Step 2: Assess

Identify and understand the maturity of your chosen scope in each of the 15 software security practices.

Activities

Evaluate current practices
Organize interviews with relevant stakeholders to understand the current state of practices within your organization. You could evaluate this yourself if you understand the organization sufficiently. SAMM provides lightweight and detailed assessments: the detailed assessment is evidence-based, so use it only when you need absolute certainty about the scores.

Determine maturity level
Based on the outcome of the previous activity, determine the maturity level for each security practice according to the SAMM maturity scoring system. Activities are scored by a multiple-choice system and averaged out for the security practice area, then added together to determine the overall score.

Your scores from this step are the input for step 3. Use them to decide where you want to be.
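The scoring rule described above (activities answered by multiple choice, averaged per security practice, then summed for the overall score), as an added example that is not part of the SAMM toolbox. The four-answer scale, the practice names chosen for the sample, and the rule that not-applicable activities are left out of the average are assumptions made for this illustration.

```python
from statistics import mean
from typing import Dict, List, Optional, Tuple

# Assumed answer scale (not given on this page): each multiple-choice
# answer maps to a fractional activity score. None marks "not applicable".
ANSWER_SCORES = {"No": 0.0, "Partially": 0.25, "Mostly": 0.5, "Yes": 1.0}


def score_activity(answer: Optional[str], partial_credit: bool = True) -> Optional[float]:
    """Score one activity; returns None for a not-applicable activity."""
    if answer is None:
        return None
    score = ANSWER_SCORES[answer]
    # If partial credit is not awarded, anything short of "Yes" counts as 0.
    if not partial_credit and score < 1.0:
        return 0.0
    return score


def score_practice(answers: List[Optional[str]], partial_credit: bool = True) -> float:
    """Average the scored activities of one practice, excluding N/A ones."""
    scored = [s for s in (score_activity(a, partial_credit) for a in answers) if s is not None]
    if not scored:  # every activity was not applicable
        return 0.0
    return mean(scored)


def score_assessment(
    practices: Dict[str, List[Optional[str]]], partial_credit: bool = True
) -> Tuple[Dict[str, float], float]:
    """Per-practice averages plus the overall score (sum of practice scores)."""
    per_practice = {name: score_practice(a, partial_credit) for name, a in practices.items()}
    return per_practice, sum(per_practice.values())


# Constructed sample: three of the fifteen practices, one with an N/A activity
# and one where nothing applies.
SAMPLE = {
    "Strategy & Metrics": ["Yes", "Partially", "No"],
    "Policy & Compliance": ["Mostly", None, "Yes"],
    "Threat Assessment": [None, None],
}

if __name__ == "__main__":
    for partial in (True, False):
        scores, total = score_assessment(SAMPLE, partial_credit=partial)
        print(f"partial credit={partial}: {scores} total={total:.2f}")
```

Run it twice with and without partial credit to see how much that single judgment call moves the overall score, which is why the best practice below says to decide it in advance.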

Best practices

  • Ensure consistent assessment across different stakeholders and teams by using the same questions and interviewer.
  • Consider using different formats to gather data, for example workshops versus interviews.
  • Ensure interviewees understand the particulars of each activity.
  • Identify which activities are not applicable to the organization, and account for this in the overall scoring.
  • Decide in advance whether you will award partial credit, and document any judgment calls.
  • Repeat questions to several people to improve assessment quality.
  • Consider making interviews anonymous to encourage honesty.
  • Don’t take questions too literally.