Software Assurance Maturity Model

SAMM provides an effective and measurable way for all types of organizations to analyze and improve their software security posture.

Getting started

Are you new to SAMM? We’ll walk you through the first steps to get you going.

SAMM assessment

Analyze your security posture using our maturity measurement tool.

Benchmark

Where is your organization on the map? Contribute. Be a part of SAMM.

SAMM Fundamentals Course

A free, self-paced course to get you started with SAMM

Visit the SAMM Fundamentals Course page

From our blog

Be an OWASP SAMM contributor and tell us about your experience using our maturity model in guest articles. Get in touch with us to share your SAMM story.

Read more

OWASP SAMM now connects to OpenCRE

By The SAMM Project Team on September 20, 2023

We are excited to announce that each OWASP-SAMM stream now uses OpenCRE.org to link to other standards and guidelines. OpenCRE stands for Open Common Requirement Enumeration, and it aims to provide a common language and framework for mapping and comparing different security standards, guidelines, and frameworks. By linking SAMM to OpenCRE, we’ve made it easier for our users to find relevant and useful resources with every stream, as well as to see how SAMM aligns with other security standards such as NIST SSDF, ISO27K, PCI-DSS, OWASP ASVS, and NIST 800-53.

Continue reading

Read more

Determining scope when implementing SAMM

By The SAMM Project Team on May 24, 2023

When performing a SAMM assessment, should the scope be the whole organization or should it be smaller, like a business unit or even a single team or application? The short answer? Start small. Getting started Start by evaluating your goals. What do you want to achieve? Do you aim to identify and prioritize areas of improvement in your organization’s security posture? Do you seek to establish a baseline for measuring the effectiveness of your security program over time?

Continue reading

Read more

How ISO and SAMM complement each other

By The SAMM Project Team on March 21, 2023

October 2022 brought us the third revision of the ISO/IEC 27001 standard. The revisions included simplifying the domains and controls, using more practical language, and introducing new controls. The addition of a separate control for “Secure Coding.” provides an opportunity to highlight how OWASP SAMM and ISO 27001 are complementary standards. In this blog post, we shine light on how they intersect and how, implemented together, you can maximize their effectiveness and value.

Continue reading

Read more

The "Not Applicable" Question

By The SAMM Project Team on February 28, 2023

The Core Team’s Thoughts Since the initial publication of SAMM 2.0, several SAMM users have asked how to address Activities or Quality Criteria they believe are not applicable to their assessment’s scope. At the recent SAMM Core Team Summit in Boston, we discussed this question at some length, and this article summarizes that conversation. The topic really involves several questions, which we’ll address one at a time. Is it valid to declare an Activity Not Applicable?

Continue reading

Get SAMM news delivered to you

Our Sponsors

Software powers the world, but insecure software threatens safety, trust, and economic growth.
Your support powers SAMM and helps us achieve our mission.

checkmarx codific concord indelible microfocus minded security ncc group pwc security innovation splunk toreon

Find out about sponsorship