[Owasp-leaders] [SAMM] Mapping OWASP projects on OpenSAMM practices

Colin Watson colin.watson at owasp.org
Mon Jun 24 14:12:20 UTC 2013


This is a very useful document, and at some point it should be shared
with the Leaders list - it highlights the large bias towards testing
tools and educational materials. Perhaps OWASP needs to call for
projects to fill in the gaps?

1) Perhaps there are some incubator projects which ought to be labs,
and that would allow us to add them into the matrix. The Cheat Sheet
series stands out, but there are probably others. Should we identify
suitable incubator projects and encourage them to progress up to labs
projects? My own OWASP Cornucopia could fit TA2 and SR2.

2) What about non-project things like the Appsec Guide for CISOs
(probably a SM2 and SM3)?

3) Should CLASP be mentioned?

4) Perhaps we need to fill the gaps with non-OWASP references too?


On 23 June 2013 19:21, Seba <seba at owasp.org> wrote:
> Dear,
> One of the OpenSAMM v1.1 improvements is better integration of OpenSAMM with
> the other OWASP projects.
> With this in mind I have started a mapping of the OWASP Flagship and Labs
> projects to the SAMM practices.
> A first draft of this mapping is available for your review on:
> https://docs.google.com/file/d/0B4cY8G2SHaWKNnE0V3lXZk90WWs/edit?usp=sharing
> Some thoughts:
> Most of the projects can easily be mapped to a specific SAMM Practice and
> Level.
> Other projects map to several SAMM Practices.
> There are some projects that do not map to any SAMM Practice.
> Coverage:
> I have calculated the coverage of SAMM Practices by OWASP projects (see 2nd
> worksheet "Coverage").
> Some Practices have no or very few projects.
> I would love to see more action on Threat Assessment & Security Requirements
> in the Construction Practices.
> The Deployment Practices also need more love and OWASP projects focusing on
> secure deployment of web applications.
> We welcome your input as comments on the spreadsheet, on the SAMM mailing
> list or to me directly (deadline: 7-July-2013).
> Thank you,
> Kind regards,
> Seba
