Neil MacDonald

A member of the Gartner Blog Network

VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security.

Another Excellent Application Security Maturity Model

by Neil MacDonald  |  August 4, 2009  |  3 Comments

As I talked about in this post, I am a proponent of maturity models in general, as they help organizations understand that there is a progression of capabilities as organizations become more proficient in a discipline (in this case application security/assurance). Maturity models help people understand that changing people and processes takes time, that it's never just about purchasing a tool, that you can't really skip phases, and that not every organization needs to be at the far right of a maturity model.

So, I was pleased when Fortify and Cigital announced their BSIMM (Build Security In Maturity Model). Shortly after this and around the timeframe of the RSA conference, the Open Web Application Security Project (OWASP) formally unveiled its 1.0 (non-beta) Software Assurance Maturity Model (SAMM). SAMM lives on and continues to be improved here.

Conceptually, the two approaches are similar, and I find them both useful frameworks to help organizations assess themselves, in order to:

  • Understand where their security practices fall in terms of a maturity model
  • Identify and understand the gaps they might have
  • Start prioritizing and addressing those gaps.

Also, BSIMM organizes its content in much the same way as SAMM. Interestingly, the SAMM project is led by Pravir Chandra, who is an employee of Fortify. As such, I consider the efforts complementary. Having both perspectives is a good thing, and both are available for download at no cost.

While BSIMM was sponsored by Fortify and Cigital, SAMM is free from any implied commercial ties and provides more per-level specific, prescriptive guidance (e.g. worksheets, scorecards). Both provide insight; SAMM provides more specific guidance.

Whether you use one of these maturity models or others available on the market, maturity models and maturity assessments are a valuable tool for organizations looking to improve their development processes to incorporate application security testing.

Category: Application Security

3 responses so far ↓

  • 1 Gartner talks about OpenSAMM | OpenSAMM   August 11, 2009 at 10:06 am

    [...] folks have sent over links to a recent Gartner post discussing OpenSAMM written by Neil MacDonald, a VP and Gartner Research Fellow. Glad to see them taking notice of our [...]

  • 2 Jerin Sebastian   August 25, 2009 at 4:06 am

    Where will I find information about Security Maturity Models? I need this information for academic purposes. I request you to kindly send me details about websites where I would find reliable and complete information with respect to Security Maturity Models.

    Thank you.

  • 3 More Application Security Goodness From OWASP   January 14, 2010 at 9:11 am

    [...] I’ve written before about OWASP and the guidance they provide to organizations looking to improve application security. One of the best practices for improving application security is to ensure that any code we produce or procure is more secure right from the beginning. Many of the clients I talk with are highly focused on the ‘produce’ part – improving their development processes to ensure that more secure code is produced and that security testing is incorporated in the software development lifecycle. [...]