Introduction

Maturity Frameworks

OWASP SAMM (owaspsamm.org) is a structured framework to assess and enhance Software Security Development Lifecycle (SSDLC) maturity across business functions.

Action

Assessment Process

The OWASP SAMM maturity model supports assessing the current software assurance posture, defining a target strategy, and providing a roadmap with implementation guidance.


1. Initial consultation

Purpose

Ensure a proper start of the project

Activities

Define the scope: Set the target of the effort: the entire enterprise, a particular application or project, or a particular team.
Identify stakeholders: Ensure that the important stakeholders are identified and well aligned to support the project.
Spread the word: Ensure availability of the important stakeholders and communicate a concrete action plan and timeline.
2. SAMM Assessment

Purpose

Identify and understand the maturity of your chosen scope in each of the 15 software security practices

Activities

Evaluate current practices: Organize interviews with relevant stakeholders to understand the current state of practices within your organization. You can evaluate this yourself if you understand the organization well enough. SAMM provides lightweight and detailed assessments; the latter is an evidence-based evaluation, so use the detailed one only if you need absolute certainty about the scores.
Determine maturity level: Based on the outcome of the previous activity, determine the maturity level of each security practice according to the SAMM maturity scoring system. Activities are scored by a multiple-choice system; the scores are averaged for each security practice area and then added together to determine the overall score.
3. Maturity Report

Purpose

Once the evaluation is complete, we provide a comprehensive report that highlights your current software assurance posture. This report outlines your organization’s strengths, as well as any gaps or areas needing improvement.

Activities

Document current practices: Record the current state of practices within the assessed scope, including the strengths and gaps identified during the assessment.
Prepare a shareable report: Prepare an executive summary and a detailed report with graphics explaining the current situation.
4. Improvement Roadmap

Purpose

Develop a target score that you can use as a measuring stick to guide you to act on the most important activities for your situation

Activities

Activity prioritization: Discuss and identify the improvement opportunities that will deliver the biggest impact to the organization.
Define the target: Set or update the target by identifying which activities your organization should ideally implement. Typically this will include more lower-level than higher-level activities. Ensure that the total set of selected activities makes sense, and take dependencies between activities into account.
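The four steps above describe a scoring and gap calculation in words only. The following is an added worked example (not code from this page, from OWASP SAMM or from its tooling) that implements the scheme exactly as the text states it: each activity is answered with a multiple-choice option, the answers are averaged per security practice, the practice scores are added together for the overall score, and a target score per practice drives the roadmap prioritisation. The answer credits, the three-practices-per-function layout (using SAMM 2's practice names, which the page does not list), the interview answers and the targets are all assumptions constructed for the illustration.

```python
"""Simplified SAMM-style scoring and gap report (illustrative example).

Assumptions, none of which come from the page: answer credits, the
practice-per-function layout, the sample answers and the targets.
"""
from statistics import mean

# Assumed mapping of a multiple-choice interview answer to a 0..1 credit.
ANSWER_CREDIT = {"no": 0.0, "few": 0.25, "half": 0.5, "most": 0.75, "yes": 1.0}
MAX_LEVEL = 3  # three maturity levels per practice, as stated on the page

# Assumed structure: 5 business functions, 15 practices (SAMM 2 names).
MODEL = {
    "Governance": ["Strategy & Metrics", "Policy & Compliance", "Education & Guidance"],
    "Design": ["Threat Assessment", "Security Requirements", "Security Architecture"],
    "Implementation": ["Secure Build", "Secure Deployment", "Defect Management"],
    "Verification": ["Architecture Assessment", "Requirements-driven Testing", "Security Testing"],
    "Operations": ["Incident Management", "Environment Management", "Operational Management"],
}

# Constructed sample interview answers: {practice: {level: [answer per activity]}}.
# Practices that were not discussed simply score 0.
SAMPLE_ANSWERS = {
    "Threat Assessment": {1: ["yes", "most"], 2: ["half", "few"], 3: ["no", "no"]},
    "Secure Build": {1: ["yes", "yes"], 2: ["most", "most"], 3: ["half", "no"]},
    "Security Testing": {1: ["most", "half"], 2: ["few", "no"]},
    "Incident Management": {1: ["half", "half"]},
}

# Constructed target scores (0..3) agreed with the stakeholders for the roadmap.
SAMPLE_TARGETS = {
    "Strategy & Metrics": 1.0,
    "Threat Assessment": 2.0,
    "Secure Build": 2.0,
    "Security Testing": 1.5,
    "Incident Management": 1.0,
}


def practice_score(answers_by_level):
    """Average the answer credits at each level, then add the level averages.

    Result is a 0..3 score for one practice; a level with no answers adds 0.
    """
    score = 0.0
    for level in range(1, MAX_LEVEL + 1):
        answers = answers_by_level.get(level, [])
        if answers:
            score += mean(ANSWER_CREDIT[a] for a in answers)
    return round(score, 2)


def score_assessment(answers):
    """Score every practice in the model: {practice: 0..3 score}."""
    return {p: practice_score(answers.get(p, {})) for ps in MODEL.values() for p in ps}


def function_scores(scores):
    """Average the practice scores inside each business function."""
    return {f: round(mean(scores[p] for p in ps), 2) for f, ps in MODEL.items()}


def overall_score(scores):
    """Practice scores added together, as the page describes the overall score."""
    return round(sum(scores.values()), 2)


def gap_report(scores, targets):
    """Rows of (practice, current, target, gap), largest gap first.

    A practice without an explicit target is treated as already at target.
    """
    rows = []
    for practice, current in scores.items():
        target = targets.get(practice, current)
        rows.append((practice, current, target, round(max(0.0, target - current), 2)))
    return sorted(rows, key=lambda r: (-r[3], r[0]))


if __name__ == "__main__":
    scores = score_assessment(SAMPLE_ANSWERS)
    for function, value in function_scores(scores).items():
        print(f"{function:<15} {value:.2f}")
    print(f"overall score: {overall_score(scores):.2f}")
    print("roadmap candidates (largest gap first):")
    for practice, current, target, gap in gap_report(scores, SAMPLE_TARGETS):
        if gap > 0:
            print(f"  {practice:<28} {current:.2f} -> {target:.2f} (gap {gap:.2f})")
```

With the constructed answers, Threat Assessment scores 1.25 (0.875 + 0.375 + 0), Secure Build 2.0 and the overall score 4.5; the gap report then puts Strategy & Metrics (no practice in place, target 1.0) ahead of the two practices with a 0.75 gap, which is the kind of ordering the activity-prioritisation step works from. A real SAMM assessment uses its own question set and weighting, so treat the numbers as an illustration of the mechanics rather than as official scores.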

Deep dive

The Model

Each activity has three levels of maturity. Each level has a detailed description of its benefit, acceptance criteria and a guideline.

Why

Benefits and use cases

Get ready for the cybersecurity standards and frameworks with specific, measurable and achievable steps using OWASP SAMM

NIST SP 800-53

Requires secure development practices, particularly in the SA (System and Services Acquisition) family, which includes controls for system development life cycle security.

NIST Cybersecurity Framework (CSF)

Encourages secure development practices under the “Protect” function, particularly in the area of Secure Software Development and Supply Chain Risk Management.

ISO/IEC 27001

Requires the implementation of secure development policies under control A.14.2 (Security in Development and Support Processes).

CIS Controls (Center for Internet Security)

Control 16 (Application Software Security) includes requirements for adopting secure development practices in the software development lifecycle.

EU Cyber Resilience Act (CRA)

The EU Cyber Resilience Act mandates the implementation of a secure development lifecycle (SDLC) to ensure that software products and connected devices meet cybersecurity standards throughout their entire lifecycle.

FISMA (Federal Information Security Management Act)

Requires federal agencies to implement security controls, including secure development practices, as part of their risk management and information system security lifecycle.

PCI DSS (Payment Card Industry Data Security Standard)

Version 4.0 includes specific requirements for secure software development, mandating organizations to integrate security throughout the SDLC for payment applications.

Executive Order 14028 (Improving the Nation’s Cybersecurity)

This U.S. Executive Order mandates the use of secure development practices for government contractors and agencies, particularly regarding supply chain security and software development.

HIPAA (Health Insurance Portability and Accountability Act)

The HIPAA Security Rule requires covered entities to implement policies and procedures that secure ePHI, which can include secure development lifecycle practices in software handling health data.

CMMC (Cybersecurity Maturity Model Certification)

Requires the implementation of secure development practices at higher maturity levels to protect federal contract information and controlled unclassified information.

FedRAMP (Federal Risk and Authorization Management Program)

Mandates that federal cloud service providers follow secure development practices as part of their overall security controls for government systems.

Price

OWASP SAMM Assessment packages

Future-proof development lifecycle

Compact

€5700 + VAT

High level assessment of one selected scope with a visual report

• Initial consultation
• Assessment of 5 business functions
• Current SSDLC posture and gap report
• Roadmap suggestion based on assessment interviews

Complete

€6900 + VAT

Collaboration to assess, document and prepare a tailored roadmap

Everything in Compact, plus:
• Tailored roadmap planning based on client’s security risk appetite
• 3 Post-Assessment calls to validate improvements and discuss strategy

Customized


Let’s talk

Collaboration that can include an evidence check, project management, writing new SSDLC policies, or any other unique needs you have.

Make it happen

Request a quote

We will prepare a quotation document for your purchasing team within 24 hours.
No spam afterwards (really).

Next steps

Implement controls

We have partnered with Codific's SAMMY to deliver the best tools and processes to ensure the success of your maturity program.

[Figure: Codific SAMMY assessment flow]

Let’s discuss collaboration!

Details

FAQ


How do ISO 27001 and SAMM complement each other?

The October 2022 revision of the ISO/IEC 27001 standard introduced simplified domains, practical language, and new controls, including a separate control for secure coding. This update highlights the complementary nature of ISO 27001 and OWASP SAMM, particularly in enhancing software security. While ISO 27001 provides a broad framework for an information security management system (ISMS), SAMM offers detailed guidance on secure software development. Implementing both standards together can maximize their effectiveness, with ISO 27001 ensuring organizational buy-in and risk management, and SAMM providing actionable advice for secure development. This combination helps organizations improve their security posture and meet audit requirements more effectively.

How do you determine an assessment scope?

To determine the right scope for a SAMM assessment, start small by evaluating your goals and involving all relevant stakeholders to ensure alignment with your organization’s security strategy. Consider the specific business context, including customer type, geographic location, and regulatory obligations. Tailor the scope to your needs and resources, starting with a single team if it’s your first assessment. Ensure consistency in practices and management styles within the chosen scope, and document the context for repeatability. This approach helps build a solid foundation for future growth and broader assessments.

How does SAMM map to other standards?

The OWASP Software Assurance Maturity Model (SAMM) has mappings to OpenCRE, NIST SSDF, BSIMM and other standards and guidelines. OpenCRE, or Open Common Requirement Enumeration, provides a common framework for comparing different security standards. By linking SAMM streams to OpenCRE, users can easily find relevant resources and see how SAMM aligns with standards like NIST SSDF, ISO27K, PCI-DSS, OWASP ASVS, and NIST 800-53. For example, the Threat Assessment stream in SAMM connects to the CRE for ‘Threat modeling processes,’ which maps to several standards, including NIST SSDF PW.1.1 and ISO27K A.14.2.5. This integration helps users navigate the complex landscape of security standards more effectively.

How does SAMM relate to NIST SSDF?

Comprehensive mapping: OWASP SAMM provides a detailed mapping to NIST SSDF, helping organizations understand the relationship between SAMM streams and SSDF tasks.
Simplified implementation: SAMM is designed to flatten the learning curve, making it easier for organizations to start implementing SSDF guidelines.
Coverage and compliance: Implementing OWASP SAMM covers all NIST SSDF tasks, ensuring comprehensive security compliance.
Informative references: The mapping uses Informative References to show the relationships between SAMM activities and SSDF tasks, aiding understanding and implementation.

Difference between SAMM and BSIMM

Purpose:
BSIMM: Descriptive model used to observe and report software security activities across organizations.
SAMM: Prescriptive model designed to help organizations build and improve their software security practices.

Flexibility:
BSIMM: Provides a common vocabulary to compare different security initiatives without prescribing specific actions.
SAMM: Allows customization for different organization sizes and development styles, with defined maturity levels.

Maturity levels:
BSIMM: Activities are categorized by frequency of observation, not by depth or breadth.
SAMM: Defines three maturity levels for each security practice, from initial understanding to comprehensive mastery.

Usage:
BSIMM: Best used for benchmarking and understanding industry practices.
SAMM: Helps organizations analyze, build, and measure their security programs iteratively.