OWASP SAMM: Q1 2021 Status and Roadmap

Seeking shelter in an ancient kauri treee. Coromandel Forest Park, Waikato, New Zealand
Coromandel Forest Park, Waikato, New Zealand

I was invited to provide an roadmap update on the OWASP SAMM project to our friends in the New Zealand application security community in February.  Giving a virtual talk to an onsite meeting was an interesting experience, as it is hard to get a feel for an audience in a large space.  As New Zealand has put a lot of effort into containing the coronavirus outbreak and has been able to minimize social quarantining requirements they were able to hold this year’s event in person.  Unfortunately for me it meant I could not visit in person; when I visited in 2020 – just before the pandemic – it was a fantastic experience and a great adventure!

Slide Deck
Video (YouTube, 30:30)


The OWASP Software Assurance Maturity Model (SAMM) enables you to formulate and implement a strategy for software security that is tailored to the risk profile of your organisation. In this talk, we give an overview of the new release of the SAMM model. After 10 years since its first conception, it was important to align it with today’s development practices. We will cover a number of topics in the talk:

  • the core structure of the model, redesigned and extended to align with modern development practices;
  • the measurement model, enhanced to cover both coverage and quality; and
  • the new security practice streams where the SAMM activities are grouped in maturity levels.

We will demonstrate using the new SAMM2 Toolbox to measure the maturity of an example development team and how you can create a roadmap of activities.

Our new SAMM project “CI/CD” pipeline allows us to iterate much faster. We plan to push new SAMM improvements over the coming months. During this talk we will share our short-, medium-, and long-term plans for OWASP SAMM and hope to capture your feedback and requests for improvement.

John Ellingsworth is a security principal at a Fortune 1000 company where he helps software development teams build and deliver secure enterprise solutions. When not delivering secure software solutions, he can be found hanging out with his family, often outdoors, and probably scaling mountains.

John is on the core team for the OWASP Software Assurance Maturity Model (SAMM) Project. He contributed to the latest SAMM version (2.0) as a co-author, and has delivered SAMM training at a number of application security conferences.