[SAMM] Suggestion for enhancement to extend OpenSAMM for use by US DoD app developers

Pravir Chandra chandra at owasp.org
Sat Sep 11 11:22:53 EDT 2010


Hey Christian.

If you can share any of that "bridge" work you've done with ISO, SAMM, and other webappsec standards, I would love to see it... And let me know if you'd like to spearhead a mapping exercise for one of those into SAMM to build up a companion guide!

p.



On Sep 3, 2010, at 10:11 PM, Christian Heinrich <christian.heinrich at owasp.org> wrote:

> Mike,
> 
> I briefly reviewed DISA's Application Security and Development
> STIG and it would appear to be more applicable to ASVS (i.e.
> controls) rather than OpenSAMM (i.e. maturity).  In your opinion, is
> there something missing from OpenSAMM that is included in DISA's
> Application Security and Development STIG from a maturity perspective?
> 
> OpenSAMM's intended audience is any organisation regardless of its
> size and/or market vertical, i.e. not just but including the US DoD.
> I have started to "bridge" various webappsec governance frameworks
> into the ISMS (i.e. ISO 2700x) for the NSW State Government which I
> believe is what you are proposing for the US DoD?
> 
> Do you have a URL for the presentation for
> http://www.owasp.org/index.php/DISA's_Application_Security_and_Development_STIG:_How_OWASP_Can_Help_You
> 
> On Sat, Sep 4, 2010 at 6:47 AM, Boberski, Michael [USA]
> <boberski_michael at bah.com> wrote:
>> I would like to suggest the following enhancement to extend OpenSAMM to
>> adapt it for use by US DoD custom app developers who have very specific
>> application security compliance requirements:
>> 
>> Just as there are e.g. SM1, SM2, SM3 which are generic in nature for each
>> business function, I would like to suggest the addition of e.g. SM1, SM2,
>> SM3, SM-DoD; PC1, PC2, PC3, PC-DoD; EG1, EG2, EG3, EG-DoD; and so on,
>> spanning OpenSAMM, where the additional component is specific to DISA's
>> Application Security and Development STIG requirements.
>> 
>> The “Results” list then contains mapped functionality/docs/activities; the
>> “Add’l Success Metrics” list then contains corresponding CAT severity of
>> mapped functionality/docs/activities; costs and personnel stay the same,
>> perhaps ideally replaced with Gov’t-speak versions of terminology/roles.
>> Perhaps add an additional “Prescribed Solutions” under “Personnel” before
>> “Related Levels”, that would do things like say use NIST validated this, NSA
>> allowed that, use DoD PKI, etc.
>> 
>> The idea would be that one could then use OpenSAMM as supporting material to
>> help guide a dev team through making preparations to comply with DISA's
>> Application Security and Development STIG.
> 
> -- 
> Regards,
> Christian Heinrich - http://www.owasp.org/index.php/user:cmlh
> OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
> _______________________________________________
> SAMM mailing list
> SAMM at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/samm

