Gartner Blog Network

Another Excellent Application Security Maturity Model

by Neil MacDonald  |  August 4, 2009  |  3 Comments

As I talked about in this post, I am a proponent of maturity models in general: they help organizations understand that there is a progression of capabilities as an organization becomes more proficient in a discipline (in this case application security/assurance). Maturity models help people understand that changing people and processes takes time, that it's never just about purchasing a tool, that you can't really skip phases, and that not every organization needs to be at the far right of a maturity model.

So, I was pleased when Fortify and Cigital announced their BSIMM (Build Security In Maturity Model). Shortly after this and around the timeframe of the RSA conference, the Open Web Application Security Project (OWASP) formally unveiled its 1.0 (non-beta) Software Assurance Maturity Model (SAMM). SAMM lives on and continues to be improved here.

Conceptually, the two approaches are similar, and I find them both useful frameworks to help organizations assess themselves in order to:

  • Understand where their security practices fall in terms of a maturity model
  • Identify and understand the gaps they might have
  • Start prioritizing and addressing those gaps

Also, BSIMM is quite similar to SAMM in the way it organizes its content. Interestingly, the SAMM project is led by Pravir Chandra, who is an employee of Fortify. As such, I consider the efforts complementary. Having both perspectives is a good thing, and both are available for download at no cost.

While BSIMM was sponsored by Fortify and Cigital, SAMM is free from any implied commercial ties and provides more level-specific, prescriptive guidance (e.g. worksheets and scorecards). Both provide insight; SAMM provides the more specific guidance.

Whether you use one of these maturity models or others available on the market, maturity models and maturity assessments are a valuable tool for organizations looking to improve their development processes by incorporating application security testing.

Category: application-security  

Tags: application-security  application-security-testing-tools  best-practices  

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Thoughts on Another Excellent Application Security Maturity Model

  1. […] folks have sent over links to a recent Gartner post discussing OpenSAMM written by Neil McDonald, a VP and Gartner Research Fellow. Glad to see them taking notice of our […]

  2. Jerin Sebastian says:

    Where will I find information about Security Maturity Models? I need this information for academic purposes. I request you to kindly send me details about websites where I would find reliable and complete information with respect to Security Maturity Models.

    Thank you.

  3. […] I’ve written before about OWASP and the guidance they provide to organizations looking to improve application security. One of the best practices for improving application security is to ensure that any code we produce or procure is more secure right from the beginning. Many of the clients I talk with are highly focused on the ‘produce’ part – improving their development processes to ensure that more secure code is produced and that security testing is incorporated in the software development lifecycle. […]
