OWASP SAMM — Software Assurance Maturity Model

Why it Matters

OWASP SAMM empowers organizations to systematically assess and improve the maturity of their secure software development processes.

Key benefits include:

• Strengthen software security governance

Foster clear policies and accountability, enabling leadership to oversee and guide secure development practices across projects.

• Enhance regulatory compliance support

Align software assurance processes with industry and legal requirements, helping meet obligations and reducing risk of non-compliance.

• Promote continuous process improvement

Establish structured maturity assessments and roadmaps to systematically identify gaps and drive ongoing security enhancement.

• Improve incident detection and response

Enable organizations to recognize and address software-related vulnerabilities more rapidly throughout the software lifecycle.

• Support integration with broader frameworks

Facilitate alignment and interoperability with standards such as ISO 27001 and NIST, streamlining security and risk management efforts.

How it Works

OWASP SAMM (Software Assurance Maturity Model) structures software security around five business functions: Governance, Design, Implementation, Verification, and Operations. Each function is divided into security practices, with detailed activities and maturity levels that define progressive security capabilities. The maturity model framework allows organizations to assess, benchmark, and improve their application security posture using defined criteria for each function and practice.

In practice, organizations leverage OWASP SAMM to evaluate current software security controls, identify gaps in security practices, and prioritize areas for improvement based on risk management needs and regulatory requirements. Teams conduct self-assessments, align SAMM activities to internal governance structures, monitor progress towards security goals, and ensure ongoing compliance with industry standards by iteratively enhancing development lifecycle processes.

Using SmartSuite, organizations operationalize OWASP SAMM by leveraging pre-built control libraries mapped to SAMM practices, tracking assessment results in risk registers, and managing remediation efforts through policy governance workflows. Evidence collection and compliance tracking functions enable continuous monitoring, audit readiness, and reporting on software assurance maturity across security and compliance programs.

Key Elements

• Governance Practice Area

Outlines policies, organizational management, and strategy for secure software development.

• Design Practice Area

Describes architectural and threat modeling processes to integrate security early in the development lifecycle.

• Implementation Practice Area

Specifies secure coding practices and management of software dependencies during system creation.

• Verification Practice Area

Organizes review and testing activities to ensure software meets security requirements throughout development.

• Operations Practice Area

Structures deployment, configuration, and maintenance processes to sustain operational security post-release.

• Maturity Levels

Defines progressive stages of process advancement to measure software assurance capability and improvement.

Framework Scope

OWASP SAMM is adopted by development teams, security leaders, and compliance professionals overseeing secure software development and application environments. The framework governs software security processes across the SDLC, and is typically used when managing software-related risks, meeting security best practices, or enhancing organizational resilience within cybersecurity and compliance programs.

Framework Objectives

OWASP SAMM provides organizations with a comprehensive model for advancing software security and managing application security risks.

Strengthen governance and oversight of software development cybersecurity practices

Establish consistent security controls and risk management processes throughout the SDLC

Enhance data protection and privacy in software applications and systems

Support regulatory compliance and alignment with industry security standards

Enable operational resilience by identifying and mitigating software-related vulnerabilities

Demonstrate improved audit readiness with measurable maturity assessments

Framework in Context

OWASP SAMM provides a maturity model for software security programs and maps well to NIST SSDF, OWASP ASVS and BSIMM, enabling crosswalks to technical controls. Organizations use SAMM to assess and benchmark secure SDLC practices, build governance, prioritize improvements, and demonstrate program maturity for compliance, vendor assurance, or operational security enhancements.

Common Framework Mappings

Organizations map OWASP SAMM to complementary frameworks to align software security practices with enterprise controls, threat models, standards, and development lifecycle requirements for auditability and risk reduction.

Mapped frameworks include:

BSIMM (Building Security In Maturity Model)

CIS Critical Security Controls

ISO/IEC 27001

ISO/IEC 27034

MITRE ATT&CK

NIST Secure Software Development Framework (SSDF)

OWASP Application Security Verification Standard (ASVS)

OWASP Top Ten