Evaluating Software Security Through the BSIMM and OWASP SAMM Maturity Models
November 5th, 2025
Maturity models like BSIMM (Building Security In Maturity Model) and OWASP SAMM (Software Assurance Maturity Model) are frameworks for evaluating an organization’s software security practices. BSIMM is distinguished by letting an organization compare its own security initiative with the security initiatives of other organizations. BSIMM lets you gauge how well your security initiative holds up against vulnerabilities over time, and it lets you use the initiatives of other organizations as benchmarks. OWASP SAMM is a prescriptive model consisting of self-assessment, scorecards, and remediation recommendations. OWASP SAMM enables an organization to assess and score each domain of its security initiative. Based on those results, you can determine whether your initiative meets the desired security standards or whether you should use OWASP SAMM’s guidance to strengthen the areas that require improvement.
Both OWASP SAMM and BSIMM consist of four core domains:
BSIMM
Governance- Organizes and measures security initiative elements like strategy (roles, budgets, goals), metrics, compliance (regulatory mapping, SLAs, and audits), policy, and training (upskilling developers and architects).
Intelligence- Corporate knowledge base of proactive security resources (attack models, security frameworks, and security standards/requirements).
Security Development Lifecycle Touchpoints- Integrate security into software development phases (risk modeling, code review, PIA, fuzzing, and static/dynamic analysis).
Deployment- Ensuring software readiness for release (pen testing, vulnerability management, environment hardening, and risk mitigation).
OWASP SAMM
Governance- Managing the organization-wide development process.
Construction- Building secure designs and code.
Verification- Reviewing and testing security controls and artifacts.
Deployment- Managing and operating released software securely.
The purpose of software security maturity models is to help organizations gauge how effectively security is integrated into their SDLC and to promote communication and benchmarking across organizations.
In summary, the goal of OWASP SAMM is to provide a prescriptive framework for helping organizations implement structured, risk-based software security strategies, while the goal of BSIMM is to serve as an empirical model built from more than 100 real-world software security initiatives.
— Ben Skinner