OWASP SAMM

Summary

OWASP Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. The version used in this section is OWASP SAMM v1.0.

Definitions

Each SAMM definition (practice and maturity level) is listed with the requirements that map to it.

Definition: EH_1. Baseline operational environment for applications and software components
Requirements:
  154. Eliminate backdoors
  353. Schedule firmware updates

Definition: EH_2. Improve confidence in application operations by hardening the operating environment
Requirements:
  266. Disable insecure functionalities

Definition: IR_1. Find basic code-level vulnerabilities and other high-risk security issues
Requirements:
  155. Application free of malicious code

Definition: IR_3. Code review process to discover language-level and application-specific risks
Requirements:
  154. Eliminate backdoors
  155. Application free of malicious code
  156. Source code without sensitive information
  157. Use the strict mode
  158. Use a secure programming language
  159. Obfuscate code
  162. Avoid duplicate code
  164. Use optimized structures
  168. Initialize variables explicitly
  171. Remove commented-out code
  344. Avoid dynamic code execution
  345. Establish protections against overflows

Definition: OE_1. Enable communications for critical security-relevant data
Requirements:
  075. Record exceptional events in logs
  338. Implement perfect forward secrecy

Definition: OE_3. Mandate communication of security information and validate artifacts
Requirements:
  091. Use internally signed certificates
  092. Use externally signed certificates
  178. Use digital signatures
  378. Use of log management system

Definition: SA_2. Software design process toward known-secure services and secure-by-default designs
Requirements:
  062. Define standard configurations
  161. Define secure default options
  266. Disable insecure functionalities

Definition: SA_3. Control the software design process and validate utilization of secure components
Requirements:
  048. Components with minimal dependencies
  062. Define standard configurations
  348. Use consistent encoding

Definition: TA_3. Concretely tie compensating controls to each threat against internal and third-party software
Requirements:
  262. Verify third-party components