Thursday, March 26, 2009

Software Assurance Maturity Model 1.0 Released

Pravir Chandra recently released version 1.0 of the Software Assurance Maturity Model (SAMM). I recommend everyone visit the website to review the model. Jim Manico also interviewed Pravir on OWASP Podcast #14, where they discussed SAMM becoming an OWASP project and briefly discussed why two distinct models, the Building Security In Maturity Model (BSIMM) and SAMM, have emerged.

The newest version of SAMM provides new introductory content including an executive summary and a clear explanation of the model's focus on providing security activities centered around business functions.

Version 1.0 also includes a guide for assessing organizations against SAMM. Companies can use the provided worksheet, which consists of yes-or-no questions, to ascertain the maturity of a software security development process. This could be applied to help:
  • Decide whether to purchase software from a vendor
  • Determine which software-as-a-service or cloud computing providers to select
  • Choose whether to develop software in-house or to contract out the work
  • Determine where the weaknesses in your organization's software security process are
  • Demonstrate progress in improving your organization's software security process
SAMM also includes roadmaps for various industry types. These roadmaps support Pravir's assertion that not all organizations need to reach maturity level "3" in ALL security practices. Sample roadmaps are defined for the following industry types:
  • Independent Software Vendor
  • Online Service Provider
  • Financial Services Organization (New)
  • Government Organization (New)
Again, I encourage everyone to review the Software Assurance Maturity Model at
