
OpenSAMM BSIMM-V5 Mapping

Seba Deleersnyder, seba@owasp.org, SAMM project co-leader

Thanks to:
• BSIMM for providing the observation data
• Luis Servin for updating the BSIMM mapping


BSIMM-V mapped
• Luis Servin updated the mapping of BSIMM-V to SAMM activities
• I added the observed data in the BSIMM sheet
• I did some Excel VBA scripting to map the other way around
• The detailed mapping is available in the “OpenSAMM Scorecard” sheet
• I have summed the observed data in the SAMM activities
• The Excel is available online



SAMM ScoreCard

Values: BSIMM-V observation data summed per SAMM activity; the activities are grouped by SAMM business function (Governance, Construction, Verification, Deployment).

Governance        Construction      Verification      Deployment
SM 1.A   21       TA 1.A   16       DR 1.A    0       VM 1.A    0
SM 1.B   34       TA 1.B   30       DR 1.B   56       VM 1.B   59
SM 2.A   26       TA 2.A   11       DR 2.A   10       VM 2.A   50
SM 2.B   20       TA 2.B    0       DR 2.B   24       VM 2.B    0
SM 3.A    0       TA 3.A    8       DR 3.A    8       VM 3.A    6
SM 3.B   16       TA 3.B    0       DR 3.B    0       VM 3.B   44
PC 1.A   43       SR 1.A   19       CR 1.A   24       EH 1.A    0
PC 1.B   52       SR 1.B   45       CR 1.B   34       EH 1.B    0
PC 2.A   23       SR 2.A    0       CR 2.A    1       EH 2.A   19
PC 2.B   57       SR 2.B    0       CR 2.B    0       EH 2.B   61
PC 3.A   31       SR 3.A   12       CR 3.A    6       EH 3.A    9
PC 3.B    4       SR 3.B    0       CR 3.B   23       EH 3.B    0
EG 1.A    9       SA 1.A   54       ST 1.A   13       OE 1.A    0
EG 1.B   43       SA 1.B   53       ST 1.B   62       OE 1.B    0
EG 2.A    9       SA 2.A   29       ST 2.A   27       OE 2.A    0
EG 2.B   23       SA 2.B   26       ST 2.B   11       OE 2.B   31
EG 3.A   25       SA 3.A   13       ST 3.A    7       OE 3.A    0
EG 3.B    4       SA 3.B    9       ST 3.B   27       OE 3.B   10

Practice abbreviations (OpenSAMM 1.0): SM Strategy & Metrics, PC Policy & Compliance, EG Education & Guidance, TA Threat Assessment, SR Security Requirements, SA Secure Architecture, DR Design Review, CR Code Review, ST Security Testing, VM Vulnerability Management, EH Environment Hardening, OE Operational Enablement.


Most observed activity per SAMM security practice


• SM: Build and maintain assurance program roadmap
• PC: Establish project audit practice
• EG: Build and maintain technical guidelines
• TA: Develop attacker profile from software architecture
• SR: Evaluate security and compliance guidance for requirements
• SA: Explicitly apply security principles to design
• DR: Analyze design against known security requirements
• CR: Perform point-review of high-risk code
• ST: Conduct penetration testing on software releases
• VM: Create informal security response team(s)
• EH: Monitor baseline environment configuration status
• OE: Maintain formal operational security guides


SAMM activities that are not observed

• SM 3.A: Conduct periodic industry-wide cost comparisons
• TA 2.B: Adopt a weighting system for measurement of threats
• TA 3.B: Elaborate threat models with compensating controls
• SR 2.A: Build an access control matrix for resources and capabilities
• SR 2.B: Specify security requirements based on known risks
• SR 3.B: Expand audit program for security requirements
• DR 3.B: Establish release gates for design review
• CR 2.B: Integrate code analysis into development process
• VM 2.B: Adopt a security issue disclosure process
• EH 1.A: Maintain operational environment specification
• EH 1.B: Identify and install critical security upgrades and patches
• EH 3.B: Expand audit program for environment configuration
• OE 1.A: Capture critical security information for deployment
• OE 1.B: Document procedures for typical application alerts
• OE 2.A: Create per-release change management procedures
• OE 3.A: Expand audit program for operational information


Measure & Improve!

OpenSAMM.org