We here at Cycode passionately advocate for protecting your source code and the secrets within it throughout its lifecycle and along all points of your supply chain, whether we’re telling you why You Should Care About Securing Your Source Code or warning you about The Bad Coding Habits That Leave Your Source Code Exposed. One of the first and best methods serving as a step toward that end is adhering to a reliable compliance model. The OWASP SAMM Framework is one such compliance model that we’re a big fan of.
All of the security software, encryption, and user restrictions in the world are of little importance if you don’t first have an official model of compliance — the rules of engagement — in place to ensure that everyone in your organization is on the same page and doing their part to protect your proprietary and secret information. In other words, a compliance model is about driving behavior. You need policies, standards, processes, and guidelines in place that align behavior across your organization.
A solid compliance model gives you a solid foundation to build from. Google SLSA and NIST SSDF are newer frameworks that have been created in the wake of the SolarWinds supply chain attack; these are important and outline current best practices, but they were both inspired by guidance from the OWASP SAMM Framework.
Who is OWASP?
OWASP is shorthand for the Open Web Application Security Project, which is a nonprofit foundation devoted to software security. OWASP has thousands of members scattered among hundreds of chapters across the world who support open source projects and provide educational conferences.
The OWASP Foundation was founded in 2001 and is supported by a combination of corporations, foundations, developers, and volunteers. Given the support of so many tech industry players and a global reach, the Foundation has become an authoritative voice in cyber security. For example, OWASP regularly publishes their Top Ten document that drives web application security awareness by highlighting the current top ten web application security risks. Many major organizations, books, and other publications that reference the OWASP Top Ten include MITRE, PCI DSS, the Defense Information Systems Agency, and the United States Federal Trade Commission, just to name a few.1
OWASP develops a wealth of various projects and reference material, but today we want to draw your attention to their SAMM project in particular.
What is the OWASP SAMM Framework?
SAMM is short for the Software Assurance Maturity Model, which is the software security compliance model OWASP developed, sponsored by various industry organizations.
In the Foundation’s own words:
“Our mission is to provide an effective and measurable way for all types of organizations to analyze and improve their software security posture. We want to raise awareness and educate organizations on how to design, develop, and deploy secure software through our self-assessment model.” 2
Adhering to industry best practices, especially when framed via a reliable and authoritative model, is always a more trustworthy method to guide your ship rather than simply making it all up as you go. Given the expertise, history, and industry backing OWASP brings to the table, SAMM is worth the cost of adoption. By implementing and strictly adhering to such a model within your organization, you can be confident that you are better prepared for threats to your source code.
A Simple Framework
While security is paramount, implementing a new framework throughout your software supply chain is no small task. What we like about SAMM is that it’s both very simple to understand — even without any technical know-how — and it’s very flexible. Whether you’re a small software startup or a large enterprise with multiple teams and functions involved in the development process, SAMM can be adapted to fit your needs and implemented in a manner that is as least disruptive as possible.
The OWASP SAMM Framework is built on twelve core security practices, grouped into five business functions, containing two streams (groups of activities), with each stream divided into three maturity levels.
The maturity levels are where the model molds around your particular business situation. What maturity level your organization is at depends on what security practices you already have in place. From there, it’s up to you what maturity level you want to achieve, which will vary from one organization to another. SAMM is thankfully not a one-size-fits-all solution and its flexibility is its main value driver.
SAMM is implemented in six steps, the first four of which can be performed by a single person within a couple of days.
Every security solution vendor wants to vie for a portion of your pocketbook (as do we — call us biased, but we believe Cycode is worth it). The OWASP SAMM Framework, however, is entirely free to implement and, like with all open-source projects we know and love, is community-supported. There’s no software to download or services to pay for.
Simply start with the quick start guide, then assess your organization’s situation and needs. OWASP even provides an assessment toolbox you can use for reference. There’s a free guide to help you ensure you implement SAMM in an Agile way, and you can find some free advice via their Slack and Google Groups communities.
The OWASP SAMM Framework, in Layman Terms
In our excitement, we’ve thrown a lot of benefits and links at you, but perhaps at this point you’re thinking, “Ok, sounds great — But I need a simple breakdown of what this is.” No problem!
First, the model has twelve security practices at the core of everything. A “practice” is a group of security-related activities.
SAMM groups these twelve activities into five business functions. You likely have different departments/functions/teams involved at different points in your software development lifecycle. These five business functions are spread across these groups. Everyone who touches your software has a responsibility.
Now, back to the practices themselves: Activities belonging to a single practice are divided into two “streams”. Each stream has an objective that can be reached in increasing levels of maturity.
Finally, activities fall into one of three maturity levels. Lower maturity activities are easier and less formal while higher ones are more complex and formalized.
So it essentially looks like this:
It doesn’t matter how simple or complex your organization is or how heavily technical the details get for your situation. This model will flex and adapt to meet your needs.
If you’re looking at this from the perspective of a leadership position, you’re probably now asking yourself “But what can go wrong with this?” If so, check out The Seven Deadly Sins of SAMM, by John Wood from SAMM’s recent User Day series of presentations.