BSIMM activities mapped to SAMM


For the impatient, click here to download the mapping spreadsheet. For those still reading… Firstly, many thanks to the OWASP community for hosting the fantastic OWASP Summit 2011 in Lisbon, Portugal a few weeks back. This was a fantastic forum for us to hold OpenSAMM working sessions to discuss experiences and potential improvements to the model. Over the course of the week, we were able to build up a list of additions/changes we’d like to make in the next release, but I’ll cover those in more detail under separate cover.

The main thing I want to share now is an activity-level mapping of the ~110 BSIMM2 activities to the corresponding 72 activities in SAMM. Obviously, this means that in some cases, more than one BSIMM activity may be mapped to a single SAMM activity. That being said, the overlap spots seem to make sense when we (the ~10 people that worked on it) looked at them in detail. Don’t take our word for it, though; please do review and send any feedback (mailing list or just comment below). And before you ask, yes, you probably will have to go read the respective BSIMM and SAMM activity descriptions in order to see the linkage for some of them (given the occasionally imprecise nature of written language, it’s not always obvious from the activity names alone).

It’s worth noting that we did leave two BSIMM activities unmapped. They are SM 3.2 “run external marketing program” and T 3.3 “host external software security events”. Based on the experience of the working group participants, these activities did not appear to directly improve an organization’s software assurance posture; rather, they appeared to be evidence that the organization was using its (presumably mature) software assurance posture to bolster its public perception or generate additional value in the business. Again, this is totally up for debate if anyone has an argument the other way, so please do share your thoughts.

Last, but certainly not least, I’d like to thank all the people at the Summit for the detailed and thoughtful conversations about using SAMM and about what we can do to make it even better.  Specifically, those that contributed and helped review this mapping (in no particular order):

  • Colin Watson
  • Seba Deleersnyder
  • Steven van der Baan
  • Bart De Win
  • Justin Clarke
  • Dan Cornell
  • Sherif Koussa
  • Brian Chess

 


  1. #1 by cmlh - March 9th, 2011 at 16:20

    @Pravir,

    Is this the published/Final version of the spreadsheet that was initially created by Bart De Win?

  2. #2 by Pravir Chandra - March 17th, 2011 at 21:52

    We definitely looked at it, but this was a mapping that Brian and I started and we finished and reviewed in some detail at the working session during the OWASP Summit. As someone who has looked into this stuff pretty closely, what do you think?

  3. #3 by cmlh - April 1st, 2011 at 18:06

    @Pravir,

    Pravir Chandra :
    We definitely looked at it, but this was a mapping that Brian and I started and we finished and reviewed in some detail at the working session during the OWASP Summit. As someone who has looked into this stuff pretty closely, what do you think?

    I fully support the creation of more bodies of work like this as it provides a reference to QA my own research and assists with showing support for reaching a consensus of the touchpoints of BSIMM to OpenSAMM and vice versa.
