SAMM Self Assessment¶ ↑
So what is the Samm Self Assessment tool?¶ ↑
The Samm Self Assessment tool is an implementation of the OpenSAMM (www.opensamm.org) process wrapped together into a little Rails application. Its aim is to simplify the measurement of your organisation against OpenSAMM, and to assist in the construction of a roadmap, and subsequent tracking of progress down that roadmap.
Why would you build this?¶ ↑
Well, simply put, we think that OpenSAMM is a great process to help organisations measure the maturity of security within their software development lifecycle. Plus, we wanted something lightweight that could be stood up on a standalone desktop (with Rails), or even hosted on the Internet (Heroku/EC2/etc)
Okay, so why would I measure software security maturity?¶ ↑
Without this measurement trying to improve the state of security within your software development lifecycle is going to be difficult. As they say: You can’t manage what you can’t measure.
Install Instructions¶ ↑
(This is a fairly standard Rails app, so, these instructions are somewhat generic)
1. Install Ruby 1.9.3 (I use RVM - rvm.io/)¶ ↑
2. Clone this repo:¶ ↑
$ git clone https://github.com/AsteriskLabs/ssa.git
3. Change into the ssa directory (RVM may warn if you want to trust the rvmrc file, this sets a new gemset for ‘ssa’)¶ ↑
$ cd ssa
4. Install dependencies with bundler, if you don’t have bundler ‘gem install bundler’ it¶ ↑
$ bundle
5. Copy the example DB config file (and edit it if you wish)¶ ↑
$ cp config/database.yml.example config/database.yml
6. Run the database migrations¶ ↑
$ rake db:migrate
7. Create the secret_token.rb file in ‘config/initializers’¶ ↑
$ vi config/initializers/secret_token.rb
8. Enter the following into the file¶ ↑
Ssa::Application.config.secret_token = "<RANDOM TOKEN>"
9. Rake can be used to generate a random value for you if you wish¶ ↑
$ rake secret
10. By default, registering a new account will require email validation, so update ‘config/initializers/mail.rb’ with appropriate settings.¶ ↑
11. Update ‘config/initializers/devise.rb’ with an appropriate ‘from’ email address¶ ↑
12. If you don’t want users to have to validate their emails, update ‘app/models/user.rb’ and remove the ‘:confirmable’ option.¶ ↑
13. Start up the local server¶ ↑
$ rails s