SAMMY is our application security management tool. It started as an internal tool to keep track of our security posture and activities using OWASP SAMM. We soon noticed that many other organizations were looking for a tool to manage their security posture with OWASP SAMM, so we made the tool freely available on our website.

The tool’s efficient workflow quickly attracted interest, and users requested support for additional frameworks.

SAMMY now includes: OWASP SAMM, NIST SP 800-34, NIST 800-53, NIST SSDF, NIST CSF 2.0, CCB Cyberfundamentals Framework, ISO27001:2022, IEC 62443-4-1, DevSecOps Maturity Model (DSOMM) and BSIMM 14.

Additionally, there is a customizable layer of controls and mappings between frameworks, so that assessment work is not duplicated across the different frameworks.

How does SAMMY implement OWASP SAMM?

Assessment

SAMMY is used as a tool to assess the 90 activities covered in the OWASP SAMM framework. Maturity is expressed with an overall score, a score for each of the 5 business functions and a score for each of the 15 security practices. Scores range from 0 to 3.

Validation

The second step in the process is the validation of the scores by a second person: an internal reviewer in the case of internal controls, or an external one in the case of an external auditor. The validator reviews the evidence provided by the assessor and compares it with the established threshold for each maturity level. If the assessment is rejected, the validator explains why and how the assessment should be completed. If the assessment is approved, the maturity score on the practice is validated. It then contributes to the overall scores, and the practice is considered in the prioritization of future improvements. More about prioritization further down.

Role assignment

Roles can be assigned per activity to different people. For assessment this is typically the person responsible for the activity, or the person best placed to evaluate it. The validator can be one overall expert, internal or external, or different experts per business function or security practice. Improvement cycles are assigned per security practice.

Quantitative Prioritization

There are in total 90 activities covered in OWASP SAMM 2.0; together they cover everything you need to keep an eye on. But aspiring to the maximum level of maturity in all activities is neither realistic nor wise, because it would be prohibitively expensive. To address this, SAMMY provides multiple prioritization parameters, including industry-specific relevance, assessor and validator priority weighting, and the relative gaps between security activities. From these metrics an ordered list of TODOs for improvement is created.

Improvement cycles and roadmaps

Improvement cycles can be assigned in a push (top-down) or pull (bottom-up) way. Either way, a security activity is picked from the list of priorities, and a new target maturity level and a deadline are defined. With this done for multiple security activities at any given time, the security posture and the security posture roadmap can easily be defined.
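The assessment, validation and prioritization steps above can be modelled in a few lines. The following is an added example, not SAMMY's own code: it aggregates SAMM answers into stream, practice, business function and overall scores on the 0 to 3 scale, lets only validated practices contribute, and ranks validated practices by a weighted gap to their target level. The answer credits (0, 0.25, 0.5, 1 per activity), the three practices used as sample data and the ranking formula (relevance x priority x gap) are assumptions made for the illustration.

```python
from dataclasses import dataclass
from statistics import mean

# Assumed answer credit per activity; a stream's three levels sum to a 0..3 score
ANSWER_VALUE = {"no": 0.0, "some": 0.25, "half": 0.5, "yes": 1.0}


@dataclass
class Practice:
    function: str     # one of the 5 business functions, e.g. "Governance"
    name: str         # one of the 15 security practices
    answers: dict     # {"A": {1: ans, 2: ans, 3: ans}, "B": {...}} = 6 activities
    validated: bool   # only validated practices contribute to aggregate scores
    relevance: float  # industry-specific relevance weight (assumed 0..1 scale)
    priority: float   # assessor/validator priority weighting (assumed scale)
    target: float     # target maturity level set in the improvement cycle

    def score(self) -> float:
        # stream score = sum of its level answers; practice = mean of its streams
        return mean(sum(ANSWER_VALUE[a] for a in levels.values())
                    for levels in self.answers.values())


def function_scores(practices):
    """Mean of the validated practice scores per business function."""
    by_function = {}
    for p in practices:
        if p.validated:
            by_function.setdefault(p.function, []).append(p.score())
    return {fn: mean(scores) for fn, scores in by_function.items()}


def overall_score(practices):
    scores = function_scores(practices)
    return mean(scores.values()) if scores else 0.0


def prioritize(practices):
    """Ordered TODO list: weighted gap to target, largest first (assumed formula)."""
    ranked = [(p.name, p.relevance * p.priority * (p.target - p.score()))
              for p in practices if p.validated]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed sample: three of the 15 practices, one of them not yet validated
SAMPLE = [
    Practice("Governance", "Strategy & Metrics",
             {"A": {1: "yes", 2: "half", 3: "no"}, "B": {1: "yes", 2: "some", 3: "no"}},
             validated=True, relevance=1.0, priority=1.0, target=2.0),
    Practice("Governance", "Policy & Compliance",
             {"A": {1: "some", 2: "no", 3: "no"}, "B": {1: "no", 2: "no", 3: "no"}},
             validated=False, relevance=1.0, priority=1.0, target=2.0),
    Practice("Implementation", "Secure Build",
             {"A": {1: "yes", 2: "yes", 3: "half"}, "B": {1: "yes", 2: "half", 3: "no"}},
             validated=True, relevance=0.5, priority=2.0, target=3.0),
]
```

Running `function_scores(SAMPLE)` gives Governance 1.375 and Implementation 2.0 (the unvalidated practice is excluded rather than counted as zero), and `prioritize(SAMPLE)` puts Secure Build ahead of Strategy & Metrics because its higher priority weighting outweighs its lower relevance.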

How does SAMMY implement all these other frameworks?

SAMMY now includes: OWASP SAMM, NIST SP 800-34, NIST 800-53, NIST SSDF, NIST CSF 2.0, CCB Cyberfundamentals Framework, ISO27001:2022, IEC 62443-4-1, DevSecOps Maturity Model (DSOMM) and BSIMM 14.

The workflow for the other frameworks is similar to the one above for OWASP SAMM. Generally the validation step is optional, and evidence can be attached to each answer in the assessment. This is particularly useful for compliance frameworks such as ISO27001.

How does SAMMY map between frameworks?

There are two types of mappings: direct mappings and transient mappings. The direct mappings are of the highest quality; we have, for example, a direct mapping between OWASP SAMM and NIST SSDF that has been validated by NIST. We also have direct mappings to NIST CSF 2.0 and IEC 62443-4-1.

Transient mappings rely on OpenCRE, another OWASP project that maps different frameworks together. SAMMY looks for the best mapping available for each pair of frameworks and uses it to map the assessment responses. In the coming months and years we will develop more high-quality direct mappings.

OWASP SAMM mappings

Who uses SAMMY to manage their security posture?

More than 1500 organizations use the free online version of SAMMY.

SAMMY can be used by organizations large and small: anyone who builds software, whether to sell it or to run their own business (and by now, who doesn't?). Codific is a small startup of around 20 employees, and the tool was first developed internally for our own use. With the rise of OWASP SAMM, more and more organizations are adopting the tool. Among them is, for example, Zebra Technologies, which has around 10,000 employees spread across 128 countries. Zebra Technologies' security posture is managed with SAMMY.

If you want to learn more about OWASP SAMM, you can take the free SAMM training.

Can I get started with SAMM & SAMMY right now?

Yes.

You can get the open source version 2 on GitHub:

or you can use version 3 online for free:

Do you need more?

Would you like to run V3 on-prem? Integrate it with your other tools? Have customized workflows and reports? Or just want to have an SLA with us?

Free: for small organizations. $0 per user/month (limits apply).
Free features:
3 users maximum
3 scopes
1 target scope
Standard reporting (limited use)
Multiple assessment frameworks
Mappings with OpenCRE
Full data privacy

Premium: for growing organizations. $25 per user/month (limits apply).
Everything from Free plus:
10 users maximum
10 scopes
10 target scopes
Unlimited standard reports
All assessment frameworks
Control frameworks
Control management
Premium direct mappings
Mapping reports
JIRA integration

Pro: for medium-sized organizations. Starts from $65 per user/month, invoiced annually.
Everything from Premium plus:
No user limitation
Unlimited scopes
Unlimited target scopes
Unlimited customized reports
Custom SSO
SLA
Priority support

Enterprise: for enterprise organizations. Starts from $150 per user/month, invoiced annually.
Everything from Pro plus:
Custom models
Custom integrations
Custom features
Dedicated / on-prem deployment

* Pricing depends on the number of users, the number of scopes and the assessment models.