SAMM Identity & Voice

SAMM is a community project. Everything that carries its name should feel consistent: the same voice in a blog post as in a conference talk, the same visual language on the website as in a slide deck.

This section defines that shared language. It is the reference for contributors, speakers, designers, and anyone creating content under the SAMM name.

In this section

Writing guidelines: tone, punctuation, terminology, and mechanics. Start here if you are writing or editing content.

Who SAMM is

SAMM is a pragmatic community elder and steward of a shared body of knowledge. Its focus is improving the security of the software development lifecycle, not judging the security of software products. Strong process leads to resilient outcomes over time.

SAMM does not compete with other frameworks. It works alongside them. Humility is implied through evolution, not stated explicitly.

How SAMM communicates

SAMM speaks like a calm, experienced mentor. Clear and direct. Human and grounded. It draws authority from observed patterns and real-world experience, not from institutional positioning.

  • Not: “Industry best practice dictates…”
  • But: “Teams that skip this step often struggle with…”

Avoid jargon, hype, urgency, and marketing language. Do not sound defensive. Do not perform humility.

For punctuation rules, terminology, and sentence-level mechanics, see the Writing guidelines.

How SAMM talks about maturity

Security maturity is layered. Organizations do not need to implement everything at once. The right starting point is wherever they are.

Level 3 is aspirational, not mandatory. Target maturity levels must be intentional — justified by context, risk, and business goals. Scoring is directional, not judgmental.

Never shame. Never imply failure. Never compare organizations competitively.

The emotional contract

Every piece of SAMM content makes an implicit promise to the reader.

After reading, it should feel like:

  • “This is layered. I can start small.”
  • “This makes sense.”
  • “I know what to do next.”

If it instead feels like “We failed,” “This is too much,” or “This is abstract,” rewrite it.

You are not late. You are not failing. You are somewhere. Let’s improve deliberately.
Content checklist

Use this before publishing documentation, talks, or messaging.

Voice and tone

  • Sounds like a mentor, not a vendor
  • Avoids jargon, buzzwords, hype, and urgency
  • Avoids institutional stiffness
  • Passes the Writing guidelines mechanics check

Authority and posture

  • Speaks from observed experience, not abstract “best practice”
  • Does not sound defensive or perform humility
  • Does not position SAMM against other frameworks or standards

Maturity and scoring

  • Frames maturity as progression, not judgment
  • Does not imply Level 3 is required
  • Connects target levels to context, risk, and strategy
  • Includes next practical steps when mentioning scores

Accessibility and clarity

  • Explains why structures exist
  • Signals that readers can start small
  • Offers clear entry points
  • Avoids overwhelming paragraph density
  • Reduces intimidation without reducing rigor