Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

3/31/2009
05:04 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Open-Source Security Software Assurance Maturity Model Debuts

OpenSAMM helps organizations formulate a software security strategy tailored to their specific information security risks

San Diego, CA, March 25, 2009 " Many organizations struggle with how to effectively incorporate information security into software development projects, largely due to time and budget constraints. Today, software security expert Pravir Chandra of Cognosticus announced the launch of OpenSAMM, a framework to help organizations formulate a software security strategy tailored to their specific information security risks. OpenSAMM is a prescriptive security framework with sequential, measurable goals that can be used by small, medium and large organizations in any type of business that involves software development.

"While there have been a number of secure development approaches, we wanted to create something that was adaptable and could work in tune with an organization's business goals and risk tolerance," said Pravir. "OpenSAMM is a resource that businesses can use right off the shelf without the need for expensive consultants. It's simple, well-defined, measurable, and enables iterative improvement."

OpenSAMM maps all security related activities under four business functions that are inherent to software development: Governance, Construction, Verification, and Deployment. There are three security practices mapped to each business function and these are the silos for improvement within an organization.

"OpenSAMM has defined the building blocks for effective software security assurance," said Matt Bartoldus, a Director at Gotham Digital Science, an information security consulting firm that works with clients to identify, prevent, and manage security risks and is using OpenSAMM with clients.

"Our clients can use the model to see what needs to be done and what skills and resources are needed to do the job. Best of all, businesses can use OpenSAMM to quantify results and improvements by assessing practices against SAMM activities."

OpenSAMM is useful to any organization that develops software, whether for internal or external use. This includes independent software vendors, online services providers, financial services organizations and government organizations.

One of OpenSAMM's main goals is to build industry standards for software assurance. Though created by Pravir, OpenSAMM was a collaborative effort. "I spent six months getting some of the most experienced practitioners in the industry to review the model and provide feedback. All OpenSAMM content is and will remain vendor-neutral and freely available for all to use," said Pravir, who is an OWASP contributor and member of OWASP Global Projects Committee.

Previous methods have been software lifecycle approaches that require companies to change their development process, are only suitable for large firms with large budgets, are limited to certain types of software, or tie clients to a particular vendor's products.

"From a consultant's perspective, it's impressive to our clients that OpenSAMM has been approved not only by us but also by a number of our industry peers," said Matt. "Plus, its versatility enables us to apply it to our full range of clients, regardless of the size, type of software or method of development.

"OpenSAMM is also presented in a way that makes it easy to get buy-in from our clients. You don't need to be a security expert to understand OpenSAMM's value to your business".

About OpenSAMM

The SAMM project was originally created by Pravir Chandra, Principle Consultant at Cognosticus, OWASP contributor and member of the OWASP Global Projects Committee. For more information on OpenSAMM or to download a copy, please visit http://www.opensamm.org/.

About Gotham Digital Science

Gotham Digital Science (GDS) is an information security consulting firm that works with clients to identify, prevent, and manage security risks. GDS specializes in security testing, software security, and risk management and compliance. GDS develops tools that solve specific security issues and offers a number of security training programs for IT professionals. With offices in New York and London, Gotham Digital Science can seamlessly assist clients on both sides of the Atlantic. For more information, visit our website at http://www.gdssecurity.com.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31755
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setmac allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31756
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /gofrom/setwanType allows attackers to execute arbitrary code on the system via a crafted post request. This occurs when input vector controlled by malicious attack get copie...
CVE-2021-31757
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setVLAN allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31758
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setportList allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31458
PUBLISHED: 2021-05-07
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handlin...