SAMM USER DAY 2025


Wednesday, May 28th
Barcelona, SPAIN

SAMM Fundamentals Course

A free, self-paced course to get you started with SAMM

Visit the SAMM Fundamentals Course page

From our blog

Be an OWASP SAMM contributor and tell us about your experience using our maturity model in guest articles. Get in touch with us to share your SAMM story.

SAMM Scoring: Percent to Target and Progress to Date Metrics

By Aram Hovsepyan on January 21, 2025

Introduction: the “not applicable” answer

A common question among SAMM users is whether specific activities, streams, or entire practices can be marked as not applicable. This seems reasonable: some security activities might not fit an organization’s current reality. For example, the Supplier Security stream focuses on supply-chain risks in outsourced development. If your organization doesn’t outsource, it might seem irrelevant. The SAMM core team acknowledges this, but emphasizes future readiness.

Continue reading

Microsoft SDL and OWASP SAMM Mapping: A Comprehensive Analysis

By Aram Hovsepyan on January 20, 2025

Introduction

The Microsoft Security Development Lifecycle (SDL) was introduced in 2004 as Microsoft’s response to the security challenges that plagued its Windows operating system. As the first formal secure SDLC framework, it laid the foundation for many secure software development practices. Today, in its latest version, Microsoft SDL comprises 10 security practices, each containing a set of requirements designed to reduce security risks across the software development lifecycle.

Continue reading

SAMM BSIMM Mapping

By Aram Hovsepyan, Maxim Baele on December 10, 2024

Building Security In Maturity Model (BSIMM) Mapped to OWASP SAMM

The full mapping sheet between BSIMM 14 and OWASP SAMM.

Introduction

The Building Security In Maturity Model (BSIMM) and OWASP Software Assurance Maturity Model (SAMM) share a common history. Both were conceived around 2008-2009 and are based on OpenSAMM, which was created by Pravir Chandra. Over time, however, these two models have evolved independently, with distinct conceptual differences. We have previously explored these differences in detail.

Continue reading

OWASP SAMM now connects to OpenCRE

By The SAMM Project Team on September 20, 2023

We are excited to announce that each OWASP-SAMM stream now uses OpenCRE.org to link to other standards and guidelines. OpenCRE stands for Open Common Requirement Enumeration, and it aims to provide a common language and framework for mapping and comparing different security standards, guidelines, and frameworks. By linking SAMM to OpenCRE, we’ve made it easier for our users to find relevant and useful resources with every stream, as well as to see how SAMM aligns with other security standards such as NIST SSDF, ISO27K, PCI-DSS, OWASP ASVS, and NIST 800-53.

Continue reading

Get SAMM news delivered to you

Our Sponsors

Software powers the world, but insecure software threatens safety, trust, and economic growth.
Your support powers SAMM and helps us achieve our mission.

GOLD SPONSORS

codific

SILVER SPONSORS

Checkmarx, Concord, Indelible, Micro Focus, Minded Security, NCC Group, PwC, Security Innovation, Splunk, Toreon

Find out about sponsorship