OWASP SAMM: your map and itinerary in the security journey.

Updated: 18 January, 2024

24 December, 2021


SAMMY, implementing SAMM

This article was originally posted in 2021 when Codific started its journey with OWASP SAMM. By this update in 2024 we have gotten much more involved with OWASP. Most notably we have created the official OWASP SAMM training. If you are convinced that SAMM is the way to go we suggest you take the course. If you are still evaluating the “what” and “why” of SAMM, then keep reading.

Cybersecurity (or just security) is a topic that is on every company’s agenda. Even for industries only remotely-related to the internet (e.g., industrial manufacturing), at a certain scale, employing a full-time cybersec team is a must. However security is such a monumentally complex matter that even the champions like Google and Apple don’t always get it right. Still, security (at least software security) is actually a scientific discipline. Hence, getting it right is a matter of a methodological approach.

If you have no clue about software security the number one phrase to remember is security is a journey, not a destination. Nothing is 100% secure and it’s all about threats and risks. However that is not the story you are looking to tell your customers. Practically, you’d like to claim that your software systems (and your organization) is more secure than that of your competitors. So how do you do that?

  1. How do you do “as good as it gets” in software security?
  2. How do you claim that your product (and organization) is more secure than that of the competition?


Ransomware, supply chain attacks and zero-day vulnerabilities are the most common buzzwords. Yet they are as relevant to software security as a mask is to the Covid pandemic.

The good news: all you need to go from zero to hero in software security is there. Software Assurance Maturity Model (SAMM) is the OWASP framework to help organizations assess, formulate, and implement a strategy for software security, that can be integrated into their existing Software Development Lifecycle (SDLC). SAMM covers the complete spectrum of software security from A to Z. SAMM is nothing short of a job description for your organization’s AppSec director.

The bad news: going from zero to hero even with SAMM is still a challenge. There are 5 business functions, 3 security practices per business function, 2 streams and 3 maturity levels. In other words to be a hero you might need to cover up to 90 activities. The good news is that you don’t have to be a champion in all of them. However some of these security practices might take a considerable amount of time. Hence, the scope is immense and that is precisely why you need OWASP SAMM. SAMM provides a framework to plan and build your improvement strategy in small and prioritized increments.

OWASP SAMM Structure

Extract from the OWASP SAMM Training

Check out the free OWASP SAMM Fundamentals training.

Codific SAMMY

We obviously strongly believe in SAMM and this is why we have developed a SAMM supporting toolset. SAMMY is a platform to help organizations implement their security assurance program. It introduces a number of our own process flavors to SAMM:

  • Highlighting streams and security practices as first-class citizens.
  • Hiding higher maturity levels if the organization is not there yet.
  • Includes organizational target postures.
  • Includes gap analysis and roadmap management.
  • Integration with task managers such as Jira and Teams.
  • Focus on evidence to prove the score at a given maturity level for a given stream.
  • Growth score per stream / security practice to further stress the tailored approach behind SAMM.
  • Gamification provides additional incentive to all users within an organization to get involved in software security.

SAMMY is being used by large multinationals around the world to manage their security programme.

Here is a brief walkthrough of SAMMY. We would love to hear your feedback and if you are interested in trying out a beta please contact us at sammy [at] codific.com

SAMMY - gamify security


What are the things we build with SAMM and SAMMY?

Codific is a team of security software engineers that leverage privacy by design principles to build secure cloud solutions. We build applications in different verticals such as HR-tech, Ed-Tech and Med-Tech. Secure collaboration and secure sharing are at the core of our solutions.

Top universities, academies and hospitals use Videolab to put the care in healthcare. Communication skills, empathy and other soft skills are trained by sharing patient interviews recordings for feedback.

SARA is used by top HR-Consultants to deliver team assessments, psychometric tests, 360 degree feedback, cultural analysis and other analytical HR tools.

SAMMY Is a Software Assurance Maturity Model management tool. It helps your organization assess and improve its security posture. That way other companies can help us build a simple and safe digital future. And we off course use it ourselves in all our application, including SAMMY.

We believe in collaboration and open innovation, we would love to hear about your projects an see how we can contribute in developing secure software and privacy by design architecture. Contact us.

Originally posted December 2021, updated January 2024


Aram is the founder and the CEO of Codific. With over 15 years of experience, he has a proven track record in building complex software systems by explicitly focusing on software security. Aram has a PhD in cybersecurity from DistriNet KU Leuven. His contributions to the refinement and streamlining of the LINDDUN privacy engineering methodology have been incorporated into ISO and NIST standards. Aram is also a core contributor to OWASP SAMM project and the architecture and security mentor for all our teams.
If you have questions, reach out to me hereContact