Skip to content

AsteriskLabs/ssa

Repository files navigation

SAMM Self Assessment

So what is the Samm Self Assessment tool?

The Samm Self Assessment tool is an implementation of the OpenSAMM (www.opensamm.org) process wrapped together into a little Rails application. Its aim is to simplify the measurement of your organisation against OpenSAMM, and to assist in the construction of a roadmap, and subsequent tracking of progress down that roadmap.

Why would you build this?

Well, simply put, we think that OpenSAMM is a great process to help organisations measure the maturity of security within their software development lifecycle. Plus, we wanted something lightweight that could be stood up on a standalone desktop (with Rails), or even hosted on the Internet (Heroku/EC2/etc)

Okay, so why would I measure software security maturity?

Without this measurement trying to improve the state of security within your software development lifecycle is going to be difficult. As they say: You can’t manage what you can’t measure.

Install Instructions

(This is a fairly standard Rails app, so, these instructions are somewhat generic)

1. Install Ruby 1.9.3 (I use RVM - rvm.io/)

2. Clone this repo:

$ git clone https://github.com/AsteriskLabs/ssa.git

3. Change into the ssa directory (RVM may warn if you want to trust the rvmrc file, this sets a new gemset for ‘ssa’)

$ cd ssa

4. Install dependencies with bundler, if you don’t have bundler ‘gem install bundler’ it

$ bundle

5. Copy the example DB config file (and edit it if you wish)

$ cp config/database.yml.example config/database.yml

6. Run the database migrations

$ rake db:migrate

7. Create the secret_token.rb file in ‘config/initializers’

$ vi config/initializers/secret_token.rb

8. Enter the following into the file

Ssa::Application.config.secret_token = "<RANDOM TOKEN>"

9. Rake can be used to generate a random value for you if you wish

$ rake secret

10. By default, registering a new account will require email validation, so update ‘config/initializers/mail.rb’ with appropriate settings.

11. Update ‘config/initializers/devise.rb’ with an appropriate ‘from’ email address

12. If you don’t want users to have to validate their emails, update ‘app/models/user.rb’ and remove the ‘:confirmable’ option.

13. Start up the local server

$ rails s

Thanks and things we couldn’t have built this without