Your Guide to OWASP SAMM: Insights and Best Practices

The OWASP Software Assurance Maturity Model (SAMM) is a powerful tool for improving software security practices. It provides clear steps and a structured approach, enabling teams to assess their current security posture and build better strategies. Our OWASP SAMM Guidance page is here to help you make the most of this framework. It includes practical tips, expert advice, and useful resources to guide you through implementing OWASP SAMM in your organization.

What Is the SSDLC? A Guide to Secure Development

Published: 11 June, 2025 (updated 26 June, 2025). Categories: AppSec, Cybersecurity, SAMM, Security

Most security issues in software stem from one simple problem: teams try to fix them too late. The Secure Software Development Lifecycle (SSDLC) changes that by bringing security into each phase of development, not just the end. In this article, we explain what the SSDLC is, why it matters, and how to make it work in practice using clear steps and proven frameworks.

Key takeaways: The Secure Software Development Lifecycle (SSDLC) is a practical approach to embedding security into every phase of software development. Implementing the SSDLC helps teams reduce risk, improve software quality, and address vulnerabilities earlier and more effectively. The SSDLC includes seven key phases, from planning and analysis to maintenance, each requiring tailored security practices. OWASP SAMM offers a structured way to implement the SSDLC and is widely adopted by the security community. Supporting functions like governance and operations, while […]

Master Dependency Management with SOOS and SAMM

Published: 3 June, 2025. Categories: AppSec, SAMM, Security

Dependency management has become one of the most critical aspects of modern software development. Third-party dependencies now make up the majority of most codebases. What once felt like the holy grail of software reuse in the early 2000s is now the default. That shift has fuelled faster development, but it also introduced a massive security problem. According to Verizon’s Data Breach Investigations Report from 2024, the number of breaches caused by third parties has increased 68% from 2023. That is surprising, as we have tools to systematically scan applications for dependencies and flag known vulnerabilities. Software Composition Analysis (SCA) tools have become a commodity. Frankly, my team could build a basic SCA tool in a week. The real challenge lies elsewhere. You need the right people, mature processes and clear ownership. And you need tools that fit your workflow, not tools that force you to create one.[…]

Master Threat Modeling with Toreon’s World-Class Approach

Published: 10 April, 2025. Categories: AppSec, Cybersecurity, OWASP, SAMM, Security

Threat modeling shaped my AppSec career. It helped me wrestle with one of security’s most deceptively simple questions: “Is your system secure?” “No” is clearly not a good answer. But “yes” is even worse. It signals that someone has no idea how security really works. Learning how to do threat modeling gave me a better way to answer that question: “Here are the threats and the risks we identified. And here’s how we are mitigating them.” Over the past few years, threat modeling has gone through a strange evolution. Once ignored, it is now getting attention. Yet many organizations still struggle to do it right. Some even claim that threat modeling is dead and suggest we should start calling it “attack modeling” instead. Others have embraced it, but often in ways that miss the point entirely. What I have seen time and time again is that most threat[…]

OWASP SAMM: A Comprehensive Introduction

Published: 4 April, 2025 (updated 20 May, 2025). Categories: AppSec, OWASP, SAMM, Security

Modern software development moves fast, and so do the security challenges that come with it. For many organizations, building secure software isn’t just about following a checklist. It’s about having a structured, practical, and realistic approach to improving security over time. That’s where the OWASP Software Assurance Maturity Model (SAMM) comes in. OWASP SAMM provides a flexible framework for assessing and growing your organization’s software security posture. Whether you’re starting from scratch or looking to refine a mature program, SAMM helps you align security with business risk, measure progress, and plan concrete improvements. In this guide, we’ll walk you through what OWASP SAMM is, how it’s structured, and how it compares to other popular frameworks. You’ll also learn how to get started with implementation and where SAMM fits within the broader application security landscape.

Five key takeaways of this article: OWASP SAMM[…]

How to implement OWASP SAMM: Tooling, Example and Mistakes to Avoid

Published: 4 April, 2025 (updated 25 June, 2025). Categories: AppSec, OWASP, SAMM, Security

Understanding OWASP SAMM is only the beginning. The real value comes from using it to drive measurable improvements in your software security posture. But OWASP SAMM implementation isn’t just about filling out an assessment; it’s about creating a practical, risk-aligned process your teams can follow over time. In this guide, we walk through a step-by-step approach to implementing OWASP SAMM using SAMMY. You’ll see how to define scope, assess maturity, set meaningful targets, and track progress, all supported by real features and screenshots from SAMMY’s Playground environment. You’ll also see how SAMM is applied in a real-life case study and learn about common mistakes to avoid during implementation. Whether you’re just getting started or looking to strengthen an existing program, this blog will help you turn SAMM from a static model into a living, continuous improvement cycle.

Listen to the summary of[…]

Comparing NIST SSDF and OWASP SAMM: A Comprehensive Analysis

Published: 28 November, 2024 (updated 4 April, 2025). Categories: AppSec, NIST, SAMM

Over the past year, our SAMMY tool has grown significantly. It now supports not just the OWASP Software Assurance Maturity Model (SAMM) but also many other frameworks and standards. Whether you need a cybersecurity framework, quality framework, maturity model, or compliance standard, SAMMY unifies them all. This versatility often raises a key question: “Which framework is best for an application security program?” OWASP SAMM stands out, but what about the Building Security In Maturity Model (BSIMM) or the NIST Secure Software Development Framework (SSDF)? SAMM looks excellent on paper, but SSDF comes from NIST, a highly respected organization. Meanwhile, BSIMM is popular among large enterprises. I have already written a blog on BSIMM vs SAMM. BSIMM is not cheap, and even if your organization has the budget, SAMM is likely a better pick. In this post, I will focus on comparing OWASP SAMM and NIST SSDF. Key[…]

Common mistakes when implementing OWASP SAMM

Published: 2 November, 2024 (updated 4 April, 2025). Categories: AppSec, OWASP, SAMM, Security

The OWASP Software Assurance Maturity Model (SAMM) is one of the only comprehensive frameworks available for application security program management. Aside from BSIMM, there’s not much else around. Moreover, SAMM is open-source, making it accessible to everyone with zero barriers to entry. However, there’s a catch: implementing OWASP SAMM comes with a learning curve. Beginner and even intermediate users seem to struggle with certain aspects of the model. Based on my experience, users have the hardest time figuring out: how to deal with quality criteria (or the “definition of done”) and what they mean; how to come up with a meaningful prioritization for the improvement roadmap; what type of evidence is required for demonstrating “compliance”; how to interpret the model for domains other than web application development; and how SAMM can help a smaller company. In this blog, I will offer 12 foolproof ways[…]

Supplier Security Explained: Best Practices to Manage Supplier Risk

Published: 20 October, 2024 (updated 4 April, 2025). Categories: AppSec, OWASP, SAMM, Security

What is supplier risk management about? Outsourcing software development has become a cornerstone for many organizations, enabling them to accelerate innovation, reduce costs, and tap into specialized expertise. However, outsourcing also introduces specific risks, particularly in ensuring strong application security throughout the development process. This is where supplier risk management plays a critical role. By systematically addressing supplier-related risks, organizations can maintain a secure software supply chain while reaping the benefits of outsourced development. In this blog, I will explore best practices for supplier risk management in the context of outsourced software development, offering actionable steps to ensure security is embedded across the software development lifecycle (SDLC). Here’s a quick overview of three key pillars of managing supplier risks in outsourced development, adapted from OWASP SAMM, listed in order of progressive difficulty: Supplier Evaluation: Assess potential suppliers against your organization’s security requirements, ensuring[…]

Software Security Requirements Explained: Why It Matters and How to Implement It Effectively

Published: 19 October, 2024 (updated 4 April, 2025). Categories: AppSec, OWASP, SAMM, Security

Introduction to software security requirements: Despite clearly understanding the importance of security requirements, organizations seem to struggle with figuring out how to implement security requirements in their SDLC (secure software development lifecycle). In this blog, we will provide an in-depth analysis and insights on how to do this right. Requirements in general, and security requirements in particular, establish the common theme throughout the software development lifecycle (SDLC). The whole product and solution development starts with business analysts specifying what needs to be developed. Requirements are the building blocks for those specification documents. The architects create a software architecture that implements those requirements. Developers implement those requirements, conforming to the specified architecture. Then verification engineers and quality assurance (QA) teams validate that the implementation correctly addresses all the requirements. Finally, the customers use the product and achieve their initial goal. In a nutshell, requirements[…]

Why Choose OWASP SAMM?

Using OWASP SAMM can help you pinpoint weak spots in your software development process and uncover actionable ways to improve. The framework is structured to assess your current practices, provide clear benchmarks, and guide you toward a more secure development lifecycle. Whether you’re just starting with OWASP SAMM or aiming to refine your existing approach, our OWASP SAMM Guidance delivers the tools and insights you need to succeed.

Unlock Additional Resources

Our guidance connects you to a wealth of additional resources, including best practices for secure design, development, and deployment. Internal links throughout this page will direct you to case studies, practical tips, and related articles. By exploring these, you can expand your knowledge and implement improvements step by step.

How SAMMY Supports OWASP SAMM

By focusing on OWASP SAMM Guidance, your team can build stronger, more secure software. The framework works seamlessly with SAMMY, our security management software: SAMMY integrates OWASP SAMM principles to simplify security assessments and streamline the improvement process. For organizations aiming to boost their security quickly and effectively, SAMMY is an invaluable tool.

Take the Next Step

Start your journey today and discover how OWASP SAMM and SAMMY can transform your development processes. With the right tools and guidance, you can ensure your software meets high security standards. Dive into our related content to explore practical steps for integrating SAMMY into your OWASP SAMM journey. Together, these empower you to protect your software and strengthen your security posture.

Secure Your Software Development with SAMMY

Security isn’t a destination—it’s a journey. OWASP SAMM provides the roadmap, and SAMMY is the ultimate tool to navigate it.

Originally designed to simplify OWASP SAMM assessments, SAMMY has evolved into a powerful platform for managing secure software development, compliance, and maturity frameworks. Whether your organization follows OWASP SAMM, ISO 27001, or NIST frameworks, SAMMY streamlines assessments, tracks progress, and helps you align security investments with business goals.

🔹 Assess your security posture
🔹 Develop a tailored improvement roadmap
🔹 Ensure compliance and track maturity over time

Codific helps organizations implement SAMM through expert guidance, external assessments, and hands-on training. Start building a robust security strategy today!