Next-gen DevSecOps
A revamped version of OWASP’s Software Assurance Maturity Model (SAMM) adds automation along with maturity measurements to the open source security-related framework.
OWASP SAMM v2 – released on Tuesday after three years of refinement – is geared towards helping organizations that develop software to travel down the path towards becoming more secure.
The approach is based on a community-led open source framework that “allows teams and developers to assess, formulate, and implement strategies for better security which can be easily integrated into an existing organizational software development lifecycle”.
The SAMM v2 framework – which is designed to simplify the process of analyzing and improving organizational security posture – has evolved to include automation while improving its alignment with development team workflows.
The new release includes a quick start guide, the SAMM ToolBox for performing assessments and creating roadmaps, and a benchmarking scheme designed to help teams compare their maturity and progress with the results achieved at similar organizations.
“This is a really important release for the project team,” project co-leaders Seba Deleersnyder and Bart De Win said in an update to the security community.
“After three years of preparation, the team, our SAMM community, and through the help of our sponsors we now have an effective and measurable way for all types of organizations to analyze and improve their software security posture.”
Shift left
Using a single GitHub source, a SAMM team can automatically generate a maturity model featuring PDF documents and a website, along with the companion toolbox and applications.
The revised framework supports maturity measurements from both coverage and quality perspectives.
The OWASP SAMM community includes security-knowledgeable volunteers from both businesses and educational organizations. The global community works to create “freely-available articles, methodologies, documentation, tools, and technologies”.