[SAMM] SAMM in real world

Moulay Abdsamad Belghiti abdsamad.belghiti at gmail.com
Wed Sep 29 15:29:53 EDT 2010


Dear James,
Thank you.
The 80/20 rule you mentioned will certainly fulfill the needs.
About partners, actually most of them will not go through SAMM's activities,
in order to deliver on time/on budget.
The first time we talked about penalties for security flaws, we put in the SLA
the assurance level required on an ASVS basis, or the compliance required with the
Top 10. And this seems to make sense for everyone.
Taking the issue through compliance seems to be more effective, as long as
software security still appears counterproductive.
But I will come back later to share some feedback about SAMM.
Thank you again.
MAB

2010/9/27 James McGovern <JMcGovern at virtusa.com>

>  Responses inline
>
>
>
> James McGovern
> Insurance SBU
> Virtusa Corporation
> 100 Northfield Drive, Suite 305 | Windsor, CT | 06095
> Phone: 860 688 9900 Ext: 1037 | Facsimile: 860 688 2890
>
> From: samm-bounces at lists.owasp.org [mailto:samm-bounces at lists.owasp.org] On Behalf Of Moulay Abdsamad Belghiti
> Sent: Sunday, September 26, 2010 11:15 AM
> To: samm at lists.owasp.org
> Subject: [SAMM] SAMM in real world
>
>
>
> Hi,
>
>
>
> I'm trying to apply SAMM in 2 large companies (energy, insurance); things
> are becoming much more complex than expected. Below are some issues I'm now facing.
>
>    1. "discontinuous" levels: for example, the company is reaching level 2
>    on Policy & Compliance, but nothing at level 1... how to represent the
>    maturity level?
>
>    This is normal in most large organizations. If you are using
>    SAMM at the "enterprise" level, I think the question is more about what 80% do
>    and not the outliers. Otherwise, you could take SAMM and produce it on a
>    division by division basis.
>
>    2. "variable" levels: the company no longer develops, nor hosts, its
>    software; outsourcing and 3rd parties are the rule. But the company still
>    owns and manages the risk, IT risk, both technical and business... how can we
>    estimate the level with so many stakeholders?
>
>    A company does not have to
>    develop software in order to align. What they may need to do is to ensure
>    that their partners are doing it on their behalf. If you were to look at
>    their outsourcing agreement in the software development space, is any form
>    of security lifecycle mandated in the contract? Have the outsourcing firms
>    trained their staff in secure coding practices, etc.?
>
>  For point 1, discontinuous levels, I thought about 2 solutions:
>
>    - Introducing "minus" levels: 1- 2- 3-
>    1+ 2+ 3+ describe "up-achievement" of the levels, while 1- 2- 3-
>    describe "down-achievement".
>    - Using a "vector" of 3 level-points: 0 1 0 <=> level 1 ko, level 2 ok,
>    level 3 ok
>    (in this case 1+ 2+ 3+ are not necessary); further, we can imagine a %
>    for each point, leading us to represent the maturity level in a radar
>    diagram.
>
>  Obviously, this makes the representation more complex, but it seems to be more
> realistic.
>
>
>
> Experience feedback would be appreciated.
>
>
>
> Thank you,
>
> MAB
>
> NB: I'm really impressed by the work done in SAMM; thank you to the
> contributors and to Pravir for this job.
>
>
>
> -------
>
> Moulay Abdsamad Belghiti
>
> Application security consultant, Paris
>
>
> _______________________________________________
> SAMM mailing list
> SAMM at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/samm
>
>
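The per-level "vector" and the plus/minus notation proposed in the quoted message can be computed rather than eyeballed. The following is an added example (not code from the thread, OWASP or SAMM): it scores each practice as a vector of level achievements, reads off the conventional contiguous level, flags "discontinuous" profiles such as level 2 met while level 1 is not, renders the "n+"/"n-" notation, and emits a percentage per practice for a radar chart. The assessment data, the 80% threshold for calling a level "ok", and the meaning given to "n+" and "n-" are assumptions made for the example.

```python
"""Represent SAMM practice maturity as a per-level vector instead of a single
level, so a "discontinuous" profile (level 2 met, level 1 not) stays visible.
Added example; the assessment data below is constructed, not from the thread."""
from statistics import mean

# Constructed assessment (assumption, not real data): fraction of each level's
# success metrics met per practice; index 0..2 = SAMM levels 1..3.
ASSESSMENT = {
    "Policy & Compliance": [0.0, 1.0, 0.0],    # discontinuous: L2 met, L1 not
    "Education & Guidance": [1.0, 0.6, 0.0],   # L1 met, partial work on L2
    "Security Requirements": [1.0, 1.0, 0.25],  # L1 and L2 met, L3 started
    "Code Review": [0.0, 0.0, 0.0],            # nothing in place
}

THRESHOLD = 0.8  # assumption: a level counts as "ok" once >= 80% of its metrics are met


def level_vector(scores, threshold=THRESHOLD):
    """The 'vector of level-points' from the thread: 1 if the level is ok, else 0."""
    return [1 if s >= threshold else 0 for s in scores]


def contiguous_level(vec):
    """Conventional SAMM reading: highest level with every lower level also ok."""
    level = 0
    for ok in vec:
        if not ok:
            break
        level += 1
    return level


def highest_level(vec):
    """Highest ok level regardless of gaps below it."""
    return max((i + 1 for i, ok in enumerate(vec) if ok), default=0)


def is_discontinuous(vec):
    """True when a higher level is met while a lower one is not."""
    return highest_level(vec) > contiguous_level(vec)


def notation(scores, threshold=THRESHOLD):
    """Plus/minus notation (interpretation assumed for this example):
    'n-' when level n is reached but a lower level is not ('down-achievement'),
    'n+' when level n is complete and n+1 is partially done ('up-achievement'),
    otherwise the plain contiguous level 'n'."""
    vec = level_vector(scores, threshold)
    base, top = contiguous_level(vec), highest_level(vec)
    if top > base:
        return f"{top}-"
    if base < len(scores) and 0 < scores[base] < threshold:
        return f"{base}+"
    return str(base)


def radar_score(scores):
    """Percentage for one radar-chart axis: mean achievement across the 3 levels."""
    return round(100 * mean(scores), 1)


def assess(assessment=ASSESSMENT, threshold=THRESHOLD):
    """Build the per-practice report used for the radar diagram and the notation."""
    report = {}
    for practice, scores in assessment.items():
        vec = level_vector(scores, threshold)
        report[practice] = {
            "vector": vec,
            "level": contiguous_level(vec),
            "notation": notation(scores, threshold),
            "discontinuous": is_discontinuous(vec),
            "radar": radar_score(scores),
        }
    return report


if __name__ == "__main__":
    for practice, r in assess().items():
        print(f"{practice:22} vector={r['vector']} level={r['level']} "
              f"notation={r['notation']:>2} discontinuous={r['discontinuous']!s:5} "
              f"radar={r['radar']:5.1f}%")
```

With the constructed data, "Policy & Compliance" comes out as vector [0, 1, 0], conventional level 0, notation "2-" and flagged discontinuous, which is exactly the profile the message says a single level number cannot express; the radar percentages give the per-practice view an enterprise-level (80%) reading can be drawn from.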