[Owasp-leaders] For public feedback - OWASP SAMMv2 alpha release

Seba seba at owasp.org
Wed Apr 4 18:35:54 UTC 2018


After a year of work by the SAMMv2 team, we now release the alpha version
of our new SAMMv2 framework.

Our objective is to update the SAMM framework taking into account the
following improvements:

1) clean out inconsistencies from the previous release;

2) a more logical flow of maturity levels of the security activities as
part of the SAMM practices;

3) take into account agile software development and DevOps practices;

4) decrease the number of "audit or quality gate" activities in the
previous framework.

A core team - with the help of many volunteers - has worked on the new
framework since the last OWASP summit in June 2017.

During that summit, we laid the foundations of version 2.0.

We then added more details to the draft version with a SAMM summit in
Reykjavik and extra online conference calls throughout 2017 and the last

The major changes are:

1) The addition of a new business function "Implementation", covering 3
security practices: Secure Build, Secure Deployment and Defect Management.

2) The introduction of 2 "Activity Streams" per security practice (this
replaces the A and B activities which did not have a logical relation in
the previous release). Each activity stream consists of 3 security
activities (increasing in maturity level).

The current draft framework is created in a spreadsheet as this provides a
better overview.

The final framework will be released in yaml format, with an updated
toolbox and document.

We now release the draft version for feedback, available here:

OneDrive: https://1drv.ms/x/s!Ag3u_YTLhehYgaNki2Voe0t-6UaGbw


We invite you to read the new framework and welcome all your feedback
(questions, remarks, update suggestions or typos)!

You can share your feedback:
   in our SAMM mailing list: https://lists.owasp.org/mailman/listinfo/samm

   in our SAMM Slack channel: https://owasp.slack.com/messages/C0VF1EJGH

   (preferred) through a feedback form:

   during our next SAMM project call on 11-April-2018

We will take into account all the feedback received by 19-April-2018.

Thank you!

Kind regards,

the SAMM team