SAMM assessment as a service – how to more efficiently measure your software security practices

SAMM (Software Assurance Maturity Model) is a model for assessing the maturity of security-related activities in software construction and verification, as well as in other software engineering domains. It is developed by the Open Web Application Security Project (OWASP) community; hence the model is open source and free to use for anyone interested in improving their software security assurance. elfGROUP offers SAMM assessments by a team of security experts as a service, providing our customers an efficient way to carry out the assessment work.

The SAMM model is used to evaluate the software development cycle, taking into account aspects as diverse as requirements, reviews, security approach and threats in the operational environment. When multiple teams are assessed, the state of the whole company can be outlined in terms of how secure and reliable its software development process is. As it gives a wide picture of the company’s situation, it also reveals the strengths and weaknesses of the different teams within the company. The model yields a score that can be compared with other teams, with other companies’ scores or with the company’s earlier SAMM results.

The model covers 12 different areas that are grouped into four business functions. Each topic is given a score, so the assessed team or company can decide which low-scoring areas need attention and further development.


How does elfGROUP carry out the SAMM assessment?

The assessment is carried out as interviews, which are discussions by nature. Each team is assessed separately. An interview typically takes 4 hours per team, and the results are shared about 48 hours after the interview. The same person conducts the assessments of all teams within a company, to keep the assessment level consistent across the different teams. An overall report is also given at the company level.

The consultant might be accompanied by specialists of different fields when necessary to ensure fluent discussion of very specialized topics. elfGROUP has a wide variety of personnel with different specialties and brings their knowledge of software development and testing into these assessment discussions. Our specialists’ education and experience quickly lead the discussion to pain points and typical weak links – we know where to “dig”.

Similarly, the customer is also encouraged to involve people with as diverse roles and tasks in the software project as possible in the meeting: they have different objectives and will give a better snapshot of actual practices. The assessment includes questions from many sides of the topic. It is worth involving testers, developers, architects, product owners and infrastructure specialists, if you have them, so that everybody is represented and can answer the questions from their own point of view. In the end, all of these topics are linked, and improving one topic also supports the related areas.


Why wouldn't everyone do it in-house?

Involving an “outsider” to carry out the assessment creates an atmosphere of confidentiality. It is often easier to admit weak points and problems to an objective third party than to one’s manager or colleague. In many cases people have raised other problems during the discussion, even ones not directly related to the SAMM assessment, because they have felt that the assessment process also opened a discussion channel and a way to pass a message to the managers. If the interviewee thinks some practice needs to change, it is always a benefit for the company to consider whether there is truth to it.

It is easier for the managers to bring forth changes and enhancements later, when the problem areas have been identified together. Employees are committed to and interested in changing for the better. In our experience with SAMM assessments, the same problem areas are often seen across all teams; then it is just a decision the company has to make, and everybody is ready for it.

Besides this safe and confidential environment, hiring the services of an experienced SAMM interviewer involving a team of cyber security professionals also raises the effectiveness of the interviews, saving your own specialists precious time for their dedicated projects.

With the score, elfGROUP provides a visual report, guidance on which areas should be focused on, what should be done to improve on each topic, and how many resources that would take.

The point of the SAMM assessment is also to see the improvement. Completing the assessment once gives an outlook on your current status. Doing it again, for example after 6 months when you have had time to put improvements in place, shows your progress.


Who gets to be assessed? A story of teams competing on a chance to win the assessment

A customer once made the SAMM assessment a kind of internal competition between their teams. The teams had to apply, explaining why they wanted to win a SAMM assessment and what it would bring to their project. That was a great approach from the company, because the winning team was really motivated. Instead of being told that someone is coming to assess you, blame you for things done wrong and point out your weaknesses, the team in this case wanted to win and get support, to see what they could improve on to get better. The guys were so happy when we were there!

Would your company benefit from a SAMM assessment? Contact our sales, and we will make a suggestion for a SAMM assessment project that fits your development work perfectly!

About the Author: Morgane F.

Morgane is a Test Specialist with vast experience from Nokia Mobile Phones. She graduated as an electronics and optics engineer. She is French but has been living in Oulu for over 15 years. Morgane is systematic, precise and determined. Outside office hours, she is interested in northern lights photography and she likes cooking – as well as making cyber security metaphors out of baking powder.