Software Assurance Maturity Model
SAMM provides an effective and measurable way for all types of organizations to analyze and improve their software security posture.
From our blog
Be an OWASP SAMM contributor and tell us about your experience using our maturity model in guest articles. Get in touch with us to share your SAMM story.
Introducing the SAMM Benchmark Report
Unlocking New Insights in Application Security
The world of software security evolves rapidly, with new challenges and best practices emerging every day. For organizations striving to build robust application security programs, the ability to compare practices and measure progress against industry peers is invaluable. This is where the SAMM Benchmark Report steps in: a comprehensive analysis based on real-world data that provides actionable insights into the current state of application security maturity.
Enabling teams with the OWASP SAMM Skills Framework
By The SAMM Project Team on February 9, 2025
Introduction
Picture this: your team is tasked with building secure, compliant software, but you’re not sure where to begin or whom to involve. In today’s cloud-driven world, even solid security plans can stall if teams don’t know which tasks they own or believe they lack the right skills to get started. Across teams, many organizations lack a clear view of ownership and shared responsibilities, whether they work with internal service providers or external public service providers.

SAMM Scoring: Percent to Target and Progress to Date Metrics
By Aram Hovsepyan on January 21, 2025
Introduction: the “not applicable” answer
A common question among SAMM users is whether specific activities, streams, or entire practices can be marked as not applicable. This seems reasonable: some security activities might not fit an organization’s current reality. For example, the Supplier Security stream focuses on supply-chain risks in outsourced development. If your organization doesn’t outsource, it might seem irrelevant. The SAMM core team acknowledges this, but emphasizes future readiness.
Microsoft SDL and OWASP SAMM Mapping: A Comprehensive Analysis
By Aram Hovsepyan on January 20, 2025
Introduction
The Microsoft Security Development Lifecycle (SDL) was introduced in 2004 as Microsoft’s response to the security challenges that plagued its Windows operating system. As the first formal secure SDLC framework, it laid the foundation for many secure software development practices. In its latest version, Microsoft SDL comprises 10 security practices, each containing a set of requirements designed to reduce security risks across the software development lifecycle.
Our Sponsors
Software powers the world, but insecure software threatens safety, trust, and economic growth.
Your support powers SAMM and helps us achieve our mission.