OpenSAMM Consortium Launches Industry's First Public Benchmarking Data for Improving Software Security

Pragmatic, Open Assessment Process Improves Usability by Enabling Organizations to Parse Data by Industry and Company Size.


San Antonio, TX April 15, 2015 - The Open Software Assurance Maturity Model (OpenSAMM) consortium today announced the industry’s first publicly available, anonymized software security benchmarking data that enables organizations to steadily improve their software security posture over time. OpenSAMM is an easy-to-use assessment which provides flexible datasets that can be customized by organization demographics, including sector, development and cultural profile, resulting in pragmatic milestones towards reducing overall security risk.


The expanded access to these datasets makes OpenSAMM available to a larger number of organizations, which previously weren’t able to apply valuable benchmarking data to their particular case. Each of the practical, constructive benchmarks within the framework was derived from best practices of leading application security firms. Contributing members of the consortium include Aspect Security, AsTech Consulting, Denim Group, Gotham Digital Science, Security Innovation and Veracode.


As organizations of all sizes and across every industry increasingly rely on web, mobile and cloud applications as a source of strategic differentiation and competitive advantage, the threat surface has dramatically expanded. According to the Verizon DBIR, web applications have become the number one target for cyberattackers, with application-layer vulnerabilities exploited as a point of entry in many recent high profile security breaches. The additions to OpenSAMM are a direct response to the relentless occurrence of security breaches where vulnerable software allowed attackers to gain access to private, corporate data.


"The traditional focus of security investments has been on hardening the network layer, but, this approach is no longer sufficient," said John Dickson, Principal, Denim Group. "OpenSAMM is a valuable tool for the enterprise to understand what they can do to secure the web, mobile and on-premises applications they build, buy and operate."


"Like many other application security evangelists, we have a special vantage point and can see how organizations can improve their secure development game," said Justin Clarke, Director at Gotham Digital Science. "We know there remains a gap between what organizations should be doing in the way of application security and what they are actually doing."


Improvements in the OpenSAMM data collection process and neutral hosting by OWASP will provide confidence that ultimately encourages a broader set of companies to contribute their internal and client benchmarking data. "Software security guidance has been too general, based on existing practices and difficult for organizations to navigate," said John Pavone, CEO of Aspect Security. "OpenSAMM’s benchmarking capability combined with expert-based best practices, will allow organizations to better tailor their improvement roadmap." To initiate the process, the coalition of security companies contributed the results of 30 assessments to seed the data set. Because the results are vendor agnostic and open, any organization can contribute or simply view the results that have been published. "By providing visibility and transparency into the process, these contributors have provided a shot in the arm to the OpenSAMM project and the application security community in general," said Sebastien Deleersnyder, OpenSAMM project lead. "Having benchmarking data is a real game changer that will allow a broader population of companies to participate more quickly."


"Application security is at the forefront of issues troubling organizations today," said Jasmine Noel, Principal Product Marketing Manager at Veracode. "It’s critical to have an open framework where people can go to assess data and begin to benchmark their application security practices. Understanding that OpenSAMM was game changing for our industry, we recognized the need for it to be enhanced given the state of today’s threat landscape."


The consortium publicly released the results of their year-long effort at the OWASP OpenSAMM Summit 2015 in Dublin, Ireland on 27th-28th March. OpenSAMM project leads Sebastien Deleersnyder, Bart De Win and Pravir Chandra hosted the summit.


To learn more, visit www.opensamm.org and https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015.


About OWASP

The OWASP Foundation came online on December 1, 2001. It was established as a not-for-profit charitable organization in the United States on April 21, 2004 to ensure the ongoing availability and support for our work at OWASP. OWASP is an international organization and the OWASP Foundation supports OWASP efforts around the world. OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a people, process, and technology problem because the most effective approaches to application security include improvements in all of these areas.


About the application security firms leading this effort:

Aspect Security is a consulting and services firm focused on application security since 2002 and a founding member of OWASP. We work with clients in a cross section of industries to improve their ability to build, procure, and operate secure applications and verify that the organization’s underlying data is secure. Clients use our Secure Development Program Services to implement application security programs that are practical and match the organization’s security needs. Our Assessment Services team verifies 5,000,000 lines of critical code every month and we unearth over 10,000 vulnerabilities every year. Our instructors have taught tens of thousands of people around the world how to build, test and deploy secure applications making us a leader in application security training. www.aspectsecurity.com


AsTech Consulting has been helping companies manage Internet risk since 1997 - from vulnerability discovery through optimizing a Secure Software Development Lifecycle. By understanding our clients’ unique risk appetites and business objectives, our processes bring strategic focus to application security initiatives. AsTech provides source code security assessments, web application penetration testing, source code risk remediation and secure development training. We also offer process automation and integration services relating to application security eco-systems - enabling communication between vulnerability scanners, WAFs, GRC platforms, and bug-tracking systems. We deliver scalable, customized solutions designed to meet your organization’s unique requirements. www.astechconsulting.com


Denim Group is the leading secure software development firm that is a trusted advisor to organizations on matters of software risk and security. The company builds secure software for the most security conscious and helps organizations assess and mitigate risk of their existing software. Denim Group’s flagship ThreadFix product accelerates the process of software vulnerability remediation and reflects Denim Group’s deep understanding of what it takes to fix application vulnerabilities faster. At the vanguard of deep thinkers in the software security arena, Denim Group is a strong contributor to the larger application security community, and has been involved with the Open Web Application Security Project (OWASP) since shortly after its inception. The company has been recognized as one of the 5,000 Fastest Growing Company’s by Inc. Magazine five years in a row, and has won multiple awards including its accolades as one of the best places to work in San Antonio. www.denimgroup.com


Gotham Digital Science (GDS) is an international security services company specializing in Application and Network Infrastructure security, and Information Security Risk Management. GDS clients number among the largest financial services institutions and software development companies in the world. GDS security specialists work with clients to assess risk and then design, build, and maintain secure applications, networks, and processes. With offices located in New York City and London, GDS seamlessly and efficiently assists clients with operations on both sides of the Atlantic. www.gdssecurity.com


Security Innovation: An application security pioneer since 2002, Security Innovation is dedicated to making software more resilient within the world’s most challenging environments; whether on the web, in devices or in the cloud. Recognizing that application software no longer exists in isolation, our clients are better prepared to anticipate, navigate and reduce security risk regardless of technology or system complexity. There are more than a million licenses of Security Innovation’s eLearning products in use today. www.securityinnovation.com


Veracode is a leader in securing web, mobile and third-party applications for the world’s largest global enterprises. By enabling organizations to rapidly identify and remediate application-layer threats before cyberattackers can exploit them, Veracode helps enterprises speed their innovations to market – without compromising security. Veracode’s powerful cloud-based platform, deep security expertise and systematic, policy-based approach provide enterprises with a simpler and more scalable way to reduce application-layer risk across their global software infrastructures. Veracode serves hundreds of customers across a wide range of industries, including nearly one-third of the Fortune 500, three of the top four U.S. commercial banks and more than 20 of Forbes’ 100 Most Valuable Brands. www.veracode.com