OWASP SAMM Guidance

Updated: 4 April, 2025 5 September, 2022 Security verification is about validating that a system or application adheres to predefined security requirements or standards. There are many types of security verification activities ranging from penetration testing to vulnerability scans by automated tools. One of the less known types of security verification is the stress testing. Stress testing is part of what Software Assurance Maturity Model (SAMM) calls “misuse/abuse testing”. Misuse/Abuse testing aims to detect unexpected design flaws and implementation bugs by focusing on the so-called negative tests trying to “break” something in the system. Wait, but isn’t stress testing mainly related to testing the scalability of the system? Well, it is! However availability is one of the core security qualities, alongside confidentiality and integrity. Hence, stress testing is an inherent part of security verification testing. In this blog we present our insights in implementing stress testing at Codific. We also […]

Updated: 9 March, 2026 9 June, 2022 Ever heard the saying “our team is our greatest asset”. I’d dare to say that this is rule number 1 through 10 if you are running a company. Any company! Well, except for a one-man show (where this is self-explanatory and you don’t really need a rule)! Thus security training and organizational culture are the pillars of your SDLC programme. Unless you are just trying to check the boxes this security practice should get the highest priority in your SAMM implementation roadmap. In this blog series, we present how Codific implements OWASP SAMM. In each blog we focus on a specific security practice and highlight the processes and tools we use to achieve a certain maturity level. If you would like to learn more about OWASP SAMM, take our free SAMM training. My journey in application security (AppSec) started almost 20 years ago[…]

Updated: 1 October, 2025 24 May, 2022 Secure architecture in a nutshell In application security, architecture is of paramount importance. The secure architecture practice focuses on security during the architectural design of the software system. It is the practice of application security architecture in OWASP SAMM.  The essence of this practice is to leverage proven patterns and principles both in terms of an architectural solution as well as technological implementation. On top of that you should ideally revisit the reference solutions, update them and propagate the changes back to your software systems in production. This practice is an essential step in claiming the security by design principle. In this blog series, we present how Codific implements OWASP SAMM. Obviously describing all details is out of scope especially for this practice. We will however present a high-level overview and describe some of the tools we leverage to achieve a specific maturity[…]

Updated: 9 March, 2026 26 April, 2022 Threat modeling yields the highest return on investment when it comes to your Application Security program. Even if your current security posture is close to a zero OWASP SAMM score, you should start by threat modeling first. As opposed to what many might think, threat modeling is not difficult nor time-consuming. It is by far the most underrated security practice out there. Intro In this blog series, we will present how Codific implements OWASP SAMM. We focus on a specific security practice in each blog and highlight the processes and tools we use to achieve a certain maturity level. If you want to learn more about OWASP SAMM consider taking the free SAMM training. Extract from the OWASP SAMM Fundamentals training. My journey in application security (AppSec) started almost 20 years ago at the DistriNet research lab of the University of Leuven. Back[…]

Updated: 1 October, 2025 24 January, 2022