SAMM Introduction

View the original Working Session content

What is the Software Assurance Maturity Model for?

SAMM helps manage application security activities throughout the software development life cycle (SDLC).

What does SAMM do?

  • Gives you a blueprint of OWASP best practices
  • Lets you measure how well you follow them
  • Supports you in making a software security strategy adapted to the risk profile of your organization.

Where and When in the SDLC is Software Security Needed?

Application security activities can be divided into two main parts. Each part can be further divided into two phases with their own security activities.

Proactive – phases that happen earlier in the SDLC

  1. Design phase: security requirements, threat modeling
  2. Build phase: coding guidelines, code reviews, static test tools.

Reactive – phases that happen later in the SDLC

  1. Test: security testing, dynamic test tools
  2. Production: vulnerability scanning, web application firewalls (WAF).

What Must a Software Assurance Maturity Model Offer for Security?

  • Adaptability – continue to work for organizations, whose behavior changes over time
  • Choice – there is no ‘one-size-fits-all’ solution, instead enable risk-based choices that are relevant to each organization
  • Ease of application – give as many clear instructions as needed for non-technical people to ensure security is implemented as needed
  • Measurability – show organizations how far they have come and how much is left to do.

How does SAMM Map onto Business Functions?

Software development is now largely a business-centric activity. For practical organization of software security practices, four business functions are defined:

  • Governance
  • Construction
  • Verification
  • Deployment.

Within each business function, three security practices are defined.


  • Strategy and Metrics
  • Education and Guidance
  • Policy and Compliance.


  • Security Requirements
  • Threat Assessment
  • Secure Architecture


  • Design Review
  • Security Testing
  • Code Review


  • Environment Hardening
  • Vulnerability Management
  • Operational Enablement

These 12 security practices link the organization and the software assurance. Each security practice can be improved independently of the others.

Each security practice in turn consists of a set of activities:

  • Each activity can be rated for maturity (level 1, 2, or 3) in a SAMM assessment interview
  • Together, these ratings give an overall maturity rating.

What is Coming in the Next Version (v2) of SAMM?

  • Continue to improve consistency
  • Continue to refine logical flow of security activities within security practices
  • Integrate agile software development and DevOps practices into the model
  • Continue to evolve business function definitions for better fit and flexibility.

How Can You Start Using SAMM?

  • Quick start guide
  • How-to guide
  • Join the Project Slack channel.


Session page 2017 Session page 2017 Outcomes

Session organiser(s)

Sebastien Deleersnyder Sebastien Deleersnyder


Chris Cooper Chris Cooper , David Cervigni David Cervigni Mark-David McLaughlin Mark-David McLaughlin

Attached materials: