Software Assurance Maturity Model

SAMM provides an effective and measurable way for all types of organizations to analyze and improve their software security posture.

Getting started

Are you new to SAMM? We’ll walk you through the first steps to get you going.

SAMM assessment

Analyze your security posture using our maturity measurement tool.

Benchmarking

Where is your organization on the map? Contribute. Be a part of SAMM.

SAMM PDF

We have created a PDF version of the SAMM model.

View SAMM PDF

From our blog

Be an OWASP SAMM contributor and tell us about your experience using our maturity model in guest articles. Get in touch with us to share your SAMM story.

Read more

Determining scope when implementing SAMM

By The SAMM Project Team on May 24, 2023

When performing a SAMM assessment, should the scope be the whole organization or should it be smaller, like a business unit or even a single team or application? The short answer? Start small. Getting started Start by evaluating your goals. What do you want to achieve? Do you aim to identify and prioritize areas of improvement in your organization’s security posture? Do you seek to establish a baseline for measuring the effectiveness of your security program over time?

Continue reading

Read more

How ISO and SAMM complement each other

By The SAMM Project Team on March 21, 2023

October 2022 brought us the third revision of the ISO/IEC 27001 standard. The revisions included simplifying the domains and controls, using more practical language, and introducing new controls. The addition of a separate control for “Secure Coding.” provides an opportunity to highlight how OWASP SAMM and ISO 27001 are complementary standards. In this blog post, we shine light on how they intersect and how, implemented together, you can maximize their effectiveness and value.

Continue reading

Read more

The "Not Applicable" Question

By The SAMM Project Team on February 28, 2023

The Core Team’s Thoughts Since the initial publication of SAMM 2.0, several SAMM users have asked how to address Activities or Quality Criteria they believe are not applicable to their assessment’s scope. At the recent SAMM Core Team Summit in Boston, we discussed this question at some length, and this article summarizes that conversation. The topic really involves several questions, which we’ll address one at a time. Is it valid to declare an Activity Not Applicable?

Continue reading

Read more

Tackling App Security with SAMM-NIST SSDF Mapping

By The SAMM Project Team on February 6, 2023

The Application Security Challenge The increasing dependence on software in our daily lives has made the challenge of ensuring its security more pressing. Despite being a critical concern, cybersecurity is often not a priority for organizations until there is an incident or breach. This has resulted in the cost of cyber insurance doubling in the past two years and the total cost of cybercrime in 2022 reaching $7 trillion .

Continue reading

Get SAMM news delivered to you

Our Sponsors

Software powers the world, but insecure software threatens safety, trust, and economic growth.
Your support powers SAMM and helps us achieve our mission.

checkmarx codific concord indelible microfocus minded security ncc group pwc security innovation splunk toreon

Find out about sponsorship