Getting Traction for the OWASP Initiative
John Dickson of Denim Group gave a great presentation at the Austin OWASP chapter meeting on 4/28/15, “Using OpenSAMM for Benchmarking and Software Security Improvement,” to a large and very interested crowd. The OpenSAMM platform, with broad-based support from industry leaders, promises to greatly improve application security. While AlienVault’s Open Threat Exchange (OTX) is focused on crowd-sourced threat intelligence to enable better collaboration on existing and emerging threats, OpenSAMM is similar in intention: non-proprietary collaboration across vendors and organizations that need to improve security.
John talked about the huge steps the industry has taken recently to stop being “lonely voices in the wind” in improving application security for enterprises. As we all know, the current state of affairs in information security is somewhat sad, with patching vulnerabilities and reacting to security problems being the “solution”. All the while, organizations continue to produce new software with yet more vulnerabilities. The solution is not to patch: it is to collaborate on improving this sad state of affairs by building more secure software that is resilient to attack.
While OpenSAMM has been around almost a decade, more collaboration was required in the industry to make it truly successful. Last month in Dublin, about 40 leaders from some of the top companies in the industry gathered together to finalize plans to put teeth in the OpenSAMM OWASP initiative, culminating a year-long effort. Participating in the effort are Aspect Security, AsTech Consulting, Denim Group, Gotham Digital Science, Security Innovation and Veracode. This collaboration is nothing less than remarkable in this highly competitive industry.
John highlighted the fact that C-level executives make data-driven decisions, and in order for them to divert resources to application security, they need to understand software risk. OpenSAMM is just the platform to help them quantify risk and invest properly in application security.
As this initiative is getting traction, additional companies are interested in joining the movement: HP (Fortify), Contrast, NetSPI, WhiteHat Security and Minded Security. The goal is to get 60-100 datasets available by the time of AppSecUSA this fall. The addition of a wider range of datasets will improve the richness and value of OpenSAMM for all participants, expanding access to valuable benchmarking data that applies to their particular case. The benchmarks within the framework are based on best practices of leading application security firms.
To learn more, you can watch the webcast of John’s presentation.
Here are some of the social handles mentioned:
https://twitter.com/johnbdickson
https://twitter.com/AsTech_infosec
https://twitter.com/denimgroup