February 17, 2023

Last Updated on January 16, 2024

When you’re ready to get started with improving web application security, a key initial step is to assess where you are today. OK… assess how? And against what?

OWASP SAMM (for Software Assurance Maturity Model V2) can be the answer to both questions.

To share all the ways that OWASP SAMM can benefit orgs looking to improve their AppSec practices, a recent episode of The Virtual CISO Podcast features Sebastien Deleersnyder, Co-founder & CTO at Toreon. Hosting the show is John Verry, Pivot Point Security CISO and Managing Partner.

SAMM is all about assessment
What sets OWASP SAMM apart from other proven models like the Building Security In Maturity Model (BSIMM) is its emphasis on defining process maturity.

“[SAMM] is a maturity model because it allows organizations to understand where they are and how they can improve in terms of maturity,” Sebastien describes. “SAMM helps you to measure those security activities that are part of your SDL. And once you can measure them, you can manage them.”

SAMM measures maturity across 5 business functions, each with 3 security practices for a total of 15 practices. You can assign each of these practices a maturity level from zero (doing nothing) to three (you’ve mastered the practice and are continuing to improve).

A mature AppSec practice doesn’t just find and fix security bugs, but also addresses the root cause of the bugs being introduced within the SDLC. It’s a great place to be, but many orgs don’t aim for maturity level 3 on a given practice right out of the gate.

 

Deciding where to start

SAMM is designed to help teams assess the effectiveness of their current application security posture and create a roadmap for reducing AppSec risk. SAMM also reflects the reality that, for most orgs, improving AppSec will proceed in stages and won’t happen overnight.

AppSec activities also need to align with an application’s risk profile and with business needs (e.g., customer demands or compliance drivers). This factors into which application would be a good pilot project to start rolling out new AppSec controls.

 

What’s next?

To hear this podcast episode with web application security expert Sebastien Deleersnyder all the way through, click here.

Want to drill down on OWASP SAMM’s five business functions? Here’s a related post: OWASP SAMM’s 5 Business Functions Unpacked