SAN ANTONIO--(BUSINESS WIRE)--The Open Software Assurance Maturity Model (OpenSAMM) consortium today announced the industry’s first publicly available, anonymized software security benchmarking data that enables organizations to steadily improve their software security posture over time. OpenSAMM is an easy-to-use assessment which provides flexible datasets that can be customized by organization demographics, including sector, development and cultural profile, resulting in pragmatic milestones towards reducing overall security risk.
The expanded access to these datasets makes OpenSAMM available to a larger number of organizations, which previously weren’t able to apply valuable benchmarking data to their particular case. Each of the practical, constructive benchmarks within the framework was derived from best practices of leading application security firms. Contributing members of the consortium include Aspect Security, AsTech Consulting, Denim Group, Gotham Digital Science, Security Innovation and Veracode.
As organizations of all sizes and across every industry increasingly rely on web, mobile and cloud applications as a source of strategic differentiation and competitive advantage, the threat surface has dramatically expanded. According to the Verizon DBIR, web applications have become the number one target for cyberattackers, with application-layer vulnerabilities exploited as a point of entry in many recent high-profile security breaches. The additions to OpenSAMM are a direct response to the relentless occurrence of security breaches in which vulnerable software allowed attackers to gain access to private corporate data.
“The traditional focus of security investments has been on hardening the network layer, but this approach is no longer sufficient,” said John Dickson, Principal, Denim Group. “OpenSAMM is a valuable tool for the enterprise to understand what they can do to secure the web, mobile and on-premises applications they build, buy and operate.”
“Like many other application security evangelists, we have a special vantage point and can see how organizations can improve their secure development game,” said Justin Clarke, Director at Gotham Digital Science. “We know there remains a gap between what organizations should be doing in the way of application security and what they are actually doing.”
Improvements in the OpenSAMM data collection process and neutral hosting by OWASP will provide confidence that ultimately encourages a broader set of companies to contribute their internal and client benchmarking data. “Software security guidance has been too general, based on existing practices and difficult for organizations to navigate,” said John Pavone, CEO of Aspect Security. “OpenSAMM’s benchmarking capability, combined with expert-based best practices, will allow organizations to better tailor their improvement roadmap.” To initiate the process, the coalition of security companies contributed the results of 30 assessments to seed the data set. Because the results are vendor agnostic and open, any organization can contribute or simply view the results that have been published. “By providing visibility and transparency into the process, these contributors have provided a shot in the arm to the OpenSAMM project and the application security community in general,” said Sebastien Deleersnyder, OpenSAMM project lead. “Having benchmarking data is a real game changer that will allow a broader population of companies to participate more quickly.”
“Application security is at the forefront of issues troubling organizations today,” said Jasmine Noel, Principal Product Marketing Manager at Veracode. “It’s critical to have an open framework where people can go to assess data and begin to benchmark their application security practices. Understanding that OpenSAMM was game changing for our industry, we recognized the need for it to be enhanced given the state of today’s threat landscape.”
The consortium publicly released the results of their year-long effort at the OWASP OpenSAMM Summit 2015 in Dublin, Ireland, on 27th and 28th March. OpenSAMM project leads Sebastien Deleersnyder, Bart De Win and Pravir Chandra hosted the summit.
To learn more, visit www.opensamm.org and https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015.
The OWASP Foundation came online on December 1, 2001. It was established as a not-for-profit charitable organization in the United States on April 21, 2004 to ensure the ongoing availability and support for our work at OWASP. OWASP is an international organization and the OWASP Foundation supports OWASP efforts around the world. OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a people, process, and technology problem because the most effective approaches to application security include improvements in all of these areas.
About the application security firms leading this effort:
Aspect Security is a consulting and services firm focused on application security since 2002 and a founding member of OWASP. We work with clients in a cross section of industries to improve their ability to build, procure, and operate secure applications and verify that the organization’s underlying data is secure. Clients use our Secure Development Program Services to implement application security programs that are practical and match the organization’s security needs. Our Assessment Services team verifies 5,000,000 lines of critical code every month and we unearth over 10,000 vulnerabilities every year. Our instructors have taught tens of thousands of people around the world how to build, test and deploy secure applications, making us a leader in application security training.
AsTech Consulting has been helping companies manage Internet risk since 1997 - from vulnerability discovery through optimizing a Secure Software Development Lifecycle. By understanding our clients’ unique risk appetites and business objectives, our processes bring strategic focus to application security initiatives. AsTech provides source code security assessments, web application penetration testing, source code risk remediation and secure development training. We also offer process automation and integration services relating to application security eco-systems - enabling communication between vulnerability scanners, WAFs, GRC platforms, and bug-tracking systems. We deliver scalable, customized solutions designed to meet your organization’s unique
Denim Group is the leading secure software development firm that is a trusted advisor to organizations on matters of software risk and security. The company builds secure software for the most security conscious and helps organizations assess and mitigate risk of their existing software. Denim Group’s flagship ThreadFix product accelerates the process of software vulnerability remediation and reflects Denim Group’s deep understanding of what it takes to fix application vulnerabilities faster. At the vanguard of deep thinkers in the software security arena, Denim Group is a strong contributor to the larger application security community, and has been involved with the Open Web Application Security Project (OWASP) since shortly after its inception. The company has been recognized as one of the 5,000 Fastest Growing Companies by Inc. Magazine five years in a row, and has won multiple awards including its accolades as one of the best places to work in San
Gotham Digital Science (GDS) is an international security services company specializing in Application and Network Infrastructure security, and Information Security Risk Management. GDS clients number among the largest financial services institutions and software development companies in the world. GDS security specialists work with clients to assess risk and then design, build, and maintain secure applications, networks, and processes. With offices located in New York City and London, GDS seamlessly and efficiently assists clients with operations on both sides of the Atlantic.
Security Innovation: An application security pioneer since 2002, Security Innovation is dedicated to making software more resilient within the world’s most challenging environments, whether on the web, in devices or in the cloud. Recognizing that application software no longer exists in isolation, our clients are better prepared to anticipate, navigate and reduce security risk regardless of technology or system complexity. There are more than a million licenses of Security Innovation’s eLearning products in use today.
Veracode is a leader in securing web, mobile and third-party applications for the world’s largest global enterprises. By enabling organizations to rapidly identify and remediate application-layer threats before cyberattackers can exploit them, Veracode helps enterprises speed their innovations to market – without compromising security. Veracode’s powerful cloud-based platform, deep security expertise and systematic, policy-based approach provide enterprises with a simpler and more scalable way to reduce application-layer risk across their global software infrastructures. Veracode serves hundreds of customers across a wide range of industries, including nearly one-third of the Fortune 500, three of the top four U.S. commercial banks and more than 20 of Forbes’ 100 Most Valuable Brands.