SAMM Self Assessment
So what is the Samm Self Assessment tool?
The Samm Self Assessment tool is an implementation of the OpenSAMM (www.opensamm.org) process wrapped together into a little Rails application. Its aim is to simplify the measurement of your organisation against OpenSAMM, and to assist in the construction of a roadmap, and subsequent tracking of progress down that roadmap.
Why would you build this?
Well, simply put, we think that OpenSAMM is a great process to help organisations measure the maturity of security within their software development lifecycle. Plus, we wanted something lightweight that could be stood up on a standalone desktop (with Rails), or even hosted on the Internet (Heroku/EC2/etc)
Okay, so why would I measure software security maturity?
Without this measurement trying to improve the state of security within your software development lifecycle is going to be difficult. As they say: You can't manage what you can't measure.
(This is a fairly standard Rails app, so, these instructions are somewhat generic)
rvm.io/)1. Install Ruby 1.9.3 (I use RVM -
2. Clone this repo:
$ git clone https://github.com/AsteriskLabs/ssa.git
3. Change into the ssa directory (RVM may warn if you want to trust the rvmrc file, this sets a new gemset for 'ssa')
$ cd ssa
4. Install dependencies with bundler, if you don't have bundler 'gem install bundler' it
5. Copy the example DB config file (and edit it if you wish)
$ cp config/database.yml.example config/database.yml
6. Run the database migrations
$ rake db:migrate
7. Create the secret_token.rb file in 'config/initializers'
$ vi config/initializers/secret_token.rb
8. Enter the following into the file
Ssa::Application.config.secret_token = "<RANDOM TOKEN>"
9. Rake can be used to generate a random value for you if you wish
$ rake secret
10. By default, registering a new account will require email validation, so update 'config/initializers/mail.rb' with appropriate settings.
11. Update 'config/initializers/devise.rb' with an appropriate 'from' email address
12. If you don't want users to have to validate their emails, update 'app/models/user.rb' and remove the ':confirmable' option.
13. Start up the local server
$ rails s