Welcome to SAMMY


SAMMY is our vision behind OWASP SAMM as a management process and tool. SAMMY is an OWASP SAMM tool that targets to reduce SAMM implementation complexity in organizations. SAMMY starts with small and quick wins and goes broader as there is more buy-in from the users.

SAMMY is free tool however we do require registration. From version 1.2 there is a fully anonymous mode though that does not require any registration. You are not the product and we will take maximum care to ensure the privacy and security of your data. For the full terms of conditions please have look at this document: Terms of agreement

Core concepts

The main conceptual features in SAMMY are as follows:

  • Splitting up SAMM per stream into separate (ideally independent) processes
  • Ownership allocation throughout the process
  • Limiting the SAMM scope based on progress and weights
  • Supporting documentation/evidence for each stream and maturity level
In OWASP SAMM the roadmap is a top-down well-planned process. Our vision is to have a bottom-up assignment-based process. Each stream continuously passes through the following 3 tracks.
  1. Evaluation track is the starting point for each stream. Users with an evaluator role can pick a stream and start assessing it in terms of maturity.
  2. Validation track requires special users (ideally external SAMM trainers) to confirm that the evaluation was indeed correct (or reject and ask for additional evidence).
  3. Improvement track presents all streams up for improvement (sorted by weight) and allows any user within the organization to start tackling it.
Note that after the improvement the streams will typically go back to the evaluation track.

Planned improvements

We would love to get your feedback on SAMMY and we will definitely take it into account. Aside from that we envision the following features in SAMMY in the coming months:

  • Integration with OWASP SAMM Benchmarking that will allow to obtain a more industry-based weighing and scoring of the streams
  • Gamification
  • Evidence expiration and maturity downgrades
  • Automation of some SAMM scoring (e.g., based on infrastructure automation descriptions)

Get in touch with us using the Contact Us form.