Software Assurance Maturity Model

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. The resources provided by SAMM will aid in:

Evaluating an organization’s existing
software security practices

Building a balanced software security program
in well-defined iterations

Demonstrating concrete improvements
to a security assurance program

Defining and measuring security-related activities
within an organization

SAMM was defined with flexibility in mind such that it can be utilized by small, medium, and large organizations using any style of development. Additionally, this model can be applied organization-wide, for a single line-of-business, or even for an individual project.

As an open project, SAMM content shall always remain vendor-neutral and freely available for all to use.


OWASP.org is a valuable resource for any company involved with online payment card transactions. Dell uses OWASP’s Software Assurance Maturity Model (OpenSAMM) to help focus our resources and determine which components of our secure application development program to prioritize. Participation in OWASP’s local chapter meetings and conferences around the globe helps us build stronger networks with our colleagues.

Michael J. Craigue, Information Security & Compliance, Dell, Inc.


SAMM has defined the building blocks for effective software security assurance… Our clients can use the model to see what needs to be done and what skills and resources are needed to do the job. Best of all, businesses can use SAMM to quantify results and improvements by assessing practices against SAMM activities.

Matt Bartoldus, Co-Founder & Director, Gotham Digital Science


These days people understand that security has to be built in–it can’t be bolted on.  But for many a big question remains: what does it take to build secure software?  SAMM tackles that question head on with a framework for creating and growing a software security initiative.  SAMM has focused the way I think about the human side of the software security problem.

Brian Chess, Founder & Chief Scientist, Fortify Software


The perfect starting place, finally a methodology to help us bring it all together… Where do i get it!

Anonymous, national university


A great document that can be implemented over a period of time, to help address the risks we have with our software.

Anonymous, international financial institution