August 26, 2022

Last Updated on January 19, 2024

Application security practices are at a crossroads. While traditional security verification methods like penetration testing and code review remain relevant, dev/test teams are looking to “shift security left” to earlier in the software development lifecycle (SDLC).

What tools and approaches can teams use to produce more secure software, as well as comply with requirements from the US government and others seeking assurance that the software they are procuring is secure?

To share how forward-leaning dev/test teams are leveraging the OWASP Software Assurance Maturity Model (SAMM) to reduce software vulnerabilities and risk, Taylor Smith, Network & Application Penetration Testing Lead at Pivot Point Security, joined a recent episode of The Virtual CISO Podcast. The show’s host is John Verry, Pivot Point Security CISO and Managing Partner.

SAMM’s history

OWASP released the original SAMM model back in 2009, when it was known as O SAMM. The current Version 2 is called OWASP SAMM. Its purpose has been to assess and secure the SDLC end-to-end, quantify its current maturity (that is, its current level of secure functions), and provide guidance on continuously improving overall security and process maturity.

“If I had to cut it to one sentence, OWASP SAMM is a measuring tool to help improve the general security of software in development, and it supports the entire life cycle,” says Taylor. “The whole purpose of SAMM is to not just shove security in at some point during the SDLC, but for it to be an integral part to the entire lifecycle. So, it’s also very flexible. It’s a maturity model that is tailored to the needs of all different development teams, cycles, businesses, and structures. Really cool.”

What is a maturity model?

Maturity models are prevalent not just in cybersecurity, but also for business planning. Like any model, maturity models attempt to simulate reality well enough to produce worthwhile output. The “maturity” aspect involves measuring—and encouraging—continuous improvement.

With OWASP SAMM, maturity refers to the improvement levels across different lifecycle stages.

“SAMM is focusing on the secure development lifecycle (SDL) by taking a look at the maturity of business functions over time to influence security improvements,” Taylor explains. “As you start to look at the various business definitions in SAMM, it starts to make sense what a mature application might look like.”

In preference to “immature,” OWASP uses the terminology “less mature” to talk about programs that are just getting started.

“The model is built to help with continuous improvement, and that’s why the term maturity is used,” adds Taylor. “It’s like a child growing up. You start small. You get big… mature.”

What’s next?

To hear this show with Taylor Smith, click here.

Ready for more software security content? You’ll love this podcast with thought leader Jim Manico: EP#19 – Jim Manico – Why Application Security is a Team Sport and How Your Team Will Win


Free OWASP ASVS Testing Guide

If you are just learning about OWASP’s testing standard or are considering the best way to prove the security of an application, this guide is meant for you!