Using OWASP SAMM and OWASP DSOMM together in practice

Aram Hovsepyan, Timo Pagel
Abstract
Security is widely recognized as one of the top global risks, yet many organizations struggle to manage that risk effectively. One of the key reasons is that application security efforts often consist of fragmented tools and isolated practices rather than a coherent program focused on people, processes, and tools.
Within the OWASP community, two mature models exist to support application security programs: OWASP Software Assurance Maturity Model (SAMM) and OWASP DevSecOps Maturity Model (DSOMM). However, practitioners frequently struggle to understand how these models differ, where they overlap, and how they should be applied in practice. As a result, SAMM and DSOMM are often perceived as competing frameworks. Moreover, their breadth and depth can be overwhelming for teams encountering them for the first time, reinforcing the myth that they must choose one or the other.
This talk provides a structured, high-level introduction to both OWASP SAMM and OWASP DSOMM, focusing on their shared principles as well as their key differences. By introducing a simple taxonomy of security scopes, the session explains why multiple security frameworks are necessary and clarifies where SAMM and DSOMM each fit. SAMM is positioned as a model focused on organizational security capabilities and application security program maturity, supporting management and strategic decision-making, while DSOMM focuses on DevSecOps implementation and operational practices, providing concrete guidance for technical teams and engineering workflows.