OWASP SAMM: your map and itinerary in the security journey.

24 December, 2021


SAMMY, implementing SAMM

Cybersecurity (or just security) is a topic that is on every company’s agenda. Even for industries only remotely-related to the internet (e.g., vehicle manufacturing) employing a full-time cybersec team is a must. However security is such a monumentally complex matter that even the champions like Google and Apple don’t always get it right. Still, security (at least software security) is actually a scientific discipline. Hence, getting it right is a matter of a methodological approach.

If you have no clue about software security the number one phrase to remember is security is a journey, not a destination. Nothing is 100% secure and it’s all about threat, risks and impact. However that is not the story you are looking to tell your customers. Practically, you’d like to claim that your software system (and your organization) is more secure than that of your competitors. So how do you do that?

  1. How do you do “as good as it gets” in software security?
  2. How do you claim that your product (and organization) is more secure than that of the competition?


Ransomware, supply chain attacks and zero-day vulnerabilities are the most common buzzwords. Yet they are as relevant to software security as a mask is to the Covid pandemic.

The good news: all you need to go from zero to hero in software security is there. Software Assurance Maturity Model (SAMM) is the OWASP framework to help organizations assess, formulate, and implement a strategy for software security, that can be integrated into their existing Software Development Lifecycle (SDLC). SAMM covers the complete spectrum of software security from A to Z, от А до Я, Ա մինչեւ Ֆ (or any other alphabet of your liking). SAMM is nothing short of a job description for your organization’s CISO / CTO.

The bad news: going from zero to hero even with SAMM is still a challenge. There are 5 business functions, 3 security practices per business function, 2 streams and 3 maturity levels. In other words to be a hero you might need to cover 90 activities some of which might take several man-months or even years. However that is the harsh reality behind becoming a champion in software security. The scope is immense and that is precisely why SAMM provides a framework to plan and build your improvement strategy in small and prioritized increments.

Codific SAMMY

SAMM is the software security bible.

We obviously strongly believe in SAMM and this is why we have started developing a SAMM supporting toolset. SAMMY is a platform to help organizations implement their security assurance program. SAMMY introduces a number of our own process flavors to SAMM:

  • Highlighting streams and security practices as first-class citizens.
  • Hiding higher maturity levels if the organization is not there yet.
  • Focus on evidence to prove the score at a given maturity level for a given stream.
  • Growth score per stream / security practice to further stress the tailored approach behind SAMM.
  • Gamification as to provide additional incentive to all users within an organization to get involved in software security.

Here is a brief walkthrough of SAMMY. We would love to hear your feedback and if you are interested in trying out a beta please contact us at sammy [at] codific.com

What are the things we build with SAMM and SAMMY?

Codific is a team of security software engineers that leverage privacy by design principles to build secure cloud solutions. We build applications in different verticals such as HR-tech, Ed-Tech and Med-Tech. Secure collaboration and secure sharing are at the core of our solutions.

Videolab is used by top universities, academies and hospitals to put the care in healthcare. Communication skills, empathy and other soft skills are trained by sharing patient interviews recordings for feedback.

SARA is used by top HR-Consultants to deliver team assessments, psychometric tests, 360 degree feedback, cultural analysis and other analytical HR tools.

SAMMY Is a Software Assurance Maturity Model management tool. It helps your organization assess and improve its security posture. That way other companies can help us build a simple and safe digital future. And we off course use it ourselves in all our application, including SAMMY.

We believe in collaboration and open innovation, we would love to hear about your projects an see how we can contribute in developing secure software and privacy by design architecture. Contact us.

December 2021



Aram is the founder and the CEO of Codific. With over 15 years of experience, he has a proven track record in building complex software systems by explicitly focusing on software security. Aram has a PhD in cybersecurity from DistriNet KU Leuven. His contributions to the refinement and streamlining of the LINDDUN privacy engineering methodology have been incorporated into ISO and NIST standards. Aram is also a core contributor to OWASP SAMM project and the architecture and security mentor for all our teams.

If you have questions, reach out to me here