As I talked about in this post, I am a proponent of maturity models in general, as they help organizations understand that there is a progression of capabilities as an organization becomes more proficient in a discipline (in this case application security/assurance). Maturity models help people understand that changing people and processes takes time, that it's never just about purchasing a tool, that you can't really skip phases, and that not every organization needs to be at the far right of a maturity model.
So, I was pleased when Fortify and Cigital announced their BSIMM (Building Security In Maturity Model). Shortly after this, around the timeframe of the RSA conference, the Open Web Application Security Project (OWASP) formally unveiled its 1.0 (non-beta) Software Assurance Maturity Model (SAMM). SAMM lives on and continues to be improved here.
Conceptually, the two approaches are similar, and I find them both useful frameworks for helping organizations assess themselves in order to:
- Understand where their security practices fall on a maturity model
- Identify and understand the gaps they might have
- Start prioritizing and addressing those gaps
BSIMM also organizes its content in a way that is quite similar to SAMM. Interestingly, the SAMM project is led by Pravir Chandra, who is an employee of Fortify. As such, I consider the efforts complementary. Having both perspectives is a good thing, and both are available for download at no cost.
While BSIMM was sponsored by Fortify and Cigital, SAMM is free from any implied commercial ties and provides more prescriptive, per-level guidance (e.g. worksheets and scorecards) on what to do at each stage. Both provide insight; SAMM provides more specific guidance.
Whether you use one of these maturity models or others available on the market, maturity models and maturity assessments are a valuable tool for organizations looking to improve their development processes by incorporating application security testing.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.