Next SAMM release coming this week

There’s been a huge amount of feedback and lots of refinement to SAMM since the Beta was released last August. I’m happy to report that we’re putting the finishing touches and reviews on the next release as I write. I’ll put together some separate posts that discuss the rationale behind the major changes, but in general, here are some new features in the next release:

  • Better introduction – there’s a proper Executive Summary and a section describing the structure of the model before diving into the details
  • A section on assessing an existing assurance program – this should help folks that need to map an existing software security program into SAMM (or anyone just performing an assessment of a software security program in general)
  • Better guidance on building assurance programs – the Beta had some short text, but the next release includes a bigger section on building a roadmap for a particular organization
  • New layout and design – revamped the ordering of SAMM materials based on feedback from users, and there’s a new topical table of contents (to better route people through the resources provided)

I’m looking forward to feedback on the 1.0 release once it’s out this week… stay tuned!


  1. #1 by Dave (aka Security Ninja) - March 30th, 2009 at 03:04

    I wondered whether you guys had considered mapping your maturity levels to those of governance frameworks such as COBIT?

    I would be happy to help on that if you want to proceed with it. I will be doing this internally at work so I can use models such as SAMM and ISM3 for specific areas of security and then map the maturity levels (already done for ISM3) to COBIT for management because we use that for overall IT governance.

    Let me know what you think.


  2. #2 by chandra - March 30th, 2009 at 12:26

    Awesome, your help would be greatly appreciated! Part of the future plans is to create mappings from SAMM into several different existing standards, and COBIT is definitely on the list. The goal was to mark each maturity level with some information about the related sections (and perhaps compile these into a new document like “Using SAMM with COBIT” and write a little introduction and supporting materials). Please let me know anything I can do to help!

    For other future development items, I’ll be putting together a list on this site and going over them on the email discussion list, so hop on that too (it’s low traffic).


  3. #3 by Sami Al-Shaheri - February 8th, 2011 at 04:20

    I wonder if Dave did the mapping, and if there are other ideas to share with me. I’m a graduate student and I’m trying to do my research; I’m interested in COBIT and how mapping the information assurance methods/standards can help in cybersecurity.

    Best regards

    Sami Al-Shaheri
