The OWASP Software Assurance Maturity Model (SAMM) enables organizations to formulate and implement a software security strategy tailored to their organization-specific risks. With SAMM, organizations can accurately evaluate their existing software security practices and steadily improve their security posture over time in well-defined iterations designed to meet their unique needs. The SAMM scoring model also helps demonstrate concrete improvements to security-related activities throughout an organization. SAMM is one of the very few mature and open resources available to help organizations measure and build software security programs.
Figure: Example SAMM Scorecard
Anyone who has filled out a SAMM assessment has had a discussion about whether to mark an answer "yes" or "no" when the honest answer is something in between. By replacing the Yes/No answers with four graduated steps, SAMM v1.5 improves the granularity of scoring, allowing partial credit for achieving maturity benchmarks. This, coupled with the matching scoring system, makes it easy to see maturity improvements from projects and initiatives on a dashboard. One of the main benefits of the updated scoring model is that improvement to your maturity score becomes visible on the dashboard as initiatives are completed, which can go a long way toward building support for your Application Security Program.
SAMM v1.5 has enhanced explanations of the maturity model with worksheets and guidance containing example case studies, which allow organizations not only to understand where they are, but also to understand what has worked (and what hasn't) for others in similar scenarios. This is a continuing effort, with more improvements expected in v2.0. Implementing SAMM is easier with a new Quick Start guide and Tool Box that includes interview forms and the ability to generate road maps, charts, and graphs.