Your Guide to OWASP SAMM: Insights and Best Practices
The OWASP Software Assurance Maturity Model (SAMM) is a powerful tool for improving software security practices. It provides clear steps and a structured approach, enabling teams to assess their current security posture and build better strategies. Our OWASP SAMM Guidance page is here to help you make the most of this framework. It includes practical tips, expert advice, and useful resources to guide you through implementing OWASP SAMM in your organization.
Common mistakes when implementing OWASP SAMM
Updated: 9 March, 2026 | 2 November, 2024 The OWASP Software Assurance Maturity Model (SAMM) is one of the only comprehensive frameworks available for application security program management. Aside from BSIMM, there’s not much else around. Moreover, SAMM is open-source, making it accessible to everyone with zero barriers to entry. However, there’s a catch: implementing OWASP SAMM comes with a learning curve. Beginner and even intermediate users seem to struggle with certain aspects of the model. Based on my experience, users have the hardest time figuring out: how to deal with quality criteria (or the “definition of done”) and what they mean; how to come up with a meaningful prioritization for the improvement roadmap; what type of evidence is required for demonstrating “compliance”; how to interpret the model for domains other than web application development; and how SAMM can help a smaller company. In this blog, I will offer 12 foolproof ways […]
Supplier Security Explained: Best Practices to Manage Supplier Risk
Updated: 9 March, 2026 | 20 October, 2024 What is supplier risk management about? Outsourcing software development has become a cornerstone for many organizations, enabling them to accelerate innovation, reduce costs, and tap into specialized expertise. However, outsourcing also introduces specific risks, particularly in ensuring strong application security throughout the development process. This is where supplier risk management plays a critical role. By systematically addressing supplier-related risks, organizations can maintain a secure software supply chain while reaping the benefits of outsourced development. In this blog, I will explore best practices for supplier risk management in the context of outsourced software development, offering actionable steps to ensure security is embedded across the software development lifecycle (SDLC). Here’s a quick overview of three key pillars of managing supplier risks in outsourced development, adapted from OWASP SAMM, listed in order of progressive difficulty: Supplier Evaluation: Assess potential suppliers against your organization’s security requirements, ensuring [...]
Software Security Requirements Explained: Why It Matters and How to Implement It Effectively
Updated: 9 March, 2026 | 19 October, 2024 Introduction to software security requirements Despite clearly understanding the importance of security requirements, organizations seem to struggle with figuring out how to implement security requirements in their SDLC (secure software development lifecycle). In this blog, we will provide an in-depth analysis and insights on how to do this right. Requirements in general, and security requirements in particular, establish the common theme throughout the software development lifecycle (SDLC). The whole product and solution development starts with business analysts specifying what needs to be developed. Requirements are the building blocks for those specification documents. The architects create a software architecture that implements those requirements. Developers implement those requirements in conformance with the specified architecture. Then verification engineers and quality assurance (QA) teams validate that the implementation correctly addresses all the requirements. Finally, the customers use the product and achieve their initial goal. In a nutshell, requirements [...]
OWASP SAMM Benchmark Data Analysis
Updated: 9 March, 2026 | 5 October, 2024 The OWASP Software Assurance Maturity Model (SAMM) is rapidly becoming the go-to framework for application security programs, and it’s easy to see why. SAMM offers a structured, measurement-driven approach to improving product security. As a well-established framework since 2009, it helps organizations evaluate their software security maturity on a scale from 0 to 3. However, many organizations face challenges after completing their initial SAMM assessment. There’s growing interest in understanding how other organizations are progressing, making real-world data one of the hottest topics in the SAMM community. The SAMM Benchmarking project aims to provide exactly that. At the recent OWASP Global AppSec Conference in San Francisco, the SAMM Core Team shared the latest benchmark data. In this blog, we provide an in-depth analysis and interpretation of the OWASP SAMM Benchmark data. Key takeaways Most of the currently limited benchmark data (30 assessments) is [...]
Mapping compliance standards: Harnessing SAMMY and OpenCRE
Updated: 30 September, 2025 | 2 October, 2024 Cybersecurity in general, and application security (AppSec) in particular, are extremely challenging topics. They run broad and deep, and success in one area is just not enough. A systematic solution is provided by the myriad of (compliance) cybersecurity standards, frameworks and maturity models: CIS Controls, Cloud Controls Matrix (CCM), ISO 27001, NIST SSDF, NIST CSF, BSIMM, OWASP SAMM, Cybersecurity Fundamentals, OWASP DSOMM, just to name a few. One of the most promising solutions is the OWASP Software Assurance Maturity Model, which is rapidly becoming an industry standard within the AppSec domain. Nonetheless, organizations often have to deal with several overlapping, complementary and even competing standards. Hence, mapping cybersecurity compliance standards and frameworks is essential in order to make sure that organizations are not reinventing the wheel. Among the key pressing questions nearly every organization has to deal with are: How [...]
How to do SAMM assessments: Everything you need to know
Updated: 30 September, 2025 | 10 May, 2024 Want to get started with SAMM? We have just the thing! Take the free OWASP SAMM training course to learn all about SAMM assessments and security. The SAMM training consists of 79 lessons with a total of 5 hours of video content. It also includes two practical case studies to practise SAMM assessments. The instructor of the course is our CEO, Dr. Aram Hovsepyan. Upon completion of the course you will receive a certificate of completion. Find out more here.
Reporting with OWASP SAMM
Updated: 26 September, 2025 | 12 April, 2024 How to use OWASP SAMM for effective communication on security? Reporting with OWASP SAMM is very impactful when done correctly. This blog is based on first- and second-hand experience of implementing SAMM (Software Assurance Maturity Model) as a security programme at organizations large and small. We focus on how security leaders at the organization can communicate upwards, how SAMM can help with this, what challenges arise and how these have been mitigated at different organizations. We start from the perspective of senior leadership. What senior leadership wants: senior leadership wants clarity, simplicity, and reliability in the information they receive. Clarity, to have good visibility on the situation at hand and its implications. Simplicity, in order to easily digest information and know what conclusions to draw. Reliability, or the ability to trust the numbers. Yet for each of these criteria there are challenges [...]
OWASP SDLC guidance: A story of OWASP SAMM implementation
Updated: 1 October, 2025 | 20 March, 2024 Application security is a paramount concern for organizations that develop software. However, systematically managing AppSec across diverse development teams in a measurable way remains a challenge. OWASP provides actionable guidance on SDLC best practices. This blog outlines Zebra Technologies’ journey in adopting the OWASP Software Assurance Maturity Model (SAMM) as our guiding framework for measuring and improving application security practices. Zebra is a Fortune 500 company with 35 different product and IT teams developing and maintaining secure software applications and systems. Though you may not always see them, Zebra is everywhere. Whether it’s on that recently delivered package, or the water bottle you just scanned at the supermarket, or even in the shoulder pads of NFL players, Zebra is there. Key Takeaways Despite initial scepticism and the inherent challenges of integrating SAMM, particularly with embedded and delivered software teams, the implementation led [...]
Security Requirements Driven Development: the best ROI for your SDLC
Updated: 1 December, 2025 | 28 February, 2024 Application security requires a systematic approach that deals with software security throughout every stage of the software development lifecycle (SDLC). However, organizations typically struggle to create an effective improvement roadmap and end up in the rabbit hole of fixing vulnerabilities generated by security tools. We believe that leveraging the OWASP Application Security Verification Standard (ASVS) as a security requirements framework, as well as a guide to unit and integration testing, is by far the best pick in terms of ROI. Using security-requirements-driven testing and turning security requirements into “just requirements”, organizations can enable a common language shared by all stakeholders involved in the SDLC. We have analyzed the complete ASVS to determine how much of it we could automate using various testing strategies. Our analysis indicates that 162 (~58%) of the ASVS requirements can be automatically verified using unit, integration and acceptance tests. We [...]
A comparison of NIST CSF 2.0 and OWASP SAMM
Updated: 1 October, 2025 | 26 September, 2023 NIST has finalized the Cybersecurity Framework (CSF) 2.0. CSF 2.0 focuses on understanding, assessing, prioritising, communicating, and above all reducing cybersecurity risks in organisations. CSF can be leveraged to describe an organisation’s current as well as target security posture. Organisations can also (in theory) compare their CSF scores with each other… wait a minute. I’ve heard that before! I bet you have as well, especially if you’ve read our blogs on OWASP SAMM. So, I’ve decided to dive deep and provide a comparison of the NIST CSF 2.0 and OWASP SAMM frameworks. Key takeaways: Security is a relative concept. Both CSF 2.0 and SAMM are risk-based approaches. Security is everyone’s job, and communication is key in both frameworks. CSF and SAMM are focused on security and not compliance. CSF is broad and covers all types of cybersecurity risks an organisation may face. SAMM is [...]
OWASP SAMM: Policy and Compliance
Updated: 2 September, 2025 | 26 April, 2023 OWASP is the Open Worldwide Application Security Project. It is a non-profit foundation that works to improve the security of software. One of its most recognized contributions to the field of application security (AppSec) is the Software Assurance Maturity Model (SAMM). SAMM is an AppSec programme that provides organizations with an effective and measurable way to analyze and improve their secure software development lifecycle (SSDLC). This model is divided into five business functions, each of which is subdivided into three security practices. In this blog post we will focus on the OWASP SAMM Policy and Compliance practice of the Governance business function: what it is, and how you can evaluate and improve your security posture in this practice using our management tool, SAMMY. Most importantly, we will include insights from the OWASP SAMM Fundamentals Course, which is taught by Aram Hovsepyan. He is the [...]
OWASP SDLC: Building your SSDLC with OWASP SAMM
Updated: 9 March, 2026 | 23 March, 2023 In the dynamic digital realm, security is not a luxury; it is an imperative. As software development evolves and applications grow more intricate, the risk of vulnerabilities and cyberattacks escalates. The Secure Software Development Lifecycle (SSDLC) provides a systematic approach to embed security into every stage of development, safeguarding applications and protecting valuable data. When aligned with OWASP’s guidance, this approach can be referred to as the OWASP SDLC, a secure SDLC guided by the community’s most trusted security practices. This blog explores how organizations can implement a secure SDLC using guidance from the Open Web Application Security Project (OWASP). While OWASP does not prescribe a standalone SDLC, the community offers a mature and structured recommendation through the OWASP Software Assurance Maturity Model (SAMM). In many ways, OWASP SAMM represents OWASP’s vision of a secure SDLC, combining technical best practices with broader [...]
Why Choose OWASP SAMM?
Using OWASP SAMM can help you pinpoint weak spots in your software development process and uncover actionable ways to improve. The framework is structured to assess your current practices, provide clear benchmarks, and guide you toward a more secure development lifecycle. Whether you’re just starting with OWASP SAMM or aiming to refine your existing approach, our OWASP SAMM Guidance delivers the tools and insights you need to succeed.
Unlock Additional Resources
Our guidance connects you to a wealth of additional resources, including best practices for secure design, development, and deployment. Internal links throughout this page direct you to case studies, practical tips, and related articles. By exploring these, you can expand your knowledge and implement improvements step by step.
How SAMMY Supports OWASP SAMM
By following our OWASP SAMM Guidance, your team can build stronger, more secure software. The framework also works seamlessly with SAMMY, our security management software. SAMMY integrates OWASP SAMM principles to simplify security assessments and streamline the improvement process, making it a valuable tool for organizations aiming to boost their security quickly and effectively.
Take the Next Step
Start your journey today and discover how OWASP SAMM and SAMMY can transform your development processes. With the right tools and guidance, you can ensure your software meets high security standards. Dive into our related content to explore practical steps for integrating SAMMY into your OWASP SAMM journey. Together, these tools empower you to protect your software and strengthen your security posture.