Guidance per Stream in the model
What’s SAMM guidance?
SAMM is a prescriptive security maturity model that is technology, process, and organization agnostic. The model fits any software development process, industry or environment. However, thanks to that, the prescriptive advice is high level by design. That’s where we bring the guidance documents into play. Their purpose is to provide concrete examples and recommendations to help organizations kickstart their security assurance programme based on SAMM.
The guidance documents contain references to other OWASP projects, external tools, description of best practices, and mappings to other standards. Each guidance snippet is related to a specific Stream and Maturity level, and has a clear rationale.
Team guidance and Community guidance
There are two types of guidance documents. Links to both are available in the Model section of the website, at the end of each Stream page.
It’s created by the SAMM core team based on their experience and expertise.
These are your contributions and can include any resources to help organizations achieve a certain maturity level in a given SAMM Stream. Third party tools are welcome, but do note that we will favor resources that list all alternative tool offerings rather than individual tools. The OWASP SAMM core team will curate community guidance, reviewing it before making it public.
How to contribute
To contribute to the Community guidance, complete the SAMM Guidance Google Form and submit it.
Next is a list of the fields in the document and a brief explanation for each.
Please, provide a valid email address. We’ll send you a link so you can edit your response. We won’t your email address for anything other than that.
Select a stream for which you would like to provide a guidance contribution. If your response is relevant to multiple streams simply mention it in your description. You don’t need to submit it multiple times.
Choose between the following:
- OWASP Projects and References
An OWASP project or reference that could be useful to achieve a certain maturity level in a given stream. Make sure to check the Team Guidance as we have already included most relevant OWASP projects there.
- Mappings to Standards and Other Models
Mapping to other standards (e.g., ISO27001) or models (BSIMM, NIST SSDF, etc) that could be useful for various purposes
- Best Practices
Description of best practices to achieve a certain maturity level in a given stream
- External Tools and Resources
An external tool or resource that can help one achieve a certain maturity level in a given stream
- Prerequisites or Dependencies A prerequisite or dependency that is necessary for achieving a certain maturity level in a given stream
Provide an indication for which maturity level your guidance is mostly applicable. You may select multiple levels. Examples: Level 1, Level 1 Level 2
The title for your guidance submission.
Examples: OWASP ZAP, BSIMM13 - [T1.1: 71] Conduct software security awareness training, NIST Guide for Conducting Risk Assessments).
You may provide an optional URL for your submission. The generator for the guidance documents will integrate this link in the title as a hyperlink.
Examples:, https://www.zaproxy.org, https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final)
Provide a brief and to-the-point description for your guidance submission.
Example: The MAS project provides a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test.
Describe how this item contributes to the given practice in a specific maturity level in SAMM.
Example: Tool XYZ tackles a number of the secret management quality criteria for Levels 2 and 3, i.e., regular secrets update, logging and alerting access to secrets, keeping secrets separate from the source code files.
You may provide additional tags to improve the searchability of your submission.
Examples: #BSIMM, #Mapping, #Tool, #DevSecOps