SAMM Compliance and Maturity Model

SAMMY UI is optimized for resolutions with a width 1024px and higher.

Architecture Design Technology Management

Maturity Level 1

Maturity Level 2

Maturity Level 3

Identify tools and technologies

Do you evaluate the security quality of important technologies used for development?

You have a list of the most important technologies used in, or in support of, each application
You identify and track technological risks
You ensure the risks to these technologies are in line with the organizational baseline

Description

People often take the path of least resistance in developing, deploying or operating a software solution. New technologies are often included when they can facilitate or speed up the effort or enable the solution to scale better. These new technologies might, however, introduce new risks to the organization that you need to manage.

Identify the most important technologies, frameworks, tools and integrations being used for each application. Use the knowledge of the architect to study the development and operating environment as well as artefacts. Then evaluate them for their security quality and raise important findings to be managed.

OWASP Team guidance

This is the official guidance provided by the OWASP SAMM Team.

Loading, please wait.

Community guidance

This guidance is based on the approved community submissions.

Loading, please wait.

Promote preferred tools and technologies

Do you have a list of recommended technologies for the organization?

The list is based on technologies used in the software portfolio
Lead architects and developers review and approve the list
You share the list across the organization
You review and update the list at least yearly

Description

Identify commonly used technologies, frameworks and tools in use across software projects in the organization, whereby you focus on capturing the high-level technologies.

Create a list and share it across the development organization as recommended technologies. When selecting them, consider incident history, track record for responding to vulnerabilities, appropriateness of functionality for the organization, excessive complexity in usage of the third-party component, and sufficient knowledge within the organization.

Senior developers and architects create this list, including input from managers and security auditors. Share this list of recommended components with the development organization. Ultimately, the goal is to provide well-known defaults for project teams. Perform a periodic review of these technologies for security and appropriateness.

OWASP Team guidance

This is the official guidance provided by the OWASP SAMM Team.

Loading, please wait.

Community guidance

This guidance is based on the approved community submissions.

Loading, please wait.

Enforce the use of recommended technologies

Do you enforce the use of recommended technologies within the organization?

You monitor applications regularly for the correct use of the recommended technologies
You solve violations against the list accoranding to organizational policies
You take action if the number of violations falls outside the yearly objectives

Description

For all proprietary development (in-house or acquired), impose and monitor the use of standardized technology. Depending on your organization, either implement these restrictions into build or deployment tools, by means of after-the-fact automated analysis of application artefacts (e.g., source code, configuration files or deployment artefacts), or periodically review focusing on the correct use of these frameworks.

Verify several factors with project teams. Identify use of non-recommended technologies to determine if there are gaps in recommendations versus the organization's needs. Examine unused or incorrectly used design patterns and reference platform modules to determine if updates are needed. Additionally, implement functionality in the reference platforms as the organization evolves and project teams request it.

OWASP Team guidance

This is the official guidance provided by the OWASP SAMM Team.

Loading, please wait.

Community guidance

This guidance is based on the approved community submissions.

Loading, please wait.

Open CRE

Loading, please wait.