This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit


Revision as of 13:54, 10 January 2016 by Sdeleersnyder (talk | contribs)

Jump to: navigation, search
OWASP Project Header.jpg

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:

  • Evaluate an organization’s existing software security practices
  • Build a balanced software security assurance program in well-defined iterations
  • Demonstrate concrete improvements to a security assurance program
  • Define and measure security-related activities throughout an organization


Dell uses OWASP’s Software Assurance Maturity Model (OpenSAMM) to help focus our resources and determine which components of our secure application development program to prioritize., (Michael J. Craigue, Information Security & Compliance, Dell, Inc.)

Want a very quick introduction? See the TBD - Quickstart Guide

For a slightly longer introduction see the latest project presentation.

Browse the SAMM model online here

Quick Download

Download OWASP SAMM!

News and Events

Please see the News and Talks tabs

Change Log

  • TBD

Email List

Questions? Please ask on the SAMM Mailing List

Project Leaders

Project Leaders
Seba Deleersnyder Pravir Chandra Kuai Hinojosa Bart De Win

Related Projects


Midlevel projects.png Owasp-defenders-small.png
C C A-S Alike 3.0
Project Type Files DOC.jpg


The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.


Click on any badge to learn more
Strategy & Metrics
SM1.png SM2.png SM3.png
Policy & Compliance
PC1.png PC2.png PC3.png
Education & Guidance
EG1.png EG2.png EG3.png
Threat Assessment
TA1.png TA2.png TA3.png
Security Requirements
SR1.png SR2.png SR3.png
Secure Architecture
SA1.png SA2.png SA3.png
Design Review
DR1.png DR2.png DR3.png
Code Review
CR1.png CR2.png CR3.png
Security Testing
ST1.png ST2.png ST3.png
Vulnerability Management
VM1.png VM2.png VM3.png
Environment Hardening
EH1.png EH2.png EH3.png
Operational Enablement
OE1.png OE2.png OE3.png

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details >here< !!


upcoming talks will be listed here:

  • OWASP DC - Software Assurance Maturity Model (SAMM) with Brian Glas! (2017-03-15)
  • OWASP NoVA - SAMM 1.5, what's changed and how it impacts you (2017-03-16)
  • InfoSec World - Software Assurance Maturity Model Evolutions (2017-04-03)

past talks:

  • OWASP 24/7 - Seba Deleersnyder discussing the upcoming SAMM Summit (listen - here) - 2015
  • OWASP Germany Day 2014: Seba Deleersnyder: OpenSAMM Best Practices: Lessons from the Trenches (download presentation) - 2014
  • AppSecEU14: Seba Deleersnyder & Bart De Win: OpenSAMM Best Practices: Lessons from the Trenches OpenSAMM Best Practices: Lessons from the Trenches (download presentation, see video) - 2014
  • AppSecEU13 - Hamburg: Seba Deleersnyder presenting a project update (download presentation) - 2013
  • OWASP Europe Tour 2013 - Geneva: Seba Deleersnyder presenting OpenSAMM and the renewed project (download presentation) - 2013
  • AppSecEU11 - Athens: Colin Watson presenting SAMM Training (download presentation) - 2011
  • AppSecEU09: Pravir Chandra presenting OpenSAMM v1.0 (download presentation) - 2009
  • Matt Bartoldus presentation on new SAMM project during OWASP London chapter (download presentation) - 2009
  • Pravir Chandra - first presentation discussing the next generation to the CLASP Project- a complete working of the details into a Software Assurance Maturity Model (SAMM). (download presentation) - 2009


Latest News on SAMM


SAMM is available in the following languages:

  • English
  • Spanish
  • Japanese
  • German

You can use Crowdin to help improve these translations or add new ones right now!


Project Roadmap:
Is available via this link

Release 1.1

The major features we are currently working on include:

  • Add quick start guide
  • Add tools & OWASP resources
  • Add use cases, experience
  • Revamp SAMM wiki

The date and exact items that will be included in 2.0 have not been finalized. The list of requested improvements is here


Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

Feature Requests



Please use the Mailing List for feedback:

  • What do like?
  • What don't you like?
  • How can we make SAMM easier to use?
  • How could SAMM be improved?


Are you fluent in another language? Can you help translate SAMM into that language?

You can use Crowdin to do that!


If you fancy having a go at adding functionality to ZAP then please get in touch via the zaproxy-develop Google Group.

Again, you do not have to be a security expert to contribute code - working on ZAP could be great way to learn more about web application security!

If you actively contribute to ZAP then you will be invited to join the project.


SAMM is developed and maintained by a worldwide team of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM:


We would like to thank the following sponsors who donated funds to our project:

Belgium Chapter.PNG London Chapter.PNG

Aspectsecurity.png Astech Consulting logo.png Denim Group logo.jpg Gotham Digital Science logo.jpg

300px90px       NetSPI logo.png SI Logo Stacked Application Security.jpg LogoToreon.jpg Veracode-samm.png

OWASP Books logo.png This project has produced a book that can be downloaded or purchased.
Feel free to browse the full catalog of available OWASP books.

Retrieved from ""