The mission of OWASP Software Assurance Maturity Model (SAMM) is to be the prime maturity model for software assurance that provides an effective and measurable way for all types of organizations to analyze and improve their software security posture. OWASP SAMM supports the complete software lifecycle, including development and acquisition, and is technology and process agnostic. It is intentionally built to be evolutive and risk-driven in nature.
SAMMwise is an open source web app that calculates the maturity score of an individual, enterprise, or project using the SAMM model. The application walks you through the assessment, allows you to save and re-use previously completed assessments, and presents the results in a style similar to the SAMM toolbox spreadsheet.
The quickest way to get up and running is to pull the image from Docker Hub using the following commands:
docker pull stephenmorgan/owasp-sammwise
docker run -p 3000:3000 stephenmorgan/owasp-sammwise
Refer to the Build Options section below for how to build and run the application from source.
Both the docker and npm options run the application on port 3000. The application can be accessed by navigating to http://localhost:3000 in your browser. Note that -p 3000:3000 publishes the port on every host interface; if the host is reachable from other machines and you only want to use the tool locally, bind it to the loopback address instead with -p 127.0.0.1:3000:3000.
Survey
The survey page (/survey) allows users to perform an assessment. A SAMM survey rates your project or enterprise against five domains (SAMM's business functions): Governance, Design, Implementation, Verification, and Operations. Each domain consists of three subdomains (SAMM's security practices), and each subdomain consists of six questions. (TODO) Further information about each question or domain can be viewed by hovering over the informational icons.
There is an optional sixth survey panel where you can enter project metadata that will be included in the results page.
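The survey structure described above (five domains, three subdomains each, six questions per subdomain) maps directly onto a scoring routine. The following is an added JavaScript example and is not SAMMwise's own code. It assumes an answer object keyed by domain name, and scoring rules taken from the SAMM toolbox spreadsheet rather than from this app: each answer is 0, 0.25, 0.5 or 1; the six questions of a subdomain form two streams of three, a stream scores the sum of its answers (0 to 3), a subdomain scores the mean of its two streams, a domain the mean of its three subdomains, and the overall score the mean of the domains. The sample answers are constructed. The validation step rejects malformed or out-of-range input before anything is aggregated, which is the check you would want before trusting a results file that was edited offline and re-uploaded.

```javascript
// Added example, not part of SAMMwise. Structure follows the README; the
// scoring rules below are an assumption mirroring the SAMM toolbox spreadsheet.
const DOMAINS = ["Governance", "Design", "Implementation", "Verification", "Operations"];
const PRACTICES_PER_DOMAIN = 3;
const QUESTIONS_PER_PRACTICE = 6;
const ALLOWED_ANSWERS = new Set([0, 0.25, 0.5, 1]);

// Returns a list of human-readable problems; an empty list means the input is well-formed.
function validateAnswers(answers) {
  const errors = [];
  if (answers === null || typeof answers !== "object") return ["answers must be an object"];
  for (const domain of DOMAINS) {
    const practices = answers[domain];
    if (!Array.isArray(practices) || practices.length !== PRACTICES_PER_DOMAIN) {
      errors.push(`${domain}: expected ${PRACTICES_PER_DOMAIN} practices`);
      continue;
    }
    practices.forEach((questions, i) => {
      if (!Array.isArray(questions) || questions.length !== QUESTIONS_PER_PRACTICE) {
        errors.push(`${domain}[${i}]: expected ${QUESTIONS_PER_PRACTICE} answers`);
        return;
      }
      questions.forEach((v, j) => {
        // Set membership also rejects strings such as "0.5" and NaN.
        if (!ALLOWED_ANSWERS.has(v)) errors.push(`${domain}[${i}][${j}]: invalid answer ${v}`);
      });
    });
  }
  for (const key of Object.keys(answers)) {
    if (!DOMAINS.includes(key)) errors.push(`unknown domain ${key}`);
  }
  return errors;
}

const mean = (xs) => xs.reduce((a, b) => a + b, 0) / xs.length;
const round2 = (x) => Math.round(x * 100) / 100;

// Questions 0-2 are stream A (maturity levels 1-3), questions 3-5 are stream B.
function practiceScore(questions) {
  const streamA = questions[0] + questions[1] + questions[2];
  const streamB = questions[3] + questions[4] + questions[5];
  return mean([streamA, streamB]);
}

// Aggregates a validated answer object into per-practice, per-domain and overall scores.
// Rounding is applied only to the reported values, never to intermediate sums.
function scoreSurvey(answers) {
  const errors = validateAnswers(answers);
  if (errors.length > 0) throw new Error("invalid survey: " + errors.join("; "));
  const domains = {};
  const rawDomainScores = [];
  for (const d of DOMAINS) {
    const practices = answers[d].map(practiceScore);
    const raw = mean(practices);
    rawDomainScores.push(raw);
    domains[d] = { practices: practices.map(round2), score: round2(raw) };
  }
  return { domains, overall: round2(mean(rawDomainScores)) };
}

// Constructed sample: mature Governance, nothing in Operations, mixed elsewhere.
const SAMPLE = {
  Governance: [[1, 1, 1, 1, 1, 1], [1, 1, 1, 1, 1, 1], [1, 1, 1, 1, 1, 1]],
  Design: [[1, 0.5, 0, 1, 0.5, 0], [0.5, 0, 0, 0.5, 0, 0], [1, 1, 0.5, 1, 1, 0]],
  Implementation: [[0.25, 0, 0, 0.25, 0, 0], [1, 0.25, 0, 0.5, 0.25, 0], [0.5, 0.5, 0.5, 0.5, 0.5, 0.5]],
  Verification: [[1, 1, 1, 1, 1, 0], [1, 0.5, 0.25, 1, 0.5, 0.25], [0, 0, 0, 0, 0, 0]],
  Operations: [[0, 0, 0, 0, 0, 0], [0, 0, 0, 0, 0, 0], [0, 0, 0, 0, 0, 0]],
};

console.log(JSON.stringify(scoreSurvey(SAMPLE), null, 2));
```

Running the block prints the per-domain and overall scores for the constructed sample; feeding it an object with a missing domain, a seven-question practice or a string answer makes scoreSurvey throw with a message naming every offending position.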
Please refer to the OWASP Foundation documentation for guidance on the use of Software Assurance Maturity Model.
Report
Upon completion of a survey, you will be redirected to the report page and presented with the results of the survey.
The bottom of the report page lets you save the results of your survey, either to the browser's local storage or as a JSON file downloaded to your device. The JSON download allows results to be shared offline. Local storage is unencrypted and persists in the browser profile, so on a shared machine prefer the JSON download and clear the saved entry afterwards.
Changes made to re-uploaded results are visualised in the report graphs.
Build Options
Docker Compose
Use the included docker-compose.yml file to quickly get up and running. Requires docker and docker-compose on the host system.
docker-compose up
npm
Requires npm 10.3 or higher. First install the required dependencies:
npm install
Then run one of the following, depending on your use case. For development mode:
npm run dev
For a production build:
npm run build
npm run start
Please submit a Pull Request for bug fixes and feature enhancements.