🧩 Using BSIMM and SAMM Together — Assessments, Roadmaps, and Quarterly Reviews
Best practical pattern: Use SAMM to define the roadmap and target maturity. Use BSIMM to benchmark whether your chosen capabilities resemble what mature organizations actually do.
Why combine them?
Used together, the models cover each other’s blind spots.
| Need | Best primary model | Why |
|---|---|---|
| Benchmark against mature organizations | BSIMM | It reflects observed practice across real initiatives |
| Define the target operating model | SAMM | It is purpose-built for staged improvement planning |
| Build a quarterly roadmap | SAMM | It provides a cleaner maturity target structure |
| Defend strategy to skeptical executives | BSIMM + SAMM | One gives outside-world realism, the other gives structured next steps |
| Decide what capability to fund next | SAMM first, BSIMM as a confidence check | Roadmap first, benchmark second |
A practical operating model
1. create a current-state view with SAMM
For each relevant practice, answer:
- what is our current maturity?
- what evidence supports that score?
- which weaknesses are creating the most delivery risk, response risk, or exposure?
2. use BSIMM to sense-check your priorities
Ask:
- are we missing capabilities that mature software security initiatives commonly have?
- are we over-investing in one area while neglecting another?
- do our plans cover architecture, training, environment, and operational feedback — not just testing?
3. build a roadmap by capability cluster
Good clusters:
- governance and ownership;
- design and architecture;
- testing and release control;
- deployment and runtime;
- response and continuous improvement.
4. review progress in quarterly leadership language
Instead of presenting “we moved from 1.7 to 2.1,” present:
- which capabilities became real;
- what risk is now better controlled;
- what delivery friction was removed;
- what decision is needed next.
Example 12-month model
Quarter 1 — establish the truth
- run a SAMM-based current-state assessment;
- map existing controls and rituals to BSIMM practices;
- identify the three most material gaps by business risk;
- define owners and evidence expectations.
Quarter 2 — implement foundation controls
- fix the weakest high-risk practices first;
- define secure design, build, and deployment standards;
- start evidence-based leadership reporting.
Quarter 3 — strengthen distributed execution
- expand training and champion enablement;
- operationalize release evidence and exception review;
- improve telemetry and operational feedback into engineering.
Quarter 4 — shift from project to program
- move guardrails into defaults and templates;
- use BSIMM framing in executive narratives;
- reset target maturity for the next year based on actual progress.
How to use this in quarterly reviews
What to show
| Slide | What to include |
|---|---|
| Current state | Three to five capability gaps stated in plain English |
| Target state | Which practices are being uplifted this year and why |
| Evidence of progress | New defaults, new adoption, reduced manual review, better response, improved release confidence |
| Risk translation | What this means for customer trust, resiliency, and engineering efficiency |
| Decisions needed | Headcount, platform support, policy change, sequencing, or executive sponsorship |
What to avoid
- a maturity heat map with no narrative;
- a benchmark score with no explanation of business meaning;
- activity lists disconnected from risk, scale, or cost.
Where each model helps the director most
BSIMM helps directors with:
- executive credibility;
- peer framing;
- explaining why Product Security needs to span engineering and operations;
- showing that a broader operating model is normal in mature firms.
SAMM helps directors with:
- sequencing change;
- assigning ownership;
- making maturity measurable;
- preventing one-dimensional growth.
A strong recommendation for Product Security programs
If your Product Security function is already beyond “just starting,” the most practical pattern is:
- SAMM for planning;
- BSIMM for benchmarking;
- your own metrics and incidents for prioritization.
That combination creates a program that is externally credible, internally actionable, and easier to govern.
Cross-links
- BSIMM and OWASP SAMM — Overview, Value, and Comparison
- BSIMM Deep Dive — Domains, Practices, and Manager Use
- OWASP SAMM Deep Dive — Business Functions, Practices, and Roadmapping
- Director Packs, Scorecards, and Review Cadence
- Quarterly Product Security Review — Worked Example
Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.