Blogs

Navigating the AI Frontier: How OWASP SAMM Secures the Next Generation of Software

By The SAMM Project Team in AI

January 20, 2026

A recent episode of the SAMM Podcast , featuring SAMM Core Team members Sebastien Deleersnyder (Seba) and Nariman Aga-Tagiyev with Bart De Win as host (link), explored a critical question: As organizations rapidly adopt AI and build AI-powered applications, how does the OWASP Software Assurance Maturity Model (SAMM) apply to securing this new frontier? Here is a look into the discussion on the current applicability of SAMM, the unique risks of AI, and the model’s path forward.

Continue reading

Introducing the SAMM Benchmark Report

By The SAMM Project Team in benchmark

May 7, 2025

Unlocking New Insights in Application Security The world of software security evolves rapidly, with new challenges and best practices emerging every day. For organizations striving to build robust application security programs, the ability to compare practices and measure progress against industry peers is invaluable. This is where the SAMM Benchmark Report steps in—a comprehensive analysis based on real-world data that provides actionable insights into the current state of application security maturity.

Continue reading

Enabling teams with the OWASP SAMM Skills Framework

By The SAMM Project Team in mapping

February 9, 2025

Introduction Picture this: your team is tasked with building secure, compliant software, but you’re not sure where to begin and who to involve. In today’s cloud-driven world, even solid security plans can stall if teams don’t know what tasks they own or believe they do not have the right skills to get started. Across teams, many organizations lack a clear view on ownership and shared responsibilities, whether they work with company internal service providers or external public service providers.

Continue reading

SAMM Scoring: Percent to Target and Progress to Date Metrics

By Aram Hovsepyan in assessment

January 21, 2025

SAMM Scoring: Percent to Target and Progress to Date Metrics Introduction: the “not applicable” answer A common question among SAMM users is whether specific activities, streams, or entire practices can be marked as not applicable. This seems reasonable—some security activities might not fit an organization’s current reality. For example, the Supplier Security stream focuses on supply-chain risks in outsourced development. If your organization doesn’t outsource, it might seem irrelevant. The SAMM core team acknowledges this, but emphasizes future readiness.

Continue reading

Microsoft SDL and OWASP SAMM Mapping: A Comprehensive Analysis

By Aram Hovsepyan in mapping

January 20, 2025

Microsoft SDL and OWASP SAMM Mapping: A Comprehensive Analysis Introduction The Microsoft Security Development Lifecycle (SDL) was introduced in 2004 as Microsoft’s response to the security challenges that plagued its Windows operating system. As the first formal secure SDLC framework, it laid the foundation for many secure software development practices. Today in its latest version, Microsoft SDL comprises 10 security practices, each containing a set of requirements designed to reduce security risks across the software development lifecycle.

Continue reading

SAMM BSIMM Mapping

By Aram Hovsepyan, Maxim Baele in mapping

December 10, 2024

Building Security In Maturity Model (BSIMM) Mapped to OWASP SAMM The full mapping sheet between BSIMM 14 and OWASP SAMM. Introduction The Building Security In Maturity Model (BSIMM) and OWASP Software Assurance Maturity Model (SAMM) share a common history. Both were conceived around 2008-2009 and are based on OpenSAMM, which was created by Pravir Chandra. Over time, however, these two models have evolved independently, with distinct conceptual differences. We have previously explored these differences in detail .

Continue reading

OWASP SAMM now connects to OpenCRE

By The SAMM Project Team in assessment

September 20, 2023

We are excited to announce that each OWASP-SAMM stream now uses OpenCRE.org to link to other standards and guidelines. OpenCRE stands for Open Common Requirement Enumeration, and it aims to provide a common language and framework for mapping and comparing different security standards, guidelines, and frameworks. By linking SAMM to OpenCRE, we’ve made it easier for our users to find relevant and useful resources with every stream, as well as to see how SAMM aligns with other security standards such as NIST SSDF, ISO27K, PCI-DSS, OWASP ASVS, and NIST 800-53.

Continue reading

Determining scope when implementing SAMM

By The SAMM Project Team in assessment

May 24, 2023

When performing a SAMM assessment, should the scope be the whole organization or should it be smaller, like a business unit or even a single team or application? The short answer? Start small. Getting started Start by evaluating your goals. What do you want to achieve? Do you aim to identify and prioritize areas of improvement in your organization’s security posture? Do you seek to establish a baseline for measuring the effectiveness of your security program over time?

Continue reading

How ISO and SAMM complement each other

By The SAMM Project Team in assessment

March 21, 2023

October 2022 brought us the third revision of the ISO/IEC 27001 standard. The revisions included simplifying the domains and controls, using more practical language, and introducing new controls. The addition of a separate control for “Secure Coding.” provides an opportunity to highlight how OWASP SAMM and ISO 27001 are complementary standards. In this blog post, we shine light on how they intersect and how, implemented together, you can maximize their effectiveness and value.

Continue reading

The "Not Applicable" Question

By The SAMM Project Team in assessment

February 28, 2023

The Core Team’s Thoughts Since the initial publication of SAMM 2.0, several SAMM users have asked how to address Activities or Quality Criteria they believe are not applicable to their assessment’s scope. At the recent SAMM Core Team Summit in Boston, we discussed this question at some length, and this article summarizes that conversation. The topic really involves several questions, which we’ll address one at a time. Is it valid to declare an Activity Not Applicable?

Continue reading

Search

Categories

Tags