[Owasp-leaders] SAMM Self Assessment Tool

Christian Frichot christian.frichot at owasp.org
Wed Oct 23 07:26:57 UTC 2013

Hey Seba,

Certainly very interested!

Keen to see this become either a project or sub-project of OpenSAMM.

And very keen to see further system and OWASP integration (i.e., provide
links or tips to OWASP materials, or provide easier ways to get deeper access
to SAMM material, etc.).



On Wed, Oct 23, 2013 at 3:13 PM, Seba <seba at owasp.org> wrote:

> Hi Christian,
> That is just *awesome*. I will definitely add this to our upcoming SAMM
> tools/resources wiki section.
> We would love to integrate this tool in the OpenSAMM project and host it
> on the OWASP infrastructure.
> Can you help us with that?
> thank you!
> Kind regards
> Seba
> On Wed, Oct 23, 2013 at 8:09 AM, Christian Frichot <
> christian.frichot at owasp.org> wrote:
>> Hi All,
>> Just wanted to share with you a quick tool that I've put together to
>> provide a quick way for people to self-assess against OpenSAMM.
>> Keen to know your thoughts, and how best I can incorporate it back into
>> the OpenSAMM project.
>> Originally posted at
>> http://labs.asteriskinfosec.com.au/samm-self-assessment-tool/
>> ==== Say 'Hi' to the SAMM Self Assessment Tool ====
>> Asterisk are happy to be releasing their first public beta of the SAMM
>> Self Assessment Tool, or SSA. One of our favourite OWASP projects is the
>> OpenSAMM project, and for those who haven't seen OpenSAMM before, it is a
>> framework to help organisations to evaluate their current software security
>> practices, and build measurable targets and plans for improving these
>> practices.
>> Part of OpenSAMM includes conducting assessments (you can't manage what
>> you can't measure right?). The OpenSAMM methodology categorises these
>> assessments as either Lightweight or Detailed. SSA aims to provide a very
>> simple way to perform this Lightweight assessment, and compare your current
>> status with some pre-canned target states. And literally, that's it.
>> We've used this tool on a number of engagements to quickly gauge where an
>> organisation is, and it's certainly helped with figuring out the 'current
>> state' of an organisation's software security maturity.
>> There are currently two different ways you can use SSA:
>> 1. You can visit https://ssa.asteriskinfosec.com.au/ and complete the
>> checklist directly. You don't even have to save your assessment anywhere if
>> you don't want. On the other hand, if you want to store your results,
>> there's a few ways to do that, such as in your cookies or online in a
>> database. For online storage you need to Sign Up, either with a username
>> and password (please don't re-use your passwords folks), or you can sign in
>> with a Google account too.
>> 2. Clone a copy of the Rails app and spin it up somewhere locally. We
>> recognised quite early on that some organisations may feel uncomfortable
>> with tracking this sort of information on the Internet, so, if you have the
>> capability, sure, feel free to clone the repository locally and do what you
>> wish. https://github.com/AsteriskLabs/ssa
>> SSA is being released under an MIT license, and our intent is to give it
>> back to the OWASP community for further enhancements. We have a high level
>> list of proposed features available on the GitHub page, but currently
>> they're being developed on a 'When Christian Has Time and is Sober'
>> timescale.
>> ====
>> Cheers all!
>> -Christian '@xntrik' Frichot
>> Perth OWASP Chapter
>> christian.frichot at owasp.org
>> xntrik at gmail.com
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
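The announcement above describes the tool's core function in one sentence: score the organisation against OpenSAMM and compare the result with a target state. The following Ruby script is an added illustration of that lightweight gap check, written for this archive page; it is not code from the SSA repository. The four business functions and twelve security practices are those of OpenSAMM 1.0; the "current state" and "target" profiles are constructed sample data, and the SSA tool's own pre-canned target profiles are not reproduced.

```ruby
# Added illustration of an OpenSAMM "lightweight" self-assessment gap check.
# Not code from the SSA project: it models only what the announcement
# describes (score each practice at maturity level 0..3, compare to a target).

# The four business functions and twelve practices are from OpenSAMM 1.0.
SAMM_PRACTICES = {
  "Governance"   => ["Strategy & Metrics", "Policy & Compliance", "Education & Guidance"],
  "Construction" => ["Threat Assessment", "Security Requirements", "Secure Architecture"],
  "Verification" => ["Design Review", "Code Review", "Security Testing"],
  "Deployment"   => ["Vulnerability Management", "Environment Hardening", "Operational Enablement"],
}.freeze

MAX_LEVEL = 3

# Reject an assessment that omits a practice or uses a level outside 0..3,
# so a half-filled checklist cannot silently read as "level 0 everywhere".
def validate_scores!(scores)
  expected = SAMM_PRACTICES.values.flatten
  missing = expected - scores.keys
  raise ArgumentError, "missing practices: #{missing.join(', ')}" unless missing.empty?
  scores.each do |practice, level|
    unless level.is_a?(Integer) && level.between?(0, MAX_LEVEL)
      raise ArgumentError, "#{practice}: level must be an integer 0..#{MAX_LEVEL}, got #{level.inspect}"
    end
  end
  scores
end

# Per-practice gap to the target. Exceeding the target is clamped to 0:
# being ahead in one practice does not offset a shortfall in another.
def practice_gaps(current, target)
  validate_scores!(current)
  validate_scores!(target)
  target.each_with_object({}) do |(practice, want), gaps|
    gaps[practice] = [want - current[practice], 0].max
  end
end

# Roll the gaps up per business function and list the practices still short.
def function_summary(current, target)
  gaps = practice_gaps(current, target)
  SAMM_PRACTICES.transform_values do |practices|
    open = practices.select { |p| gaps[p] > 0 }
    { "total_gap" => practices.sum { |p| gaps[p] }, "open" => open }
  end
end

# Constructed sample data: a fictional current state and a hypothetical target.
CURRENT_STATE = {
  "Strategy & Metrics" => 1, "Policy & Compliance" => 0, "Education & Guidance" => 1,
  "Threat Assessment" => 0, "Security Requirements" => 1, "Secure Architecture" => 1,
  "Design Review" => 0, "Code Review" => 1, "Security Testing" => 2,
  "Vulnerability Management" => 1, "Environment Hardening" => 2, "Operational Enablement" => 0,
}.freeze

TARGET_STATE = {
  "Strategy & Metrics" => 2, "Policy & Compliance" => 1, "Education & Guidance" => 1,
  "Threat Assessment" => 1, "Security Requirements" => 2, "Secure Architecture" => 1,
  "Design Review" => 1, "Code Review" => 2, "Security Testing" => 3,
  "Vulnerability Management" => 2, "Environment Hardening" => 1, "Operational Enablement" => 1,
}.freeze

if __FILE__ == $PROGRAM_NAME
  function_summary(CURRENT_STATE, TARGET_STATE).each do |function, s|
    puts "#{function}: gap #{s['total_gap']}, open: #{s['open'].join(', ')}"
  end
end
```

Run it with `ruby samm_gap.rb` (any filename). The per-function roll-up is the same shape a Lightweight assessment produces on paper: a practice scored above its target (Environment Hardening in the sample) contributes no negative gap, and a checklist with a missing or out-of-range score is rejected rather than scored.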