SAMMY UI is optimized for resolutions with a width 1024px and higher.
Maturity Level 1
Maturity Level 2
Maturity Level 3
Track security defects centrally
I-DM-A-1: Do you track all known security defects in accessible locations?
  • You can easily get an overview of all security defects impacting one application
  • You have at least a rudimentary classification scheme in place
  • The process includes a strategy for handling false positives and duplicate entries
  • The defect management system covers defects from various sources and activities
Coverage
- None: There is no coverage for this activity or not all quality criteria have been fulfilled.
- Some: You perform this activity across some portion of your applications, to a certain extend, or review it on an ad-hoc basis, while making sure that all quality criteria are fulfilled.
- Half: You perform this activity across half of your applications, to a larger extent or review it at regular times (though not very often), while making sure that all quality criteria are fulfilled.
- Most/All: You perform this activity across most / all of your applications, to a full extent or review it at regular times at most once a year, while making sure that all quality criteria are fulfilled.
Description

Introduce a common definition / understanding of a security defect and define the most common ways of identifying these. These typically include, but are not limited to:

  • Threat assessments
  • Penetration tests
  • Output from static and dynamic analysis scanning tools
  • Responsible disclosure processes or bug bounties

Foster a culture of transparency and avoid blaming any teams for introducing or identifying security defects. Record and track all security defects in a defined location. This location doesn't necessarily have to be centralized for the whole organization, however ensure that you're able to get an overview of all defects affecting a particular application at any single point in time. Define and apply access rules for the tracked security defects to mitigate the risk of leakage and abuse of this information.

Introduce at least rudimentary qualitative classificiation of security defects so that you are able to prioritize fixing efforts accordingly. Strive for limiting duplication of information and presence of false positives to increase the trustworthiness of the process.

Endorsed Solutions for Mastering Defect Tracking
vendor logo Become a Recommended Vendor for Defect Tracking!

Are you a provider of cutting-edge products, processes, consultancy, or technology that aligns with Defect Tracking? Showcase your expertise and connect with organizations seeking solutions like yours. Apply now to become an endorsed vendor and help others achieve mastery!

Do you want to recommend a vendor to appear here? Recommend a vendor
OWASP Team guidance

This is the official guidance provided by the OWASP SAMM Team.

Loading...
Loading, please wait.
Community guidance

This guidance is based on the approved community submissions.

Loading...
Loading, please wait.