[Owasp-cmm] An intro and an idea
Dan Cornell
dan at denimgroup.com
Sat Aug 9 18:15:52 EDT 2008
So, without further ado, meet the Software Assurance Maturity Model
(SAMM). To avoid the evil of attachments posted to lists, download it
here: http://www.list.org/~chandra/SAMM.pdf
Based on the chatter I've been privy to so far, I think you all will
like what we've put together. I think with a little bit of ramping it
can replace CLASP (all but the vulnerability lexicon) and really make it
feasible for an average human to think about building a software
assurance program.
I need to review in more detail, but on first glance I really like this
- especially the structure and level of detail.
- Four Disciplines, each having three Functions, each having three levels
of Objectives is tractable enough that I can see it scaling from use in
small teams to larger enterprises. Small teams will likely gloss over
some things and large enterprises will have to develop some additional
content and perhaps extend some areas but as a basis the numbers here
seem to be a good fit. The biggest problem I have with CMMi and many
compliance regimes is that they are so expansive and overly-inclusive
that there is an enormous barrier to entry if you want to start using
them. With an approach like SAMM I don't feel like that would be as
much of an issue.
- As mentioned above I need to review in more detail, but on first glance
the list of Functions looks more than comprehensive enough to cover the
organizational activities we had been tracking with our preliminary
research.
Thanks,
Dan