SAMA Cyber Security Framework Compliance
The SAMA Cyber Security Framework is mandatory for Saudi financial institutions.
Learn how ImmuniWeb supports its vulnerability management and penetration testing requirements.
Saudi Arabian Monetary Authority (SAMA) Cyber Security Framework (1.0) Compliance
What Is the SAMA Cyber Security Framework?
The SAMA CSF sets the cybersecurity baseline for Saudi financial institutions. It is organized into four main domains - cybersecurity leadership and governance, cybersecurity risk management and compliance, cybersecurity operations and technology, and third-party cybersecurity - each divided into subdomains and controls.
Controls are assessed against a maturity model, and Member Organizations submit periodic self-assessments to SAMA. Supervisory reviews expect demonstrable evidence - including penetration testing results - that technical controls are functioning, not merely documented.
See how ImmuniWeb supports SAMA CSF vulnerability management and penetration testing for the applications your institution runs. Request a demo or run a free Community Edition test.
Who Must Comply with SAMA CSF?
The SAMA CSF applies to all SAMA Member Organizations:
- Banks and insurers regulated by the Saudi Central Bank.
- Finance companies and credit bureaus under SAMA supervision.
- Financial market infrastructure and other SAMA-regulated entities.
The web, mobile and API applications these institutions run fall within the framework's technical controls.
Key SAMA CSF Requirements for Application Security
Within the operations and technology domain, several controls drive application-security work:
- Secure software development: apply a secure software development life cycle for applications.
- Vulnerability management: conduct regular vulnerability assessments and remediate findings within SAMA's expected timeframes.
- Penetration testing: perform regular, structured penetration testing as evidence that technical controls work - distinct from vulnerability scanning.
SAMA CSF Application-Security Requirements in Depth
Vulnerability Management and Penetration Testing
SAMA expects institutions to run regular vulnerability assessments and structured penetration testing, with critical and high findings remediated within expected timeframes. Supervisory reviews specifically look for penetration testing evidence, so combining continuous scanning with periodic manual penetration testing is key.
Secure Software Development
The framework expects a secure software development life cycle. Embedding security testing into development and testing applications before release reduces the vulnerabilities that reach production and provides maturity evidence against the SAMA CSF.
Common Web & Mobile Application Risks to Address
The application vulnerabilities the framework expects you to find map closely to the OWASP Top 10:
- Broken Access Control — users reaching data or actions they should not.
- Cryptographic Failures — weak or missing encryption exposing sensitive data.
- Injection — SQL, command or other injection via unvalidated input.
- Insecure Design — missing security controls by design, not just by bug.
- Security Misconfiguration — default, incomplete or unsafe configuration.
- Vulnerable & Outdated Components — unpatched libraries and frameworks.
- Identification & Authentication Failures — weak login, session or credential handling.
- Software & Data Integrity Failures — untrusted updates, insecure CI/CD pipelines.
- Security Logging & Monitoring Failures — attacks going undetected.
- Server-Side Request Forgery (SSRF) — the server tricked into making requests to attacker-chosen destinations, such as internal services.
For mobile apps, the OWASP Mobile Top 10 is the equivalent reference (insecure data storage, insecure communication, weak cryptography, and so on). Reliably finding these issues requires testing the running application, not just a documentation review.
How to Support SAMA CSF Compliance with ImmuniWeb
- Map your assets. Inventory internet-facing apps and APIs with ImmuniWeb Discovery.
- Manage vulnerabilities with Neuron scanning and tracked remediation.
- Penetration test web and mobile applications with On-Demand and MobileSuite.
- Secure development with Continuous in CI/CD.
- Remediate within SLA using actionable, zero-false-positive reports.
- Prepare evidence for the annual SAMA self-assessment and supervisory reviews.
How ImmuniWeb Helps You Achieve SAMA CSF Compliance
ImmuniWeb supports the vulnerability-management, penetration-testing and secure-development expectations of the SAMA CSF with assessment-ready evidence.
| Requirement | What it requires | ImmuniWeb products |
|---|---|---|
| Penetration testing | Regular, structured penetration testing. | On-Demand, MobileSuite |
| Vulnerability management | Regular assessments and remediation. | Neuron, Discovery |
| Secure development | Secure software development life cycle. | Continuous, On-Demand |
ImmuniWeb On-Demand and MobileSuite deliver web and mobile penetration testing; Neuron and Neuron Mobile provide automated scanning; Continuous embeds testing into CI/CD; and Discovery maps your attack surface - producing the evidence SAMA supervisory reviews expect.
SAMA CSF vs International Frameworks
If you already work to international standards, the same ImmuniWeb testing supports all of them:
| Framework | Application-security angle | How ImmuniWeb maps |
|---|---|---|
| SAMA CSF | Vulnerability management + penetration testing | Web/mobile pentest, scanning, ASM |
| Saudi NCA ECC | National Essential Cybersecurity Controls | Same testing supports both |
| ISO/IEC 27001 | Annex A technical controls | Testing as control evidence |
| PCI DSS 4.0.1 | Req 6 & Req 11 | Web app pentest + scanning |
Penetration Testing vs Security Scanning
Both are needed. Automated scanning (DAST) gives broad, frequent coverage and is ideal for continuous testing in CI/CD; manual penetration testing finds business-logic and complex vulnerabilities that scanners miss and produces the depth auditors and regulators expect. Combine continuous scanning with periodic manual penetration testing, and re-test after significant changes.
Compliance Checklist (Application Security)
- Inventory of internet-facing apps, APIs and assets
- Regular vulnerability assessments performed
- Structured penetration testing performed
- Critical/high findings remediated within expected timeframes
- Secure software development life cycle applied
- Maturity targets met (typically Level 3 and above)
- Evidence prepared for the annual SAMA self-assessment
Why SAMA CSF Compliance Matters
The SAMA CSF is mandatory for Saudi financial institutions, and the Saudi Central Bank conducts supervisory reviews and can issue formal warnings, directives and corrective-action requirements. Institutions are expected to reach defined maturity levels and to evidence that controls actually work.
Because web, mobile and API applications are a primary attack surface for financial institutions, demonstrable penetration testing and vulnerability management are among the most direct ways to evidence the framework's technical controls.