OWASP SAMM — Software Assurance Maturity Model (v2)
Source: OWASP SAMM
OWASP SAMM is a vendor-neutral maturity model for measuring and improving a software assurance program. Version 2 organizes practice across five business functions (Governance, Design, Implementation, Verification, Operations), each with three security practices, scored against three maturity levels. It ships an assessment toolkit so a team can self-score and plan increments.
On this wiki SAMM is the peer maturity model to Microsoft SDL and a precursor referenced by NIST SSDF. It is one input to the Secure-SDLC Framework Stack synthesis.
Seed page
Created to resolve dead links from NIST SSDF and Microsoft SDL. A full treatment would map SAMM’s five functions to the wiki’s CMM domains and note where it does and does not address agentic-AI assurance.