OWASP SAMM
What is OWASP SAMM?
OWASP SAMM: The OWASP Software Assurance Maturity Model, a framework for measuring and improving an organization's secure-software-development practices over time.
The OWASP Software Assurance Maturity Model (SAMM) is a prescriptive, measurable framework that helps organizations formulate and implement a software security program tailored to their risk profile. SAMM v2 is structured around five business functions (Governance, Design, Implementation, Verification, and Operations), each broken into security practices with three maturity levels and concrete activities. Teams use the SAMM toolbox to assess current maturity, define target levels, and build roadmaps that align AppSec investments with business risk. SAMM is technology-agnostic, used as a complement to ISO 27001, NIST SSDF, and BSIMM, and is widely adopted by enterprises and regulators seeking objective AppSec maturity evidence.
● Examples
- A CISO running an annual SAMM assessment to justify investments in threat modeling and SAST capabilities.
- Mapping SAMM practices to NIST SSDF tasks to demonstrate compliance with a US federal customer requirement.
● Frequently asked questions
What is OWASP SAMM?
The OWASP Software Assurance Maturity Model, a framework for measuring and improving an organization's secure-software-development practices over time. It belongs to the Compliance & Frameworks category of cybersecurity.
What are other names for OWASP SAMM?
Common alternative names include: Software Assurance Maturity Model, SAMM.
● Related terms
- OWASP ASVS (compliance): The OWASP Application Security Verification Standard, a catalogue of testable security requirements for designing, building, and verifying web applications and APIs.
- OWASP Top 10 (compliance): An OWASP awareness document that lists the most critical security risks to web applications, updated periodically from real-world vulnerability data.
- Secure Coding (appsec): The practice of writing source code in ways that minimize security defects, following defensive patterns, language-specific rules, and recognized guidelines.
- Threat Modeling (appsec): A structured analysis that identifies the assets, threats, vulnerabilities, and mitigations of a system so security can be designed in rather than bolted on.
- Compliance (compliance): The discipline of meeting legal, regulatory, contractual, and internal security requirements through documented controls, evidence collection, and ongoing assessment.