OWASP/Training/OWASP Software Assurance Maturity Model

Revision as of 20:34, 14 April 2010 by Nishi (Talk | contribs)

OWASP Software Assurance Maturity Model
Overview & Goal
SAMM is an open framework that helps an organization formulate and implement a strategy for software security. The main driver behind SAMM is that an organization's behavior changes slowly over time. It is based on the principle that somebody has to learn to walk before they can run.
  • That is the reason changes have to be iterative while working toward long-term goals
  • There is no single recipe that works for all organizations
  • A solution must provide enough details for non-security people
  • Overall, it must be simple, well-defined, and measurable
Contents Materials

SAMM can help an organization evaluate its existing software security practices and build a balanced software security assurance program in well-defined iterations. It can demonstrate concrete improvements to a security assurance program. It can also help in defining and measuring security-related activities.

At the highest level, SAMM defines four critical Business Functions:

  • Governance
  • Construction
  • Verification
  • Deployment

Each Business Function covers a core part of software development. For each Business Function, SAMM defines three Security Practices. Overall, there are twelve Security Practices that help an organization build secure applications.


[http:// TBD]