OWASP SAMM
OWASP SAMM
Software Assurance Maturity Model
1. Overview: A Framework for Measuring and Improving Security Capability Across the Entire Software Development Lifecycle, OWASP SAMM
flowchart LR
A["Security activities performed ad hoc<br/>No capability measurement baseline<br/>Unclear improvement direction"] --"5 business functions,<br/>15 security practices"--> B["Systematic measurement<br/>of current security maturity"] --"Build a roadmap,<br/>improve step by step"--> C["Embed a software<br/>security culture"]
style A fill:#FFEBEE,stroke:#D32F2F,color:#000
style B fill:#E3F2FD,stroke:#1976D2,color:#000
style C fill:#E8F5E9,stroke:#388E3C,color:#000
Definition: A software security assurance framework developed by OWASP that organizes security activities across an organization’s entire software development process into 5 business functions and 15 security practices, measures the maturity of each practice on a 0-3 scale, and provides a roadmap for diagnosing current capability and reaching a target level.
Characteristics: (Methodology-agnostic) Independent of the development methodology (Waterfall, Agile, DevOps) — applicable to any development environment. (Selective adoption) Practices can be selectively adopted to fit organizational size and industry — prioritize among the 15 and adopt them incrementally. (Open-source framework) An open-source framework that can be used complementarily with BSIMM and ISO/IEC 27034.
2. Core Structure of OWASP SAMM
A. The 5 Business Functions and 15 Security Practices
flowchart TD
subgraph GOV["Governance"]
direction LR
G1["Strategy &<br/>Metrics"]
G2["Policy &<br/>Compliance"]
G3["Education &<br/>Guidance"]
end
subgraph DES["Design"]
direction LR
D1["Threat<br/>Assessment"]
D2["Security<br/>Requirements"]
D3["Security<br/>Architecture"]
end
subgraph IMP["Implementation"]
direction LR
I1["Secure<br/>Build"]
I2["Secure<br/>Deployment"]
I3["Defect<br/>Management"]
end
subgraph VER["Verification"]
direction LR
V1["Architecture<br/>Assessment"]
V2["Requirements-<br/>Driven Testing"]
V3["Security<br/>Testing"]
end
subgraph OPS["Operations"]
direction LR
O1["Incident<br/>Management"]
O2["Environment<br/>Management"]
O3["Operational<br/>Management"]
end
style GOV fill:#E3F2FD,stroke:#1976D2,color:#1E3A5F
style DES fill:#F3E5F5,stroke:#7B1FA2,color:#4A148C
style IMP fill:#FFF3E0,stroke:#F57C00,color:#E65100
style VER fill:#FFEBEE,stroke:#D32F2F,color:#B71C1C
style OPS fill:#E8F5E9,stroke:#388E3C,color:#1B5E20
| Business Function | Security Practice | Core Purpose |
|---|---|---|
| Governance | Strategy & Metrics | Establish security strategy and manage measurement indicators |
| Policy & Compliance | Establish security policy and regulatory compliance framework | |
| Education & Guidance | Build developer and security team capability | |
| Design | Threat Assessment | Threat modeling (STRIDE) and risk identification |
| Security Requirements | Define functional/non-functional security requirements | |
| Security Architecture | Architecture design based on security principles | |
| Implementation | Secure Build | Manage vulnerable components, SAST, SBOM |
| Secure Deployment | Secure configuration, secrets management, CI/CD security | |
| Defect Management | Track and remediate security vulnerabilities | |
| Verification | Architecture Assessment | Security review and architecture review at design time |
| Requirements-Driven Testing | Verify that security requirements are met | |
| Security Testing | DAST, penetration testing, automated security scanning | |
| Operations | Incident Management | Detect, respond to, and recover from security incidents |
| Environment Management | Infrastructure security configuration and patch management | |
| Operational Management | Ongoing security monitoring and improvement |
B. Security Capability Assessment by Maturity Level
flowchart LR
L0["Level 0<br/>Not started<br/>Security activity<br/>not performed"]
L1["Level 1<br/>Initial<br/>Basic security<br/>awareness/practice"]
L2["Level 2<br/>Managed<br/>Formalized<br/>process in operation"]
L3["Level 3<br/>Optimized<br/>Continuous improvement<br/>measurement/optimization"]
L0 --> L1 --> L2 --> L3
style L0 fill:#f5f5f5,stroke:#ccc,color:#555
style L1 fill:#FFF3E0,stroke:#F57C00,color:#000
style L2 fill:#E3F2FD,stroke:#1976D2,color:#000
style L3 fill:#1E3A5F,stroke:#1E3A5F,color:#fff
Characteristics and Achievement Criteria by Maturity Level
| Level | Name | Characteristics | Example Achievement Criteria (Secure Build) |
|---|---|---|---|
| Level 0 | Not performed | The security practice is not performed at all | No dependency vulnerability scanning performed |
| Level 1 | Initial | Performed in an ad hoc, informal way | Known vulnerable components identified at build time |
| Level 2 | Managed | Performed via a formalized, documented process | SAST/SCA automation integrated into CI/CD |
| Level 3 | Optimized | Optimized through continuous improvement and measurement metrics | Automatic SBOM generation, vulnerability SLA management |
SAMM Assessment Procedure
flowchart LR
S1["Current-state assessment<br/>Measure level<br/>of 15 practices"]
S2["Score calculation<br/>Maturity score<br/>per business function"]
S3["Set target level<br/>Reflect org strategy<br/>determine priority"]
S4["Build roadmap<br/>Phased improvement plan<br/>resource/schedule allocation"]
S5["Execute & reassess<br/>Periodic maturity measurement<br/>continuous improvement"]
S1 --> S2 --> S3 --> S4 --> S5
S5 -->|"reassess annually"| S1
style S1 fill:#E3F2FD,stroke:#1976D2,color:#000
style S2 fill:#F3E5F5,stroke:#7B1FA2,color:#000
style S3 fill:#FFF3E0,stroke:#F57C00,color:#000
style S4 fill:#FFEBEE,stroke:#D32F2F,color:#000
style S5 fill:#E8F5E9,stroke:#388E3C,color:#000
3. Expected Benefits and Practical Application of Adopting OWASP SAMM
| Category | Key Expected Benefit | Application & Practical Use |
|---|---|---|
| Security capability diagnosis | Objective measurement and benchmarking of current software security level | Track maturity trends with an annual SAMM self-assessment |
| DevSecOps integration | Integrates security automation of implementation/verification functions into CI/CD | Embed SAST/DAST/SCA tools into the pipeline |
| Executive reporting | Measure and report the value of security investment in business language | Visualize security posture with a radar chart of maturity across the 5 functions |
| Compliance | Link SAMM practices with ISMS-P, ISO 27034, and PCI-DSS requirements | Use SAMM evidence to prepare for certification audits |