
OWASP SAMM - Measuring and Improving Software Security Maturity

A complete guide to OWASP SAMM (Software Assurance Maturity Model) — the five business functions, fifteen security practices, maturity levels, and how to use SAMM assessments to build a roadmap for software security improvement.


OWASP SAMM: A Measurable Roadmap for Software Security Programme Maturity

How mature is your software security programme? Without a structured model for measuring maturity, organisations struggle to understand where they are, where they need to be, and how to prioritise improvements. The OWASP Software Assurance Maturity Model (SAMM) provides exactly this — a framework for assessing and improving software security practices across the software development lifecycle, organised into measurable maturity levels that enable meaningful benchmarking and improvement roadmaps.
SAMM's Five Business Functions and Fifteen Practices

SAMM organises software security activities into five business functions, each containing three security practices:

Governance:

  • Strategy and Metrics — defining and measuring a software security programme
  • Policy and Compliance — establishing security policies and ensuring compliance
  • Education and Guidance — raising security awareness and providing training

Design:

  • Threat Assessment — identifying and analysing threats and risk
  • Security Requirements — defining security requirements for software
  • Security Architecture — designing secure architectures and reference patterns

Implementation:

  • Secure Build — building security into the build process
  • Secure Deployment — securing the deployment pipeline and runtime environment
  • Defect Management — managing and tracking security defects

Verification:

  • Architecture Assessment — reviewing architecture for security weaknesses
  • Requirements-driven Testing — testing against security requirements
  • Security Testing — performing security-focused testing (SAST, DAST, penetration testing)

Operations:

  • Incident Management — detecting, responding to, and learning from security incidents
  • Environment Management — maintaining secure configurations for operational environments
  • Operational Management — managing operational risk and security monitoring

SAMM Maturity Levels: 0 to 3

Each SAMM security practice is assessed across three maturity levels:

Level 0 (Implicit starting point): The practice is not performed, or is performed ad hoc without structure or documentation.

Level 1 (Initial understanding): The practice is performed in a basic way, providing initial assurance but without systematic or consistent application. Activities are reactive and often manual.

Level 2 (Structured and repeatable): The practice is performed in a structured, consistent way with defined processes, tools, and metrics. Activities are planned and repeatable.

Level 3 (Optimised and measured): The practice is optimised, with continuous improvement based on measurement and feedback. Activities are systematic, automated where possible, and integrated into the development process.

A SAMM assessment scores each of the fifteen practices at the current level (0–3) and can compare against an industry benchmark or desired target level to produce a prioritised improvement roadmap.

Conducting a SAMM Assessment

A SAMM assessment follows a structured process:

Scoping: Defining which teams, products, and processes are in scope for the assessment.

Data collection: Gathering evidence through interviews with developers, architects, operations teams, and security personnel, and through review of documentation and tooling, then assessing current practice against the criteria for each SAMM security practice and maturity level.

Scoring: Assigning a maturity level score for each practice based on the assessment evidence. SAMM scoring uses a 0–3 scale with 0.25 increment precision.

Benchmarking: Comparing the organisation's scores to SAMM community benchmarks for similar organisations — by industry, size, and development methodology.

Gap analysis: Identifying the gap between current state and target state for each practice, and prioritising improvement activities by their impact on overall programme maturity and their cost to implement.

Roadmap: Producing a time-bound improvement roadmap showing which practices will be improved to which level, in which order, and the specific activities required for each improvement.
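As an added example (not code from the original article or from OWASP's own SAMM toolbox), the scoring, benchmarking, gap-analysis and roadmap steps above expressed as a small Python script: it validates that every score sits on the 0–3 scale in 0.25 increments, averages the three practices of each business function into a function score for benchmarking, and ranks the practices with a gap by maturity gained per unit of effort. The current scores, target scores and effort figures are constructed sample data, and the effort-weighted priority rule is an assumption chosen for illustration.

```python
# Practices grouped by business function, as listed in this article.
SAMM_FUNCTIONS = {
    "Governance": ["Strategy and Metrics", "Policy and Compliance", "Education and Guidance"],
    "Design": ["Threat Assessment", "Security Requirements", "Security Architecture"],
    "Implementation": ["Secure Build", "Secure Deployment", "Defect Management"],
    "Verification": ["Architecture Assessment", "Requirements-driven Testing", "Security Testing"],
    "Operations": ["Incident Management", "Environment Management", "Operational Management"],
}

# Constructed assessment data: practice -> (current score, target score, effort in person-weeks).
# The effort figures are assumptions used only to illustrate cost-aware prioritisation.
ASSESSMENT = {
    "Strategy and Metrics": (1.0, 2.0, 4), "Policy and Compliance": (1.5, 2.0, 2),
    "Education and Guidance": (0.5, 2.0, 3), "Threat Assessment": (0.25, 2.0, 5),
    "Security Requirements": (1.0, 2.0, 3), "Security Architecture": (1.0, 1.0, 2),
    "Secure Build": (2.0, 3.0, 6), "Secure Deployment": (1.5, 2.0, 2),
    "Defect Management": (0.75, 2.0, 2), "Architecture Assessment": (0.0, 1.0, 4),
    "Requirements-driven Testing": (0.5, 1.0, 3), "Security Testing": (1.5, 2.0, 4),
    "Incident Management": (1.0, 2.0, 3), "Environment Management": (1.25, 2.0, 2),
    "Operational Management": (1.0, 1.0, 1),
}

def validate_score(score):
    """Reject scores outside 0-3 or not on the 0.25 grid the article describes."""
    if not 0 <= score <= 3 or (score * 4) != int(score * 4):
        raise ValueError(f"invalid SAMM score: {score}")
    return score

def function_scores(assessment):
    """Average current practice scores per business function (the benchmark view)."""
    return {fn: round(sum(validate_score(assessment[p][0]) for p in ps) / len(ps), 2)
            for fn, ps in SAMM_FUNCTIONS.items()}

def build_roadmap(assessment):
    """Practices with a gap, ranked by maturity gained per person-week (ties: larger gap first)."""
    rows = []
    for fn, practices in SAMM_FUNCTIONS.items():
        for p in practices:
            current, target, effort = assessment[p]
            gap = validate_score(target) - validate_score(current)
            if gap > 0:  # practices already at target need no roadmap entry
                rows.append({"function": fn, "practice": p, "gap": gap,
                             "effort": effort, "priority": round(gap / effort, 3)})
    return sorted(rows, key=lambda r: (-r["priority"], -r["gap"], r["practice"]))

if __name__ == "__main__":
    for r in build_roadmap(ASSESSMENT):
        print(f"{r['function']:<15}{r['practice']:<30}gap {r['gap']:.2f}  {r['effort']}pw  {r['priority']}")
```

A real roadmap would additionally weight each practice by the business risk it addresses, which this ranking deliberately leaves out to keep the gap arithmetic visible.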

Why Organisations Choose Savadub

Deep GRC Expertise

Our team holds practitioner-level expertise across every major compliance framework — not just theoretical knowledge, but hands-on implementation experience across multiple industries and organisation sizes.

Engineers, Not Just Consultants

We implement controls, not just recommend them. Our GRC engineers configure the systems, write the integrations, and build the monitoring pipelines that make compliance operational.

Global and African Regulatory Coverage

We understand both the global frameworks and the African regulatory environment — NDPR, NDPA, CBN directives, NITDA guidelines, and regional data protection laws — making us uniquely positioned for organisations operating across Africa and internationally.

Internal and External Audit Capability

We provide both embedded internal audit functions and independent third-party audit support, including CPA-accredited audit coordination for SOC examinations.

End-to-End Engagement

From initial gap assessment through certification, continuous monitoring, and ongoing compliance management — we are your long-term GRC partner, not a one-time consultant.

Industries We Serve

Financial Services · Healthcare · Technology & SaaS · Manufacturing · Logistics & Trade · Government & Public Sector · Energy & Critical Infrastructure · Education & EdTech · Media & Broadcasting · Retail & E-Commerce · Professional Services · Food & Beverage

Deliverables You Receive

Working with Savadub, every engagement delivers a concrete set of outputs:

  • Gap Assessment Report — prioritised findings with effort estimates and risk ratings
  • Compliance Roadmap — milestone-based plan from current state to certification or attestation
  • Risk Register — organisational risk register with treatment plans
  • Policy Pack — all required policies authored, reviewed, and approved
  • Technical Control Implementation Evidence — configurations, screenshots, and audit trails
  • Internal Audit Report — independent assessment of control effectiveness
  • Audit Evidence Repository — organised, auditor-ready evidence collection
  • Executive Summary Presentation — board and leadership-ready compliance status
  • Remediation Tracker — structured tracking of open findings and closure evidence
  • Continuous Monitoring Setup — ongoing CCM pipeline for post-certification compliance

Get Started with Savadub

Savadub's GRC practice combines deep compliance expertise with technical engineering capability. We don't just advise — we build, implement, and operate your compliance program from the ground up.

Book a free GRC consultation with our team. We will review your current posture, identify your most critical gaps, and give you a clear, costed roadmap to compliance.

Contact us:

  • Email: grc@savadub.com
  • Phone: +234 816 734 2201
  • WhatsApp: +234 903 234 8435
  • Website: www.savadub.com
