Codific grew out of a research team at imec-DistriNet, KU Leuven, one of the most renowned research labs in the academic security world, known especially for its work on threat modeling. At Codific we look for the places where a rigorous analytical approach to abstract security principles meets practical implementation models in industry. This led us to OWASP SAMM, the model we consider best suited to measure, monitor and manage the security processes of a software organization. So we decided to get involved.

Core contributors to OWASP SAMM

Several of our team members are core contributors to the OWASP SAMM Flagship project, which means they co-author the model and all of the documentation around it. This grew out of a genuine belief in the model and a desire to contribute. The core contributors have also gotten to know each other well, and many of them now collaborate with Codific in various capacities.

At least once a year the core team members get together somewhere in the world and lock themselves in a house for a few days to solve the hard problems in the project.


OWASP SAMM reporting in SAMMY
The default report in SAMMY

SAMMY started as an internal tool for continuously applying OWASP SAMM to monitor the security posture of all our teams. The tool divides the process into different roles and integrates with task managers such as Jira. Its three steps, assessment, validation and improvement, turn SAMM into a cycle of continuous improvement, and the dashboards give good visibility for internal reporting. Soon other people wanted to use the tool as well, and we now offer a free version that is widely used across the industry. You can find it here.


For our HR-tech tool SARA we built a versatile PDF engine that quickly turns complex information into readable PDFs. Because there was a need for always up-to-date PDFs of the SAMM model, we built an adapted version of this engine for OWASP. It pulls the latest content from the online repositories and produces the PDF guide for the current version of the model.

You can download the OWASP SAMM model 2.0 PDF here. 

Model mappings

A lot of work has gone into mapping OWASP SAMM to NIST and ISO standards. The idea is that once a SAMM assessment has been done, most of the legwork towards those other standards is already done and easily transferable. Another OWASP project, OpenCRE, maps different frameworks onto each other, and our team contributes to the integration and collaboration with OpenCRE.

OWASP SAMM Fundamentals course

OWASP SAMM Fundamentals screenshot
Aram delivering the OWASP SAMM fundamentals course

The Codific team, and Aram in particular, spent many hours creating the OWASP SAMM Fundamentals course. The training consists of 79 lessons with a total of 5 hours of video content, plus two practical case studies for practicing SAMM assessments. Aram is the instructor of the course.

Find out everything about the free OWASP SAMM training here.

The Benchmark project

OWASP SAMM Benchmark Screenshot

Our team members also play a fundamental role in the SAMM Benchmarking initiative. We set up the infrastructure to collect and aggregate assessment data anonymously and are now fully in collection mode; please feel free to contribute your data to the benchmark. Once the benchmark data is robust enough, it will be published and integrated into the SAMMY tool.

Core Team Guidance

Around the SAMM model there is Core Team Guidance and Community Guidance. This guidance helps users interpret and implement each stream. The Codific team has written large parts of the Core Team Guidance. The Community Guidance is open to everyone, so feel free to contribute.

You can find the guidance at the bottom of each stream.

Where to find the guidance.


We also put our money where our mouth is. Codific is a "Lead Sponsor" (the highest sponsorship level) of the project, providing financial support for the maintenance and further development of OWASP SAMM.

Codific joins the OWASP SAMM project as a lead sponsor