has assigned a security-savvy developer to be the point of contact for security issues.
The organization maintains a centralized list of applications, projects, and points of contact regarding security issues.
Are project teams aware of their security point(s) of contact and response team(s)?
The security response team meets with project groups at least annually to brief individuals on the incident response process.
Are project stakeholders aware of relevant security disclosures related to their software projects?
A formal, documented process has been established for tracking, handling, and communicating incidents internally.
Do projects consistently collect and report data and metrics related to incidents?
Metrics such as frequency of software projects affected by incidents, system downtime and cost from loss of use, human resources taken in handling and cleanup of the incident, estimates of long-term costs such as regulatory fines or brand damage, etc. are collected.
The organization's centralized incident response process is expanded to collect and record metrics.
Past security incidents are recorded and reviewed every six months and recommendations to improve the organization or software assurance process are made.
Environment Hardening
Do projects document operational environment security requirements?
The organization documents and maintains a set of baseline operating platforms.
Project teams expand on existing, approved baseline operating platforms to meet project requirements.
Project teams document assumptions made about operating environments during development.
Organization and project operating platforms are reviewed at least every six months.
Are stakeholders aware of options for additional tools to protect software while running in operations?
The security team or operations team reviews optional tools for protecting software with project stakeholders.
Appropriate solutions such as a WAF, IPS, HIDS, etc. are adopted for each project's operational environment.
Does a minimum security baseline exist for environment health (versioning, patching, etc)?
Project-level audits include analysis and testing of the operational environment in which the software resides.
Audits include verification of compliance with the organization's patch management process.
Operational environment audits occur at least every six months.
The organization has established an exception process for legacy operational environments, which requires a certain level of assurance to be met within a specific time period.
Operational Enablement
Are security notes delivered with each software release?
Project teams document security-relevant configuration and operations information and provide documentation to users and operators.
Project teams document a list of security features built into the software, options for configuration, security impacts, and inc… secure default.
Project stakeholders review security documentation prior to release.
Project teams update security documentation at least every six months.
Are security-related alerts and error conditions documented on a per-project basis?
Project teams document important security-related alerts and error conditions and provide the documentation to the operations team.
Project teams update alerts and error conditions documentation at least every six months.
Project teams document an automated or manual process for monitoring and responding to application alerts and errors.
Operations team regularly monitors and responds to application alerts and errors based on provided documentation.
Do project teams deliver an operational security guide with each product release?
Project teams develop an operational security guide starting with information documented about security-related alerts and error conditions.
Guides include all security information needed by users and operators.
Guides include items such as: security-related configuration options, event handling procedures, installation and upgrade g…, operational environment specifications, security-related assumptions about the deployment environment, etc.
Project teams work with project stakeholders to determine an appropriate level of detail for the operational security guide.
Project teams update the operational security guide with each release.
Answer columns: Yes/No | Interview Notes | Rating
SAMM Assessment Scorecard: For
Instructions
Fill out the following scorecard based on the "Yes" or "No" responses marked during the interview.
If "Yes" has been marked for a question, a whole number maturity level has been achieved (for example "1" or "2" rather than "1+").
If a question has been marked "No", but assertions below that question have been marked "Yes" AND the question for the previous maturity level has been marked "Yes", a "1+", "2+", or "3+" can be recorded.
Organization:
Project:
Interview Date:
Interviewer:
Persons Interviewed:
Business Functions | Security Practices | Current | 1 | 2 | 3
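The scorecard rules above can be applied mechanically once the interview answers are recorded. The following Python is an added example and is not part of the OpenSAMM template; it encodes the two scorecard rules (a "Yes" question gives a whole level, a "No" question with a "Yes" assertion and the previous level achieved gives "N+") together with the interview rule that a "Yes" question requires every assertion under it to be "Yes". The names LevelAnswers, rate_practice, check_consistency and score_interview are the example's own, the sample interview data is constructed, and treating level 0 as always achieved (so that partial level-1 work is reported as "0+") is an assumption the sheet does not state explicitly.

```python
"""Scorecard rating for a SAMM interview sheet (added example, not OpenSAMM code)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class LevelAnswers:
    """Interview answers for one maturity level of one security practice."""
    question: str                                         # "Yes" or "No" for the level's question
    assertions: List[str] = field(default_factory=list)   # "Yes"/"No" for each assertion under it


def check_consistency(levels: List[LevelAnswers]) -> List[str]:
    """Return interview-rule violations: a question marked "Yes" while one of
    its assertions is "No" (the sheet requires every assertion to be satisfied)."""
    problems = []
    for number, level in enumerate(levels, start=1):
        if level.question == "Yes" and "No" in level.assertions:
            problems.append(f"level {number}: question is Yes but an assertion is No")
    return problems


def rate_practice(levels: List[LevelAnswers]) -> str:
    """Rating for one practice; levels[0] is maturity level 1, levels[1] level 2, etc.

    Whole number: the highest level reached with every lower level's question "Yes".
    "N+": the next level's question is "No" but at least one of its assertions is
    "Yes"; because we stop at the first "No", level N's question is always "Yes"
    here, which is the "previous maturity level" condition on the scorecard.
    Assumption: level 0 is always achieved, so partial level-1 work yields "0+".
    """
    problems = check_consistency(levels)
    if problems:
        raise ValueError("; ".join(problems))
    achieved = 0
    for number, level in enumerate(levels, start=1):
        if level.question == "Yes":
            achieved = number
            continue
        # First "No" question: partial credit if any assertion under it is "Yes".
        if "Yes" in level.assertions:
            return f"{achieved}+"
        break
    return str(achieved)


def score_interview(interview: Dict[str, Dict[str, List[LevelAnswers]]]) -> Dict[str, Dict[str, str]]:
    """Scorecard: business function -> security practice -> rating string."""
    return {
        function: {practice: rate_practice(levels) for practice, levels in practices.items()}
        for function, practices in interview.items()
    }


# Constructed sample answers (not real assessment data), Governance only.
SAMPLE_INTERVIEW = {
    "Governance": {
        "Strategy & Metrics": [
            LevelAnswers("Yes", ["Yes", "Yes", "Yes"]),
            LevelAnswers("No", ["Yes"]),               # level 2 partially done -> "1+"
        ],
        "Policy & Compliance": [
            LevelAnswers("Yes", ["Yes"] * 6),
            LevelAnswers("Yes", ["Yes"] * 5),
            LevelAnswers("No", ["No", "No", "No"]),    # nothing at level 3 -> "2"
        ],
    }
}

if __name__ == "__main__":
    for function, practices in score_interview(SAMPLE_INTERVIEW).items():
        for practice, rating in practices.items():
            print(f"{function:12} {practice:22} {rating}")
```

Running the file prints one scorecard row per practice; feeding it a sheet where a question is "Yes" but an assertion is "No" raises a ValueError, which is the check an interviewer would otherwise have to make by eye.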
Software Assurance Maturity Model (SAMM) Roadmap
Roadmap chart, one row per security practice (the "0", "1" and "1 2 3 4 5 6 7 8 9" values around each name are chart axis residue):
Policy & Compliance
Education & Guidance
Threat Assessment
Security Requirements
Secure Architecture
Design Analysis
Implementation Review
Security Testing
Issue Management
Environment Hardening
Operational Enablement
Software Assurance Maturity Model (SAMM) Roadmap Chart Template Notes
1 The chart template assumes four stages.
2 To update the charts, enter your own target levels for each of the security practices over the four phases. Take care, there are partially obscured cells
(white text) to the right of the phases in the data table - these are necessary for the correct formatting of the charts. They contain a formula that simply
duplicates the maturity level in the cell to their left.
3 Valid values for maturity levels are 0, 1, 2 or 3 only.
4 The charts are constructed using multiple Excel area charts, each with a single line of data - one for each security practice. The charts use background
pictures to provide the striping effect, and there is an empty chart with the grey striping in the background of all of these. Unfortunately it was also
necessary to add two white rectangle objects to mask the right and bottom borders of the latter empty chart.
5 The print area is set on the chart page only to include the charts, not the source data.
6 If you need fewer or more than four phases, you'll need to spend some time adding columns, altering charts and creating new background images (see
separate worksheet).
7 Most cells are locked and have protection turned on (without a password) - use Tools | Protection | Unprotect Sheet to turn off