Back in August 2019 we announced that we were an official sponsor and contributor to the Software Assurance Maturity Model (SAMM). We are pleased to follow up today to announce that SAMM version 2 has been released!
Now an official OWASP flagship project, SAMM culminates nearly two decades of effort by hundreds of software security experts to establish an effective and measurable way for any organization to improve the security of their software.
We are excited to have played a role in the development of v2, and are looking forward to using SAMM to help our clients assess, build, measure, and benchmark their software security programs.
We won’t reiterate all the great improvements in SAMM v2 – for that you can read the official announcement here. We did however want to highlight some key areas that we find most useful and meaningful in the framework:
- The new SAMM Benchmarking Initiative enables collaboration between organizations to help answer “How am I doing compared to peers?” There is now a process to collect and analyze contributed data, and we look forward to regular reporting of comparative analyses across industries, highlights of key trends, and identification of new areas of exploration based on the data. Experts from the OWASP Top 10 data collection effort are driving this initiative, so we have high hopes for the quality and quantity of the effort here – get involved and contribute your data!
- The SAMM Toolbox has been updated to enable easier review of your application security activities against well-defined quality criteria and to calculate a maturity score. It follows the well-known spreadsheet-driven approach from version 1.5, updated with the new Business Functions, Activities, and Streams that allow much greater precision in evaluating and scoring real-world programs. Organizations can easily self-assess, get evaluated by an independent assessor, or both (NCC Group can perform SAMM v2 assessments!).
- A new contribution and publication architecture draws from a single contribution source on GitHub and automatically generates and synchronizes the SAMM website, PDFs, the toolbox, and applications. All the model content has been converted to YAML files, allowing easy consumption of SAMM by applications and tools. It has never been easier to contribute to SAMM, or for those contributions to meaningfully influence software security at hundreds of organizations.
SAMM remains one of the longest-lived and most-recognized frameworks for defining and measuring software security programs. SAMM’s alignment with OWASP has increased its reach and adoption, and its open status differentiates it from proprietary competitors. SAMM’s core model maps to the timeless “design-code-test-operate + govern” pattern, which has sustained it for nearly two decades and continues to resonate.
We have followed the same “design-code-test-operate + govern” framework for many years in our SDL consulting work for clients of all sizes, and we continue to use SAMM for portions of our own software security program service offerings. If you see the need for a more mature SDL in your company, reach out to us and we’d be happy to help take your organization to the next level.