OWASP SAMM Project

= Main = 

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 * valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

OWASP SAMMv2 beta released for community review We are very proud to announce a new version of SAMM! Check it out on our new website: https://owaspsamm.org/. Please, read our notes on how to provide feedback.

OWASP SAMM v1.5 available in the downloads section! We are now working on the Beta release of OWASP SAMMv2, our work in progress is available online on our new web site.

Join our monthly calls
 * The monthly call is on each 2nd Wednesday of the month at 21h30 CEST / 3:30pm EST.
 * Please join our GoToMeeting: https://global.gotomeeting.com/join/262891661
 * The call is open for everybody interested in SAMM or who wants to work on SAMM.

Join us on the OWASP SAMM project Slack channel
 * Join our project slack channel on https://owasp.slack.com/messages/C0VF1EJGH
 * If you do not have an OWASP Slack workspace account yet, contact one of our project leaders to get an invite link.

2018 OWASP SAMM Summit (4-8 JUNE 2018, London)
 * Join our 2018 OWASP SAMM Summit near London as part of the Open Security Summit.
 * We will organize working sessions in a 5-day sprint to draft SAMM v2.0.
 * Register online here
 * Sponsor the SAMM2, more details here

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:
 * Evaluate an organization’s existing software security practices
 * Build a balanced software security assurance program in well-defined iterations
 * Demonstrate concrete improvements to a security assurance program
 * Define and measure security-related activities throughout an organization

Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize., (Michael J. Craigue, Information Security & Compliance, Dell, Inc.)

Follow OWASP SAMM on twitter: @owaspsamm


 * valign="top" style="padding-left:25px;width:200px;" |

Quick Download v1.5
All SAMM v1.5 files (.zip) SAMM Core Model How-To Guide Quick Start Guide SAMM Toolbox SAMM Toolbox Example OWASP SAMM on GitHub

Quick Download v1.1.1
SAMM Core Model How-To Guide Quick-Start Guide Updated SAMM Tool Box OWASP SAMM on GitHub

News and Events
Please see the News and Talks tabs

Change Log

 * OWASP SAMM v1.5 Released! (Press Release)
 * OWASP SAMM v1.1 Released! (Press Release)
 * OpenSAMM v1.1 RC - available for review

Email List
Questions? Please ask on the SAMM Mailing List

Project Leaders
Seba Deleersnyder Bart De Win

Classifications

 * }

= Browse Online =

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.



Click on any badge to learn more
= Downloads =

The latest work in progress can be found on Github: https://github.com/OWASP/samm

Download SAMM v1.5
 * All SAMM v1.5 files (.zip) Zip file containing all the v1.5 files below;
 * SAMM Core Model document, explaining the maturity model;
 * How-To Guide with implementation guidance;
 * Quick-Start Guide with different steps to improve your secure software practice;
 * SAMM Toolbox to perform SAMM assessments and create SAMM roadmaps;
 * SAMM Tool Box Example to provide an example SAMM assessment;

Download SAMM v1.1
 * SAMM Core Model document, explaining the maturity model;
 * How-To Guide with implementation guidance;
 * Quick-Start Guide with different steps to improve your secure software practice;
 * Updated SAMM Tool Box to perform SAMM assessments and create SAMM roadmaps;

Download OpenSAMM v1.0:
 * in English - PDF, English - XML
 * in Spanish - PDF, Spanish - XML
 * in Japanese - PDF, not available as XML
 * in Chinese - PDF, not available as XML

Available resources to apply SAMM:
 * Browse OWASP and other resources for SAMM Security practices: Category:SAMM-Resources

Trainings:
 * Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
 * Slide deck download here
 * Training description download here

Assessments:
 * SAMM v1.5 Toolbox
 * Download the new v1.5 Toolbox with the updated scoring model SAMM v1.5 Toolbox
 * SAMM v1.1 Toolbox
 * download the v1.1 toolbox, including the updated questions here
 * Assessment Interview Template by Nick Coblentz for SAMM V1.0
 * This spreadsheet breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.
 * Roadmap Chart Template by Colin Watson for SAMM V1.0
 * This spreadsheet provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.
 * Assessment Worksheet by Christian Frichot for SAMM V1.0
 * This is an easy-to-use spreadsheet containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.
 * Project Plan Template by Jim Weiler for SAMM V1.0
 * This is a project plan template (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.

Mappings:
 * BSIMM-6 mapping to SAMM activities:
 * Spreadsheet download here
 * Presentation with start of analysis download here
 * BSIMM mapping to SAMM during the 2011 Summit:
 * This spreadsheet contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).

Tools:
 * Javascript visualization framework for SAMM on github

= Community =



= Summit =



Our last summit was in November 2018 in Minneapolis, check out the details here.

In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details >here< !!

Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details >here< !!

Summit Notes: "The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers." Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company
 * 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
 * Summit outcome is described here

Previous workshop Notes:

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.

This is also an excellent opportunity to exchange experiences with your peers.

If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).
 * The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available here.

Previous workshop notes:
 * The notes for the SAMM Workshop in New York on 21-Nov-2013 are available here.
 * The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available here.

= Talks = Upcoming talks featuring SAMM are listed here:


 * OWASP DC - Software Assurance Maturity Model (SAMM) with Brian Glas! (2017-03-15)
 * OWASP NoVA - SAMM 1.5, what's changed and how it impacts you (2017-03-16)
 * InfoSec World - Software Assurance Maturity Model Evolutions (2017-04-03)

past talks:


 * OWASP SAMM v1.5 Webinar - Brian Glas discussing the SAMM model and changes in v1.5 (watch - youtube) - 2017
 * OWASP 24/7 - Seba Deleersnyder discussing the upcoming SAMM Summit (listen - here) - 2015
 * OWASP Germany Day 2014: Seba Deleersnyder: OpenSAMM Best Practices: Lessons from the Trenches (download presentation) - 2014
 * AppSecEU14: Seba Deleersnyder & Bart De Win: OpenSAMM Best Practices: Lessons from the Trenches OpenSAMM Best Practices: Lessons from the Trenches (download presentation, see video) - 2014
 * AppSecEU13 - Hamburg: Seba Deleersnyder presenting a project update (download presentation) - 2013
 * OWASP Europe Tour 2013 - Geneva: Seba Deleersnyder presenting OpenSAMM and the renewed project (download presentation) - 2013
 * AppSecEU11 - Athens: Colin Watson presenting SAMM Training (download presentation) - 2011
 * AppSecEU09: Pravir Chandra presenting OpenSAMM v1.0 (download presentation) - 2009
 * Matt Bartoldus presentation on new SAMM project during OWASP London chapter (download presentation) - 2009
 * Pravir Chandra - first presentation discussing the next generation to the CLASP Project- a complete working of the details into a Software Assurance Maturity Model (SAMM). (download presentation) - 2009

= News =

Latest News on SAMM
 * OWASP SAMM v2.0 workshop at the OWASP Project Summit June 2017
 * OWASP SAMM v1.5 Released!
 * SAMM Summit 2016 read the wrap-up here
 * OWASP SAMM v1.1 Released! See the Press Release.
 * OpenSAMM v1.1 RC - available for review

= Languages =

SAMM v1.0 is available in the following languages:


 * English
 * Spanish
 * Japanese
 * Chinese

Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the presentation. Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download here.

You can use Crowdin to help improve these translations or add new ones right now!

= Roadmap =

Updated roadmap: Next 1.5 release, updated scoring: Targeted completion date: February 28, 2017
 * Clarification of maturity levels (syntactic changes to keep the text consistent)
 * Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal.
 * Show improvements with every activity introduced
 * Adapt for the new scoring method
 * Update questions for 4-tiers
 * Review and where necessary clarify current questions
 * Consider v1.1 remarks that were not withheld for the previous release

SAMM version 2.0 Timing: Workshops as part of OWASP Project Summit June 2017
 * Core model changed
 * Visualisations + flavours for a few development methodologies
 * Update quickstart guide, TB, HTG.
 * Success metrics: How well does the model work: Linked to the benchmarking project.

= Get Involved =

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

Feedback
Please use the Mailing List for feedback:
 * What do like?
 * What don't you like?
 * How can we make SAMM easier to use?
 * How could SAMM be improved?

Localization
Are you fluent in another language? Can you help translate SAMM into that language?

You can use Crowdin to do that!

= Project Sponsors =

SAMM is developed and maintained by a worldwide team of volunteers. We have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM.

SAMM Adopters
SAMM is the premier open source software assurance framework. You can find a list of SAMM adopters online.

Call for SAMM2 Sponsors
OWASP SAMM and the upcoming SAMM 2.0 release is the open source software security maturity model used to develop secure software for IT, application and software security technologists.

We are seeking sponsors to support OWASP SAMM. All proceeds from the sponsorship support the mission of the OWASP Foundation and the further development of SAMM. Supporting the project drives the funding for research grants, SAMM hosting, tools, templates, documents, promotion, and more.

By sponsoring SAMM, you not only support an important and flagship OWASP project, you will also get visibility during the next SAMM Summit (part of the Open Security Summit 2019) and recognition on the OWASP SAMM web site and the next release of SAMM (version 2.0).

For more information: Contact [mailto:seba@owasp.org seba@owasp.org]

Acknowledgements
We would like to thank the following sponsors who donated funds to our project: