OWASP SAMM


What Is OWASP SAMM?

OWASP SAMM (Software Assurance Maturity Model) is a framework for assessing and improving an organization’s software security practices. It provides a structured model for evaluating current maturity across security activities, identifying gaps, and building a roadmap toward a stronger application security program.

The software assurance maturity model is designed to be prescriptive enough to guide action but flexible enough to apply across organizations of different sizes, industries, and technical maturity levels. Unlike testing standards that define what to verify in a specific application, SAMM evaluates how well the organization’s overall program supports secure software delivery. 

Teams using SAMM alongside application security assessment practices gain both a program-level view (SAMM) and an application-level view (testing results) of their security posture.

The Five Business Functions in OWASP SAMM

The OWASP SAMM framework organizes security activities into five business functions, each representing a core area of a software security program. These include:

  • Governance: Covers strategy, policy, compliance, and education. This function ensures the organization has defined security objectives, allocated resources, and established training programs.
  • Design: Covers threat assessment and security requirements. This function ensures that security is considered during the architecture and design phase, before code is written.
  • Implementation: Covers secure build practices, secure coding, and defect management. This function ensures that development teams write secure code and manage findings effectively.
  • Verification: Covers architecture review, security testing, and requirements-driven testing. This function ensures that applications are validated against security requirements.
  • Operations: Covers incident management, environment management, and operational security. This function ensures that deployed applications are monitored, maintained, and protected in production.

Each business function contains three security practices, and each practice has defined activities at three maturity levels. The model contains 15 practices total, providing granular coverage of security across the entire SDLC.

How SAMM Maturity Levels Work

Each SAMM practice is assessed at one of three maturity levels, representing increasing sophistication and consistency. These levels include:

  • Level 1 (Initial): The organization performs basic security activities on an ad hoc basis. Practices exist but are inconsistent, reactive, and depend on individual effort rather than organizational process.
  • Level 2 (Managed): Security activities are defined, documented, and consistently applied. The organization has established processes, assigned ownership, and begun measuring results.
  • Level 3 (Optimized): Security activities are fully integrated, automated where possible, continuously measured, and improved based on data. The organization treats security as a core competency with dedicated resources and executive support.

A SAMM assessment scores each practice at one of these three levels. The resulting scorecard provides a heatmap of organizational maturity, making strengths and weaknesses immediately visible.

Maturity levels are not prescriptive targets. An organization does not need Level 3 in every practice. The appropriate target depends on the organization’s risk profile, regulatory requirements, and business context. Most mid-sized organizations aim for Level 2 across all practices, with Level 3 in practices most relevant to their risk profile.

Using OWASP SAMM to Build an AppSec Roadmap

The primary operational value of SAMM is its ability to translate assessment results into a prioritized improvement roadmap.

The process follows a defined cycle. 

First, conduct the assessment by scoring each of the 15 practices against the maturity level criteria. OWASP provides a toolbox (online assessment tool and spreadsheets) that guides evaluators through the scoring process.

Second, identify the gaps between current maturity and target maturity. The assessment produces a clear picture of which practices lag behind the organization’s goals.

Third, prioritize improvements based on risk impact, implementation effort, and organizational readiness. Not all gaps are equally urgent. A team with no secure software development training (Governance Level 1) and no security testing (Verification Level 1) should address both, but the sequencing depends on which gap creates more immediate risk.

Fourth, implement improvements in time-boxed iterations (typically quarterly). SAMM is designed for incremental progress, not a single transformation initiative.

Fifth, reassess periodically to measure progress and adjust priorities. SAMM is a continuous loop, not a one-time audit.

OWASP SAMM vs. BSIMM: Key Differences

SAMM and BSIMM (Building Security In Maturity Model) are the two most widely referenced software security maturity models. They serve similar purposes but take different approaches.

SAMM is prescriptive. It defines what organizations should do at each maturity level and provides a roadmap for improvement. It is open-source, freely available, and maintained by the OWASP community. SAMM is best suited for organizations building or improving their AppSec program who want a structured framework to follow.

BSIMM is descriptive. It measures what organizations actually do by collecting data from participating firms and publishing observed practices. BSIMM does not prescribe what teams should do; it reports what mature programs do in practice. It is commercially maintained and updated annually based on assessments of participating organizations.

The practical difference is that SAMM answers “what should we do?” and BSIMM answers “what are our peers doing?” Organizations early in their AppSec journey typically benefit more from SAMM’s prescriptive guidance. Organizations with established programs use BSIMM to benchmark against industry peers.

Both models can be used together. SAMM provides the improvement framework. BSIMM provides the peer comparison data. Neither replaces the other.

FAQs

Is OWASP SAMM a certification or just a framework?

It is a framework. There is no formal OWASP SAMM certification. Organizations use it for self-assessment, internal benchmarking, and roadmap planning, not for external certification.

How long does a full SAMM assessment typically take?

A full assessment across all 15 practices typically takes one to two weeks, depending on the number of stakeholders interviewed and the availability of documentation.

Which SAMM maturity level should most mid-sized organizations aim for?

Level 2 across all practices is a reasonable target. Level 3 should be reserved for practices most critical to the organization’s risk profile and regulatory requirements.

Can OWASP SAMM be used alongside other frameworks like NIST SSDF?

Yes. SAMM and NIST SSDF complement each other. SAMM provides a maturity assessment model. SSDF provides specific secure development practices. Many organizations map SSDF practices to SAMM activities.

How often should an organization reassess its SAMM score?

Annually is the most common cadence. Organizations undergoing rapid program changes may benefit from semi-annual assessments to track progress against their improvement roadmap.
