Stream Guidance

Guidance per Stream in the model

What’s SAMM guidance?

SAMM is a prescriptive security maturity model that is technology, process, and organization agnostic. The model fits any software development process, industry or environment. However, thanks to that, the prescriptive advice is high level by design. That’s where we bring the guidance documents into play. Their purpose is to provide concrete examples and recommendations to help organizations kickstart their security assurance programme based on SAMM.

The guidance documents contain references to other OWASP projects, external tools, description of best practices, and mappings to other standards. Each guidance snippet is related to a specific Stream and Maturity level, and has a clear rationale.

Team guidance and Community guidance

There are two types of guidance documents. Links to both are available in the Model section of the website, at the end of each Stream page.

Team guidance

It’s created by the SAMM core team based on their experience and expertise.

Community guidance

These are your contributions and can include any resources to help organizations achieve a certain maturity level in a given SAMM Stream. Third party tools are welcome, but do note that we will favor resources that list all alternative tool offerings rather than individual tools. The OWASP SAMM core team will curate community guidance, reviewing it before making it public.

How to contribute

To contribute to the Community guidance, complete the SAMM Guidance Google Form and submit it.

Next is a list of the fields in the document and a brief explanation for each.

Email address

Please, provide a valid email address. We’ll send you a link so you can edit your response. We won’t your email address for anything other than that.

Stream

Select a stream for which you would like to provide a guidance contribution. If your response is relevant to multiple streams simply mention it in your description. You don’t need to submit it multiple times.

Maturity Level

Provide an indication for which maturity level your guidance is mostly applicable. You may select multiple levels. Examples: Level 1, Level 1 Level 2

Title

The title for your guidance submission.
Examples: OWASP ZAP, BSIMM13 - [T1.1: 71] Conduct software security awareness training, NIST Guide for Conducting Risk Assessments).

URL

You may provide an optional URL for your submission. The generator for the guidance documents will integrate this link in the title as a hyperlink.
Examples:, https://www.zaproxy.org, https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final)

Description

Provide a brief and to-the-point description for your guidance submission.
Example: The MAS project provides a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test.

Rationale

Describe how this item contributes to the given practice in a specific maturity level in SAMM.
Example: Tool XYZ tackles a number of the secret management quality criteria for Levels 2 and 3, i.e., regular secrets update, logging and alerting access to secrets, keeping secrets separate from the source code files.