OWASP / samm

SAMM stands for Software Assurance Maturity Model.

Why activities in Assessment Toolbox, OWASP SAMM v2.0 and on site are different? #574

Closed Shkarbatov closed 3 years ago

Shkarbatov commented 3 years ago

Why are the activities different in Verification => Architecture Analysis => Architecture Compliance and on the site, where there is Architecture Mitigation instead of Architecture Compliance, and in OWASP-SAMM-v2.0.pdf?

In the SAMM Assessment Interview we have Architecture Compliance instead of Architecture Mitigation.

23bartman commented 3 years ago

Hi Shkarbatov. Thanks for your question. There are two things that could be causing this:

  1. Since version 2.0 of OpenSAMM, we want to support faster updates to the model. See also this blog post: https://owaspsamm.org/blog/2021/03/23/samm-suite/. The website is currently showing the latest minor version of the model, which might differ from SAMM 2.0 and the assessment toolbox (which are still aligned). With our new versioning system, we will be able to implement necessary changes faster, and we're using a semantic versioning model for this. The idea is that the website and toolbox are always aligned (when you're using the same version); the fact that they differ is just a temporary situation. Sorry for that.
  2. We're in the middle of transferring between GitHub repos. This might also lead to some (temporary) glitches.

Kind regards, Bart.