Understanding the Software Assurance Maturity Model (SAMM)

What is SAMM?

• 💡 SAMM stands for Software Assurance Maturity Model, a prescriptive, open-source model designed to guide strategies tailored to an organization's specific risks.
• 🎯 The framework consists of 15 security practices structured into three maturity levels, helping organizations measure their progress against best practices.

Origin and Evolution of SAMM

• 🔑 Initially developed by Pravir Chandra in 2009, SAMM provides a way to measure how well practitioners are doing across five business functions: governance, design, implementation, verification, and operations.
• 🚀 In 2016, Chandra donated SAMM to the Open Web Application Security Project (OWASP), leading to the release of version 1.5 in 2017 with improved scoring granularity.
• 📈 OWASP released version 2.0 in 2020, upgrading maturity criteria to favor automation and better alignment with development teams.

SAMM vs. BSIMM

• 🧩 SAMM prescribes what organizations should be doing to improve software security.
• 📊 In contrast, the BSIMM (Build Security In Maturity Model) reports what organizations are actually doing based on observed initiatives and activities.

Benefits of a Maturity Model

• 🧠 A maturity model like SAMM helps quantify improvements in software development security, moving beyond a vague sense of 'better'.
• 🔍 It defines concretely how to perform individual security activities and, crucially, how to measure them for consistent efficacy across the organization.
• ✅ This approach ensures a focus on the quality of execution rather than a mere "checkbox approach" to security tasks like code review.