OWASP SAMM version 2: Analyze and improve organizational security posture

The OWASP SAMM (Software Assurance Maturity Model) is a community-led, open-source framework that allows teams and developers to assess, formulate, and implement strategies for better software security, and it can be integrated into an existing organizational Software Development Lifecycle (SDLC) with little disruption.


SAMM has evolved to include automation while improving its alignment with development team workflows. Version 2 includes a Quick Start Guide, the SAMM Toolbox that performs assessments and creates roadmaps, and a new Benchmark Initiative that helps teams compare maturity and progress with like-organizations.

Using a single GitHub source, the SAMM team now automatically generates the Maturity Model artifacts: the PDF documents, the website, and the companion toolbox and applications. Model content has been converted to YAML files, which improves automation and lets tools and other SAMM consumers read the model programmatically.

The new model supports maturity measurements from both a coverage and a quality perspective. New quality criteria have been added for all activities.

“This is a really important release for the project team. After three years of preparation, the team, our SAMM community, and through the help of our sponsors we now have an effective and measurable way for all types of organizations to analyze and improve their software security posture,” said project co-leaders Seba Deleersnyder and Bart De Win.

“For nearly twenty years our community continues to deliver some of the most useful and innovative tools that help developers and teams secure software,” said Mike McCamon, executive director of OWASP. He continued, “Along with our other Flagship Projects including the forthcoming 2020 OWASP Top Ten, we congratulate the extended OWASP SAMM team on this release.”
