Aytose Group

Software Assurance Maturity Model (SAMM):
A Prescriptive Roadmap for Security

Research Brief

The Software Assurance Maturity Model (SAMM) is an open-source framework designed to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing their business.

Unlike observational models that simply benchmark what others are doing, SAMM is fundamentally prescriptive. It provides a logical, step-by-step roadmap for organizations of any size to build, measure, and improve a secure software development lifecycle (SSDLC) from the ground up.

💡 What is OWASP SAMM?

Maintained by the Open Worldwide Application Security Project (OWASP), SAMM was built with flexibility and scalability in mind. It recognizes that there is no single "right" way to do application security; what works for a massive financial institution will not work for an agile startup.

Key Characteristics of SAMM:

  • Prescriptive and Actionable: SAMM tells you exactly what steps you can take to improve your security posture, acting as a blueprint for program creation.
  • Technology and Process Agnostic: The framework applies equally well whether you use Waterfall, Agile, DevOps, or CI/CD pipelines.
  • Iterative Improvement: SAMM is designed to be implemented in phases, allowing organizations to demonstrate continuous, measurable improvement over time.
  • Open Source and Accessible: The entire model, including assessment tools and implementation guides, is freely available to the public.

🏗️ The SAMM v2 Structure: Business Functions and Practices

SAMM v2 organizes the software development lifecycle into 5 overarching Business Functions, each containing 3 specific Security Practices. This creates a matrix of 15 core practices that cover the entirety of software security.

Business Function      Security Practices
1. Governance          Strategy & Metrics, Policy & Compliance, Education & Guidance
2. Design              Threat Assessment, Security Requirements, Security Architecture
3. Implementation      Secure Build, Secure Deployment, Defect Management
4. Verification        Architecture Assessment, Requirements Testing, Security Testing
5. Operations          Incident Management, Environment Management, Operational Management

📈 Measuring Progress: Maturity Levels

For each of the 15 Security Practices, SAMM defines objective criteria to measure an organization's maturity on a scale of 0 to 3. This allows teams to assess exactly where they stand and what is required to reach the next tier.

  • Maturity Level 0 (Implicit): The starting point. The practice is either unfulfilled or performed in an ad-hoc, inconsistent manner.
  • Maturity Level 1 (Initial): Basic understanding and ad-hoc provision of the practice. The goal is to establish initial capabilities.
  • Maturity Level 2 (Structured): The practice is standardized, documented, and consistently applied across the organization. Efficiency and effectiveness are improving.
  • Maturity Level 3 (Optimized): The practice is highly mature, automated where possible, integrated deeply into the culture, and continuously improved through feedback loops.

Crucial Context: Reaching Level 3 across all practices is rarely the goal. A proper SAMM implementation defines a target maturity score based on the organization's unique risk profile and resources, often aiming for a blend of Level 1s and 2s in early phases.

⭐ Conclusion and Next Steps

OWASP SAMM is the premier framework for organizations looking for a clear, actionable path to building a software security program. By offering a standardized way to assess current capabilities and prescribe future improvements, SAMM allows security leaders to justify budgets, track progress, and systematically reduce software risk.

Because it is open-source and highly adaptable, SAMM serves as an ideal foundational framework before an organization is ready for the intense, peer-benchmarking scrutiny of models like BSIMM.