OWASP SAMM
a maturity-model view of the Software Assurance Maturity Model

OWASP SAMM: a maturity model for the software security programme, not a vulnerability list

OWASP SAMM (Software Assurance Maturity Model) is the open framework that measures software security maturity across five business functions and fifteen security practices, on a three level scale. Where the OWASP Top 10 ranks the most critical risks and OWASP ASVS verifies what a secure web application looks like, SAMM measures the organisation that produces the application. SAMM is published by the Open Worldwide Application Security Project, is freely available under a Creative Commons licence, and is the model most product organisations reach for when they need a vendor-neutral way to describe and improve the maturity of their software security programme.

SAMM is most useful when an organisation needs to talk about software security maturity in the same way across engineering, leadership, audit, and the buyer side. A statement like “our programme is mature” is unfalsifiable. A statement like “we score Stream A at Level 2 and Stream B at Level 1 in Verification, with a target of 2 across both streams in twelve months” is operational. SAMM is the language that makes that operational statement possible. The OWASP framework reference covers the headline risk taxonomy; this page covers the maturity model that sits underneath the programme that addresses those risks.

The five business functions and the fifteen security practices

SAMM organises the software security programme into five business functions, each containing three security practices. The fifteen practices are the unit of assessment: each carries a maturity score, a target, an owner, and a roadmap. The business functions are the unit of communication: leadership cares about the function-level posture, engineering cares about the practice-level work.

For programmes that run authenticated DAST, SAST, and SCA as part of Verification, the authenticated scanning and code scanning features run those tests against the same engagement record that carries the SAMM scorecard, so Verification scores cite live evidence rather than a screenshot of a dashboard.

The three maturity levels: pick the target on purpose

SAMM scores each practice on a three-level scale. The level is a deliberate target, not a race: programmes are explicitly allowed (and encouraged) to set mixed targets across practices. A consumer product team and a financial services platform team in the same company can legitimately target different maturity levels in the same practice, because the risk surface and the regulatory weight are different.

Scoring mechanics: the toolbox, the streams, the scorecard

SAMM ships with a structured toolbox: one interview question set per practice, mapped to the maturity levels and the activity streams. The score is derived from the toolbox answers, with evidence captured per answer so the score is defensible. Scoring is the durable artefact; the slide deck that summarises it is not.

For deeper context on how the underlying findings discipline supports SAMM Verification and Implementation evidence, see the findings management workflow and the security findings deduplication guide, which together cover the data hygiene that turns scanner output into defensible Verification evidence.

How SAMM sits next to ASVS, BSIMM, NIST SSDF, and ISO 27001

SAMM is rarely used in isolation. It is the programme-level maturity layer that other frameworks depend on for context, or that wrap around it for a different audience. The contrast below is a working view, not a buyer comparison: the practitioner question is which frameworks to pair SAMM with, not which to pick instead of it.

Programmes operating under regulated procurement frameworks should pair SAMM with ISO 27001 Annex A.8 (technological controls covering secure development) where the ISMS is in scope, with SOC 2 Common Criteria where SaaS audit evidence is needed, and with PCI DSS Requirement 6 where payment data is in scope. The maturity claim travels across audits when the underlying evidence is the same; the auditor view is a filter on the same record, not a separate workspace.

SAMM for AppSec teams, DevSecOps programmes, and pentest firms

SAMM is read differently depending on which side of the engagement you sit on. AppSec teams use SAMM as the programme-level scorecard that ties the requirements they own (Design, Verification, parts of Implementation) into the wider engineering operating model. DevSecOps programmes use SAMM as the operating model that calibrates pipeline gates, environment hardening, and incident response, especially across the Implementation and Operations business functions. Pentest firms running maturity assessments for clients use SAMM as the structured scope of the assessment and as the language the deliverable speaks, so the buyer gets a defensible scorecard rather than a generic gap analysis.

The persona-specific entry points are SecPortal for application security teams, SecPortal for DevSecOps teams, and SecPortal for security consultants. Each anchors a different view of the same SAMM assessment record.

The roadmap: the deliverable that justifies the assessment

A SAMM assessment is not the deliverable. The scorecard names the current state. The deliverable is the gap between current and target maturity, expressed as a roadmap that names the practices to lift, the activities that lift them, the owner, and the timeline. The roadmap is what gets funded, what gets reviewed, and what carries over into the next cycle. The standard cadence is annual full reassessment, with quarterly progress checks on the subset of practices that are actively being lifted.

For deeper context on translating findings into structured remediation work that supports SAMM Implementation (Defect Management) scores, see the remediation tracking workflow and the vulnerability prioritisation framework, which together cover the triage and closure mechanics that distinguish a Level 1 defect management practice from a Level 2 one. For the Design business function (Threat Assessment practice), the threat model template is the copy-ready STRIDE artefact that lifts the practice from Level 1 (ad hoc threat modelling on individual systems) to Level 2 (per-application threat assessment with named reviewers, mitigation decisions, and verification evidence) by giving every system the same eight-section structure and review cadence.

Where SecPortal fits in a SAMM assessment cycle

SecPortal is the operating layer for a SAMM assessment cycle. The platform handles scope, toolbox answers, evidence, scorecard, target setting, roadmap, and re-scoring on cadence, so the assessment runs as a single record rather than a long email thread with attached spreadsheets. For consultancies running SAMM assessments on behalf of multiple clients, the security consulting workspace bundles the SAMM record with branded client portals, so each client sees their own live scorecard rather than a frozen PDF.

Looking for the engagement workflow that supports the assessment record itself? The penetration testing use case and the DevSecOps scanning use case capture how SecPortal turns SAMM Verification and Implementation evidence into structured records covering scope, scanner output, findings, retests, and the deliverable.

For programme-level context on how maturity assessments fit into the wider security delivery operating model, see the security workflow orchestration research and the scaling security consultancy with automation guide, which together cover the operating-model thinking that turns SAMM scores into a sustained programme rather than a one-off slide deck.