OWASP Global AppSec EU 2026 Vienna

Security is widely recognized as one of the top global risks, yet many organizations struggle managing that risk effectively. One of the key reasons is that application security efforts often consist of fragmented tools and isolated practices rather than a coherent program focused on people, processes, and tools.
Within the OWASP community, two mature models exist to support application security programs, OWASP Software Assurance Maturity Model (SAMM) and OWASP DevsSecOps Maturity Model (DSOMM). However, practitioners frequently struggle to understand how these models differ, where they overlap, and how they should be applied in practice. As a result, SAMM and DSOMM are often perceived as competing frameworks. Moreover, their breadth and depth can be overwhelming for teams encountering them for the first time, reinforcing the myth that they must choose one or the other.

This talk provides a structured, high level introduction to both OWASP SAMM and OWASP DSOMM, focusing on their shared principles as well as their key differences. By introducing a simple taxonomy of security scopes, the session explains why multiple security frameworks are necessary and clarifies where SAMM and DSOMM each fit. SAMM is positioned as a model focused on organizational security capabilities and application program maturity, supporting management and strategic decision making, while DSOMM focuses on DevSecOps implementation and operational practices, providing concrete guidance for technical teams and engineering workflows.

This session concludes with a practical case study of a SaaS organization, illustrating how SAMM and DSOMM can be used together to create a coherent improvement roadmap. The case study demonstrates how organizations can start small, avoid boiling the ocean, and use both models in tandem to achieve structured, practical, and sustainable improvements in application security.