Goals
How important is it for your organization to compare against peers?
Helping our users answer the critical questions “How am I doing?” and “What might be working for other similar organizations?” is a priority for the SAMM team. It is our goal to build a database for companies to measure the maturity of their security development practices against the industry based on variables such as verticals and company size. In turn, the information we collect can help the SAMM model evolve based on actual information from the field. As an added benefit, this project can facilitate research on secure development practices worldwide as universities and researchers analyze and interpret the information the community donates, providing valuable insights.
Tapping into the benchmark data
The end-goal of the benchmark initiative is for companies to use the data to measure themselves against their peers in the industry. Our main hurdle at this point is to gather a large enough dataset to guarantee accurate comparisons and maintain full anonymity for the contributing parties. As an added benefit, we’ll use the data to prioritize the publication of guidance for streams and activities.
Benchmark data
v24.1.1
In September 2024, we released an updated OWASP SAMM Benchmark. The number of data sets remains quite limited (30). The benchmark dataset remains skewed towards large organizations. The SAMM Core team was able to slice the data and provide more granular information. The benchmark data and its interpretations were presented during SAMM User Day in San Francisco.
Click here to view the SAMM Benchmark dataset v24.1.1.
You can also visualize the aggregated and anonymized data.
Click here to view the SAMM Benchmark export from January 2025 (CSV file).
v24.1.0
In June 2024, we released the very first OWASP SAMM Benchmark data. Despite the huge interest from the community to have a common benchmark, the number of submitted data sets has been very limited (25). The benchmark is heavily based on data provided by large organizations. The benchmark data and some of its interpretations were presented during SAMM User Days in Lisbon.
Click here to view the SAMM Benchmark dataset v24.1.0.
Benchmark report
This report is an analysis based on real-world data that provides actionable insights into the current state of application security maturity. It’s a window into the strategies, strengths, and challenges faced by organizations who have contributed to the project. By exploring key trends and scores across the five SAMM business functions, this report offers a clear view of how organizations are tackling application security.
Go to the Benchmark Report page
Submission process
There are 2 ways of submitting data:
Uploading it to the Benchmark folder. Please refer to this video for instructions.
Sending it by email to [email protected]
The data is collected in an anonymous way and covered by the following terms and conditions. During the submission process we will ask for some metadata. The more information provided, the better the comparative analysis will be.
To help practitioners get permission from their clients or companies to submit datasets, we have created the following email template.
Roles
This initiative can only succeed with the help of the community of SAMM users and practitioners that surround the OWASP SAMM project.
SAMM users and practitioners help organizations with SAMM assessments and serve as their benchmark data owner. They might be internal to the organization that is submitting data, or external consultants, performing SAMM assessments for organizations according to the guidelines you can find in our Getting started page, Determining Scope blog post, and Fundamentals Course.
Updates
We will be updating this page and the process as the project progresses. If you have any questions, please send an email to [email protected]