Need to assess and improve security in your SDLC? OWASP’s SAMM might be a good place to start. But what exactly is it?
OWASP’s Software Assurance Maturity Model (SAMM) is an open-source framework designed to help organisations enhance the security of their software development lifecycle (SDLC). It provides a structured approach to assessing and improving software security practices.
The goal? To make building secure software easier, more effective, and more efficient, with a measurable and actionable way to strengthen your security posture.
Let’s break it down.
–
01 – Key principles: prescriptive, versatile and agnostic
SAMM is a prescriptive model, offering specific guidance on implementing security activities. It’s versatile, meaning it’s suitable for organisations of all sizes and development approaches. Importantly, it’s also technology and process agnostic, making it adaptable to a wide range of environments.
02 – Why it was created
SAMM aims to address the need for a structured yet adaptable approach to security, striking the balance between frameworks that are either too rigid or too vague. Many organisations struggled to adapt existing models to their specific needs and risk tolerances. SAMM allows them to tailor their security strategy to their specific circumstances.
Another key goal was to make security measurable and actionable. Many organisations lack a clear way to evaluate the effectiveness of their security practices.
03 – How it’s structured
SAMM is built around 15 security practices, grouped into 5 business functions: Governance, Design, Implementation, Verification and Operations.
Each business function contains three security practices, and each practice is split into two streams representing different aspects of that practice. Each stream is further divided into three maturity levels, creating a clear roadmap for improvement.
Although this might sound complex, SAMM’s hierarchical structure (business function → security practice → stream → activity → maturity level) actually makes it very logical and easy to follow.
04 – The benefits of using it
SAMM provides a structured framework to analyse and improve software security posture. By identifying gaps and evaluating existing practices, organisations can create a balanced security programme aligned with their risk profile and business needs. Its flexibility ensures security initiatives support organisational goals without disrupting workflows.
With measurable maturity levels and clear metrics, SAMM also helps organisations track progress, demonstrate improvement, and justify security investments. It raises awareness and educates stakeholders on secure development practices, which helps foster a security-first culture. This holistic approach reduces risk, builds stakeholder confidence, and integrates security seamlessly into the SDLC.
05 – Potential drawbacks
There’s an argument that SAMM’s structured approach can feel overly rigid or complex for smaller organisations with limited resources. Without sufficient expertise or support, it might be difficult to implement improvements effectively. Additionally, the need for ongoing assessments and tracking may strain teams already stretched thin.
Another concern is the potential for bias or inconsistency in self-assessments, especially without external validation.
Despite these challenges, organisations that commit to SAMM often find the benefits far outweigh the drawbacks.
06 – How to get started
As an open-source framework, SAMM is supported by a wealth of resources and an active OWASP community. The best place to start is by familiarising yourself with the framework and conducting an initial assessment. Then define your target maturity levels and develop an implementation plan.
As with all security initiatives, ensure your approach aligns with your organisation's business goals, has senior leadership buy-in, and is well communicated across the organisation.
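To make the structure from section 03 and the assess / set targets / plan steps above concrete, here is an added example in Python (mine, not code from this post or from OWASP's SAMM toolkit). It models the 5 business functions, 15 practices and 2 streams with 0 to 3 maturity scores, then lists the practices that fall short of their targets. The averaging used for practice and business-function scores is my assumption, not something the post specifies, and the assessment values are constructed.

```python
# Added example: a minimal model of SAMM's hierarchy and a current-vs-target
# gap analysis. Assumed scoring (not from the post): practice score = mean of
# its two streams, business function score = mean of its three practices.
from statistics import mean

SAMM = {  # business function -> its three security practices (SAMM's own names)
    "Governance": ["Strategy & Metrics", "Policy & Compliance", "Education & Guidance"],
    "Design": ["Threat Assessment", "Security Requirements", "Secure Architecture"],
    "Implementation": ["Secure Build", "Secure Deployment", "Defect Management"],
    "Verification": ["Architecture Assessment", "Requirements-driven Testing", "Security Testing"],
    "Operations": ["Incident Management", "Environment Management", "Operational Management"],
}
PRACTICES = {p for names in SAMM.values() for p in names}
MAX_LEVEL = 3  # three maturity levels per stream; 0 means not started

def validate(assessment):
    """Reject incomplete assessments, unknown practices or scores outside 0..MAX_LEVEL."""
    missing = PRACTICES - set(assessment)
    if missing:
        raise ValueError(f"unassessed practices: {sorted(missing)}")
    for practice, streams in assessment.items():
        if practice not in PRACTICES or len(streams) != 2 or any(not 0 <= s <= MAX_LEVEL for s in streams):
            raise ValueError(f"bad entry for {practice!r}: {streams}")

def practice_scores(assessment):
    """Practice score = mean of its two stream scores."""
    validate(assessment)
    return {p: mean(streams) for p, streams in assessment.items()}

def function_scores(assessment):
    """Business function score = mean of its three practice scores."""
    ps = practice_scores(assessment)
    return {f: mean(ps[p] for p in names) for f, names in SAMM.items()}

def gaps(assessment, targets):
    """(practice, current, target) for each practice below its target, biggest shortfall first."""
    ps = practice_scores(assessment)
    below = [(p, ps[p], targets[p]) for p in ps if ps[p] < targets.get(p, 0)]
    return sorted(below, key=lambda g: g[2] - g[1], reverse=True)

# Constructed sample: every stream at level 1 except three practices; target level 2
# everywhere except Threat Assessment, which this fictional organisation wants at 3.
SAMPLE = {p: [1, 1] for p in PRACTICES}
SAMPLE.update({"Secure Build": [2, 3], "Security Testing": [0, 1], "Threat Assessment": [0, 0]})
TARGETS = {p: 2 for p in PRACTICES}
TARGETS["Threat Assessment"] = 3

if __name__ == "__main__":
    print(function_scores(SAMPLE))
    print(gaps(SAMPLE, TARGETS))
```

The gap list, ordered by shortfall, is the raw material for the implementation plan: the biggest shortfalls against the targets you set are the first candidates for investment.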
–
Whether you’re just starting your security journey or looking to enhance your existing practices, SAMM offers a straightforward, free, and well-supported way to take your software security to the next level.
Posted 06 Feb 25