OWASP SAMM

Summary

OWASP Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. The version used in this section is OWASP SAMM v1.0.

Definitions

Definition | Requirements

TA_3. Concretely tie compensating controls to each threat against internal and third-party software
  262. Verify third-party components

SA_2. Software design process toward known-secure services and secure-by-default designs
  062. Define standard configurations
  161. Define secure default options
  266. Disable insecure functionalities

SA_3. Control the software design process and validate utilization of secure components
  048. Components with minimal dependencies
  062. Define standard configurations
  348. Use consistent encoding

IR_1. Find basic code-level vulnerabilities and other high-risk security issues
  155. Application free of malicious code

IR_3. Code review process to discover language-level and application-specific risks
  154. Eliminate backdoors
  155. Application free of malicious code
  156. Source code without sensitive information
  157. Use the strict mode
  158. Use a secure programming language
  159. Obfuscate code
  162. Avoid duplicate code
  164. Use optimized structures
  168. Initialize variables explicitly
  171. Remove commented-out code
  344. Avoid dynamic code execution
  345. Establish protections against overflows

EH_1. Baseline operational environment for applications and software components
  154. Eliminate backdoors
  353. Schedule firmware updates

EH_2. Improve confidence in application operations by hardening the operating environment
  266. Disable insecure functionalities

OE_1. Enable communications for critical security-relevant data
  075. Record exceptional events in logs
  338. Implement perfect forward secrecy

OE_3. Mandate communication of security information and validate artifacts
  091. Use internally signed certificates
  092. Use externally signed certificates
  178. Use digital signatures
  378. Use of log management system