OWASP SAMM (Software Assurance Maturity Model) is a free, vendor-neutral framework for measuring and improving an organization's software security practices. Version 2.0 shipped in September 2020, replacing the original OpenSAMM released in March 2009, and it's maintained by the OWASP Foundation alongside projects like the OWASP Top 10 and ASVS. SAMM breaks software security into 5 business functions, 15 security practices, and 30 underlying "streams," each scored on a maturity scale from 0 to 3. Unlike a pass/fail audit, SAMM produces a maturity profile — a snapshot of where your SDLC is strong (say, Level 2 in Threat Assessment) and where it's weak (Level 0 in Security Testing) — that maps directly to a prioritized roadmap. For compliance teams juggling SOC 2, ISO 27001, and customer security questionnaires, SAMM is the closest thing to a shared vocabulary for "how mature is your AppSec program, actually."
What Is OWASP SAMM Used For?
OWASP SAMM is used to benchmark and improve an organization's secure software development practices through a repeatable, measurable assessment rather than a one-time checklist. Teams run a SAMM assessment to answer three questions: where are we today, where do we need to be, and what's the fastest path between the two. A mid-size fintech with 40 engineers might score Level 1 in "Security Requirements" (informal, ad hoc) but Level 3 in "Vulnerability Management" (a mature, SLA-driven patching process) — SAMM surfaces that imbalance so investment goes to the weakest link, not the practice that already looks good in a slide deck. Because the model is free and framework-agnostic, it's commonly cited as evidence of a structured AppSec program in vendor security reviews, RFPs, and SOC 2 Type II narratives, where auditors want to see intentional maturity, not just tool sprawl.
How Is OWASP SAMM Structured?
OWASP SAMM v2 is structured around 5 business functions, each containing exactly 3 security practices, for 15 practices total. The functions are Governance (strategy, policy, education), Design (threat assessment, security requirements, secure architecture), Implementation (secure build, secure deployment, defect management), Verification (architecture assessment, requirements-driven testing, security testing), and Operations (incident management, environment management, operational management). Each of the 15 practices splits into 2 streams — 30 streams in total — that represent different angles on the same practice. For example, the "Threat Assessment" practice has a "Application Risk Profile" stream and an "Threat Modeling" stream, because knowing your risk exposure and actually modeling threats are related but separable capabilities. This 5-15-30 structure is what makes SAMM assessments granular enough to drive a real backlog instead of a vague "improve security" mandate.
How Do SAMM Maturity Levels Work?
SAMM maturity levels work on a 0-to-3 scale applied independently to each of the 30 streams, where 0 means the practice isn't performed at all and 3 means it's optimized, metrics-driven, and improving over time. Level 1 is typically ad hoc or reactive (someone does threat modeling occasionally, informally), Level 2 means the practice is formalized with defined process and consistent execution across teams, and Level 3 adds measurement, automation, and continuous improvement loops — think automated SBOM generation on every build feeding a tracked remediation SLA, rather than a security engineer manually checking dependencies before a release. Organizations score each stream separately and then aggregate to a practice-level and function-level view, usually visualized as a radar or bar chart. OWASP publishes a free "SAMM Assessment Toolbox" spreadsheet that scores roughly 80 assessment questions across the 30 streams, so most teams can complete a baseline self-assessment in a few days without hiring a consultant.
How Does SAMM Compare to BSIMM?
SAMM and BSIMM (Building Security In Maturity Model) both measure software security maturity, but SAMM is a prescriptive, open framework anyone can apply from scratch, while BSIMM is a descriptive, data-driven model built from observed practices at roughly 130 participating firms and licensed commercially through Synopsys (now Black Duck). SAMM tells you what a Level 2 threat-modeling practice should look like and lets you self-assess against that target; BSIMM tells you what firms in your industry vertical are actually doing, based on interview data, and benchmarks you against that peer set. SAMM is free, published under a Creative Commons license, and designed for organizations of any size — a 20-person startup can run it as easily as a bank. BSIMM assessments are typically paid engagements aimed at larger enterprises that want peer benchmarking data. Many security teams reference SAMM in public-facing compliance documentation specifically because it's free to cite and independently verifiable, whereas BSIMM scores are usually kept confidential between the assessed firm and Synopsys.
Who Requires or References OWASP SAMM?
No regulator mandates OWASP SAMM by name, but it's widely referenced as supporting evidence in SOC 2, ISO 27001, and PCI DSS secure-development narratives because it demonstrates a documented, measurable SDLC security program. Auditors evaluating SOC 2's CC8.1 (change management) or ISO 27001's Annex A.14 (secure development) controls frequently accept a SAMM maturity assessment as evidence that an organization has moved past informal, undocumented practices. Enterprise procurement teams — particularly in fintech, healthcare, and government-adjacent SaaS — increasingly ask vendors directly for their OWASP SAMM or BSIMM score during security questionnaires, alongside SOC 2 reports and penetration test summaries. OWASP itself maintains the SAMM Community and publishes case studies from organizations like Deutsche Telekom and various financial institutions that have run public assessments, which is part of why SAMM shows up in RFP language even though it carries no legal or regulatory force on its own.
How Do You Get Started With a SAMM Assessment?
You get started with a SAMM assessment by downloading the free Assessment Toolbox from owaspsamm.org, answering its roughly 80 questions honestly across all 30 streams, and plotting the resulting scores against your target maturity for each practice. Most teams run a lightweight self-assessment first — a half-day workshop with engineering leads, security, and one product owner — to get a directional baseline, then follow up with a more rigorous, evidence-backed assessment (citing actual tickets, SLAs, and tool configs rather than gut-feel) before using scores externally in compliance documentation. The biggest first-run mistake is over-scoring: teams routinely claim Level 2 for practices that are actually Level 1 because a policy document exists even though nobody follows it. A realistic baseline followed by a 12- to 18-month roadmap toward 2-3 target-level increases across your weakest practices is a more credible story for auditors and customers than an assessment that claims Level 3 everywhere on day one.
How Safeguard Helps
Safeguard turns SAMM's "Verification" and "Implementation" practices from a spreadsheet exercise into continuous, automated evidence. Our reachability analysis determines which vulnerabilities in your dependency tree are actually exploitable in your running code — not just present in a manifest — which is exactly the kind of metrics-driven signal SAMM Level 3 "Security Testing" expects. Griffin AI, Safeguard's AI-powered triage engine, correlates that reachability data with exploit intelligence to prioritize the handful of findings that matter out of the hundreds a typical SCA scan returns. Safeguard also generates and ingests SBOMs automatically on every build, giving you the audit trail auditors want for SOC 2 and ISO 27001 secure-development controls without manual spreadsheet upkeep. And when a real fix is needed, Safeguard opens auto-fix PRs directly against the affected dependency, so your "Defect Management" and "Vulnerability Management" streams move from ad hoc patching toward the automated, SLA-driven Level 3 maturity SAMM is designed to measure.