
samm's Introduction

OWASP SAMM HAS MOVED!

OWASP SAMM has moved to a new organization: https://github.com/owaspsamm. There you will now find both the core model as well as all derived projects.

If you're looking for documents related to OWASP SAMM, you can find them in the project's Google Drive.

This repository has been archived. You can still browse all the historical information up to and including version 2.0 here; all new development takes place in the new organization.

samm's People

Contributors

23bartman, bavariablue, brampat, brettcrawley, connorcarr, dancornell, dependabot[bot], diniscruz, dkefer, dnull, fzipi, hkparekh, infosecdad, itscooper, johanlindfors, johndileo, johnellingsworth, kefish, makelam, michsec, nessimk, omerlh, pat-duarte, rewtd, robvanderveer, sath9600, sebadele, sebarriada, wurstbrot, yanfosec


samm's Issues

review g-education-guidance

explain CBT

check secure design principles list "Least Privilege, Defense-in-Depth, Fail Secure (Safe) Complete Mediation, Session Management, Open Design, and Psychological Acceptability" (is there an OWASP project/reference for this)

consider direct references to projects (e.g. WebGoat or Juice Shop) to ensure the text stays timeless for the next 10 years (?)

maturity 2

  • bullets are not aligned
  • include managers in target group?
  • update on a "regular" basis instead of on an annual basis

maturity 3 (or 2):
include in onboarding process
based on the criticality of the application, developers can only start coding/committing after completing the training

instead of
While the complete training may be unnecessary on an annual basis ...
While updating the complete training may be unnecessary on an annual basis ...

instead of
... develop these roles as Information Security subject-matter experts.
... develop these roles as Software Security subject-matter experts.

  • "Instructor-led" not "Instructor-lead"
  • "The organization should include cover..." - I'm not sure what the intended meaning is, so not sure how to correct.

organisation and culture:
Add organisation of internal security events and participation in external communities (such as OWASP chapters) as part of Organization and Culture?

SW security instead of "information security" ?
"liaison" instead of "liase on"

include security as part of the "culture" for everyone?

review d-threat-assessment.md

instead of:
"Build a set of questions and distribute these to the persons performing these risk evaluations."
=>
Include these questions as part of a specification or feature request phase of a new application.
add more guidance on the questions: compliance? example questions? ...

"As an organisation, you want to spend your security effort where it matters."
=> "As an organisation, you want to spend your security resources where it matters."
more part of the introduction of SAMM?

explain "risk profiles" - what does this mean?

make level 3 more strict ?
instead of "periodically":
for every change - how does this affect the risk profile of the application?
and review them at least once per year?

  • look at NIST model - data classification "inherits" ...
  • consider point system?

Is http://www.opensamm.org still an official site?

If yes, then it's highly outdated; I will be happy to help update it.
If no, then it would be worth adding the link to the OWASP wiki site on the homepage itself, as that site bubbles up in Google search and folks may not realize that there are newer versions of the model out there.

Page format for printing

If someone wants to print the opensamm v1.1 in A4 page size to give out as handouts in printed form, that's not really simple, since the current format is 2 pages per 1 physical page. Can you please upload normally formatted opensamm documents, so that if someone wants a 2:1 layout like now, he can simply select that while printing? Reversing the current format from 2:1 to 1:1 layout is difficult.

Thank you,
Tonimir Kisasondi

review i-secure-build

secrets management - make clear that this is for the build stage (there is a secrets mgmt stream as part of the deploy stage later on)

consider including security testing tools already in maturity level 1?

typo:
Ideally, handle code singing = signing

L3
consider "defect acted upon within SLA" instead of breaking the build
add "filter" to not break the build afterwards when treating/accepting the defect
not only static testing?
expand "custom ruleset" more? regression checking with rules as part of the static testing.
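As an added example (not code from the SAMM project or from this issue's author), the following Python sketch shows one way to implement the "defect acted upon within SLA" gate together with the "filter" the comment asks for: a finding only breaks the build once it has been open longer than its severity's SLA and is not covered by an unexpired, ticketed risk acceptance. The SLA values, the finding and acceptance record formats, and the sample findings are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Assumed remediation SLA in days per severity; a real policy would set these.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    rule_id: str      # scanner rule that fired (assumed identifier scheme)
    location: str     # file:line where it fired
    severity: str
    first_seen: date  # when the scanner first reported it (tracked across builds)


@dataclass(frozen=True)
class AcceptedRisk:
    rule_id: str
    location: str
    expires: date     # the acceptance must be re-reviewed after this date
    ticket: str       # reference to the recorded risk decision


def is_covered(finding: Finding, accepted: list, today: date) -> bool:
    """True if an unexpired, ticketed acceptance matches this exact finding."""
    return any(
        a.rule_id == finding.rule_id
        and a.location == finding.location
        and a.expires >= today
        and a.ticket.strip() != ""
        for a in accepted
    )


def is_overdue(finding: Finding, today: date) -> bool:
    """True once the finding has been open longer than its severity's SLA."""
    sla = SLA_DAYS.get(finding.severity.lower())
    if sla is None:
        return True  # unknown severity: fail closed rather than ignore it
    return (today - finding.first_seen).days > sla


def evaluate(findings, accepted, today):
    """Gate decision: (break_build, overdue_uncovered, suppressed_by_acceptance).

    Findings still inside their SLA are reported but do not break the build;
    only overdue findings without a valid acceptance do.
    """
    overdue, suppressed = [], []
    for f in findings:
        if is_covered(f, accepted, today):
            suppressed.append(f)
        elif is_overdue(f, today):
            overdue.append(f)
    return bool(overdue), overdue, suppressed


# Constructed sample input (not real scanner output).
SAMPLE_TODAY = date(2020, 3, 1)
SAMPLE_FINDINGS = [
    Finding("java.sql-injection", "src/Dao.java:42", "critical", date(2020, 2, 10)),  # 20 days > 7: overdue
    Finding("java.weak-random", "src/Token.java:17", "medium", date(2020, 2, 20)),    # 10 days < 90: in SLA
    Finding("java.xxe", "src/Parser.java:88", "high", date(2020, 1, 1)),              # overdue but accepted
    Finding("java.path-traversal", "src/Files.java:9", "high", date(2019, 12, 1)),    # acceptance expired
]
SAMPLE_ACCEPTED = [
    AcceptedRisk("java.xxe", "src/Parser.java:88", date(2020, 6, 30), "RISK-17"),
    AcceptedRisk("java.path-traversal", "src/Files.java:9", date(2020, 1, 31), "RISK-3"),
]


def run_sample():
    return evaluate(SAMPLE_FINDINGS, SAMPLE_ACCEPTED, SAMPLE_TODAY)


if __name__ == "__main__":
    break_build, overdue, suppressed = run_sample()
    for f in overdue:
        print(f"OVERDUE  {f.severity:8} {f.rule_id} at {f.location}")
    for f in suppressed:
        print(f"ACCEPTED {f.severity:8} {f.rule_id} at {f.location}")
    raise SystemExit(1 if break_build else 0)
```

The acceptance filter is keyed on rule and exact location and carries an expiry, so a suppression cannot silently outlive the decision behind it, and an unknown severity is treated as overdue so that a misconfigured scanner fails the gate rather than bypassing it.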

P&C - update

update P&C streams into separate policies / compliance streams (now there is overlap)

feedback S&M - Timo

As SAMM has a security practice "Secure Build" the name "Build" is now reserved for software builds.
I recommend renaming "A: Build and Promote" (from metrics) to something else like "A: Create and Promote" or "A: Gather and Promote".

assessments updates

  • depth vs breadth + percentages? slider in UX
  • adding role
  • "simplified / standalone" questions per role?
  • in-depth assessments / proof / testability?

I - Secure Build - Repository Considerations

Repository Operations.
Level 1 – There are a number of organizations I can think of that don't have central code repositories; should something like this be included in the baseline functionality?
Level 2 – Apply repository hooks to invoke craftsmanship checks, i.e. linting, executing tests, test coverage
Level 3 – centralized build

Operations - Incident Detection

We should consider incorporating:
Application instrumentation as the means for identifying active attacks, abuse of specific application functionality, and other abnormal application behavior.

Example: Business Logic abuse such as a peak of a specific functionality over time.

This is a real-time monitoring requirement.

Level 2 or 3 (likely 3)
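As an added example that is not part of this issue or of SAMM, the following Python code shows the kind of application instrumentation the comment describes: calls to each business function are counted per fixed window, each window is compared against a baseline built from that function's own earlier windows, and a function whose call rate spikes far above its norm (the "peak of a specific functionality over time") is reported with the user driving it. The event format, one-minute windows, the thresholds and the sample events are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import NamedTuple


class Alert(NamedTuple):
    function: str
    window: datetime
    count: int
    baseline_mean: float
    top_user: str
    top_user_calls: int


def make_sample_events():
    """Constructed instrumentation events: (timestamp, user, business function).

    Ten quiet minutes, then one user hammers transfer_funds in minute eleven.
    """
    base = datetime(2020, 3, 1, 9, 0)
    events = []
    for minute in range(10):
        t = base + timedelta(minutes=minute)
        for i in range(3):
            events.append((t + timedelta(seconds=15 * i), f"user{i}", "transfer_funds"))
        for i in range(20):
            events.append((t + timedelta(seconds=2 * i), f"user{i}", "view_balance"))
    spike = base + timedelta(minutes=10)
    for i in range(60):
        events.append((spike + timedelta(seconds=i), "user7", "transfer_funds"))
    for i in range(20):
        events.append((spike + timedelta(seconds=2 * i), f"user{i}", "view_balance"))
    return events


def bucket_by_minute(events):
    """function -> window start -> Counter(user -> calls); one-minute windows (assumed)."""
    buckets = defaultdict(lambda: defaultdict(Counter))
    for ts, user, func in events:
        buckets[func][ts.replace(second=0, microsecond=0)][user] += 1
    return buckets


def detect_spikes(events, min_baseline_windows=5, z_threshold=4.0, min_count=10):
    """Flag windows whose call count for a function far exceeds its own history.

    The baseline for each window is built only from earlier windows, so the
    spike itself does not inflate the baseline. max(sigma, 1.0) keeps a flat
    history (sigma == 0) from turning any small change into an alert, and
    min_count ignores tiny absolute numbers.
    """
    alerts = []
    for func, per_window in bucket_by_minute(events).items():
        windows = sorted(per_window)
        totals = [sum(per_window[w].values()) for w in windows]
        for i, w in enumerate(windows):
            history = totals[:i]
            if len(history) < min_baseline_windows:
                continue
            mu, sigma = mean(history), pstdev(history)
            if totals[i] >= min_count and totals[i] > mu + z_threshold * max(sigma, 1.0):
                top_user, top_calls = per_window[w].most_common(1)[0]
                alerts.append(Alert(func, w, totals[i], float(mu), top_user, top_calls))
    return alerts


if __name__ == "__main__":
    for a in detect_spikes(make_sample_events()):
        print(f"{a.window:%H:%M} {a.function}: {a.count} calls vs baseline ~{a.baseline_mean:.1f}, "
              f"top user {a.top_user} ({a.top_user_calls} calls)")
```

On the sample the steady view_balance traffic produces no alert, while transfer_funds at 09:10 is flagged with user7 as the source; a production version would key the baseline by time of day or day of week so that normal seasonality is not mistaken for abuse.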

review Data Protection

is "Yes, for most or all" answer a sign of higher maturity?
but what about GDPR (= minimal requirement)

L2 seems "easier" than the L1 activity? But there is a logical dependency/order?

possibly combine L1/2 and increase maturity?

classification of data?

consider privileged user access (and possibly recording/tracing their activities)?

Automated patching

Do you have to make use of automated patching solutions (where available) at a certain level of maturity?

Where does attack prevention go?

Is it related to incident response? Does it need its own activity stream?
Automated attack prevention
Automated incident response (e.g. RASP [Runtime Application Self-Protection Security], Phantom, Demisto)

review Requirements Driven Testing

Typo: A ... at the end of L1

ASVS - 180 requirements?
When are these triggered? Once each year, or once? Add a frequency (yearly or with new features)

"application's use of the controls" not "applications user of the controls"

fix references in the text

OWASP T10 - too web-based (make this an example) - what about IoT?

L2
frequency or when are the tests done?

L3
typo - .vA generic security test s

also consider regression testing as part of end-to-end testing?
or less specific in the headline
e.g. mutation tests ...
like "enforce security regression testing"

abuse level 1

  • typo - FuzzDB*)

reference - typo [19] ?

less absolute: logical tests cannot be discovered with tools

format the bullet list

DoS
too concrete? only level 3?
look at the process? review with CMM in mind?

review picture - include DOS in earlier stages and add text from picture as L3

Bug Bounties

@SebaDele what do you think about including bug bounties somewhere? I don't think we've discussed them as far as I can think. Asking you as verification might be the right place, but I'm not sure. It's often considered an alternative to pentesting (activity stream B).

On the other hand, I suppose it's something you do after you've gone live? So it has more to do with operations? Or are there reasons to leave it out entirely?

What do you think?

Development Ownership Ideas

Development Ownership:
Level 1 – every application must have defined ownership from a developer perspective
Level 2 – leverage ownership approval for any change via review boards
Level 3 – extend ownership roles to owners, delegates, operations and provide clearly defined roles.

Error in "OpenSAMM_Assessment_Toolbox_v1-1-Final" doc, in "Roadmap Chart" tab due to regional decimal settings


WHERE
In the document https://github.com/OWASP/opensamm/blob/master/v1.1/Final/OpenSAMM_Assessment_Toolbox_v1-1-Final.xlsx in the tab "Roadmap Chart" in the cells "B10:B21"

WHAT
The "Start" value shows an error when the security practice score contains the character "+" and the regional settings have the decimal symbol set to comma ","


HOW TO RECREATE
[Recreated on Windows 8.1 and Excel 2016]

  1. Go to Windows Control Panel -> Clock, Language and Region -> Region
  2. Click on "Additional settings..." button
  3. Set decimal symbol to ",". Click "Ok" button. Click "Ok" button again.
  4. In the Excel document, go to "Interview" tab
  5. Set the value "Yes" in cell: E18,
  6. Set the value "No" in cells: E23, E28, E35, E41, E44, E48 and E56. (The cell I18 must be set to value "0+")
  7. Go to "Roadmap Chart" tab

ERROR: The cell B10 is showing the error message "#VALUE!"
EXPECTED: The cell B10 must show the value "0,5"

SUGGESTED FIX
Fix the formula in the cells B10:B21 by replacing the ".5" with 1/2.

Example to fix cell B10: replace the original formula with the corrected one (the two formula screenshots from the issue are not reproduced here).
