As I talked about in this post, I am a proponent of maturity models in general, as they help organizations understand that there is a progression of capabilities as an organization becomes more proficient in a discipline (in this case application security/assurance). Maturity models help people understand that changing people and processes takes time, that it's never just about purchasing a tool, that you can't really skip phases, and that not every organization needs to be at the far right of a maturity model.
So, I was pleased when Fortify and Cigital announced their BSIMM (Build Security In Maturity Model). Shortly after this and around the timeframe of the RSA conference, the Open Web Application Security Project (OWASP) formally unveiled its 1.0 (non-beta) Software Assurance Maturity Model (SAMM). SAMM lives on and continues to be improved here.
Conceptually, the two approaches are similar and I find them both useful frameworks to help organizations assess themselves to:
- Understand where they fall in their security practices in terms of a maturity model
- Identify and understand gaps they might have
- Start prioritizing and addressing these gaps
BSIMM also organizes its content in much the same way SAMM does. Interestingly, the SAMM project is led by Pravir Chandra, who is an employee of Fortify. As such, I consider the efforts complementary. Having both perspectives is a good thing, and both are available for download at no cost.
While BSIMM was sponsored by Fortify and Cigital, SAMM is free from any implied commercial ties and provides more per-level specific, prescriptive guidance (e.g. worksheets, scorecards). Both provide insight; SAMM provides the more specific guidance.
Whether you use one of these maturity models or others available on the market, maturity models and maturity assessments are a valuable tool for organizations looking to improve their development processes to incorporate application security testing.