Whether you are getting started with OWASP SAMM assessments at your organization, or you are starting to do SAMM assessments for your clients, there are lots of resources scattered around the internet that provide guidance and practical tips. On this page we gather the most valuable of these OWASP SAMM resources:
The whitepaper on effective SAMM assessment strategies
This whitepaper was created in the context of Global AppSec 2024 in Lisbon as a collaboration between Toreon and Codific. It was written by professional SAMM assessors and OWASP SAMM core team members, drawing on their practical experience running SAMM assessments at companies large and small. The paper covers:
- General introduction to SAMM
- Assessment tools
- Assessment types
- Interview planning
- The interview process
- Post-interview validation
- Sample interview questions
- And much more
Download the whitepaper on effective SAMM assessment strategies.
The podcast on SAMM assessments
Also in 2024, four SAMM experts got together to share notes on how they run SAMM assessments, and (spoiler!) there is more than one good way to run a SAMM assessment.
The experts on this podcast are:
- Dr. Aram Hovespyan: CEO of Codific, OWASP SAMM core team member
- Prof. Brian Glas: SAMM expert at Codific, OWASP SAMM core team member
- Rob van der Veer: SAMM expert at SIG, OWASP SAMM contributor
- Maxim Baele: SAMM expert at Toreon, OWASP SAMM core team member
The podcast covers:
- Self-assessment vs. internal team of assessors vs. external party
- Interview practicalities
- Getting to the truth
- What should the interviewee prepare?
- SAMM for mergers and acquisitions
- How AI and LLMs can help with SAMM assessments
- And much more
You can find the podcast here:
Getting started with SAMMY
Ready to get practical with the SAMMY tool? Here is a playlist that gets you started with:
- How to get started with OWASP SAMM
- How to collaborate on OWASP SAMM assessments
- Establishing scope
- Setting Target Postures
- Comparing teams in OWASP SAMM in a fair way
- Creating improvement roadmaps
- And much more
You can find the playlist here:
The owaspsamm.org website
This is the official website of the OWASP SAMM project. Here you will find a lot of resources on:
- Guidance
- Resources
- Practitioners
- Events
- FAQ
- And much more
Go to owaspsamm.org
The OWASP SAMM fundamentals training
Maybe the best OWASP SAMM resource is the OWASP SAMM fundamentals training.