SAMMY UI is optimized for resolutions with a width 1024px and higher.
Maturity Level 1
Maturity Level 2
Maturity Level 3
Identify the organization's risk appetite
G-SM-A-1: Do you understand the enterprise-wide risk appetite for your applications?
  • You capture the risk appetite of your organization's executive leadership
  • The organization's leadership vet and approve the set of risks
  • You identify the main business and technical threats to your assets and data
  • You document risks and store them in an accessible location
Coverage
- None: There is no coverage for this activity or not all quality criteria have been fulfilled.
- Some: You perform this activity across some portion of your applications, to a certain extend, or review it on an ad-hoc basis, while making sure that all quality criteria are fulfilled.
- Half: You perform this activity across half of your applications, to a larger extent or review it at regular times (though not very often), while making sure that all quality criteria are fulfilled.
- Most/All: You perform this activity across most / all of your applications, to a full extent or review it at regular times at most once a year, while making sure that all quality criteria are fulfilled.
Description

Understand, based on application risk exposure, what threats exist or may exist, as well as how tolerant executive leadership is of these risks. This understanding is a key component of determining software security assurance priorities. To ascertain these threats, interview business owners and stakeholders and document drivers specific to industries where the organization operates as well as drivers specific to the organization. Gathered information includes worst-case scenarios that could impact the organization, as well as opportunities where an optimized software development lifecycle and more secure applications could provide a market-differentiator or create additional opportunities.

Gathered information provides a baseline for the organization to develop and promote its application security program. Items in the program are prioritized to address threats and opportunities most important to the organization. The baseline is split into several risk factors and drivers linked directly to the organization's priorities and used to help build a risk profile of each custom-developed application by documenting how they can impact the organization if they are compromised.

The baseline and individual risk factors should be published and made available to application development teams to ensure a more transparent process of creating application risk profiles and incorporating the organization's priorities into the program. Additionally, these goals should provide a set of objectives which should be used to ensure all application security program enhancements provide direct support of the organization's current and future needs.

Endorsed Solutions for Mastering Create and Promote
vendor logo Become a Recommended Vendor for Create and Promote!

Are you a provider of cutting-edge products, processes, consultancy, or technology that aligns with Create and Promote? Showcase your expertise and connect with organizations seeking solutions like yours. Apply now to become an endorsed vendor and help others achieve mastery!

Do you want to recommend a vendor to appear here? Recommend a vendor
OWASP Team guidance

This is the official guidance provided by the OWASP SAMM Team.

Loading...
Loading, please wait.
Community guidance

This guidance is based on the approved community submissions.

Loading...
Loading, please wait.