[SAMM] Suggestion for enhancement to extend OpenSAMM for use by US DoD app developers

Christian Heinrich christian.heinrich at owasp.org
Sat Sep 4 21:34:57 EDT 2010


Michael,

Would conformance to DISA's Application Security and Development STIG
require a reduction of the scope of OpenSAMM?

If so, then the preferred outcome would be to consider OpenSAMM rather
than have their maturity increased so that they conform to a limited
number of controls specified in DISA's Application Security and
Development STIG.

Perhaps you could provide an example(s) of where OpenSAMM does not
provide guidance to a specific section(s) of DISA's Application
Security and Development STIG?

On Sun, Sep 5, 2010 at 12:44 AM, Boberski, Michael [USA]
<boberski_michael at bah.com> wrote:
> Hi Christian. The ASD STIG spans code, documentation, and lifecycle activities. Am suggesting a tailored extension to the OpenSAMM framework to assist dev teams attempting to make preparations to meet ASD STIG requirements by serving as a tailored handbook. Am perhaps incidentally providing an example of how OpenSAMM could be tailored for a given organization. The use case is a dev team is building something and it is subject to the ASD STIG among other STIGs, so they need to make deliberate preparations to comply, and such preparations can be explained in (closer to) plain English and, for example, teams can be organized according to OpenSAMM's taxonomy of business functions and activities, since the ASD STIG is otherwise an unsorted crazy quilt of different types of requirements, and dev teams subject to STIG requirements otherwise generally approach compliance as a panicked and unstructured exercise. I'm aware of all the various references. Such an extension certainly could/should be tied back to other OWASP solutions and also COTS and GOTS tools.


-- 
Regards,
Christian Heinrich - http://www.owasp.org/index.php/user:cmlh
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking