Software Security Maturity Models: A Source Review

Building Security in Maturity Model (BSIMM)

The Building Security in Maturity Model (BSIMM) is a descriptive model that catalogs 113 software security activities, organized into the 12 practices of the Software Security Framework (SSF), as observed in the software security initiatives of the participating organizations. The document is broken into two parts. The first part covers the history of BSIMM, how an organization can use it to measure and plan its own software security initiative, and how the data gathered from participating organizations is collected and analyzed. The second part, as McGraw, Migues, & West (2017) describe it, groups the 12 practices at a high level under four domains: governance, intelligence, secure software development lifecycle (SSDL) touchpoints, and deployment. The governance domain includes strategy & metrics, compliance & policy, and training. The intelligence domain covers attack models, security features & design, and standards & requirements. The SSDL touchpoints domain covers architecture analysis, code review, and security testing. The deployment domain covers penetration testing, software environment, and configuration management & vulnerability management.

Software Assurance Maturity Model (SAMM)

The Software Assurance Maturity Model (SAMM) is an open framework created to help an organization formulate and implement a strategy for software security that is tailored to the specific risks facing that organization, as OWASP (2018) describes. SAMM is used to evaluate an organization's existing software security practices, to build a balanced software security assurance program in well-defined iterations, to demonstrate concrete improvements to that program, and to define and measure security-related activities. The model is divided into four business functions: governance, construction, verification, and operations. Each business function groups three security practices related to the fundamentals of software development. Each practice is rated on a maturity scale from 0 to 3, where 0 means the practice is not performed at all and 3 means comprehensive mastery of the practice at scale.

Core Software Security

The book, as Ransome, Misra, Schoenfield, & Schmidt (2014) describe it, presents developer-oriented software security and an all-inclusive process for engaging developers' creativity in the service of security. They point out that as long as software is developed by people, the human component is required to secure it, and that a developer-centric approach to security is not only feasible but also cost-effective and operationally relevant. The methodology builds security into software development, which lies at the heart of our cyber infrastructure: whatever development method is employed, software must be secured at the source. The book's topics include an expert overview of the Secure Development Lifecycle (SDL), a discussion of the privacy elements involved in the SDL, and a summary of a complete SDL framework that includes people and procedures. It goes on to identify the key success factors, deliverables, and metrics for each phase of the SDL, and examines the cost-effectiveness, performance, and organizational structure of a developer-centric software security program.

Information Security Assurance Capability Maturity Model (ISA-CMM)

The Information Security Assurance Capability Maturity Model (ISA-CMM), as described by Security Horizon (2012), outlines the sequence of steps that are executed to perform information assurance work, how those steps are defined, how they are implemented, and how they are improved over time. ISA-CMM identifies nine process areas related to performing information assurance tasks or activities. Each of the nine process areas is assigned a capability maturity level from zero to five. A high capability level indicates that the process area conforms to the ISA-CMM; a low level indicates that the area needs attention to come into conformance. The organization's information assurance function uses ISA-CMM to continually improve the capability of its information assurance processes. ISA-CMM, as Security Horizon (2012) points out, is designed to provide assurance that the information assurance process is consistent and repeatable over time. The objective of applying ISA-CMM is to improve the predictability, control, and effectiveness of the process within the organization. A process, as Security Horizon (2012) defines it, is a sequence of steps performed to achieve a specific purpose. A capability maturity model is a guide that helps the business achieve statistical process control. Process maturity expresses the extent to which a specific process is defined, managed, measured, controlled, and believed to be effective, as described by Security Horizon (2012).

Enterprise Software Security

Traditional approaches to securing software are insufficient, as Van Wyk, Graff, Peters, & Burley (2015) describe. One way to resolve this is to bring software engineering and network security together as a team to protect the enterprise, and the book discusses how to build such a team in an organization. It goes on to discuss how to construct software that protects sensitive data and business processes and that contributes to intrusion detection and response in new ways. The book explores the deployment lifecycle, which includes project start, design, implementation, testing, deployment, operation, and maintenance. It outlines steps for overcoming the obstacles to collaboration between developers and information technology security professionals: helping programmers design, write, deploy, and operate secure software, and helping network security engineers use application output more effectively. The book discusses how to implement positive software design practices and how to identify security defects in existing designs. It goes on to explain how application and security teams need to work together to improve code reviews, clarify the attack scenarios associated with vulnerable code, and validate positive compliance. Finally, the book points out how to move from penetration testing toward more comprehensive security testing.

Cyber Security Engineering

The book is written as a reference and tutorial on the complete range of competencies related to cybersecurity engineering, as Woody & Mead (2016) point out. The authors assembled a comprehensive collection of best practices for building software systems that exhibit higher operational security, and for considering security throughout the full system development and acquisition lifecycles. The book introduces seven core principles of software assurance and demonstrates how to apply them logically and methodically. Using the core principles helps an organization prioritize the wide range of possible security actions available to it and justify the associated investments. The book goes on to guide the reader through risk analysis, planning for managed secure software development, building organizational models, identifying required and missing competencies, and defining and structuring metrics. Also addressed are essential topics that include the use of standards, engineering security requirements for acquiring COTS software, applying DevOps, analyzing malware to anticipate future vulnerabilities, and planning ongoing improvements.

References

McGraw, G., Migues, S., & West, J. (2017). Building security in maturity model (BSIMM) version 8. Synopsys.

OWASP. (2018). Software assurance maturity model: A guide to building security into software development, version 1.5. OWASP Foundation.

Ransome, J. F., Misra, A., Schoenfield, B., & Schmidt, H. A. (2014). Core software security: Security at the source. Boca Raton, FL: CRC Press.

Security Horizon. (2012). Information security assurance capability maturity model (ISA-CMM), draft version 3.2. Security Horizon, Inc.

Van Wyk, K. R., Graff, M. G., Peters, D. S., & Burley, D. L. (2015). Enterprise software security: A confluence of disciplines. Upper Saddle River, NJ: Addison-Wesley.

Woody, C. C., & Mead, N. R. (2016). Cyber security engineering: A practical approach for systems and software assurance. Old Tappan, NJ: Pearson Education.