SAMMY UI is optimized for resolutions with a width 1024px and higher.
Maturity Level 1
Maturity Level 2
Maturity Level 3
Test high risk application components manually
V-ST-B-1: Do you manually review the security quality of selected high-risk components?
  • Criteria exist to help the reviewer focus on high-risk components
  • Qualified personnel conduct reviews following documented guidelines
  • You address findings in accordance with the organization's defect management policy
Coverage
- None: There is no coverage for this activity or not all quality criteria have been fulfilled.
- Some: You perform this activity across some portion of your applications, to a certain extend, or review it on an ad-hoc basis, while making sure that all quality criteria are fulfilled.
- Half: You perform this activity across half of your applications, to a larger extent or review it at regular times (though not very often), while making sure that all quality criteria are fulfilled.
- Most/All: You perform this activity across most / all of your applications, to a full extent or review it at regular times at most once a year, while making sure that all quality criteria are fulfilled.
Description

Perform selective manual security testing, possibly using a combination of static and dynamic analysis tools to guide or focus the review, in order to more thoroughly analyze parts of the application, as an attacker. Automated tools are effective at finding various types of vulnerabilities but can never replace expert manual review.

Code-level vulnerabilities in security-critical parts of software can have dramatically increased impact so project teams review high-risk modules for common vulnerabilities. Common examples of high-risk functionality include authentication modules, access control enforcement points, session management schemes, external interfaces, and input validators and data parsers. Teams can combine code-level metrics and focused automated scans to determine where best to focus their efforts. In practice, the activity can take many forms including pair programming and peer review, time-boxed security "pushes" involving the entire development team, or spontaneous independent reviews by members of a specialised security group.

During development cycles where high-risk code is changed and reviewed, development managers triage the findings and prioritize remediation appropriately with input from other project stakeholders.

Endorsed Solutions for Mastering Deep Understanding
vendor logo Become a Recommended Vendor for Deep Understanding!

Are you a provider of cutting-edge products, processes, consultancy, or technology that aligns with Deep Understanding? Showcase your expertise and connect with organizations seeking solutions like yours. Apply now to become an endorsed vendor and help others achieve mastery!

Do you want to recommend a vendor to appear here? Recommend a vendor
OWASP Team guidance

This is the official guidance provided by the OWASP SAMM Team.

Loading...
Loading, please wait.
Community guidance

This guidance is based on the approved community submissions.

Loading...
Loading, please wait.