Stream Guidance

Guidance per stream in the model

What’s SAMM guidance?

SAMM is a prescriptive security maturity model that is technology, process, and organization agnostic. The model fits any software development process, industry or environment. As a consequence, however, the prescriptive advice is high level by design. That’s where the guidance documents come into play. Their purpose is to provide concrete examples and recommendations to help organizations kickstart their security assurance programme based on SAMM.

The guidance documents contain references to other OWASP projects, external tools, descriptions of best practices, and mappings to other standards. Each guidance snippet is related to a specific stream and maturity level, and has a clear rationale.

Team guidance and community guidance

There are two types of guidance documents. Links to both are available in the Model section of the website, at the end of each stream page.

Team guidance

Created by the SAMM core team based on their experience and expertise.

Community guidance

These are contributions from the community and can include any resources that help organizations achieve a certain maturity level in a given SAMM stream. Third-party tools are welcome, but do note that we will favor resources that list all alternative tool offerings rather than individual tools. The OWASP SAMM core team will curate community guidance, reviewing it before making it public.

How to contribute

To contribute to the community guidance, complete the SAMM Guidance Google Form and submit it.

Below is a description of each field in the form.

Email address

Please provide a valid email address. We’ll send you a link so you can edit your response. We won’t use your email address for anything other than that.

Stream

Select the stream for which you would like to provide a guidance contribution. If your response is relevant to multiple streams, simply mention that in your description. You don’t need to submit it multiple times.

Category

Choose between the following:

  • OWASP Projects and References: An OWASP project or reference that could be useful to achieve a certain maturity level in a given stream. Make sure to check the team guidance as we have already included most relevant OWASP projects there.
  • Mappings to Standards and Other Models: A mapping to other standards (e.g., ISO 27001) or models (BSIMM, NIST SSDF, etc.) that could be useful for various purposes.
  • Best Practices: Description of best practices to achieve a certain maturity level in a given stream.
  • External Tools and Resources: An external tool or resource that can help one achieve a certain maturity level in a given stream.
  • Prerequisites or Dependencies: A prerequisite or dependency that is necessary for achieving a certain maturity level in a given stream.

Maturity level

Indicate the maturity level(s) to which your guidance mostly applies. You may select multiple levels.

Title

The title for your guidance submission. Examples: OWASP ZAP, BSIMM13 - [T1.1: 71] Conduct software security awareness training.

URL

You may provide an optional URL for your submission. The generator for the guidance documents will integrate this link in the title as a hyperlink.

Description

Provide a brief and to-the-point description for your guidance submission.

Rationale

Describe how this item contributes to the given practice in a specific maturity level in SAMM.

Tags

You may provide additional tags to improve the searchability of your submission. Examples: #BSIMM, #Mapping, #Tool, #DevSecOps