SAMMY empowers organizations to efficiently manage their application security programs with comprehensive support for: SAMM, BSIMM 14, NIST SSDF, NIST 800-34, NIST CSF 2.0, CyFun, DSOMM, ISO27001, IEC 62443-4-1, CIS Critical Security Controls, NIST 800-53, ISO 27002, and Cloud Controls Matrix.
To further simplify assessments, SAMMY offers a customizable layer of controls and mappings between these frameworks, reducing redundancy and ensuring a seamless security management process.
What can you do with SAMMY?
Evaluate
SAMMY allows organizations to carry out a variety of application security assessments.

Self-assessments
Evaluate your security posture internally using different frameworks.

Top-down assessments
Let management assess the security posture of the teams.

Bottom-up assessments
Let the teams assess their security posture and report to management.

External assessments
Gain insights from third-party security experts and auditors.

M&A Assessments
Evaluate security risks during mergers and acquisitions.
Manage

Improvement Roadmaps
Create, assign and set deadlines for your application security improvement plans.

Compliance Efforts
Evaluate, analyse gaps and set plans to ensure compliance with frameworks like ISO 27001.
Maturity
Manage maturity across your whole organization using frameworks like OWASP SAMM or BSIMM.

Targets and Objectives
Set clear targets and provide detailed guidance on how to reach them for all your teams.
Communicate
Live Dashboard
Get a complete dashboard of different reports that are updated live as you carry out assessments, validate them and set improvement plans and targets.

Internal Reporting
Report internally on absolute maturity scores, track progress towards set targets and compare across different teams. Gap analysis reports can also be exported to Excel.

External Reporting
Automatically generate beautifully formatted PDF reports that provide a complete picture of your assessments.
What frameworks can you use SAMMY for?

Maturity Frameworks
- OWASP SAMM
- OWASP DSOMM
- BSIMM 14
- NIST SSDF

Program Frameworks
- NIST SSDF
- NIST CSF 2.0
- NIST SP 800-34
- ISO 27001
- IEC 62443-4-1
- CyberFundamentals Framework (CyFun)

Control Frameworks
- NIST SP 800-53
- CIS Critical Security Controls
- ISO 27002
- Cloud Controls Matrix
Is the framework you need not listed? We can easily add it; just contact us.
Start using SAMMY to manage your application security with your framework of choice
The SAMMY Community
SAMMY not only provides a cutting-edge tool for application security management, but it also contributes to the community in other ways.
Involvement in OWASP SAMMY v2: Open SAMMY

The predecessor to the current version of SAMMY was donated to the OWASP Community and is now a community-driven OWASP Project called Open SAMMY.
Open SAMMY is an open-source version of SAMMY that allows organizations to manage their AppSec using OWASP SAMM and very soon, OWASP DSOMM as well.
Open SAMMY is one of Codific’s many contributions to the OWASP Community. Learn more about Codific @ OWASP.
Our Partner Programs
SAMMY’s Partner Programs bring together organizations from the application security community to drive the shared goal of improving application security.

Implementation Partners Program
SAMMY is built entirely in-house by AppSec specialists, but security consultancy requires more capacity than we can handle alone. To bridge this gap, we’ve partnered with top industry consultants—many of whom have contributed to OWASP standards and guidelines—to provide deep expertise and drive SAMMY adoption. These are called our Implementation Partners.
Want to become an Implementation Partner? Contact us

Recommended Vendors Program
OWASP SAMM is the main framework used in SAMMY, but finding the right vendors to support security maturity can be challenging. To address this, we created the Recommended Vendor program, carefully selecting vendors whose solutions align with SAMM’s 30 streams. These vendors are vetted based on alignment, ease of use, proven results, and reputation, ensuring SAMMY users get the best support.
Want to become a Recommended Vendor? Apply here
Free Training and Guidance
As AppSec specialists, we give back to the community by offering free, accessible guidance and training. To maximize value, we focus on the AppSec program we know best: OWASP SAMM.
OWASP SAMM Training
Learn OWASP SAMM through specialized training, empowering teams to build and maintain secure software.
OWASP SAMM Guidance
Get expert OWASP SAMM guidance to enhance your security framework and align with industry best practices.
Do you need more?
Would you like to run SAMMY on-prem? Integrate it with your other tools? Have customized workflows and reports? Or just want to have an SLA with us?
Free
For small organizations
per user / month (limits apply)
Free features:
- 3 Scopes
- 1 Target Scope(s)
- Multiple Assessment Frameworks
- Mappings with OpenCRE
- Full Data Privacy

Premium
For growing organizations
per user / month (limits apply)
Everything from Free plus:
- 10 Scopes
- 10 Target Scopes
- All Assessment Frameworks
- Control Frameworks
- Control Management
- Premium Direct Mappings
- Mapping Reports
- JIRA Integration

Pro
For medium-sized organizations
(invoiced annually)
Everything from Premium plus:
- Unlimited Scopes
- Unlimited Target Scopes
- Branded Reports
- Standard Single Sign-On
- SLA
- Priority Support

Enterprise
For enterprise organizations
for a custom quote
Everything from Pro plus:
- Custom Integrations
- Custom Features
- Custom Reports
- Custom Single Sign-On
- Dedicated / On-Prem Deployment