deploy: 4de34c0
aramhovsepyan committed Feb 6, 2025
1 parent 95d7a4d commit 597faf6
Showing 11 changed files with 30 additions and 30 deletions.
28 changes: 14 additions & 14 deletions blog/2025/01/21/samm-relative-scoring/index.html

Large diffs are not rendered by default.

4 changes: 2 additions & 2 deletions blog/index.html
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,8 @@
<span class=sr-only>Blogs - go to homepage</span></a><div class=navbar-buttons><button type=button class="navbar-toggle btn-template-main" data-toggle=collapse data-target=#navigation>
<span class=sr-only>Toggle Navigation</span>
<i class="fa fa-align-justify"></i></button></div></div><div class="navbar-collapse collapse" id=navigation><ul class="nav navbar-nav navbar-right"><li class=dropdown><a href=# class=dropdown-toggle data-toggle=dropdown role=button aria-haspopup=true aria-expanded=false>About SAMM <span class=caret></span></a><ul class=dropdown-menu><li><a href=/about/>What is SAMM</a></li><li><a href=/team/>The team</a></li></ul></li><li class=dropdown><a href=/model/>The model</a></li><li class=dropdown><a href=/resources/>Resources</a></li><li class=dropdown><a href=# class=dropdown-toggle data-toggle=dropdown role=button aria-haspopup=true aria-expanded=false>Guidance <span class=caret></span></a><ul class=dropdown-menu><li><a href=/guidance/quick-start-guide/>Getting started</a></li><li><a href=/assessment/>Assessment</a></li><li><a href=/guidance/agile/>Agile</a></li><li><a href=/benchmark/>Benchmark</a></li><li><a href=/stream-guidance/>Stream guidance</a></li></ul></li><li class=dropdown><a href=# class=dropdown-toggle data-toggle=dropdown role=button aria-haspopup=true aria-expanded=false>Community <span class=caret></span></a><ul class=dropdown-menu><li><a href=/blog/>Blog</a></li><li><a href=/user-day/>User Day</a></li><li><a href=/sponsors/>Sponsors</a></li><li><a href=/samm-users/>Users</a></li><li><a href=/practitioners/>Practitioners</a></li><li><a href=/faq/>FAQ</a></li><li><a href=/contributing/>Contributing</a></li><li><a href=/contact/>Contact</a></li></ul></li></ul></div><div class="collapse clearfix" id=search><form class=navbar-form role=search><div class=input-group><input type=text class=form-control placeholder=Search>
<span class=input-group-btn><button type=submit class="btn btn-template-main"><i class="fa fa-search"></i></button></span></div></form></div></div></div></div></header><div id=heading-breadcrumbs><div class=container><div class=row><div class=col-md-12><h1>Blogs</h1></div></div></div></div><div id=content><div class=container><div class=row><div class=col-md-9 id=blog-listing-medium><section class=post><div class=row><div class=col-md-4><div class=image><a href=https://owaspsamm.org/blog/2025/01/21/samm-relative-scoring/><img src=https://owaspsamm.org/img/banners/discussion.png class=img-responsive alt></a></div></div><div class=col-md-8><h2><a href=https://owaspsamm.org/blog/2025/01/21/samm-relative-scoring/>SAMM Scoring: Percentage to Target and Percent to Date Metrics</a></h2><div class=clearfix><p class=author-category>By <a href=#>Aram Hovsepyan</a>
in <a href=https://owaspsamm.org/categories/assessment>assessment</a></p><p class=date-comments><a href=https://owaspsamm.org/blog/2025/01/21/samm-relative-scoring/><i class="fa fa-calendar-o"></i>January 21, 2025</a></p></div><p class=intro>SAMM Scoring: Percentage to Target and Percent to Date Metrics Introduction: the “not applicable” answer A common question among SAMM users is whether specific activities, streams, or entire practices can be marked as not applicable. This seems reasonable—some security activities might not fit an organization’s current reality. For example, the Supplier Security stream focuses on supply-chain risks in outsourced development. If your organization doesn’t outsource, it might seem irrelevant. The SAMM core team acknowledges this, but emphasizes future readiness.</p><p class=read-more><a href=https://owaspsamm.org/blog/2025/01/21/samm-relative-scoring/ class="btn btn-template-main">Continue reading</a></p></div></div></section><section class=post><div class=row><div class=col-md-4><div class=image><a href=https://owaspsamm.org/blog/2025/01/20/comparing-microsoft-sdl-and-samm/><img src=https://owaspsamm.org/img/resources/mappings.png class=img-responsive alt></a></div></div><div class=col-md-8><h2><a href=https://owaspsamm.org/blog/2025/01/20/comparing-microsoft-sdl-and-samm/>Microsoft SDL and OWASP SAMM Mapping: A Comprehensive Analysis</a></h2><div class=clearfix><p class=author-category>By <a href=#>Aram Hovsepyan</a>
<span class=input-group-btn><button type=submit class="btn btn-template-main"><i class="fa fa-search"></i></button></span></div></form></div></div></div></div></header><div id=heading-breadcrumbs><div class=container><div class=row><div class=col-md-12><h1>Blogs</h1></div></div></div></div><div id=content><div class=container><div class=row><div class=col-md-9 id=blog-listing-medium><section class=post><div class=row><div class=col-md-4><div class=image><a href=https://owaspsamm.org/blog/2025/01/21/samm-relative-scoring/><img src=https://owaspsamm.org/img/banners/discussion.png class=img-responsive alt></a></div></div><div class=col-md-8><h2><a href=https://owaspsamm.org/blog/2025/01/21/samm-relative-scoring/>SAMM Scoring: Percent to Target and Progress to Date Metrics</a></h2><div class=clearfix><p class=author-category>By <a href=#>Aram Hovsepyan</a>
in <a href=https://owaspsamm.org/categories/assessment>assessment</a></p><p class=date-comments><a href=https://owaspsamm.org/blog/2025/01/21/samm-relative-scoring/><i class="fa fa-calendar-o"></i>January 21, 2025</a></p></div><p class=intro>SAMM Scoring: Percent to Target and Progress to Date Metrics Introduction: the “not applicable” answer A common question among SAMM users is whether specific activities, streams, or entire practices can be marked as not applicable. This seems reasonable—some security activities might not fit an organization’s current reality. For example, the Supplier Security stream focuses on supply-chain risks in outsourced development. If your organization doesn’t outsource, it might seem irrelevant. The SAMM core team acknowledges this, but emphasizes future readiness.</p><p class=read-more><a href=https://owaspsamm.org/blog/2025/01/21/samm-relative-scoring/ class="btn btn-template-main">Continue reading</a></p></div></div></section><section class=post><div class=row><div class=col-md-4><div class=image><a href=https://owaspsamm.org/blog/2025/01/20/comparing-microsoft-sdl-and-samm/><img src=https://owaspsamm.org/img/resources/mappings.png class=img-responsive alt></a></div></div><div class=col-md-8><h2><a href=https://owaspsamm.org/blog/2025/01/20/comparing-microsoft-sdl-and-samm/>Microsoft SDL and OWASP SAMM Mapping: A Comprehensive Analysis</a></h2><div class=clearfix><p class=author-category>By <a href=#>Aram Hovsepyan</a>
in <a href=https://owaspsamm.org/categories/mapping>mapping</a></p><p class=date-comments><a href=https://owaspsamm.org/blog/2025/01/20/comparing-microsoft-sdl-and-samm/><i class="fa fa-calendar-o"></i>January 20, 2025</a></p></div><p class=intro>Microsoft SDL and OWASP SAMM Mapping: A Comprehensive Analysis Introduction The Microsoft Security Development Lifecycle (SDL) was introduced in 2004 as Microsoft’s response to the security challenges that plagued its Windows operating system. As the first formal secure SDLC framework, it laid the foundation for many secure software development practices.
Today in its latest version, Microsoft SDL comprises 10 security practices, each containing a set of requirements designed to reduce security risks across the software development lifecycle.</p><p class=read-more><a href=https://owaspsamm.org/blog/2025/01/20/comparing-microsoft-sdl-and-samm/ class="btn btn-template-main">Continue reading</a></p></div></div></section><section class=post><div class=row><div class=col-md-4><div class=image><a href=https://owaspsamm.org/blog/2024/12/10/samm-bsimm-mapping/><img src=https://owaspsamm.org/img/banners/samm-ssdf.png class=img-responsive alt></a></div></div><div class=col-md-8><h2><a href=https://owaspsamm.org/blog/2024/12/10/samm-bsimm-mapping/>SAMM BSIMM Mapping</a></h2><div class=clearfix><p class=author-category>By <a href=#>Aram Hovsepyan, Maxim Baele</a>
in <a href=https://owaspsamm.org/categories/mapping>mapping</a></p><p class=date-comments><a href=https://owaspsamm.org/blog/2024/12/10/samm-bsimm-mapping/><i class="fa fa-calendar-o"></i>December 10, 2024</a></p></div><p class=intro>Building Security In Maturity Model (BSIMM) Mapped to OWASP SAMM The full mapping sheet between BSIMM 14 and OWASP SAMM. Introduction The Building Security In Maturity Model (BSIMM) and OWASP Software Assurance Maturity Model (SAMM) share a common history. Both were conceived around 2008-2009 and are based on OpenSAMM, which was created by Pravir Chandra. Over time, however, these two models have evolved independently, with distinct conceptual differences. We have previously explored these differences in detail .</p><p class=read-more><a href=https://owaspsamm.org/blog/2024/12/10/samm-bsimm-mapping/ class="btn btn-template-main">Continue reading</a></p></div></div></section><section class=post><div class=row><div class=col-md-4><div class=image><a href=https://owaspsamm.org/blog/2023/09/20/owasp-samm-now-connects-to-opencre/><img src=https://owaspsamm.org/img/banners/opencre.png class=img-responsive alt></a></div></div><div class=col-md-8><h2><a href=https://owaspsamm.org/blog/2023/09/20/owasp-samm-now-connects-to-opencre/>OWASP SAMM now connects to OpenCRE</a></h2><div class=clearfix><p class=author-category>By <a href=#>The SAMM Project Team</a>
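Review bot: the title rename from "Percentage to Target and Percent to Date Metrics" to "Percent to Target and Progress to Date Metrics" has to stay consistent across every rendered copy of the post title, and this hunk only covers the listing page; the `<h2>` link text and the `p.intro` summary both change here, but the post page itself (blog/2025/01/21/samm-relative-scoring/index.html, whose diff is collapsed above) should be checked for any remaining occurrence of the old wording, e.g. in `<title>`, Open Graph or JSON-LD metadata. Since this is generated Hugo output, the fix belongs in the source post's front matter and first paragraph rather than in this deploy artifact. Two unchanged template issues visible in the context lines are worth a source-level fix as well: the author link `<a href=#>Aram Hovsepyan</a>` points nowhere, and the banner `<img ... class=img-responsive alt>` carries an empty `alt` attribute.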
2 changes: 1 addition & 1 deletion blog/index.xml
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Blogs on OWASP SAMM</title><link>https://owaspsamm.org/blog/</link><description>Recent content in Blogs on OWASP SAMM</description><generator>Hugo -- gohugo.io</generator><lastBuildDate>Tue, 21 Jan 2025 00:00:00 +0200</lastBuildDate><atom:link href="https://owaspsamm.org/blog/index.xml" rel="self" type="application/rss+xml"/><item><title>SAMM Scoring: Percentage to Target and Percent to Date Metrics</title><link>https://owaspsamm.org/blog/2025/01/21/samm-relative-scoring/</link><pubDate>Tue, 21 Jan 2025 00:00:00 +0200</pubDate><guid>https://owaspsamm.org/blog/2025/01/21/samm-relative-scoring/</guid><description>SAMM Scoring: Percentage to Target and Percent to Date Metrics Introduction: the “not applicable” answer A common question among SAMM users is whether specific activities, streams, or entire practices can be marked as not applicable. This seems reasonable—some security activities might not fit an organization’s current reality. For example, the Supplier Security stream focuses on supply-chain risks in outsourced development. If your organization doesn’t outsource, it might seem irrelevant. The SAMM core team acknowledges this, but emphasizes future readiness.</description></item><item><title>Microsoft SDL and OWASP SAMM Mapping: A Comprehensive Analysis</title><link>https://owaspsamm.org/blog/2025/01/20/comparing-microsoft-sdl-and-samm/</link><pubDate>Mon, 20 Jan 2025 00:00:00 +0200</pubDate><guid>https://owaspsamm.org/blog/2025/01/20/comparing-microsoft-sdl-and-samm/</guid><description>Microsoft SDL and OWASP SAMM Mapping: A Comprehensive Analysis Introduction The Microsoft Security Development Lifecycle (SDL) was introduced in 2004 as Microsoft’s response to the security challenges that plagued its Windows operating system. 
As the first formal secure SDLC framework, it laid the foundation for many secure software development practices.
<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Blogs on OWASP SAMM</title><link>https://owaspsamm.org/blog/</link><description>Recent content in Blogs on OWASP SAMM</description><generator>Hugo -- gohugo.io</generator><lastBuildDate>Tue, 21 Jan 2025 00:00:00 +0200</lastBuildDate><atom:link href="https://owaspsamm.org/blog/index.xml" rel="self" type="application/rss+xml"/><item><title>SAMM Scoring: Percent to Target and Progress to Date Metrics</title><link>https://owaspsamm.org/blog/2025/01/21/samm-relative-scoring/</link><pubDate>Tue, 21 Jan 2025 00:00:00 +0200</pubDate><guid>https://owaspsamm.org/blog/2025/01/21/samm-relative-scoring/</guid><description>SAMM Scoring: Percent to Target and Progress to Date Metrics Introduction: the “not applicable” answer A common question among SAMM users is whether specific activities, streams, or entire practices can be marked as not applicable. This seems reasonable—some security activities might not fit an organization’s current reality. For example, the Supplier Security stream focuses on supply-chain risks in outsourced development. If your organization doesn’t outsource, it might seem irrelevant. The SAMM core team acknowledges this, but emphasizes future readiness.</description></item><item><title>Microsoft SDL and OWASP SAMM Mapping: A Comprehensive Analysis</title><link>https://owaspsamm.org/blog/2025/01/20/comparing-microsoft-sdl-and-samm/</link><pubDate>Mon, 20 Jan 2025 00:00:00 +0200</pubDate><guid>https://owaspsamm.org/blog/2025/01/20/comparing-microsoft-sdl-and-samm/</guid><description>Microsoft SDL and OWASP SAMM Mapping: A Comprehensive Analysis Introduction The Microsoft Security Development Lifecycle (SDL) was introduced in 2004 as Microsoft’s response to the security challenges that plagued its Windows operating system. 
As the first formal secure SDLC framework, it laid the foundation for many secure software development practices.
Today in its latest version, Microsoft SDL comprises 10 security practices, each containing a set of requirements designed to reduce security risks across the software development lifecycle.</description></item><item><title>SAMM BSIMM Mapping</title><link>https://owaspsamm.org/blog/2024/12/10/samm-bsimm-mapping/</link><pubDate>Tue, 10 Dec 2024 00:00:00 +0200</pubDate><guid>https://owaspsamm.org/blog/2024/12/10/samm-bsimm-mapping/</guid><description>Building Security In Maturity Model (BSIMM) Mapped to OWASP SAMM The full mapping sheet between BSIMM 14 and OWASP SAMM. Introduction The Building Security In Maturity Model (BSIMM) and OWASP Software Assurance Maturity Model (SAMM) share a common history. Both were conceived around 2008-2009 and are based on OpenSAMM, which was created by Pravir Chandra. Over time, however, these two models have evolved independently, with distinct conceptual differences. We have previously explored these differences in detail .</description></item><item><title>OWASP SAMM now connects to OpenCRE</title><link>https://owaspsamm.org/blog/2023/09/20/owasp-samm-now-connects-to-opencre/</link><pubDate>Wed, 20 Sep 2023 00:00:00 +0200</pubDate><guid>https://owaspsamm.org/blog/2023/09/20/owasp-samm-now-connects-to-opencre/</guid><description>We are excited to announce that each OWASP-SAMM stream now uses OpenCRE.org to link to other standards and guidelines. OpenCRE stands for Open Common Requirement Enumeration, and it aims to provide a common language and framework for mapping and comparing different security standards, guidelines, and frameworks. 
By linking SAMM to OpenCRE, we’ve made it easier for our users to find relevant and useful resources with every stream, as well as to see how SAMM aligns with other security standards such as NIST SSDF, ISO27K, PCI-DSS, OWASP ASVS, and NIST 800-53.</description></item><item><title>Determining scope when implementing SAMM</title><link>https://owaspsamm.org/blog/2023/05/24/determining-scope-when-implementing-samm/</link><pubDate>Wed, 24 May 2023 00:00:00 +0200</pubDate><guid>https://owaspsamm.org/blog/2023/05/24/determining-scope-when-implementing-samm/</guid><description>When performing a SAMM assessment, should the scope be the whole organization or should it be smaller, like a business unit or even a single team or application?
The short answer? Start small.
Getting started Start by evaluating your goals. What do you want to achieve?
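Review bot: the `<guid>` of the renamed item is left as the unchanged URL while `<title>` and `<description>` change, so feed readers keyed on guid update the entry in place instead of re-delivering it; that is the right outcome for a wording correction, and `<link>`, `<pubDate>` and `<lastBuildDate>` are correctly untouched for a title-only edit. If the rename was meant to mark a substantive revision of the post, the source post's date should be bumped so that `<pubDate>` and `<lastBuildDate>` move with it, rather than editing this generated feed. Also note the `<description>` duplicates the full title as its first sentence ("SAMM Scoring: Percent to Target and Progress to Date Metrics Introduction: ..."), which suggests the summary is derived from a body that repeats the heading; trimming the heading from the post body would give cleaner RSS and listing summaries.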