[SAMM] SAMM Audit Framework

Wed Apr 7 22:36:05 EDT 2010

Christian, that due diligence process is exactly the need we intend to
serve with the questionnaire we're discussing. I'd be happy to hear if
other people are successful using it in that context

On Wed, Apr 7, 2010 at 8:11 PM, Christian Frichot <xntrik at gmail.com> wrote:
> If you're going to outsource to a 3rd party for anything important (based on
> information classification and risk) you're likely to go through a due
> diligence process of some sorts. If that outsourcing agreement is in the
> form of software development I wouldn't see it as too difficult to include
> the SAMM questions. Due diligence often starts as a simple questionnaire,
> it's up to the business to make the determination on how much of what the
> 3rd party says actually needs to be verified. For example, "Does your
> organization understand and document the types of attackers it faces?", you
> could follow that up with asking to review one of these documents, or the
> procedures that document this process.
> I mean I also agree the model fits more snuggly with inhouse development,
> but it's not completely lost on 3rd parties.
> On Wed, Apr 7, 2010 at 11:36 PM, Pravir Chandra <chandra at owasp.org> wrote:
>>
>> Lots of interesting points to consider, James. The main one that I've run
>> into is when an organization does a lot of outsourced development. SAMM was
>> built with focus on in-house dev, so this case presents a bit of a hiccup
>> for application of the model.
>> For the in-house stuff, SAMM basically works out of the box. For the
>> outsourced stuff, I've recommended that clients focus on the Verification
>> practices and activities, to which I also added a few others cherry-picked
>> from the other business functions.
>> I'm curious as to what other folks see as the "right way" for firms to
>> handle and control outsourced dev? A close corollary is COTS... the mic is
>> open on that one too :)
>> p.
>>
>>
>>
>> On Tue, Mar 30, 2010 at 12:15 PM, McGovern, James F. (P+C Technology)
>> <James.McGovern at thehartford.com> wrote:
>>>
>>> McGovern's sporadic brain dump of thoughts in making SAMM better (?)
>>>
>>>
>>> I am of the school of thought that says we need to serve both external
>>> and internal auditors equally. External auditors will look at the
>>> maturity of the organization at large where an internal auditor may look
>>> at the divisions, departments, particular teams, etc.
>>>
>>> Is there a difference in auditing a software development effort for a
>>> large enterprise when development is internal vs. when it is 100%
>>> outsourced in an offshore model? What aspects of maturity are transitive
>>> between business partners and what aspects are separate?
>>>
>>> Does the SecurityCompass work call out the need to better specify how
>>> auditors as a role play within SAMM?
>>>
>>> There are a few things hinted at within PCI that we should also
>>> consider. Should we figure out how to ask: Is the software development
>>> methodology well understood by the engineers building the software? This
>>> is more than general enthusiasm but trends into correlation techniques
>>> amongst interviewees/samples.
>>>
>>> How do we account for clarity when roles are defined by team members?
>>> Think specializing generalist.
>>>
>>> Should maturity have some notion of the real-world impact to failing a
>>> phased gate review?
>>>
>>> Can we address buildability of software? Is a developer required to do
>>> say static analysis before checking in?
>>>
>>> Should test plans be reviewed outside of QA (and not the repeat-after-me
>>> business buy-in)
>>>
>>> Is there an ideal ratio between functional and negative testing?
>>>
>>> If there is maturity, how can we measure the scalability of the process?
>>> ************************************************************
>>> This communication, including attachments, is for the exclusive use of
>>> addressee and may contain proprietary, confidential and/or privileged
>>> information.  If you are not the intended recipient, any use, copying,
>>> disclosure, dissemination or distribution is strictly prohibited.  If you
>>> are not the intended recipient, please notify the sender immediately by
>>> return e-mail, delete this communication and destroy all copies.
>>> ************************************************************
>>>
>>> _______________________________________________
>>> SAMM mailing list
>>> SAMM at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/samm
>>
>>
>> _______________________________________________
>> SAMM mailing list
>> SAMM at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/samm
>>
>
>
>
> --
> Christian Frichot
> Perth OWASP Chapter
> e: xntrik at gmail.com
> w: http://un-excogitate.org
>
>
> _______________________________________________
> SAMM mailing list
> SAMM at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/samm
>
>

-- 
Rohit Sethi
Security Compass
http://www.securitycompass.com
twitter: rksethi