Agentic SAMM: Framework for Secure Agentic System Development
Agentic SAMM (ASAMM) extends OWASP SAMM for agentic systems, where the SDLC evolves from a linear cycle to a spiral. Each spiral loop returns to design, implementation, and verification phases, but with an updated threat model accounting for changes in tools and environments. The framework addresses a threat taxonomy: context as the control plane (any content readable by the agent can become a command), tool invocation as the security boundary, and autonomous window as the temporal radius of potential damage.
A two-axis trust model, inspired by NATO STANAG, applies to agents, tools, MCP servers, and context sources. Levels from A1 (full permissions) to F6 (isolated execution only) enforce strict interaction rules.
Design Principles and 17 Controls
Design follows Auftragstaktik principles: the system prompt sets intent (Auftrag), not rigid algorithms. This enables agents to adapt, as Moltke noted: no plan survives first contact with the enemy.
ASAMM provides 17 controls across SAMM's 5 functions, mapped to NIST AI RMF and NCSC. Two implementation paths are available:
- Migration from an existing security program.
- Green-field deployment for new projects.
The framework is open source: humans contribute via GitHub Issues and PRs, agents create tickets when spotting gaps.
Key Takeaways for Mid/Senior Developers
ASAMM highlights a paradigm shift in security:
- Security boundary has shifted: traditional SDLC protects code and artifacts but ignores context flows, tool calls, delegated permissions, and runtime behavior.
- Context equals instruction: documents, tracker tasks, CI logs, or tool descriptions can turn into commands. Context provenance controls are needed beyond input validation.
- Authorization ≠ task alignment: fully privileged agents can drift from goals, bypassing traditional controls.
- Time as a risk factor: autonomous window multiplies by tool radius to define potential blast radius.
- Dev environment is the attack surface: IDE plugins, MCP servers, pre-commit hooks, and CI agents demand threat modeling.
Common Pitfalls in Practice
Developers often miss agentic system nuances. Typical oversights:
- Threat models are comprehensive but lack context sources and tool invocation paths.
- Code review covers 100% of PRs, ignoring prompts, tool schemas, and agent configs.
- DAST scans are clean but don't test adversarial context behavior.
- Least privilege on service accounts, without granularity on tool calls.
- SCA passes but misses framework dependencies, MCP servers, and model providers.
What Matters Most
- Spiral SDLC: Adapts threat models to system and tool evolution.
- Threat Taxonomy: Focuses on context, tools, and autonomous window.
- 17 Controls: Mapped to NIST AI RMF/NCSC for seamless integration.
- Open Source: Contributions via GitHub for humans and agents.
- GOST R 56939-2024: Russian adaptation with mappings available.
ASAMM fills gaps in existing frameworks, providing coverage for agentic attack surfaces. Implementation minimizes risks in production environments with autonomous agents.
— Editorial Team
No comments yet.