Getting Companies to Work Together on Application Security: OpenSAMM

April 29, 2015 | Kate Brew

Getting Traction for the OWASP Initiative

John Dickson of Denim Group gave a great presentation at the Austin OWASP chapter meeting on 4/28/15, “Using OpenSAMM for Benchmarking and Software Security Improvement,” to a large and very interested crowd. The OpenSAMM platform, with broad-based support from industry leaders, promises to greatly improve application security. While AlienVault’s Open Threat Exchange (OTX), is focused on crowd-sourced threat intelligence to enable better collaboration on existing and emerging threats, OpenSAMM is similar in intention: non-proprietary collaboration across vendors and organizations needing to improve security.

owasp opensamm denim group

John talked about the huge steps the industry has taken recently to stop being “lonely voices in the wind” in improving application security for enterprises. As we all know, the current state of affairs in information security is somewhat sad, with patching vulnerabilities and reacting to security problems being the “solution”. All the while, organizations continue to produce new software with yet more vulnerabilities. The solution is not to patch: it is to collaborate to improve the existing sad state of affairs with more secure software that is resilient to attack.

opensamm owasp denim group

While OpenSAMM has been around almost a decade, more collaboration was required in the industry to make it truly successful. Last month in Dublin, about 40 leaders from some of the top companies in the industry gathered together to finalize plans to put teeth in the OpenSAMM OWASP initiative, culminating a year-long effort. Participating in the effort are Aspect Security, AsTech Consulting, Denim Group, Gotham Digital Science, Security Innovation and Veracode. This collaboration is nothing less than remarkable in this highly competitive industry.

John highlighted the fact that C-level executives make data-driven decisions, and in order for them to divert resources to application security, they need to understand software risk. OpenSAMM is just the platform to help them quantify risk and invest properly in application security.

As this initiative is getting traction, additional companies are interested in joining the movement: HP (Fortify), Contrast, NetSPI, WhiteHat Security and Minded Security. The goal is to get 60-100 datasets available by the time of AppSecUSA this fall.The addition of a wider range of datasets will improve the richness and value of OpenSAMM for all participants, expanding access to  valuable benchmarking data that applies to their particular case.The benchmarks within the framework are based on best practices of leading application security firms.

opensamm owasp next steps

To learn more, you can watch the webcast of John’s presentation.

Here are some of the social handles mentioned:

https://twitter.com/johnbdickson

https://twitter.com/attcyber

https://twitter.com/AsTech_infosec

https://twitter.com/denimgroup

https://twitter.com/SecInnovation

https://twitter.com/Veracode

https://twitter.com/securitybrew

Kate Brew

About the Author: Kate Brew

Kate has over 15 years experience in product management and marketing, primarily in information security.

Read more posts from Kate Brew ›

‹ BACK TO ALL BLOGS

Get the latest security news in your inbox.

Subscribe via Email

Watch a Demo ›
Get Price Free Trial