August 29, 2022

Last Updated on August 20, 2024

Development teams in pursuit of a mature software security program frequently leverage the OWASP Application Security Verification Standard (ASVS). But what about the OWASP Software Assurance Maturity Model (SAMM), another proven assessment and improvement tool?

Does it make sense to use the two frameworks together? And what’s a best-practice approach for doing so?

To share ideas and tips on getting the most from OWASP SAMM, a recent episode of The Virtual CISO Podcast features Taylor Smith, Network & Application Penetration Testing Lead at Pivot Point Security. John Verry, Pivot Point Security CISO and Managing Partner, hosts the podcast.

SAMM and ASVS are complementary

SAMM and ASVS serve complementary purposes, so using them together expands security coverage and supports understanding of controls and requirements.

“ASVS serves as more of a template,” Taylor explains. “It uses a series of controls, which is like a really big to-do list that developers can use internally as a metric to build their application. But then testers can also use those same requirements to test the application and perform a full-scale penetration test.”

“So, ASVS is a twofold tool,” Taylor adds. “OWASP says it’s a threefold because it also provides guidance. That’s where you start to get a lot of overlap with SAMM.”

In Taylor’s experience, many of the ASVS requirements can mirror content within SAMM’s business functions and the activities associated with its different streams.

For example, a penetration test (which ASVS requires) falls under SAMM’s Verification business function. When you compare the two frameworks, they overlap across many of the business functions.

Using SAMM and ASVS together

In Taylor’s view, using SAMM with ASVS is “the best of both worlds.”

“I like to pair these two as one project,” suggests Taylor. “Developers can use the requirements from both to cover the majority of their security bases.”

Many of the SAMM activities align with requirements in ASVS, while SAMM provides a clear and complete framework of activities that, in Taylor’s view, “can make you feel a little less lost.”

“SAMM tends to be a little less piecemeal than ASVS,” notes Taylor. “It’s very general, and it’s built that way so that it is flexible and different teams with different development styles can use it.”

ASVS is significantly more granular and offers more technical direction than SAMM. It provides precisely defined requirements that teams can adjust according to their application’s particular needs.

“When you pair these two OWASP projects together, you get something really, really valuable,” shares Taylor. “You get the full security coverage.”

Covering all the angles

John sums up the SAMM-ASVS synergy as approaching the goal of secure applications from two different angles.

“When you look at SAMM and a SAMM assessment, it validates that you’ve got the right processes in place to result in a secure application,” observes John. “And then ASVS is a mechanism to validate that the net application you developed [using SAMM] is secure.”

It’s very valuable to have that cross-check because you can have a well-defined process that, for whatever reason(s), doesn’t yield a secure application at the end. SAMM and ASVS together not only help create and validate a secure application, but also support continuous improvement of an org’s software security process.

What’s next?

To catch this podcast episode featuring pen testing lead Taylor Smith, click here.

Interested in using the OWASP ASVS? Here’s a great podcast to get you started: EP#11 – Daniel Cuthbert – OWASP ASVS: The Go-To Standard for Application Security