The Model

SAMM model overview

Strategy and Metrics | Threat Assessment | Secure Build | Architecture Assessment | Incident Management
Policy and Compliance | Security Requirements | Secure Deployment | Requirements-driven Testing | Environment Management
Education and Guidance | Security Architecture | Defect Management | Security Testing | Operational Management


The mission of the OWASP Software Assurance Maturity Model (SAMM) is to be the prime maturity model for software assurance that provides an effective and measurable way for all types of organizations to analyze and improve their software security posture. OWASP SAMM supports the complete software lifecycle, including development and acquisition, and is technology and process agnostic. It is intentionally built to be evolutionary and risk-driven in nature.

The original model (v1.0) was written by Pravir Chandra and dates back to 2009. Over the last 10 years, it has proven to be a widely distributed and effective model for improving secure software practices in different types of organizations throughout the world. Translations and supporting tools have been contributed by the community to facilitate adoption and alignment. With version 2.0, we further improve the model to deal with some of its current limitations.

After a period of intensive discussions and with input from practitioners and the OWASP community during summits in Europe and the US on the best way forward, we take a new approach for version 2.0 based on the input we gathered.

For an overview of the version 2 changes, read our SAMM version 2 release notes.

We’ve also created a PDF version of the model.