Software Assurance Maturity Model

SAMM provides an effective and measurable way for all types of organizations to analyze and improve their software security posture.

SAMM USER DAY 2025


Wednesday, May 28th
Barcelona, SPAIN

Call for submissions

Getting started

Are you new to SAMM? We’ll walk you through the first steps to get you going.

SAMM assessment

Analyze your security posture using our maturity measurement tool.

Benchmark

Where is your organization on the map? Contribute. Be a part of SAMM.

SAMM Fundamentals Course

A free, self-paced course to get you started with SAMM

Visit the SAMM Fundamentals Course page

From our blog

Be an OWASP SAMM contributor and tell us about your experience using our maturity model in guest articles. Get in touch with us to share your SAMM story.

Read more

Enabling teams with the OWASP SAMM Skills Framework

By The SAMM Project Team on February 9, 2025

Introduction Picture this: your team is tasked with building secure, compliant software, but you’re not sure where to begin and who to involve. In today’s cloud-driven world, even solid security plans can stall if teams don’t know what tasks they own or believe they do not have the right skills to get started. Across teams, many organizations lack a clear view on ownership and shared responsibilities, whether they work with company internal service providers or external public service providers.

Continue reading

Read more

SAMM Scoring: Percent to Target and Progress to Date Metrics

By Aram Hovsepyan on January 21, 2025

SAMM Scoring: Percent to Target and Progress to Date Metrics Introduction: the “not applicable” answer A common question among SAMM users is whether specific activities, streams, or entire practices can be marked as not applicable. This seems reasonable—some security activities might not fit an organization’s current reality. For example, the Supplier Security stream focuses on supply-chain risks in outsourced development. If your organization doesn’t outsource, it might seem irrelevant. The SAMM core team acknowledges this, but emphasizes future readiness.

Continue reading

Read more

Microsoft SDL and OWASP SAMM Mapping: A Comprehensive Analysis

By Aram Hovsepyan on January 20, 2025

Microsoft SDL and OWASP SAMM Mapping: A Comprehensive Analysis Introduction The Microsoft Security Development Lifecycle (SDL) was introduced in 2004 as Microsoft’s response to the security challenges that plagued its Windows operating system. As the first formal secure SDLC framework, it laid the foundation for many secure software development practices. Today in its latest version, Microsoft SDL comprises 10 security practices, each containing a set of requirements designed to reduce security risks across the software development lifecycle.

Continue reading

Read more

SAMM BSIMM Mapping

By Aram Hovsepyan, Maxim Baele on December 10, 2024

Building Security In Maturity Model (BSIMM) Mapped to OWASP SAMM The full mapping sheet between BSIMM 14 and OWASP SAMM. Introduction The Building Security In Maturity Model (BSIMM) and OWASP Software Assurance Maturity Model (SAMM) share a common history. Both were conceived around 2008-2009 and are based on OpenSAMM, which was created by Pravir Chandra. Over time, however, these two models have evolved independently, with distinct conceptual differences. We have previously explored these differences in detail .

Continue reading

Get SAMM news delivered to you

Our Sponsors

Software powers the world, but insecure software threatens safety, trust, and economic growth.
Your support powers SAMM and helps us achieve our mission.

GOLD SPONSORS

codific

SILVER SPONSORS

checkmarx concord indelible microfocus minded security ncc group pwc security innovation splunk Toreon

Find out about sponsorship