What is OWASP SAMM?
The following is a summary from the OWASP SAMM:
- SAMM stands for Software Assurance Maturity Model.
- Our mission is to provide an effective and measurable way for all types of organizations to analyze and improve their software security posture.
- We want to raise awareness and educate organizations on how to design, develop, and deploy secure software through our self-assessment model.
- SAMM supports the complete software lifecycle and is technology and process agnostic.
- We built SAMM to be evolutive and risk-driven in nature, as there is no single recipe that works for all organizations.
SAMM Maturity Levels
SAMM defines three maturity levels as objectives.
The OWASP SAMM Model 2.0
SAMM is a prescriptive model, an open framework which is simple to use, fully defined, and measurable. The solution details are easy enough to follow even for non-security personnel. It helps organizations analyze their current software security practices, build a security program in defined iterations, show progressive improvements in secure practices, define, and measure security-related activities.
SAMM was defined with flexibility in mind so that small, medium, and large organizations using any style of development can customize and adopt it. It provides a means of knowing where your organization is on its journey towards software assurance and understanding what is recommended to move to the next level of maturity.
SAMM does not insist that all organizations achieve the maximum maturity level in every category. Each organization can determine the target maturity level for each Security Practice that is the best fit and adapt
Source: OWASP SAMM 2.0
The Origin of SAMM
The Software Assurance Maturity Model (SAMM) was originally developed, designed, and written by Pravir Chandra (chandra-at-owasp-dot-org), an independent software security consultant. Creation of the first draft was made possible through funding from Fortify Software, Inc. This document is currently maintained and updated through the OpenSAMM Project led by Pravir Chandra. Since the initial release of SAMM, this project has become part of the Open Web Application Security Project (OWASP).
Pravir Chandra (Fortify Software)
Pravir Chandra is director of strategic services at Fortify where he works with clients to build and optimize software security assurance programs. Pravir is widely recognized in the industry for his expertise in software security and code analysis, and also for his ability to apply technical knowledge strategically from a business perspective. Prior to Fortify, he was affiliated with Cigital as a principal consultant, where he led large software security programs at Fortune 500 companies. Pravir was also co-founder and chief security architect at Secure Software, Inc. before the company was acquired by Fortify Software. His book, Network Security with OpenSSL, is a popular reference on protecting software applications through cryptography and secure communications. His varied special project experience includes creating and leading the Open Software Assurance Maturity Model (OpenSAMM) project with the Open Web Application Security Project (OWASP) Foundation. Also, Pravir currently serves as a member of the OWASP Global Projects Committee.
OWASP SAMM Versions
- OWASP SAMM VERSION 2 – PUBLIC RELEASE
- OWASP SAMM v2.0 Released, Tuesday, February 11, 2020
- OWASP SAMM v1.5 Released, April 13, 2017
- OWASP SAMM v1.1 Released, March 16, 2016
- Original OpenSAMM release, March 25, 2009