Measuring software maturity using the OWASP SAMM

Contact me for expert help with a maturity assessment, or learning how to do them yourself. Download the PGP public key to email privately.

What is OWASP?

A quick intro: OWASP (the Open Worldwide Application Security Project) is an open-source, open community of security practitioners (and anyone interested in securing all the things, really), with many projects ranging from application security training and cheat sheets to risk management, and everything in between. (If it has to do with AppSec, there's probably an OWASP project for it. Seriously, search the web for "OWASP" plus anything AppSec related, and you'll find an OWASP page for it.)

OWASP is far more than the Top 10. There are even more lists than the original Top 10 (but that's for another page).

What is the OWASP SAMM?

The Software Assurance Maturity Model provides a clearly measurable way for organizations to analyze and improve their software security posture. It contains 90 questions covering the following domains across the secure SDLC:

The model can focus on an individual software or infrastructure project, or be applied to the entire organization (as it relates to secure software). The SAMM team is even working on community-sourced data for a benchmark, so organizations can compare their maturity to others (anonymously of course -- as security practitioners, we are naturally concerned with privacy).

The model is available in many formats:

Why contract a maturity consultant?

Most maturity consulting is carried out by a team of inexperienced people who are unable to thoroughly explain the topics or what the questions are asking (performing maturity assessments is not usually why people get into security), nearly guaranteeing an inconsistent view of the enterprise.

I interview the teams and stakeholders involved in the craft and delivery of software directly, and combine their answers into a concise, cohesive view of your organization's security maturity. I provide consistency, expertise, and guidance on next steps. Further, I can train your personnel to perform the interviews or answer the questions, deliver the reports and metrics themselves, and understand the issues the SAMM brings up.

OWASP SAMM official resources