Rick Howard
You're listening to the CyberWire Network, powered by N2K. The word is SAMM, spelled S for software, A for assurance, M for maturity, and M for model.

Definition: A prescriptive open source software security maturity model designed to guide strategies tailored to an organization's specific risks.

Example sentence: The SAMM framework consists of 15 security practices containing activity sets structured into three maturity levels.

Origin and context: Initially developed by independent security consultant Pravir Chandra in 2009, SAMM is a maturity model that gives practitioners a way to measure how well they're doing against a set of prescribed best practices across five business functions: governance, design, implementation, verification, and operations. This is different from the BSIMM model, the Build Security In Maturity Model, that provides a baseline of observed software security initiatives and activities from a collection of volunteer software development shops. In other words, SAMM prescribes what organizations should be doing. BSIMM tells you what organizations are actually doing. Sometime in 2016, Chandra donated the first version of SAMM to the Open Web Application Security Project, or OWASP. The next year, April 2017, OWASP released version 1.5, with improvements focusing on the granularity of scoring and allowing partial credit for achieving maturity benchmarks. By 2020, OWASP released version 2.0 by upgrading the level 3 maturity criteria to favor automation and better alignment with development teams.

Nerd reference: In 2009, Chandra keynoted the OWASP MSP conference. In this clip, he highlights two very big reasons why a maturity model like SAMM is useful.
Pravir Chandra
I am sort of a software developer by, I guess, from a long time ago, and then I've sort of been indoctrinated in the security space for, I don't know, maybe the past decade or so. And I've worked for the last five years at least with organizations trying to help them set up security assurance programs at the highest level. And one of the things that's always kind of difficult is it's hard to really say what you did. So you get some money from your manager to make some improvements in how you build software and you say, well, it's better, but you can't really quantify how much better it is. Is it a lot better? Is it a little better? It's just better. So hopefully the maturity model is going to help with that as well. And then the last piece is really kind of helping to define concretely how you actually perform individual security activities in your development process. Not only how you perform them, but how do you measure them so that you can see whether or not they're actually being executed at the same level of efficacy everywhere, or how they're being done, basically making sure that we're keeping a good eye on how we're executing things, not just the checkbox approach of, yes, we're doing some code review. Well, how well are you doing that kind of thing?
Rick Howard
Word Notes is written by Nila Genoi, executive produced by Peter Kilpe, and edited by John Petrick and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliot Peltzman. Thanks for listening, Sam.
Host: N2K Networks
Release Date: July 22, 2025
Description: Deception, influence, and social engineering in the world of cybercrime.
In this episode of Hacking Humans, hosted by N2K Networks, the focus is on the Software Assurance Maturity Model (SAMM). Rick Howard opens the discussion by breaking down the acronym SAMM—Software Assurance Maturity Model—and providing an overview of its purpose and structure.
Rick Howard [00:02]: "SAMM is a prescriptive open-source software security maturity model designed to guide strategies tailored to an organization's specific risks."
SAMM is presented as a framework comprising 15 security practices organized into three maturity levels: origin, context, and performance. Initially developed by independent security consultant Pravir Chandra in 2009, SAMM offers practitioners a method to evaluate their adherence to best practices across five key areas: business governance, design, implementation, verification, and operations.
Rick Howard distinguishes SAMM from another model, the BSIMM (Build Security In Maturity Model):
Rick Howard [00:02]: "This is different from the BSIMM model, the Build Security In Maturity Model, that provides a baseline of observed software security initiatives and activities from a collection of volunteer software development shops. In other words, SAMM prescribes what organizations should be doing. BSIMM tells you what organizations are actually doing."
While SAMM is prescriptive, outlining recommended practices, BSIMM is descriptive, documenting what security initiatives are commonly implemented across various organizations.
The podcast delves into the history and evolution of SAMM:
2009: Pravir Chandra develops the initial version of SAMM as an independent security consultant.
2016: Chandra donates the first version of SAMM to the Open Web Application Security Project (OWASP).
April 2017: OWASP releases version 1.5, with finer-grained scoring and partial credit for achieving maturity benchmarks.
2020: OWASP releases version 2.0, upgrading the level 3 maturity criteria to favor automation and better alignment with development teams.
These updates reflect SAMM's adaptation to the changing landscape of software development and security practices.
A significant portion of the episode features Pravir Chandra himself, providing firsthand insights into the utility and impact of SAMM.
Pravir Chandra [02:34]: "One of the things that's always kind of difficult is it's hard to really say what you did. So you get some money from your manager to make some improvements in how you build software and you say, well, it's better, but you can't really quantify how much better it is."
Chandra underscores the challenge organizations face in quantifying improvements in their security programs. SAMM addresses this by offering a measurable framework that allows organizations to:
Quantify Improvements: By providing clear metrics, SAMM enables organizations to assess the extent of their enhancements in software security practices.
Pravir Chandra [02:34]: "Hopefully the maturity model is going to help with that as well."
Define and Measure Security Activities: Beyond merely performing security activities, SAMM facilitates the measurement of their efficacy, ensuring consistent and effective execution across development teams.
Pravir Chandra [02:34]: "Not only how you perform them, but how do you measure them so that you can see whether or not they're actually being executed at the same level of efficacy everywhere."
Chandra emphasizes that SAMM moves organizations away from a checkbox mentality, encouraging a deeper, more consistent approach to security practices.
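To make Chandra's point concrete, here is an added example, not code from the episode or from OWASP, of how a SAMM-style assessment turns "it's better" into a number: each of the 15 practices is scored per maturity level with partial credit, practice scores roll up into the five business functions, and two assessments a year apart can be compared and measured against a target level. The five function names are from the page; the 15 practice names are taken from the published SAMM 2.0 model (the page only gives the count); the four-step partial-credit scale, the summing and averaging rules, and the sample assessments are assumptions constructed for this example.

```python
from statistics import mean

# Business functions (named on the page) and the practices under them. The
# practice names follow the published SAMM 2.0 model; the page gives only
# the count of fifteen.
SAMM_MODEL = {
    "Governance": ["Strategy & Metrics", "Policy & Compliance", "Education & Guidance"],
    "Design": ["Threat Assessment", "Security Requirements", "Security Architecture"],
    "Implementation": ["Secure Build", "Secure Deployment", "Defect Management"],
    "Verification": ["Architecture Assessment", "Requirements-driven Testing", "Security Testing"],
    "Operations": ["Incident Management", "Environment Management", "Operational Management"],
}
ALL_PRACTICES = {p for ps in SAMM_MODEL.values() for p in ps}

# Partial-credit answers to "how much of this level's activity do we do?".
# This four-step scale is an assumption modelled on SAMM's partial-credit
# scoring (introduced in v1.5); adapt it to the questionnaire you use.
ANSWER_SCORE = {"no": 0.0, "few": 0.25, "half": 0.5, "most": 1.0}
MAX_LEVEL = 3


def practice_score(answers):
    """Score one practice from per-level answers, e.g. {1: "most", 2: "half"}.
    Levels not answered count as "no". Returns a value in [0, MAX_LEVEL]."""
    total = 0.0
    for level in range(1, MAX_LEVEL + 1):
        answer = answers.get(level, "no")
        if answer not in ANSWER_SCORE:
            raise ValueError(f"unknown answer {answer!r} for level {level}")
        total += ANSWER_SCORE[answer]
    return total


def score_assessment(assessment):
    """Return {function: {practice: score}}. Practices left out score 0, so an
    incomplete assessment never inflates; a misspelled practice is an error."""
    unknown = set(assessment) - ALL_PRACTICES
    if unknown:
        raise ValueError(f"not SAMM practices: {sorted(unknown)}")
    return {
        function: {p: practice_score(assessment.get(p, {})) for p in practices}
        for function, practices in SAMM_MODEL.items()
    }


def _raw_function_scores(assessment):
    return {f: mean(ps.values()) for f, ps in score_assessment(assessment).items()}


def function_scores(assessment):
    """Average practice score per business function, rounded for reporting."""
    return {f: round(s, 2) for f, s in _raw_function_scores(assessment).items()}


def improvement(before, after):
    """Per-function delta between two assessments; positive means better.
    Computed from unrounded scores so rounding cannot hide a small change."""
    b, a = _raw_function_scores(before), _raw_function_scores(after)
    return {f: round(a[f] - b[f], 2) for f in SAMM_MODEL}


def gaps_to_target(assessment, target_level):
    """Practices scoring below a program-wide target level, with the shortfall."""
    gaps = {}
    for practices in score_assessment(assessment).values():
        for practice, score in practices.items():
            if score < target_level:
                gaps[practice] = round(target_level - score, 2)
    return gaps


# Constructed sample data: a fictional team assessed twice, a year apart.
BASELINE = {
    "Strategy & Metrics": {1: "half"},
    "Education & Guidance": {1: "few"},
    "Threat Assessment": {1: "few"},
    "Secure Build": {1: "most", 2: "few"},
    "Security Testing": {1: "most"},
    "Incident Management": {1: "half"},
}
FOLLOW_UP = {
    "Strategy & Metrics": {1: "most", 2: "half"},
    "Policy & Compliance": {1: "half"},
    "Education & Guidance": {1: "most"},
    "Threat Assessment": {1: "most", 2: "few"},
    "Secure Build": {1: "most", 2: "most", 3: "half"},
    "Secure Deployment": {1: "half"},
    "Security Testing": {1: "most", 2: "half"},
    "Incident Management": {1: "most"},
}

if __name__ == "__main__":
    print("baseline:   ", function_scores(BASELINE))
    print("follow-up:  ", function_scores(FOLLOW_UP))
    print("improvement:", improvement(BASELINE, FOLLOW_UP))
    print("below level 1:", gaps_to_target(FOLLOW_UP, 1))
```

Run as a script, the output answers the two questions from the clip: "how much better" (Governance rises from 0.25 to 1.0, Operations only from 0.17 to 0.33) and "where are we still not doing it" (nine practices remain below level 1). Unanswered levels scoring zero, and unknown practice names being rejected, are deliberate so that a hurried or mistyped questionnaire cannot quietly claim credit.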
Rick Howard wraps up the segment by acknowledging the contributions of the production team and the creative efforts behind the podcast.
Rick Howard [03:37]: "Word Notes is written by Nila Genoi, executive produced by Peter Kilpe, and edited by John Petrick and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliot Peltzman. Thanks for listening, Sam."
Key Takeaways:
SAMM as a Prescriptive Tool: Unlike BSIMM, SAMM provides a structured approach for organizations to implement and measure their software security practices.
Quantifiable Metrics: SAMM enables organizations to quantify improvements in their security programs, addressing a critical gap in assessing the effectiveness of security initiatives.
Evolving Framework: With continuous updates, SAMM remains relevant, adapting to modern software development practices and emphasizing automation and integration with development teams.
Beyond Checkboxes: The model encourages a comprehensive and consistent execution of security activities, ensuring that practices are not just performed but are effective and measurable.
For organizations looking to enhance their software security posture, SAMM offers a robust framework to guide strategy, measure progress, and ensure that security is an integral part of the software development lifecycle.