Effective CISSP Questions

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. Which of the following is not true?
A. SAMM defines five maturity levels as objectives.
B. SAMM supports the complete software lifecycle.
C. SAMM is a prescriptive model that is technology and process agnostic.
D. SAMM categorizes software development activities into five critical business functions.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. SAMM defines five maturity levels as objectives.

SAMM defines three maturity levels as objectives.


  • SAMM stands for Software Assurance Maturity Model.
  • Our mission is to provide an effective and measurable way for all types of organizations to analyze and improve their software security posture.
  • We want to raise awareness and educate organizations on how to design, develop, and deploy secure software through our self-assessment model.
  • SAMM supports the complete software lifecycle and is technology and process agnostic.
  • We built SAMM to be evolutive and risk-driven in nature, as there is no single recipe that works for all organizations.


The OWASP SAMM Model 2.0

SAMM is a prescriptive model, an open framework which is simple to use, fully defined, and measurable. The solution details are easy enough to follow even for non-security personnel. It helps organizations analyze their current software security practices, build a security program in defined iterations, show progressive improvements in secure practices, and define and measure security-related activities.

SAMM was defined with flexibility in mind so that small, medium, and large organizations using any style of development can customize and adopt it. It provides a means of knowing where your organization is on its journey towards software assurance and understanding what is recommended to move to the next level of maturity.

SAMM does not insist that all organizations achieve the maximum maturity level in every category. Each organization can determine the target maturity level for each Security Practice that is the best fit and adapt

Source: OWASP SAMM 2.0

The Origin of SAMM

The Software Assurance Maturity Model (SAMM) was originally developed, designed, and written by Pravir Chandra (chandra-at-owasp-dot-org), an independent software security consultant. Creation of the first draft was made possible through funding from Fortify Software, Inc. This document is currently maintained and updated through the OpenSAMM Project led by Pravir Chandra. Since the initial release of SAMM, this project has become part of the Open Web Application Security Project (OWASP).

Source: OpenSAMM

Pravir Chandra (Fortify Software)

Pravir Chandra is director of strategic services at Fortify where he works with clients to build and optimize software security assurance programs. Pravir is widely recognized in the industry for his expertise in software security and code analysis, and also for his ability to apply technical knowledge strategically from a business perspective. Prior to Fortify, he was affiliated with Cigital as a principal consultant, where he led large software security programs at Fortune 500 companies. Pravir was also co-founder and chief security architect at Secure Software, Inc. before the company was acquired by Fortify Software. His book, Network Security with OpenSSL, is a popular reference on protecting software applications through cryptography and secure communications. His varied special project experience includes creating and leading the Open Software Assurance Maturity Model (OpenSAMM) project with the Open Web Application Security Project (OWASP) Foundation. Also, Pravir currently serves as a member of the OWASP Global Projects Committee.

Source: CMU-SEI

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

The Software Assurance Maturity Model (SAMM) is an open framework that helps organizations formulate and implement a software security strategy tailored to the specific risks facing the organization. Which of the following is not correct?
A. SAMM defines five maturity levels as objectives.
B. SAMM supports the complete software lifecycle.
C. SAMM is a prescriptive model that is technology and process agnostic.
D. SAMM categorizes software development activities into five critical business functions.

2 thoughts on “CISSP PRACTICE QUESTIONS – 20200914”
