OpenSAMM — Part 01

This is the first in a series of presentations I am going to create to explain an open secure-SDLC maturity model called SAMM, aka OpenSAMM. Click here to view the presentation.

Disclaimer — This is NOT an original work. I have taken help from the official presentation and from some other articles and presentations available on the internet. Because I forgot to keep track of the sources, I regret that I cannot credit them properly in the presentation. If I get any information about a source, I will update the presentation with the credit. I would request that people get back to me if they have information on the sources.

Although it is generally believed that security should be built in and not patched on after development, very few companies give it a try, for one or more of the following reasons:

  1. There is little explicit demand (after all, my customers are not saying they want security, so why should I bother? If I invest in it and cannot get the investment back, that is bad for business, isn't it?);
  2. As a corollary to the above point, clients probably worry that if they demand security, they will have to pay for it (in terms of additional effort and hence cost).

However, with the SEC demanding that companies disclose “potential” security breaches (which usually means that, apart from companies taking notice of the fact, we compliance professionals can take a little sadistic comfort in being in somewhat more demand 😉 ), I think companies had better start demanding security in their applications (at least those that come under the purview of the SEC).

OpenSAMM (or SAMM) is a maturity model that helps gauge the maturity of a secure-SDLC implementation in an organization. It also provides a benchmark against which similar efforts in different organizations can be compared. In retrospect, isn't this how ISO propagated (capitalism, anyone?)? Business-wise, I think it makes perfect sense to demand security from a service provider and then benchmark it against that of other vendors; it makes ROI sense.

I gave this presentation at an OWASP Chapter Meet. I hope to finish the entire series in a couple of months. Watch this space for more!

ISO 27001 : A Business View

Hi People,

I am back after a long, lethargic break. Before I go back into hibernation (I can promise that I will be regular from now on, but people who know me will differ — and I don't blame them, either — but I digress), let me share a presentation that I gave at a NULL meeting (what? You don't know NULL? Shame on you! Go and Google it; on second thought, read this first and then go, because I am not sure you will come back!).

Please visit this Google Presentation and share your feedback. My take is:

ISO 27001 is a standard that provides a structured, step-by-step approach to solving many security problems, most of which do not involve technology.

I have tried to use some examples to illustrate events that technology will need some years to solve. However, using a methodology such as ISO 27001 helps us secure, and keep secure, our information and the infrastructure supporting it.