
Abstract
Most organizations track their SAMM and DSOMM progress in spreadsheets, Confluence pages, or endless status meetings. If they’re lucky, they have the budget to get a tool like SAMMY. But when it’s time to prove you’re doing the thing, whether that’s secure code reviews, SAST scans, or release gating, the evidence is scattered across tools, teams, and tribal knowledge.
In this talk, we’ll explore how to turn SAMM and DSOMM requirements into automated, verifiable tests that run as part of your development workflows. We’ll walk through:
- Mapping SAMM activities to machine-checkable signals
- Pulling compliance evidence directly from your existing tools
- Detecting gaps before an audit catches them
- Automating release gates to enforce maturity standards in real time
We’ll use real-world examples to show what this looks like in practice, featuring a collection of open-source automations as our reference implementation so you can take the patterns home and adapt them to your own environment. Let’s move from “we think we comply” to “we know we comply, and we can prove it”.
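As an added illustration of the pattern the abstract describes (not the talk's reference implementation), the following Python sketch evaluates a constructed evidence record, as a CI system and code host might export it, against illustrative activity checks, reports gaps, and uses the result as a release gate. The activity labels, the evidence fields and the thresholds are assumptions for the example, not official SAMM or DSOMM identifiers.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed evidence for one release candidate: the "machine-checkable signals"
# a CI pipeline and a code host could export (field names are assumptions).
EVIDENCE = {
    "release": "v1.4.2",
    "pipeline_steps": ["build", "unit-test", "sast", "deploy"],
    "sast_findings": {"critical": 0, "high": 1},
    "pull_requests": [
        {"id": 101, "approvals": 2, "reviewer_is_author": False},
        {"id": 102, "approvals": 0, "reviewer_is_author": False},  # unreviewed
    ],
}

@dataclass
class Activity:
    name: str                   # illustrative label, not an official identifier
    required_for_release: bool  # True: unmet check blocks the release
    check: Callable[[dict], bool]

def sast_in_pipeline(ev: dict) -> bool:
    return "sast" in ev["pipeline_steps"]

def no_critical_sast_findings(ev: dict) -> bool:
    return ev["sast_findings"].get("critical", 0) == 0

def every_pr_reviewed(ev: dict) -> bool:
    # A change counts as reviewed only with at least one non-author approval.
    return all(pr["approvals"] >= 1 and not pr["reviewer_is_author"]
               for pr in ev["pull_requests"])

ACTIVITIES = [
    Activity("SAST scan runs on every build", True, sast_in_pipeline),
    Activity("No critical SAST findings at release", True, no_critical_sast_findings),
    Activity("Secure code review on every change", False, every_pr_reviewed),
]

def assess(ev: dict, activities=ACTIVITIES) -> dict:
    """Evaluate each activity against the evidence; True means provably met."""
    return {a.name: a.check(ev) for a in activities}

def gaps(results: dict) -> list:
    """Activities with no supporting evidence: the audit findings in waiting."""
    return [name for name, ok in results.items() if not ok]

def release_gate(ev: dict, activities=ACTIVITIES) -> tuple:
    """Return (allowed, blocking_activities); any unmet required activity blocks."""
    blocking = [a.name for a in activities if a.required_for_release and not a.check(ev)]
    return (not blocking, blocking)
```

Running `gaps(assess(EVIDENCE))` on the constructed record flags the unreviewed pull request while `release_gate(EVIDENCE)` still allows the release, because code review is configured as reported-only rather than blocking.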