[Owasp-cmm] An intro and an idea
chandra at list.org
Tue Aug 5 12:31:54 EDT 2008

I'm Pravir Chandra, former lots of things (founder of Secure Software,
principal at Cigital, etc.), currently an independent contractor and steward
of the mostly dormant CLASP project.

I've been lurking in the background when this discussion was on the OWASP
Leaders list and I just jumped on this list and caught up with the brief
archives to make sure I understand what you guys are interested in achieving
with a maturity model.

Since I first talked about a 'new' version of CLASP more than a year ago,
I've been spending a bunch of time thinking about the right way to construct
such a model and put it out there in a way that would be inherently simple,
precise, and quantifiable. At the same time it must account for
organizational change being difficult and slow, customization for
organization-specific concerns, and demonstration of improvement over time.

As fate would have it, the smart folks at Fortify that I've been working
with (Brian Chess, Justin Derry) wanted exactly the same thing about 2
months ago and had goals similar to mine (to make it open and freely
available). A BETA release was just finished and we're seeking feedback as
well as shopping around for the best forum for public release of the
material. There's lots of discussion to be had on that end, but after
discussing with Brian and Justin yesterday, the timing does seem right for
us to share what we've been doing so far.

So, without further ado, meet the Software Assurance Maturity Model (SAMM).
To avoid the evil of attachments posted to lists, download it here:

Based on the chatter I've been privy to so far, I think you all will like
what we've put together. I think with a little bit of ramping it can replace
CLASP (all but the vulnerability lexicon) and really make it feasible for an
average human to think about building a software assurance program.

Please check out SAMM and let me know your thoughts (

~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~ ~~~~~ ~~~ ~~ ~
Pravir Chandra chandra<at>list<dot>org
PGP: CE60 0E10 9207 7290 06EB 5107 4032 63FC 338E 16E4
~ ~~ ~~~ ~~~~~ ~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~