12. Maturity Models
Classification system for a set of processes / functions
Shows characteristics of processes over different levels
Examples:
CMMI (DEV, SVC, ACQ)
SSE-CMM
BSIMM, openSAMM, etc.
13.
14. openSAMM
Open Software Assurance Maturity Model
OWASP project
Open framework to help organizations formulate and implement a strategy for software security
Tailored to the specific risks facing the organization
15. openSAMM
Recognizes 4 types of business functions
Any organization performing software development would have these (names could be different)
16. openSAMM - Security Practices
3 security practices for each business function
3 objectives (one per level) under each practice:
0 (implied starting point, not included)
1 (initial understanding and ad hoc provision of the practice)
2 (increased efficiency / effectiveness of the practice)
3 (comprehensive mastery of the practice)
23. Step 4 - Execute with periodic reviews
Perform the practices / activities for level 1
Keep assessing until you are satisfied and the scorecard confirms it
Inform management with the updated roadmap on a periodic basis
Move to the next level only after you are done with the previous one
This is how management usually expects people to implement security
An organization changes over time; as a result, the business prefers indicators that show progress across the various areas of implementation, to gauge where we are going
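The scorecard and roadmap mechanics described on slides 16 and 23, as an added example (not code from the slides or from the OWASP project): each practice is scored at the highest maturity level whose activities, and those of every lower level, are complete, and the scorecard is compared against the roadmap targets to show which practices still need work. The business-function and practice names are those of openSAMM v1.0, and the assessment answers are constructed sample data.

```python
# Added example (not from the slides or OWASP): an openSAMM-style scorecard.
# Assumes an assessment records, per practice and level (1..3), whether that
# level's activities are fully performed. A level counts only when every lower
# level is complete, matching "move to the next level after the previous one".
from typing import Dict, List, Tuple

# Business functions and practices as named in openSAMM v1.0 (names are not on
# the slides; an organization may use different ones).
MODEL: Dict[str, List[str]] = {
    "Governance": ["Strategy & Metrics", "Policy & Compliance", "Education & Guidance"],
    "Construction": ["Threat Assessment", "Security Requirements", "Secure Architecture"],
    "Verification": ["Design Review", "Code Review", "Security Testing"],
    "Deployment": ["Vulnerability Management", "Environment Hardening", "Operational Enablement"],
}
MAX_LEVEL = 3

def practice_level(done: Dict[int, bool]) -> int:
    """Highest level L with levels 1..L all complete; 0 is the implied start."""
    level = 0
    for lvl in range(1, MAX_LEVEL + 1):
        if not done.get(lvl, False):
            break
        level = lvl
    return level

def scorecard(answers: Dict[str, Dict[int, bool]]) -> Dict[str, Dict[str, int]]:
    """Current maturity level of every practice, grouped by business function."""
    return {fn: {p: practice_level(answers.get(p, {})) for p in practices}
            for fn, practices in MODEL.items()}

def roadmap_gaps(card: Dict[str, Dict[str, int]],
                 targets: Dict[str, int]) -> List[Tuple[str, int, int]]:
    """Practices still below their roadmap target as (practice, current, target)."""
    return [(p, cur, targets[p]) for levels in card.values()
            for p, cur in levels.items() if cur < targets.get(p, 0)]

# Constructed sample assessment: Code Review has level 2 work done but level 1
# unfinished, so it scores 0 until level 1 is completed.
SAMPLE_ANSWERS = {
    "Strategy & Metrics": {1: True, 2: True, 3: False},
    "Code Review": {1: False, 2: True, 3: False},
    "Security Testing": {1: True, 2: False, 3: False},
}
SAMPLE_TARGETS = {"Strategy & Metrics": 2, "Code Review": 1, "Security Testing": 2}

if __name__ == "__main__":
    card = scorecard(SAMPLE_ANSWERS)
    for fn, levels in card.items():
        print(fn, levels)
    print("roadmap gaps:", roadmap_gaps(card, SAMPLE_TARGETS))
```

Practices absent from the answer sheet score 0, so a first assessment naturally starts every practice at the implied level 0 from slide 16.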