Skip to content

OWASP SAMM

OWASP SAMM

Software Assurance Maturity Model

1. Overview: A Framework for Measuring and Improving Security Capability Across the Entire Software Development Lifecycle, OWASP SAMM

    flowchart LR
    A["Security activities performed ad hoc<br/>No capability measurement baseline<br/>Unclear improvement direction"] --"5 business functions,<br/>15 security practices"--> B["Systematic measurement<br/>of current security maturity"] --"Build a roadmap,<br/>improve step by step"--> C["Embed a software<br/>security culture"]

    style A fill:#FFEBEE,stroke:#D32F2F,color:#000
    style B fill:#E3F2FD,stroke:#1976D2,color:#000
    style C fill:#E8F5E9,stroke:#388E3C,color:#000
  

Definition: A software security assurance framework developed by OWASP that organizes security activities across an organization’s entire software development process into 5 business functions and 15 security practices, measures the maturity of each practice on a 0-3 scale, and provides a roadmap for diagnosing current capability and reaching a target level.

Characteristics: (Methodology-agnostic) Independent of the development methodology (Waterfall, Agile, DevOps) — applicable to any development environment. (Selective adoption) Practices can be selectively adopted to fit organizational size and industry — prioritize among the 15 and adopt them incrementally. (Open-source framework) An open-source framework that can be used complementarily with BSIMM and ISO/IEC 27034.


2. Core Structure of OWASP SAMM

A. The 5 Business Functions and 15 Security Practices

    flowchart TD
    subgraph GOV["Governance"]
        direction LR
        G1["Strategy &<br/>Metrics"]
        G2["Policy &<br/>Compliance"]
        G3["Education &<br/>Guidance"]
    end
    subgraph DES["Design"]
        direction LR
        D1["Threat<br/>Assessment"]
        D2["Security<br/>Requirements"]
        D3["Security<br/>Architecture"]
    end
    subgraph IMP["Implementation"]
        direction LR
        I1["Secure<br/>Build"]
        I2["Secure<br/>Deployment"]
        I3["Defect<br/>Management"]
    end
    subgraph VER["Verification"]
        direction LR
        V1["Architecture<br/>Assessment"]
        V2["Requirements-<br/>Driven Testing"]
        V3["Security<br/>Testing"]
    end
    subgraph OPS["Operations"]
        direction LR
        O1["Incident<br/>Management"]
        O2["Environment<br/>Management"]
        O3["Operational<br/>Management"]
    end

    style GOV fill:#E3F2FD,stroke:#1976D2,color:#1E3A5F
    style DES fill:#F3E5F5,stroke:#7B1FA2,color:#4A148C
    style IMP fill:#FFF3E0,stroke:#F57C00,color:#E65100
    style VER fill:#FFEBEE,stroke:#D32F2F,color:#B71C1C
    style OPS fill:#E8F5E9,stroke:#388E3C,color:#1B5E20
  
Business FunctionSecurity PracticeCore Purpose
GovernanceStrategy & MetricsEstablish security strategy and manage measurement indicators
Policy & ComplianceEstablish security policy and regulatory compliance framework
Education & GuidanceBuild developer and security team capability
DesignThreat AssessmentThreat modeling (STRIDE) and risk identification
Security RequirementsDefine functional/non-functional security requirements
Security ArchitectureArchitecture design based on security principles
ImplementationSecure BuildManage vulnerable components, SAST, SBOM
Secure DeploymentSecure configuration, secrets management, CI/CD security
Defect ManagementTrack and remediate security vulnerabilities
VerificationArchitecture AssessmentSecurity review and architecture review at design time
Requirements-Driven TestingVerify that security requirements are met
Security TestingDAST, penetration testing, automated security scanning
OperationsIncident ManagementDetect, respond to, and recover from security incidents
Environment ManagementInfrastructure security configuration and patch management
Operational ManagementOngoing security monitoring and improvement

B. Security Capability Assessment by Maturity Level

    flowchart LR
    L0["Level 0<br/>Not started<br/>Security activity<br/>not performed"]
    L1["Level 1<br/>Initial<br/>Basic security<br/>awareness/practice"]
    L2["Level 2<br/>Managed<br/>Formalized<br/>process in operation"]
    L3["Level 3<br/>Optimized<br/>Continuous improvement<br/>measurement/optimization"]

    L0 --> L1 --> L2 --> L3

    style L0 fill:#f5f5f5,stroke:#ccc,color:#555
    style L1 fill:#FFF3E0,stroke:#F57C00,color:#000
    style L2 fill:#E3F2FD,stroke:#1976D2,color:#000
    style L3 fill:#1E3A5F,stroke:#1E3A5F,color:#fff
  

Characteristics and Achievement Criteria by Maturity Level

LevelNameCharacteristicsExample Achievement Criteria (Secure Build)
Level 0Not performedThe security practice is not performed at allNo dependency vulnerability scanning performed
Level 1InitialPerformed in an ad hoc, informal wayKnown vulnerable components identified at build time
Level 2ManagedPerformed via a formalized, documented processSAST/SCA automation integrated into CI/CD
Level 3OptimizedOptimized through continuous improvement and measurement metricsAutomatic SBOM generation, vulnerability SLA management

SAMM Assessment Procedure

    flowchart LR
    S1["Current-state assessment<br/>Measure level<br/>of 15 practices"]
    S2["Score calculation<br/>Maturity score<br/>per business function"]
    S3["Set target level<br/>Reflect org strategy<br/>determine priority"]
    S4["Build roadmap<br/>Phased improvement plan<br/>resource/schedule allocation"]
    S5["Execute & reassess<br/>Periodic maturity measurement<br/>continuous improvement"]

    S1 --> S2 --> S3 --> S4 --> S5
    S5 -->|"reassess annually"| S1

    style S1 fill:#E3F2FD,stroke:#1976D2,color:#000
    style S2 fill:#F3E5F5,stroke:#7B1FA2,color:#000
    style S3 fill:#FFF3E0,stroke:#F57C00,color:#000
    style S4 fill:#FFEBEE,stroke:#D32F2F,color:#000
    style S5 fill:#E8F5E9,stroke:#388E3C,color:#000
  

3. Expected Benefits and Practical Application of Adopting OWASP SAMM

CategoryKey Expected BenefitApplication & Practical Use
Security capability diagnosisObjective measurement and benchmarking of current software security levelTrack maturity trends with an annual SAMM self-assessment
DevSecOps integrationIntegrates security automation of implementation/verification functions into CI/CDEmbed SAST/DAST/SCA tools into the pipeline
Executive reportingMeasure and report the value of security investment in business languageVisualize security posture with a radar chart of maturity across the 5 functions
ComplianceLink SAMM practices with ISMS-P, ISO 27034, and PCI-DSS requirementsUse SAMM evidence to prepare for certification audits