The Model

OWASP SAMM defines five business functions and fifteen security practices to help organizations assess and improve their software security posture.

Introduction

The original model was written by Pravir Chandra in 2009. Over the years, it has proven a widely distributed and effective model for improving secure software practices in different types of organizations throughout the world. Translations and supporting tools have been contributed by the community to facilitate adoption and alignment. Version 2.0 builds on that foundation to address some of the original model’s limitations, incorporating input from practitioners and the OWASP community gathered during summits in Europe and the US.

For an overview of the changes in version 2, read our SAMM version 2 release notes.

Prefer to read offline? Download SAMM v2 as a PDF: a printable version of the full model.