OWASP SAMM (Software Assurance Maturity Model) v2.0 is the open framework for measuring and improving an organisation's software security programme across the complete software development lifecycle. It is built around five business functions (Governance, Design, Implementation, Verification, and Operations), each containing three security practices, and each practice is defined at three maturity levels. Together these give a quantitative roadmap for building a world-class application security programme from any starting point.
Unlike binary pass/fail standards, SAMM scores each practice on a 0.0 to 3.0 maturity scale. This lets organisations benchmark their current state, set a target maturity level for each practice, and build a pragmatic improvement roadmap aligned with business risk. The SAMM assessment is available as a free online tool that includes benchmarking against industry peers, which makes it the most widely used framework for AppSec programme planning and board-level security programme reporting.