OWASP SAMM Guidance

25 November, 2025 As software systems grow more complex, proving that they are secure has become as important as making them work. Many organizations rely on multiple frameworks to guide development and compliance, yet few provide a clear, testable way to measure application security itself. This is where the OWASP Application Security Verification Standard (ASVS) stands out. ASVS defines what to verify in an application to demonstrate real assurance. It gives development and security teams a framework for building, testing, and maintaining secure software, supported by measurable requirements instead of abstract principles. In this article, we’ll explore what ASVS is, how version 5.0 modernizes the framework, and how it fits alongside frameworks like OWASP SAMM, NIST 800-53, and CIS Controls. You’ll also see how tools such as SAMMY make ASVS implementation practical.   Key Takeaways OWASP ASVS gives a clear, shared set of security requirements so teams know exactly what […]

24 October, 2025 Automated Application Security Testing (AAST) refers to the use of software tools to identify vulnerabilities in applications with minimal human intervention. These tools continuously scan source code, dependencies, and running applications to detect flaws that could be exploited by attackers. By automating repetitive testing tasks, security and development teams can maintain coverage and consistency across every build and release. Automated testing can occur at different stages of the software development lifecycle. Static Application Security Testing (SAST) analyzes source code before it runs. Dynamic Application Security Testing (DAST) evaluates running applications in real time. Interactive Application Security Testing (IAST) combines both approaches. Software Composition Analysis (SCA) scans all software components, including open-source, proprietary, and internal libraries, and in modern platforms extends to container and SBOM analysis for complete visibility. Automation allows organizations to keep pace with agile and DevOps development cycles by embedding security directly into CI/CD pipelines[…]

Updated: 30 September, 2025 24 September, 2025 Developers are under pressure to deliver fast, but often without the tools to build securely. As vulnerabilities slip through, the need for practical, hands-on secure code training becomes clear. That’s where secure code training comes in. Whether you’re building web apps, APIs, or embedded systems, the people writing the code are your first line of defense. Equipping them with practical, role-specific skills is one of the most effective ways to reduce software risk early. We’ll break down what secure code training is, why it’s essential for modern development teams, and how to do it right. We also look at how Secure Code Warrior supports secure code training in practice. While SCW delivers the training experience, our SAMMY platform helps organizations track maturity and progress, shifting from checkbox compliance toward a culture of security, training, and awareness. What is secure code training? Secure code[…]

Updated: 1 December, 2025 20 September, 2025 Application security (AppSec) remains one of the toughest challenges modern organizations are facing. Despite heavy investments and the adoption of frameworks like OWASP SAMM, OWASP DSOMM, and BSIMM, many companies struggle to make meaningful progress. Teams keep on patching and mitigating vulnerabilities, yet the backlog keeps growing. But why is that? We have massive knowledge basis, AI-powered tools, and widespread training programs. What’s going wrong? Are we making some small mistakes here and there or are we focusing on the wrong things entirely? Over the past three years, I’ve worked alongside several OWASP SAMM core team members to conduct structured evaluations across several organizations. We have seen the same critical issues across most of them. Most mistakes boil down to two root causes. First, tools alone do not solve problems, they create some. Their purpose is to support people and processes, not replace[…]

Updated: 24 September, 2025 28 August, 2025 Finding vulnerabilities is not the hard part anymore. Every build and every pipeline produces a flood of scanner results. The real challenge is turning that flood into a focused set of security defects that actually get fixed. That is where security defect tracking comes in. Before tracking can work, teams need strong vulnerability management. This means taking raw findings from many tools and turning them into something usable by aggregating, normalizing, removing duplicates, and triaging by risk and context. This produces a confirmed set of vulnerabilities that require remediation. Those items become security defects and move into issue tracking in tools such as Jira for fixing. DefectDojo excels at this stage. It aggregates findings across your stack, normalizes vulnerabilities, deduplicates them, supports triage and then hands off to your issue tracker. In this post we start with what defect tracking is, explain why[…]

Updated: 1 December, 2025 30 July, 2025 Your DevSecOps pipeline is fast, automated, and built to scale. But is security truly integrated, or just assumed? The OWASP DevSecOps Maturity Model (DSOMM) helps teams answer that question with clarity and structure. DSOMM provides a way to assess how well your security practices align with the way your teams actually build and operate software. It helps identify blind spots, track progress, and support consistent improvement. In this post, we will explore how the model works, how it compares to other maturity frameworks, and how you can begin applying it to improve security across your DevSecOps workflows. For those looking to operationalize DSOMM assessments, we also introduce SAMMY, a platform built for maturity tracking and team collaboration. Listen to the summary of this article on The AppSec Management Podcast:    Key Takeaways DSOMM is a maturity model focused on integrating security directly[…]

Updated: 1 December, 2025 29 July, 2025 About 4 years ago I have joined the OWASP Software Assurance Maturity Model (SAMM) project as a core team member. Ever since I have been regularly coming across the OWASP DevSecOps Maturity Model (DSOMM). It seems that many people have the impression that SAMM is at odds vs DSOMM. But is that so? What are the key differences between the two frameworks? Who are the key stakeholders in the context of these frameworks? Which framework shall you pick as an organization? In this blog, I will dive deep into the key differences of the two frameworks. I have been coming across so much AI-generated noise lately that I am officially allergic to it. It is also very clear that AI can never figure out these insights on its own without some serious prompting. So I have decided to keep AI out of this.[…]

Updated: 7 October, 2025 17 July, 2025 In this technical article, we will explore how to improve your DevSecOps processes by integrating Checkmarx ZAP in your GitLab’s CI/CD pipeline. Note that doing this for Github is largely similar with Github actions. Application security is becoming a priority on a worldwide scale. Both the US (NIST SSDF and Memorandum M-22-18) and the EU (CRA) have recently introduced legislations to aim at high common level of application security and cybersecurity. Meanwhile, the application security state-of-the-practice in large and small firms is far from ideal (to put it mildly). The attack sophistication and absolute numbers are increasing. Paradoxically, we have known the systematic solution to the security challenge. We (the actual security experts) name it a secure software development lifecycle or an AppSec program. There are several AppSec programs out there (NIST SSDF, Microsoft SDLC, BSIMM, etc) with OWASP SAMM being by far the simplest one[…]

Updated: 24 September, 2025 11 June, 2025 Most security issues in software stem from one simple problem: teams try to fix them too late. The Secure Software Development Lifecycle (SSDLC) changes that by bringing security into each phase of development, not just the end. In this article, we explain what the SSDLC is, why it matters, and how to make it work in practice using clear steps and proven frameworks. Key takeaways The Secure Software Development Lifecycle (SSDLC) is a practical approach to embedding security into every phase of software development. Implementing the SSDLC helps teams reduce risk, improve software quality, and address vulnerabilities earlier and more effectively. The SSDLC includes seven key phases, from planning and analysis to maintenance, each requiring tailored security practices. OWASP SAMM offers a structured way to implement the SSDLC and is widely adopted by the security community. Supporting functions like governance and operations, while[…]

Updated: 30 September, 2025 3 June, 2025 Dependency management has become one of the most critical aspects of modern software development. Third-party dependencies now make up the majority of most codebases. What once felt like the holy grail of software reuse in the early 2000s is now the default. That shift has fuelled faster development, but it also introduced a massive security problem. According to Verizon’s Data Breach Investigation Report from 2024 the number of breaches caused by third parties has increased 68% from 2023. That is surprising as we have tools to systematically scan applications for dependencies and flag known vulnerabilities. Software Composition Analysis (SCA) tools have become a commodity.  Frankly, my team could build a basic SCA tool in a week. The real challenge lies elsewhere. You need the right people, mature processes and clear ownership. And you need tools that fit your workflow, not tools that force[…]

Updated: 25 September, 2025 24 April, 2025   Official framework, regulation and standard pages mentioned in this article CRA GDPR OWASP SAMM Regulation (EU) 2024/2847 Subscribe to the AppSec Newsletter Email Address *First Name *

Updated: 2 September, 2025 10 April, 2025 Threat modeling shaped my AppSec career. It helped me wrestle with one of security’s most deceptively simple questions: “Is your system secure?”. “No” is clearly not a good answer. But “yes” is even worse. It signals that someone has no idea how security really works. Learning how to do threat modeling gave me a better way to answer that question: “Here are the threats and the risks we identified. And here’s how we are mitigating them.” Over the past few years, threat modeling has gone through a strange evolution. Once ignored, it is now getting attention. Yet many organizations still struggle to do it right. Some even claim that threat modeling is dead and suggest we should start calling it “attack modeling” instead. Others have embraced it, but often in ways that miss the point entirely. What I have seen time and time again[…]