OWASP Developer Guide

Software Assurance Maturity Model

SAMM logo

11.1.1 Software Assurance Maturity Model

The Software Assurance Maturity Model (SAMM) project provides an effective and measurable way for an organization to analyze their secure development lifecycle, and identify any gaps or improvements. SAMM is one of the OWASP’s flagship projects, and can be downloaded from the SAMM project site.

What is SAMM?

SAMM is regarded as the prime maturity model for software assurance. SAMM provides an effective and measurable way for all types of organizations to analyze and improve their software security posture. SAMM supports the complete secure software development lifecycle and is technology and process agnostic.

The SAMM model is hierarchical. At the highest level SAMM defines five business functions; activities that software development must fulfill to some degree:

Each business function in turn has three security practices, which are areas of security-related activities that build assurance for the related business function.

Security practices have activities, grouped in logical flows and divided into two streams (A and B). Streams cover different aspects of a practice and have their own objectives, aligning and linking the activities in the practice over the different maturity levels.

For each security practice, SAMM defines three maturity levels which generalize to foundational, mature and advanced. Each level has a successively more sophisticated objective with specific activities, and more strict success metrics.

Why use it?

The structure and setup of the SAMM model support:

  • assessment of the organization’s current software security posture
  • definition of the organization’s targets
  • definition of an implementation roadmap to get there
  • prescriptive advice on how to implement particular activities

These give the security activities expected at each maturity level, and provide input to the gap analysis.

How to use it

The OWASP Spotlight series provides an overview of using the SAMM: ‘Project 9 - Software Assurance Maturity Model (SAMM)’.

Security gap analysis can benefit from an assessment which measures the quality of the software assurance maturity process. The SAMM Assessment tools include spreadsheets and online tools such as SAMMwise and SAMMY.

The SAMM model describes these fundamentals of software security, which it calls Business Functions. Each of these five fundamentals are further split into three Business Practices:

Business Function Business Practices    
Governance Strategy and Metrics Policy and Compliance Education and Guidance
Design Threat Assessment Security Requirements Secure Architecture
Implementation Secure Build Secure Deployment Defect Management
Verification Architecture Assessment Requirements-driven Testing Security Testing
Operations Incident Management Environment Management Operational Management

Each Business Practice is further subdivided into two streams which provide different objectives for the same practice.

References


The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.

\newpage