Finishing up an @owasp #SAMM assessment and validation report for a major company in APAC region.
Built a lot of new templates and tools to assist with the process and looking forward to doing more of these assessments.
The #OWASPSAMM framework is solid and takes a very different approach to web-application security than more traditional compliance or audit frameworks. I'd recommend taking a look at it if your company is primarily an application developer or SaaS provider.
One of the stronger points for it is that it is geared towards self-assessment with a focus on continual improvement and a maturity approach. We kept telling our client, "We are not auditors and this is not an audit. We are here to help you document where you are today and where you want to be in the future." This led to a very collaborative and non-adversarial engagement and lots of deep knowledge being freely shared by the development staff that you'd not see in a compliance audit (trust me, I've done a lot of those too). We even had the #InfoSec team tell us several times, "This is great because you're helping to validate our concerns and budget requests. Your vast experience from other companies is helping to guide us in solutions and bolsters our budget requests to executive management."
Again, if you are primarily developing #webapps for clients or running a #SaaS definitely consider doing your own self-assessment using the #OWASPSAMM toolkit. @owasp provides it for FREE in various flavors including Google Docs, Excel, and Docker. There is even the ability to use the JavaScript to build internal tools around it easily. Then if you decide you want a third-party validation, you can contract from the OWASP SAMM Practitioners list at: https://owaspsamm.org/practitioners/.
If you end up finding any of it useful, want more information, or want to contribute, you can also join @owasp and their SAMM meetings too. Find out more at: https://owaspsamm.org/contributing/