[SAMM] Job Description

Eoin eoin.keary at owasp.org
Mon Dec 7 12:19:45 EST 2009


Sure, any change to the SDLC is more a cultural effort than a technical one.
The idea of secure development needs to be embraced by the organisation, and
a belief needs to be developed so there is an understanding of "why I am doing
this".
Any good individuals in ISO, consultancy or advisor roles need to be able to
convey requirements and gaps in an influencing way, with a "the benefits to
you are...." so you get developer buy-in.

So the key (on a human level) is to get the right personality, who is not a
"Policeman-auditor" but rather an influencer/advisor explaining the positive
reasons (both to an organisation and individual) for SAMM, applying a road
map and secure app dev. People involved in CMM may also fit this profile, if
they were any good at it.

On the other hand, some organisations use "carrots" and "sticks" throughout
the SDLC process: reward if you have the lowest fault density / non-compliant
issues for your last code review; slap on the head if you are the worst. I
found in dev organisations that the "Secure development team of the year"
award worked well, gave recognition and demonstrated how serious the org is.

I'm not sure if there should be a "certified SAMM auditor"; this could
cheapen the brand. SAMM is small enough so all of a sudden everyone will be
certified, etc. etc.

another 10 cent (out of change).

-ek




2009/12/7 McGovern, James F. (eBusiness) <James.McGovern at thehartford.com>

>  Not quite sure of how to flush it out, but let me share more on my
> thoughts for asking.
>
> 1. I need to complete an HR-approved job description such that in my day
> job, we get the opportunity for someone to have as their full-time job the
> championing of SAMM internally. We want to do this via "influence" over
> "command and control". We will of course have executive support (they will
> sign off on funding) but they will only be periodic mouthpieces.
>
> 2. As an observer, I think all of the analysis / comparisons on maturity
> models in this space have outlined more of the process. What is sorely
> lacking is the "profile" of the individuals and what characteristic about
> them made their adoption of SAMM successful. So, I want to capture more of
> the people aspects and will make a great supporting document to SAMM.
>
> 3. If we capture the above, it could also serve as input into something I
> think would absolutely rock. I know that folks will jump all over me for
> mentioning certification, but if you look at Scrum, the notion of a
> Certified ScrumMaster has caused lots of mouthpieces to emerge. I do want to
> expend effort in creating something similar to help evangelize SAMM.
>
>  ------------------------------
>  *From:* samm-bounces at lists.owasp.org [mailto:samm-bounces at lists.owasp.org]
> *On Behalf Of *Eoin
> *Sent:* Monday, December 07, 2009 11:35 AM
>
> *To:* Software Assurance Maturity Model (SAMM)
> *Subject:* Re: [SAMM] Job Description
>
>   "how it would feel" - James can you flesh out this question?
>
>
>
> 2009/12/7 McGovern, James F. (eBusiness) <James.McGovern at thehartford.com>
>
>>  So, I think this answers what they need to know in terms of a body of
>> knowledge. Looking for insight into how it would feel. Would it feel like an
>> Enterprise PMO or more like an Agile Coach, ScrumMaster?
>>
>>  ------------------------------
>> *From:* samm-bounces at lists.owasp.org [mailto:samm-bounces at lists.owasp.org]
>> *On Behalf Of *Eoin
>> *Sent:* Monday, December 07, 2009 11:24 AM
>> *To:* Software Assurance Maturity Model (SAMM)
>> *Subject:* Re: [SAMM] Job Description
>>
>> Hi
>> My exp of SAMM would dictate:
>>
>> Regarding a process weenie, this actually helps; experience in interviewing
>> (audit interviews) and getting to an accurate answer is very
>> important. Someone with SDLC security and
>> with 27001 exposure would be great at the job.
>> SDLC experience (from secure dev to change control to awareness and
>> training rollout etc.) is important, and also knowledge of the industry being
>> audited; this helps with developing a roadmap and what to focus on.
>>
>> my 10 cent
>>
>> -ek
>>
>>
>>
>>
>>
>>
>>
>> 2009/12/7 McGovern, James F. (eBusiness) <James.McGovern at thehartford.com>
>>
>>> If a large enterprise wanted to anoint an individual to roll out SAMM,
>>> what would the job description look like? What are some of the
>>> characteristics this individual would need in order to be successful? Could
>>> they be successful in being a process weenie alone or is something else
>>> required? Do they need to know how to program? Do they need to know about
>>> project/program management?
>>>
>>>
>>>
>>
>>
>>
>>
>
>
>
>


-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author
OWASP Ireland Chapter Lead
OWASP Global Committee Member (Industry)

http://asg.ie/
https://twitter.com/EoinKeary

