How secure is your developed software?

An introduction to Software Assurance Maturity Model
Av Even-André Karlsson
The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.

In what way software represents a security risk for organizations is rapidly expanding. This is e.g. shown by the recent example where someone hacked into an organization through the temperature sensor on the aquarium, so even if you don’t think your software constitutes a security risk, you might be wrong. In short; the risk of delivering insecure software and the business impacts on both your organization and your customers organizations may be huge.

If you are in doubt we recommend that you check out Software Assurance Maturity Model (SAMM) 1.5 and do a benchmark against that model. We guarantee it will give you some eye openers and ideas for improvement.

In this short news we will describe the structure and content of the model, and we hope this will motivate you to look into the model. Even if security maturity assessment is not required as for other critical non-functional requirements like Safety we foresee that this will be required in the future. 

SAMM is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the software developing organization. It is used to assess and provide guidance for improvement of the practices needed to develop and deploy secure software.

SAMM is built upon a collection of Security Practices that are tied back into four core Business Functions involved in software development (Governance, Construction, Verification and Operations), see figure below for details.

For each security practice, SAMM defines three maturity levels as objectives. Each level within a security practice is characterized by a successively more sophisticated objective defined by specific activities, and more stringent success metrics than the previous level. As an example, the maturity levels (1-3) of the Education and Guidance security practice is shown below.

The assessments are done in a stepwise way, meaning that we evaluate each level independently, e.g. in the example below, level 1 is at 0,75, level 2 at 0,35 and level 3 at 0,1.

For each of the activities, there are detailed helpful guidelines on what is expected. Below are shown the maturity level 1 activities for the Education and Guidance practice.

For each maturity level there is also concrete information on Success Metrics, Costs and affected Personnel.

We have used the Education and Guidance as an example to describe the structure of the process, but within the other Business Functions there are more technical practices. Below we show the Security Architecture here as an example starting with the objectives and activities:

And finally, the detailed description of the activities for maturity level 3:

We hope that this short news has given you a motivation to look into SAMM 1.5 if you have not already done it. Security is becoming increasingly important for all domains as everything is connected to the internet and more functionality is moving to the cloud. We cannot totally relay on that our system is an isolated island, or just a fish tank.

[All pictures in this news article are from SAMM 1.5]

Even-André Karlsson
Even-André Karlsson