The OWASP SAMM (Software Assurance Maturity Model) is an open framework that helps organizations implement software security strategies tailored to their risks. It provides resources to evaluate existing practices, build balanced security programs through iterations, and measure improvements. The SAMM model defines security practices for different business functions and maturity levels to allow for continuous, risk-based improvements tailored to each organization.

1. OWASP SAMM v1.5

2. What is SAMM?
• The Software Assurance Maturity Model (SAMM) is an open framework
to help organizations formulate and implement a strategy for software
security that is tailored to the specific risks facing the organization.
• The resources provided by SAMM will aid in:
– Evaluating an organization’s existing software security practices.
– Building a balanced software security assurance program in well-defined
iterations.
– Demonstrating concrete improvements to a security assurance program.
– Defining and measuring security-related activities throughout an
organization.

3. Using a Maturity Model
• Changes must be iterative while
working toward long-term goals
An organization’s
behavior changes
slowly over time
• A solution must enable risk-based
choices tailored to the organization
There is no single
recipe that works for
all organizations
• A solution must provide enough
details for non-security-people
Guidance related to
security activities must
be prescriptive
• OWASP Software Assurance
Maturity Model (SAMM)
Overall, must be
simple, well-defined,
and measurable

4. Why SAMM?
”The most that can be expected from any model
is that it can supply a useful approximation to
reality: All models are wrong; some models are
useful.” – George E. P. Box

5. Project History
OpenSAMM
1.0
OWASP
SAMM 1.1
OWASP
SAMM 1.5
OWASP
SAMM 2.0
OpenSAMMMarch 2009
March 2016 February 2017 2018-2019

6. SAMM Framework
• For each of the four Business Functions, three Security Practices are defined
• The security practices cover areas relevant to software security assurance

7. Example: Education & Guidance
7

8. Level definitions...
• Objective
• Activities
• Assessment
• Results
• Success Metrics
• Costs
• Personnel
• Related Levels

9. Maturity Levels & Assessment Scores
Comprehensive mastery
at scale
Increased
efficiency/effectiveness
Ad-hoc provision
Practice unfulfilled • Transparent view over different levels
• Fine-grained improvements are visible
No
Few/Some
At Least Half
Many/Most

10. • Continuous Improvement
• Iterative
• Small Steps
ASSESS
questionnaire
GOAL
gap analysis
PLAN
roadmap
IMPLEMENT
OWASP
resources
SAMM Quick Start

11. Assess via Worksheet

12. Assess via Toolbox

13. Goal
• Gap analysis
• Demonstrating improvement
• Ongoing measurement

14. Plan
• Roadmaps: use the “building blocks”
• Templates for typical kinds of organizations
• Tune these to your own targets / speed

15. Implement: 150+ OWASP resources
Development Guide
Cheat Sheets
Quick Reference Guide
WebGoat, iGoat, GoatDroid,
AppSec Tutorials, Top Ten Education Testing Guide
Hackademic Challenges
Red Book

16. SAMM Toolbox – Interview

17. SAMM Toolbox – Scorecard

18. SAMM Toolbox – Roadmap

19. SAMM Toolbox – Roadmap Chart

21. SAMM Project Roadmap
v2.0 (In Progress):
• Model revision
• More Metrics!
• Application to agile
• Roadmap effort planning
• Benchmarking
Build the community:
• Grow list of SAMM adopters
• Workshops at conferences
• Dedicated SAMM Summit
• Contribute Anon Results
21

22. Get involved
• Project mailing list / work packages
• Use and donate (feed)back!
• Donate resources
• Sponsor SAMM

23. Follow OWASP SAMM
twitter.com/OwaspSAMM

24. Thank you!
Questions?
brian.glas@nvisium.com