[Owasp-leaders] SAMM Self Assessment Tool

Christian Frichot christian.frichot at owasp.org
Wed Oct 23 06:09:10 UTC 2013

Hi All,

Just wanted to share with you a quick tool that I've put together to
provide a quick way for people to self-assess against OpenSAMM.

Keen to know your thoughts, and how best I can incorporate it back into the
OpenSAMM project.

Originally posted at

==== Say 'Hi' to the SAMM Self Assessment Tool ====

Asterisk are happy to be releasing their first public beta of the SAMM Self
Assessment Tool, or SSA. One of our favourite OWASP projects is the
OpenSAMM project, and for those who haven't seen OpenSAMM before, it is a
framework to help organisations to evaluate their current software security
practices, and build measurable targets and plans for improving these

Part of OpenSAMM includes conducting assessments (you can't manage what you
can't measure right?). The OpenSAMM methodology categorises these
assessments as either Lightweight or Detailed. SSA aims to provide a very
simple way to perform this Lightweight assessment, and compare your current
status with some pre-canned target states. And literally, that's it.

We've used this tool on a number of engagements to quickly gauge where an
organisation is, and it's certainly helped with figuring out the 'current
state' of an organisations software security maturity.

There's currently two different ways you can use SSA:
 1. You can visit https://ssa.asteriskinfosec.com.au/ and complete the
checklist directly. You don't even have to save your assessment anywhere if
you don't want. On the other hand, if you want to store your results,
there's a few ways to do that, such as in your cookies or online in a
database. For online storage you need to Sign Up, either with a username
and password (please don't re-use your passwords folks), or you can sign in
with a Google account too.
 2. Clone a copy of the Rails app and spin it up somewhere locally. We
recognised quite early on that some organisations may feel uncomfortable
with tracking this sort of information on the Internet, so, if you have the
capability, sure, feel free to clone the repository locally and do what you
wish. https://github.com/AsteriskLabs/ssa

SSA is being released under an MIT license, and our intent is to give it
back to the OWASP community for further enhancements. We have a high level
list of proposed features available on the GitHub page, but currently
they're being developed on a 'When Christian Has Time and is Sober'


Cheers all!

-Christian '@xntrik' Frichot

Perth OWASP Chapter
christian.frichot at owasp.org
xntrik at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20131023/fb25af4f/attachment-0001.html>

More information about the OWASP-Leaders mailing list