OWASP SAMM Project
Questions? Please ask on the SAMM Mailing List
The foundation of the model is built upon the core business functions of software development, with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, and estimate personnel and other costs.
- Strategy & Metrics
- Policy & Compliance
- Education & Guidance
The latest work in progress can be found on GitHub: https://github.com/OWASP/opensamm
Download SAMM v1.1:
- SAMM Core Model document, explaining the maturity model;
- How-To Guide with implementation guidance;
- Quick-Start Guide with different steps to improve your secure software practice;
- Updated SAMM Tool Box to perform SAMM assessments and create SAMM roadmaps;
Download SAMM v1.0:
- in English - PDF, English - XML
- in Spanish - PDF, Spanish - XML
- in Japanese - PDF, not available as XML
Available resources to apply SAMM:
- Browse OWASP and other resources for SAMM Security practices: Category:SAMM-Resources
- Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
- SAMM v1.1 RC1 toolbox
- download the latest toolbox, including the updated questions here
- Assessment Interview Template by Nick Coblentz for SAMM V1.0
- This spreadsheet breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.
- Roadmap Chart Template by Colin Watson for SAMM V1.0
- This spreadsheet provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.
- Assessment Worksheet by Christian Frichot for SAMM V1.0
- This is an easy-to-use spreadsheet containing the assessment questionnaire from the SAMM framework. It includes some auto-scoring and a polished presentation.
- Project Plan Template by Jim Weiler for SAMM V1.0
- This is a project plan template (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.
- BSIMM-6 mapping to SAMM activities:
- BSIMM mapping to SAMM during the 2011 Summit:
- This spreadsheet contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).
In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April; details here.
Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit
In 2015 we organized the first OWASP SAMM Summit in Dublin on 27-28 March; details here.
- 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
- Summit outcome is described here
"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers." Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company
SAMM Workshops:
During the AppSec conferences, the SAMM project team organises workshops where you can influence the direction in which SAMM evolves.
This is also an excellent opportunity to exchange experiences with your peers.
If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).
- The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available here.
Previous workshop notes:
- The notes for the SAMM Workshop in New York on 21-Nov-2013 are available here.
- The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available here.
This project has produced a book that can be downloaded or purchased.
Feel free to browse the full catalog of available OWASP books.