SAMM Quick Start V1-1-Final-page

The OWASP SAMM Quick Start Guide provides a framework for organizations to assess and implement software security strategies within their Software Development Lifecycle. It outlines 12 security practices across 4 business functions and offers a structured approach to improve software assurance maturity through preparation, assessment, target setting, planning, implementation, and roll-out. The guide emphasizes the importance of adapting the model to fit organizational needs and encourages engagement with OWASP resources for effective application.

OWASP SAMM
QUICK START GUIDE

Project leaders: Pravir Chandra, Sebastien Deleersnyder, Bart De Win & Kuai Hinojosa

Creative Commons (CC) Attribution


Free Version at: https://www.owasp.org

OWASP SAMM QUICK START GUIDE


SAMM (Software Assurance Maturity Model) is the OWASP framework to help organizations assess, formulate and implement a strategy for software security, which can be integrated into their existing Software Development Lifecycle (SDLC). SAMM is fit for most contexts: whether your organization is mainly developing, outsourcing or rather focusing on acquiring software, whether you are using a waterfall or an agile method, the same model can be applied. This quick start guide walks you through the core steps to execute your SAMM-based secure software practice.

BACKGROUND
Before diving into actionable steps for a quick start, let’s first briefly describe the model itself. SAMM is based around a set of 12 security practices, which are grouped into 4 business functions. Every security practice contains a set of activities, structured into 3 maturity levels (1 to 3). The activities on a lower maturity level are typically easier to execute and require less formalization than the ones on a higher maturity level. The diagram below illustrates this with example activities found under the “Education and Guidance” security practice (which is part of the Governance business function):

[Diagram: maturity level (vertical axis) against risk mitigation (horizontal axis), with the three example activities of the Education and Guidance practice]

LEVEL 1: Approaches are more reactive or ad hoc.
“Offer development staff access to resources covering the topics of secure programming and development.” Here, you are only “offering” materials, and only to a subset of your team.

LEVEL 2: Things are more structured and going well.
“Educate all personnel in the software life-cycle with role-specific guidance on secure development.” Here, you are taking an active role, and you are working with the entire team. You may have individuals responsible for training others, and you may be collecting informal feedback on how effective your training programs are.

LEVEL 3: Most comprehensive, most repeatable, and most formally verifiable.
“Mandate comprehensive security training and certify personnel for baseline knowledge.” At this highest level, you are not only providing the training from level 2, but also requiring that everyone on the team can prove that they have a comprehensive understanding of security and their role in achieving it.

The structure and setup of the SAMM maturity model are made to support (i) the assessment of the current software assurance posture, (ii) the definition of the strategy (i.e. the target) that the organization should take, (iii) the formulation of an implementation roadmap of how to get there and (iv) prescriptive advice on how to implement particular activities. In that sense, the value of SAMM lies in providing a means to know where your organization is on its journey towards software assurance, and to understand what is recommended to move to a next level of maturity. Note that SAMM does not insist that all organizations achieve maturity level 3 in every category. Indeed, you determine the target maturity level for each “Security Practice” that is the best fit for your organization and its needs. SAMM provides a number of templates for typical organizations to this end, but it is recommended that these be adapted to the needs of your organization.

HOW TO APPLY?
The diagram below illustrates the typical approach of using SAMM in an organization, starting with preparation and going through assessment, setting the target, planning and implementation to roll-out. SAMM is particularly well suited to support continuous improvement, in which case the cycle is executed continuously (typically in periods of 3 to 12 months). Note that it is not necessary to always execute all these steps though. SAMM could be used to perform just the assessment, or to only define the long-term goals, for instance.

[Diagram: the SAMM cycle]
1 PREPARE -> 2 ASSESS -> 3 SET THE TARGET -> 4 DEFINE THE PLAN -> 5 IMPLEMENT -> 6 ROLL-OUT -> (back to 1 PREPARE)



So how do you go about executing the different steps described above? To get started, the following table provides more information for each step in terms of the goal, the different activities to be executed and the most important supporting resources.

STEP 1: PREPARE

Purpose: Ensure a proper start of the project.

Activities:
• Define the scope: set the target of the effort (the entire enterprise, a particular application or project, or a particular team).
• Identify stakeholders: ensure that important stakeholders are identified and well aligned to support the project.
• Spread the word: inform people about the initiative and provide them with information to understand what you will be doing.

Resources:
• Consider involving at least: Executive Sponsor, Security Team, Developers, Architects, Business Owners, QA Testers, Managers.
• SAMM wiki: https://www.owasp.org/index.php/OWASP_SAMM_Project
• SAMM downloads: https://www.owasp.org/index.php/OWASP_SAMM_Project#tab=Downloads

Best practices:
• Pre-screen software development maturity to have realistic expectations.
• The smaller the scope, the easier the exercise.

STEP 2: ASSESS

Purpose: Identify and understand the maturity of your chosen scope in each of the 12 software security practices.

Activities:
• Evaluate current practices: organize interviews with relevant stakeholders to understand the current state of practices within your organization. You could evaluate this yourself if you understand the organization sufficiently well. SAMM provides lightweight and detailed assessments (where the latter is an evidence-based evaluation) – use the detailed one only if you want to have absolute certainty about the scores.
• Determine maturity level: based on the outcome of the previous activity, determine for each security practice the maturity level according to the SAMM maturity scoring system. In a nutshell, when all activities below and within a maturity level have been implemented, this level can be used for the overall score. When extra higher-level activities have been implemented without reaching a full next level, add a “+” to the rating.

Resources:
• SAMM toolbox: https://www.owasp.org/index.php/OWASP_SAMM_Project#tab=Downloads
• Both of these resources provide you with: assessment questions; maturity level calculation.

Best practices:
• Ensure consistent assessment for different stakeholders and teams by using the same questions and interviewer.
• Consider using different formats to gather data, e.g. workshops vs. interviews.
• Ensure interviewees understand the particularities of activities.
• Understand which activities are not applicable to the organization and take this into account in the overall scoring.
• Anticipate/document whether you plan to award partial credit, or just document various judgement calls.
• Repeat questions to several people to improve the assessment quality.
• Consider making interviews anonymous to ensure honesty.
• Don’t take questions too literally.

STEP 3: SET THE TARGET

Purpose: Develop a target score that you can use as a measuring stick to guide you to act on the “most important” activities for your situation.

Activities:
• Define the target: set or update the target by identifying which activities your organization should implement ideally. Typically this will include more lower-level than higher-level activities. Predefined roadmap templates can be used as a source for inspiration. Ensure that the total set of selected activities makes sense and take into account dependencies between activities.
• Estimate overall impact: estimate the impact of the chosen target on the organization. Try to express it in budgetary arguments.

Resources:
• See the How-To-Guide for predefined templates.
• Software Assurance Maturity Model (SAMM) Roadmap Chart Worksheet (part of the OpenSAMM Benchmarking) as a comparative source.

Best practices:
• Take into account the organisation’s risk profile.
• Respect dependencies between activities.
• As a rough measure, the overall impact of a software assurance effort is estimated at 5 to 10% of the total development cost.

STEP 4: DEFINE THE PLAN

Purpose: Develop or update your plan to take your organization to the next level.

Activities:
• Determine change schedule: choose a realistic change strategy in terms of number and duration of phases. A typical roadmap consists of 4 to 6 phases for 3 to 12 months.
• Develop/update the roadmap plan: distribute the implementation of additional activities over the different roadmap phases, taking into account the effort required to implement them. Try to balance the implementation effort over the different periods, and take dependencies between activities into account.

Resources:
• SAMM Resources: https://www.owasp.org/index.php/SAMM-Resources
• SAMM project plan template: https://www.owasp.org/index.php/OWASP_SAMM_Project#tab=Downloads

Best practices:
• Identify activities that can be completed quickly and successfully early in the project.
• Start with awareness / training.
• Adapt to coming release cycles / key projects.

STEP 5: IMPLEMENT

Purpose: Work the plan.

Activities:
• Implement activities: implement all activities that are part of this period. Consider their impact on processes, people, knowledge and tools. The SAMM model contains prescriptive advice on how to do this. OWASP projects may help to facilitate this.

Resources:
• Useful OWASP resources per activity are described at https://www.owasp.org

Best practices:
• Treat legacy software separately. Do not mandate migration unless really important.
• Avoid operational bottlenecks (in particular for the security team).

STEP 6: ROLL-OUT

Purpose: Ensure that improvements are available and effectively used within the organization.

Activities:
• Evangelize improvements: make the steps and improvements visible for everyone involved by organizing trainings and communicating with management stakeholders.
• Measure effectiveness: measure the adoption and effectiveness of implemented improvements by analyzing usage and impact.

Best practices:
• Categorize applications according to their impact on the organization. Focus on high-impact applications.
• Use team champions to spread new activities throughout the organization.
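As an added worked example (not code from this guide or from the OWASP SAMM project), the Python below implements the maturity scoring rule of step 2 (a level counts only when all activities at and below it are implemented; extra higher-level activities earn a “+”), the gap between a practice’s current rating and the target score of step 3, and the list of outstanding activities that the roadmap of step 4 has to distribute over phases. It also applies the step 2 best practice of leaving not-applicable activities out of the scoring. The activity identifiers (EG1A and so on), the sample assessment outcomes and the targets are constructed for illustration, and the layout of two activities per maturity level is an assumption of the example, not something the guide states.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example, not part of the OWASP SAMM Quick Start Guide. Activity ids
# such as "EG1A" are constructed placeholders; the two-activities-per-level
# layout is an assumption of this example.

MAX_LEVEL = 3  # the guide describes 3 maturity levels per practice


@dataclass(frozen=True)
class Activity:
    id: str                  # constructed identifier, e.g. "EG1A"
    level: int               # maturity level (1..3) the activity belongs to
    implemented: bool        # assessment outcome for this activity
    applicable: bool = True  # False when the activity does not apply to the organization


def score_practice(activities: list[Activity]) -> str:
    """Rating for one security practice, e.g. "0", "1+", "2" or "3".

    A level is reached only when every applicable activity at that level and
    at all lower levels is implemented. Implemented activities above the
    reached level add a "+" (partial credit) but never a full level.
    Not-applicable activities are excluded from the check.
    """
    reached = 0
    for level in range(1, MAX_LEVEL + 1):
        required = [a for a in activities if a.level == level and a.applicable]
        if not all(a.implemented for a in required):
            break  # this level is incomplete, so higher levels cannot count
        reached = level
    extra = any(a.implemented and a.applicable and a.level > reached for a in activities)
    return f"{reached}+" if extra else str(reached)


def reached_level(rating: str) -> int:
    """Numeric part of a rating: "1+" -> 1."""
    return int(rating.rstrip("+"))


def score_assessment(assessment: dict[str, list[Activity]]) -> dict[str, str]:
    """Rate every practice of an assessment (practice name -> rating)."""
    return {name: score_practice(acts) for name, acts in assessment.items()}


def gap_to_target(ratings: dict[str, str], targets: dict[str, int]) -> dict[str, int]:
    """Full levels still missing per practice against the target score (step 3)."""
    return {p: max(0, targets[p] - reached_level(ratings[p])) for p in targets}


def missing_activities(activities: list[Activity], target_level: int) -> list[Activity]:
    """Applicable, not yet implemented activities needed to reach target_level,
    lowest level first: the work the step 4 roadmap distributes over phases."""
    todo = [a for a in activities
            if a.applicable and not a.implemented and a.level <= target_level]
    return sorted(todo, key=lambda a: a.level)


# Constructed sample assessment of three practices (not real assessment data).
SAMPLE_ASSESSMENT = {
    "Education & Guidance": [
        Activity("EG1A", 1, True), Activity("EG1B", 1, True),
        Activity("EG2A", 2, True), Activity("EG2B", 2, False),
        Activity("EG3A", 3, False), Activity("EG3B", 3, False),
    ],
    "Strategy & Metrics": [
        Activity("SM1A", 1, True), Activity("SM1B", 1, False),
        Activity("SM2A", 2, True), Activity("SM2B", 2, False),
        Activity("SM3A", 3, False), Activity("SM3B", 3, False),
    ],
    "Policy & Compliance": [
        Activity("PC1A", 1, True), Activity("PC1B", 1, True),
        Activity("PC2A", 2, True), Activity("PC2B", 2, False, applicable=False),
        Activity("PC3A", 3, False), Activity("PC3B", 3, False),
    ],
}
SAMPLE_TARGETS = {"Education & Guidance": 2, "Strategy & Metrics": 1, "Policy & Compliance": 2}

if __name__ == "__main__":
    ratings = score_assessment(SAMPLE_ASSESSMENT)
    gaps = gap_to_target(ratings, SAMPLE_TARGETS)
    for name, rating in ratings.items():
        todo = [a.id for a in missing_activities(SAMPLE_ASSESSMENT[name], SAMPLE_TARGETS[name])]
        print(f"{name:22} current {rating:>2}  target {SAMPLE_TARGETS[name]}  "
              f"levels to gain {gaps[name]}  roadmap items {todo}")
```

In the sample, Education & Guidance scores “1+” (level 1 complete, one level 2 activity done), Strategy & Metrics scores “0+” (a level 2 activity is implemented but level 1 is not complete, so it earns only a “+”), and Policy & Compliance scores a full “2” because its missing level 2 activity was marked not applicable. Whether a “+” is awarded at all is exactly the partial-credit decision the step 2 best practices ask you to document up front.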

As part of a quick start effort, the first four phases (preparation, assessment, setting the target and defining the plan) can be executed by a single person in a limited amount of time (1 to 2 days). Making sure that this is supported in the organization, as well as the implementation and roll-out phases, typically requires much more time to execute.

OWASP RESOURCES
The following SAMM resources are referenced in the SAMM Quick Start Guide:

• SAMM wiki: https://www.owasp.org/index.php/OWASP_SAMM_Project

• SAMM downloads: https://www.owasp.org/index.php/OWASP_SAMM_Project#tab=Downloads

• SAMM toolbox: https://www.owasp.org/index.php/OWASP_SAMM_Project#tab=Downloads

• Browse SAMM online: https://www.owasp.org/index.php/OWASP_SAMM_Project#tab=Browse_Online

• SAMM project plan template: https://www.owasp.org/index.php/OWASP_SAMM_Project#tab=Downloads

• OWASP resources: https://www.owasp.org/index.php/Main_Page

To apply SAMM you will find a lot of great resources at OWASP. We have created a SAMM resources collection on the OWASP wiki.
Go to https://www.owasp.org/index.php/SAMM-Resources to discover all our SAMM resources online.
This wiki category links OWASP and other resources to SAMM security practices.

FINAL NOTES
The best way to grasp SAMM is to start using it. This document has presented a number of concrete steps and supportive material to execute on. Now it’s your turn. We warmly invite you to spend a day or two on following the first steps, and you will quickly understand and appreciate the added value of the model. Enjoy!

Suggestions for improvements are very welcome. And if you’re interested, consider joining the mailing list or becoming part of the SAMM community.

Discover SAMM online - https://www.owasp.org/index.php/SAMM

Subscribe to our SAMM mailing list - https://lists.owasp.org/mailman/listinfo/samm

Follow us on Twitter - https://twitter.com/OwaspSAMM
