ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question

The OWASP Software Assurance Maturity Model (SAMM) is designed to help organizations evaluate and improve their software-security program over time. SAMM groups security practices into four business functions-Governance, Construction, Verification, and Deployment-and defines three incremental maturity levels for each practice. By determining their current level and setting future targets, teams can create a phased roadmap with clear milestones and metrics.

The OWASP Top 10 identifies the most critical web-application risks and helps prioritize remediation, but it is not a process-maturity framework. The OWASP Zed Attack Proxy (ZAP) is a dynamic testing tool, useful for finding runtime issues but not for overall program planning. The OWASP Application Security Verification Standard (ASVS) provides detailed requirements for testing individual applications rather than guiding organization-wide maturity progression. Therefore, SAMM is the appropriate resource for building and tracking a long-term security-process improvement strategy.