Assessing the Secure Software Lifecycle
There are different assessment approaches to evaluate the maturity of the secure development lifecycle:
Software Assurance Maturity Model (SAMM).
Building Security in Maturity Model (BSIMM).
Common Criteria (CC).
SAMM
Assessment of a development process.
Define and measure security-related activities within an organization.
Evaluate their existing software security practices.
Build a balanced software security program in well-defined iterations.
Demonstrate improvements in a security assurance program.
Uses 12 security practices grouped into 4 business functions:
    Governance
    Construction
    Verification
    Deployment
Provides an organization maturity level (0 to 3).
BSIMM
Assessment of a development process, originally modelled on SAMM.
Uses 12 security practices grouped into 4 business functions:
    Governance
    Intelligence
    Secure software development lifecycle (SSDL) touchpoints
    Deployment
Provides comparison to other BSIMM-assessed companies.
CC
Provides a means for international recognition of security evaluations of information technology products.
Evaluation is performed by an authorized Certification/Validation Body.
Certified/validated products can be reused with no further evaluation.
Based on Evaluation Assurance Levels (EAL1 to EAL7):
    EAL1: Functionally tested.
    EAL2: Structurally tested.
    EAL3: Methodically tested and checked.
    EAL4: Methodically designed, tested, and reviewed.
    EAL5: Semi-formally designed and tested.
    EAL6: Semi-formally verified design and tested.
    EAL7: Formally verified design and tested.