Global AppSec Amsterdam

OWASP SAMM2 (https://owaspsamm.org) is the prime maturity model for software assurance that provides an effective and measurable way for all types of organizations to analyse and improve their software security posture. Building security into the software development and management practices of a company can be a daunting task. There are many elements to the equation: company structure, different stakeholders, technology stacks, tools and processes, and so forth. Implementing software assurance will have a significant impact on the organisation. Yet, trying to achieve this without a good framework is most likely leading to just marginal and unsustainable improvements. OWASP Software Assurance Maturity Model (SAMM) gives you a structural and measurable framework to do just that. It enables you to formulate and implement a strategy for software
The goal of this one-day training, which is a mix of training and workshop, is for the participants to get a more in-depth view on and practical implementation of the SAMM2 model. The training has run successfully for several years now.
The training is setup in three different parts.
In the first part, an overview is presented of the SAMM2 model and similarities and differences with other similar models are explained. The different domains (governance, design, implementation, verification, and operations), their activities and relations are explained. This will incorporate the updates of the v2 of the model. Furthermore, different elements (e.g., metrics) are discussed and the overall usage scenarios of the model are explained.
The first half-day will be spent on performing an actual SAMM2 evaluation of your own organization (or one that you have worked for). We will go through an evaluation of all the SAMM domains and discuss the results in the group. This will give all participants a good indication of the organization's maturity wrt. software assurance. In the same effort, we will define a target maturity for your organization and identify the most important challenges in getting there. All of this will be executed using the new SAMM2 toolbox.
The final part of the training will be dedicated to specific questions or challenges that you are facing wrt. secure development in your organization. For instance, what about agile development, DevSecOps, outsourcing, or how do you best organize test automation? In this group discussion, experience between the different participants will be shared to address these questions.
In case you haven't started a secure software initiative in your organization yet, this training should provide you with the necessary foundations and ideas to do so. Be prepared for the highly effective and applicable treatment of this large domain! And in case you would be concerned about confidentiality issues, we adhere to the Chatham House Rule.