
Many organizations lack a structured and practical approach to enhance their cybersecurity maturity, resulting in inconsistent security practices, increased vulnerability to cyber threats, and difficulty in demonstrating compliance.

Organizations often struggle to effectively improve their cybersecurity posture due to the absence of a clear, actionable roadmap. This lack of guidance leads to ad-hoc security measures, gaps in protection, and an inability to measure and track progress. "A Hands-On Guide to Improve Cybersecurity Maturity" addresses this problem by providing a practical framework, such as OpenSAMM, to systematically assess current security practices, identify weaknesses, and implement targeted improvements. This approach enables organizations to move beyond reactive security measures and proactively build a robust and mature cybersecurity program, ultimately reducing risks and enhancing overall security resilience.

 

Understanding OWASP SAMM

SAMM stands for Software Assurance Maturity Model. OpenSAMM is an open-source framework designed to help organizations evaluate and improve their software security maturity. 


Note: 5 Business Functions, 15 Security Practices, 30 Streams, 90 Activity Questions

At the highest level, SAMM defines five business functions. Each business function is a category of activities that any organization involved with software development must fulfill to some degree.

Each business function has three security practices, areas of security-related activities that build assurance for the related business function.

Security practices have activities, grouped in logical flows and divided into two streams. Streams cover different aspects of a practice and have their own objectives, aligning and linking the activities in the practice over the different maturity levels.

For each security practice, SAMM defines three maturity levels. Each level has a successively more sophisticated objective with specific activities, and more strict success metrics.


Note: SAMM is based around 15 security practices grouped into 5 business functions.

The structure and setup of the SAMM model support

  • the assessment of the organization’s current software security posture
  • the definition of the organization’s target
  • the definition of an implementation roadmap to get there
  • prescriptive advice on how to implement particular activities

For further reference on the OpenSAMM model, tools and training, go to https://owaspsamm.org

 

Assess current security posture using OWASP SAMM Toolbox

 

Step 1: Get OWASP SAMM Training

A fully free, self-paced course with over 5 hours of video content.

Visit the SAMM Fundamentals Course page at https://owaspsamm.org/resources/training

 

Step 2: Download OWASP SAMM Tool

Pick the latest version of the tool. Currently it is available as a Microsoft Excel Toolbox and a Google Spreadsheet Toolbox. I would recommend picking the Google Spreadsheet version and making a local copy from https://owaspsamm.org/resources/assessment-tools

 

Step 3: Evaluate Current Security Posture

There are typically two types of SAMM assessments you can perform. 

  • Self-assessment
  • Expert assessment

I suggest incorporating a balanced approach that includes both self and expert assessments. This helps to capture a near-accurate security posture based on your own understanding as well as that of the business function experts. You should identify the right business function stakeholders and walk each interviewee through the assessment goal and assessment method before you start the interview to fill in the answers to the 90 activity questions across the 5 business functions. Focus on covering each business function's questions with the interviewees relevant to it.

For example, interview:

  • GRC leaders for the Governance section
  • Security architects for the Design section
  • DevOps and CI/CD security leaders for the Implementation section
  • Security architects and security test leaders for the Verification section
  • DevOps security leaders for the Operations section

For more details, refer to the SAMM Assessment Guide.

Once you have downloaded the SAMM Toolbox, check out the tab “Interview”. Under the Interview sheet you will see a list of questions for each of the activities in the SAMM model. Each question has a set of quality criteria listed under it. To answer the assessment question, you need to evaluate whether these criteria are actually met. If the quality criteria are not (completely) met, you should answer “No”. If you meet the quality criteria, choose whichever of the other options best fits the current state and add corresponding notes under the “Interview Notes” column. Once you start filling in the questions, you will see that the Scorecard tab updates automatically with your current maturity score. Make sure you also capture Interview Notes covering the basis on which each answer was chosen; that becomes a reference note and helps in any future assessment.

At the end you would have answers for all the 90 activity questions.

 

Here is an example showing an Interview Answer and the corresponding Interview Note (screenshot of the Interview sheet in the original post).

Step 4: Identify Current Maturity Score

Once you have gathered the answers to all 90 activity questions across the 15 security practices covering the 5 business functions, you get the current maturity score under the “Scorecard” sheet; that is your organisation's current security maturity for each business function.

Note that you also get a detailed score at business function level, security practice level, phase-wise and more.

The scorecard is a radar chart with a maturity score of 0-3. Note that the radar chart scales its range to the highest score under any practice: in the diagram below it shows a range of 0-2.50, since the highest score in the chart is below 2.50. If your maturity score goes beyond 2.5 for any security practice, the chart shows a range of 0-3, and it drops back to 0-2.50 when no practice exceeds 2.5.

(Scorecard radar chart from the original post, range 0-2.50.)

Step 5: Identify Current Maturity Gaps

Based on the current maturity score you should be able to identify which security practices are scoring low and need focus. This helps identify the key security gaps, which can be mapped at security practice and business function level.

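As an added example (not code from the original post or from the OWASP SAMM toolbox), here is how the Step 3 interview answers roll up into the Step 4 scores and the Step 5 gap list. It assumes the toolbox weighting of No/Some/Half/Most as 0/0.25/0.5/1, a stream score as the sum of its three maturity-level answers (max 3) and a practice score as the average of its two streams; the answers and practice names used are constructed, and the radar range follows the rule described above.

```python
from collections import defaultdict

# Assumed toolbox weighting per answer (check against your toolbox version).
ANSWER_WEIGHT = {"No": 0.0, "Some": 0.25, "Half": 0.5, "Most": 1.0}

# Constructed sample answers: (business function, practice, stream, level) -> answer.
# Only two practices are filled in; a real assessment has 15 practices x 2 streams x 3 levels.
SAMPLE_ANSWERS = {
    ("Governance", "Strategy & Metrics", "A", 1): "Most",
    ("Governance", "Strategy & Metrics", "A", 2): "Half",
    ("Governance", "Strategy & Metrics", "A", 3): "No",
    ("Governance", "Strategy & Metrics", "B", 1): "Some",
    ("Governance", "Strategy & Metrics", "B", 2): "No",
    ("Governance", "Strategy & Metrics", "B", 3): "No",
    ("Verification", "Security Testing", "A", 1): "Most",
    ("Verification", "Security Testing", "A", 2): "Most",
    ("Verification", "Security Testing", "A", 3): "Half",
    ("Verification", "Security Testing", "B", 1): "Most",
    ("Verification", "Security Testing", "B", 2): "Most",
    ("Verification", "Security Testing", "B", 3): "Most",
}


def practice_scores(answers):
    """Return {(function, practice): score} on the 0-3 scale."""
    streams = defaultdict(float)           # stream score = sum of its level answers
    for (func, practice, stream, _level), answer in answers.items():
        streams[(func, practice, stream)] += ANSWER_WEIGHT[answer]
    per_practice = defaultdict(list)       # practice score = mean of its streams
    for (func, practice, _stream), total in streams.items():
        per_practice[(func, practice)].append(total)
    return {key: sum(v) / len(v) for key, v in per_practice.items()}


def function_scores(scores):
    """Business function score = mean of its practice scores."""
    per_func = defaultdict(list)
    for (func, _practice), score in scores.items():
        per_func[func].append(score)
    return {func: sum(v) / len(v) for func, v in per_func.items()}


def radar_range(scores):
    """Chart maximum as the post describes: 2.5 unless any practice exceeds 2.5, then 3."""
    return 3.0 if max(scores.values()) > 2.5 else 2.5


def maturity_gaps(scores, target):
    """Practices below the target score, largest gap first: the input to the improvement plan."""
    gaps = [(key, target - s) for key, s in scores.items() if s < target]
    return sorted(gaps, key=lambda item: -item[1])
```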

Step 6: Create Maturity Improvement Plan

Once you have identified the security gaps, you need to create a security maturity improvement plan. Depending on the current security gaps, how fast you want to address them and the resources available to support that, you can come up with your own short, mid and long term plan.

For example, you can have a top 3 short term plan spanning 1 quarter, a top 3 mid term plan spanning 2 quarters and a top 3 long term plan spanning 4 quarters of the year.


Step 7: Continuous Assessment and Improvement

Once you complete the initial assessment and start working on the improvement plans, you should re-assess the security maturity at a regular interval and refine the improvement plans accordingly.

Note that, due to challenges in the product line, business priorities and resource alignment, you may sometimes need to re-align your improvement plans on an ongoing basis.

 

Conclusion 

In conclusion, leveraging the OWASP SAMM framework provides a structured and practical approach to enhancing cybersecurity maturity. By conducting thorough assessments, identifying maturity gaps, and creating actionable improvement plans, organizations can systematically strengthen their security posture. Continuous assessment and refinement of these plans are crucial for adapting to evolving challenges and ensuring ongoing improvement in software security resilience.

 
